Friday, May 28, 2010

How to Track a spammer

Tracking Spammers

Sometimes you will find the mail queue of your server filling up with spam.
This kind of attack should be handled with the highest priority; otherwise the
mail server will cause an unexpected hike in the server load.

Spammers usually abuse a server in one of the following ways:

1) Using scripts that send a huge number of mails. This is the most common way
a server gets abused.
2) Sending mails through a compromised (hacked) email account.

Tracking a spammer on a cPanel server.

As you know, Exim is the mail server (MTA) used on cPanel.

a) Tracking the scripts that send mails:

The following command will get you the path of the script that is sending
mails. It lists the running Exim processes together with their environment
(the "e" option), splits the output into single fields, and counts how many
processes share the same PWD (working directory), lowest count first.

ps -C exim -fH ewww|awk '{for(i=1;i<=40;i++){print $i}}'|sort|uniq -c|grep PWD|sort -n


A sample output of the above command is given by

---
6 PWD=/home/username/public_html/sm
8 PWD=/

---

The PWD value is the working directory of the process, and on a cPanel server
the path starts with the username the script runs under, so if you suspect
spamming there is no difficulty in finding the user.

In the sample above, 6 mails are being sent from the directory
/home/username/public_html/sm. A count of 6 is low enough to be ignored. If
the count for a directory is well above what that site normally sends, the
files under the directory in question need to be checked in detail.

Lines with either of the following PWD values belong to Exim's own processes
(the daemon and queue runners) and can be ignored:

PWD=/
PWD=/var/spool/exim/


Keep in mind that the above command only catches a spammer while the spamming is in progress, because ps shows only the processes running right now. If the spam run happened some time ago, use the Exim log instead: cPanel's Exim records the working directory (cwd=) of every locally submitted message in /var/log/exim_mainlog.

grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n

The output format of the above command is the same as before, with cwd= in place of PWD=.

That's all about tracking a spamming script.
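The same counting idea, written out as a small script so it can be run against any exim_mainlog and so the benign Exim directories are filtered automatically. This is an added example, not code from the original post; the function names, the threshold of 3 and the log lines (constructed in the exim_mainlog cwd= format, not taken from a real server) are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the cwd= field that
# cPanel's Exim writes to exim_mainlog for every locally submitted message, so
# a spamming script's directory stands out as an outlier.

# Constructed sample log in the exim_mainlog format (not from a real server).
# The file is left in place so the functions below can be re-run against it.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2010-05-28 10:00:01 cwd=/ 3 args: /usr/sbin/exim -bd -q60m
2010-05-28 10:00:02 cwd=/home/username/public_html/sm 3 args: /usr/sbin/sendmail -t -i
2010-05-28 10:00:02 cwd=/home/username/public_html/sm 3 args: /usr/sbin/sendmail -t -i
2010-05-28 10:00:03 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2010-05-28 10:00:04 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2010-05-28 10:00:05 cwd=/home/username/public_html/sm 3 args: /usr/sbin/sendmail -t -i
2010-05-28 10:00:06 cwd=/ 3 args: /usr/sbin/exim -bd -q60m
2010-05-28 10:00:07 cwd=/home/username/public_html/sm 3 args: /usr/sbin/sendmail -t -i
EOF

# Working directories used by Exim itself; expected, and ignored exactly as the
# post advises for PWD=/ and PWD=/var/spool/exim/.
IGNORE_CWD='^(/|/var/spool/exim/?)$'

# count_cwd LOGFILE
# Prints "<count> <directory>" for each submitting directory, lowest count
# first. grep -o extracts just the cwd= token, which replaces the
# field-by-field awk loop used in the post.
count_cwd() {
    grep -o 'cwd=[^ ]*' "$1" \
        | cut -d= -f2- \
        | grep -Ev "$IGNORE_CWD" \
        | sort | uniq -c | sort -n \
        | awk '{ print $1, $2 }'
}

# suspicious_cwd LOGFILE THRESHOLD
# Keeps only directories whose count is at or above THRESHOLD. The threshold
# is a judgement call, as the post says; 3 is an assumed value for the sample.
suspicious_cwd() {
    count_cwd "$1" | awk -v t="$2" '$1 >= t { print $1, $2 }'
}

count_cwd "$SAMPLE_LOG"
echo "--- directories at or above threshold 3 ---"
suspicious_cwd "$SAMPLE_LOG" 3
```

On a live server run count_cwd /var/log/exim_mainlog; rotated logs (exim_mainlog-YYYYMMDD) can be passed the same way to look further back.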


b) Tracking direct spammers.

Sometimes a spammer sends spam from their own email client through your server: they connect to your SMTP port and submit mail, usually with the credentials of a compromised account (method 2 above). On most servers the SMTP port is 25. Knowing the SMTP port, you can list the IP addresses connected to it, with a connection count for each, using the following command.

netstat -plan |grep ':25 ' | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

Keep the space after 25 inside the quotes: a bare :25 would also match other ports beginning with 25, such as a local port 2525 or a remote client's ephemeral port 25431.

If you are using another port for SMTP (not 25), replace the 25 in the command with the correct one.

If you are not sure about the SMTP port, the following command lists the port numbers registered for SMTP.

cat /etc/services | grep smtp

Note that /etc/services only lists the standard assignments; to see which port Exim is actually listening on, use netstat -plnt | grep exim.

The output of the netstat command above looks like this.

---
1 116.71.245.135
1 125.234.48.129
1 140.99.35.170
1 202.157.140.6
1 202.188.126.67
1 203.120.149.51
1 203.123.11.18
1 209.85.223.187
1 217.20.114.34
2 151.65.135.172
---


If you find any IP address with a high number of connections, say 10, it should be double checked.

To block the spammer's IP address you can use the following command.

iptables -A INPUT -s IP_address -j DROP

Don't forget to replace "IP_address" in the above command with the correct IP address. Two caveats: -A appends the rule to the end of the INPUT chain, so if an earlier rule already accepts the connection, use -I INPUT instead so the DROP is evaluated first; and a rule added this way is lost at reboot unless the iptables rules are saved.
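The steps above (find the SMTP port, count connections per remote address, block the heavy hitters) as one script. This is an added example, not code from the original post; the netstat output it parses is constructed (RFC 5737 documentation addresses, not a capture from a real host), and the function names and the threshold of 3 are assumptions made for the illustration. Unlike the grep :25 pipeline, it compares the local port as a whole field, so local port 2525 and a remote ephemeral port such as 25555 are not counted by mistake.

```shell
#!/bin/sh
# Added example, not from the original post: count remote addresses with an
# ESTABLISHED connection to the local SMTP port in netstat -plan output, and
# print the iptables rule for each address at or above a threshold.

# Constructed netstat -plan style output (RFC 5737 / RFC 3849 addresses).
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 192.0.2.10:25           198.51.100.7:49152      ESTABLISHED 1234/exim
tcp        0      0 192.0.2.10:25           198.51.100.7:49153      ESTABLISHED 1234/exim
tcp        0      0 192.0.2.10:25           198.51.100.7:49154      ESTABLISHED 1234/exim
tcp        0      0 192.0.2.10:25           203.0.113.5:51000       ESTABLISHED 1234/exim
tcp        0      0 192.0.2.10:443          203.0.113.9:25555       ESTABLISHED 2222/httpd
tcp        0      0 192.0.2.10:2525         203.0.113.9:52000       ESTABLISHED 1234/exim
tcp6       0      0 2001:db8::10:25         2001:db8::99:40000      ESTABLISHED 1234/exim
EOF

# smtp_clients NETSTAT_FILE PORT
# Prints "<count> <remote address>" for every remote address with an
# ESTABLISHED connection to local PORT, lowest count first. The port is the
# last ':'-separated component of the local address ($4); the remote address
# is the foreign field ($5) with its port component removed, which also works
# for the tcp6 rows.
smtp_clients() {
    awk -v port="$2" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($4, laddr, ":")
            if (laddr[n] == port) {
                remote = $5
                sub(/:[^:]*$/, "", remote)
                count[remote]++
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -n
}

# block_rules NETSTAT_FILE PORT THRESHOLD
# Prints, without running, one iptables rule per remote address whose
# connection count is at or above THRESHOLD. -I puts the DROP at the top of
# the INPUT chain. Review the list before applying it; an IPv6 address would
# need ip6tables instead.
block_rules() {
    smtp_clients "$1" "$2" \
        | awk -v t="$3" '$1 >= t { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

smtp_clients "$SAMPLE_NETSTAT" 25
echo "--- rules for addresses with 3 or more connections ---"
block_rules "$SAMPLE_NETSTAT" 25 3
```

On a live server feed real output with netstat -plan > /tmp/ns.txt and then smtp_clients /tmp/ns.txt 25; the printed rules are meant to be read first and pasted only for the addresses you have confirmed.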

Hope this article was helpful. Here I explained the initial steps you should take to stop spamming.

This is not the only way to track a spammer on a cPanel server. Get to know the fields of the Exim log file; they are a great help in tracking a spammer.

If you are already familiar with the Exim commands and the Exim logs, take a closer look at them, find your own ways, and you will become a smarter sysadmin.

In the next session, I will give you some tips on preventing spamming more easily.


---
You can easily catch a spammer if you keep your eyes wide open, look for the clues that are hidden, and be persistent. No spammer is as intelligent as a system administrator. They get away because we are lazy enough to let them. Chasing, catching and killing spammers should be considered a sysadmin's virtue.
