-3

My unix server is sending lots of spam mail. I am investigating the issue but could not find the script location. Here is one of the spam mail headers. There is no information about the script location.

    1XG440-0003wz-8i-H
    mail 8 12
    <latisha_powers@silakalite.com>
    1407580792 0
    -helo_name silakalite.com
    -host_address 127.0.0.1.44541
    -host_name localhost.localdomain
    -interface_address 127.0.0.1.25
    -received_protocol esmtp
    -body_linecount 5
    -deliver_firsttime
    XX
    1
    vilder_fax@ohtmail.com

    245P Received: from localhost.localdomain ([127.0.0.1] helo=silakalite.com)
        by s1.codezing.com with esmtp (Exim 4.67)
        (envelope-from <latisha_powers@silakalite.com>)
        id 1XG440-0003wz-8i
        for vilder_fax@ohtmail.com; Sat, 09 Aug 2014 13:39:52 +0300
    037  Date: Sat, 9 Aug 2014 10:39:50 +0000
    055F From: "Latisha Powers" <latisha_powers@silakalite.com>
    058R Reply-To:"Latisha Powers" <latisha_powers@silakalite.com>
    046I Message-ID: <b8f7788-1c74b-7e@silakalite.com>
    027T To: vilder_fax@ohtmail.com
    028  Subject: Re:  heh malay car
    023  X-Priority: 3 (Normal)
    018  MIME-Version: 1.0
    046  Content-Type: text/html; charset="iso-8859-1"
    032  Content-Transfer-Encoding: 8bit

Also, here you can find the Exim mainlog.

    2014-08-09 12:29:15 1XG2xZ-0001cm-Sy == nepal_hero@yahoo.com R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<maude_mcmahon@silakalite.com> SIZE=1851: host mta6.am0.yahoodns.net [66.196.118.36]: 421 4.7.1 [TS03] All messages from 46.102.243.208 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
    2014-08-09 12:29:18 1XG2xi-0001dA-KT <= hillary_newton@silakalite.com U=apache P=local S=794 T="Fw:  He he Ulia Suzana Homemade Lesbian" from <hillary_newton@silakalite.com> for nepalbabu54@yahoo.com

How can I identify the script location?

umki
  • 769
  • 13
  • 31

1 Answer

0

Your web hosting panel uses Exim as its mail server. One of your customers has a website that has an insecure feedback form (it allows a submitter to specify the recipient, possibly the sender, and the data). The first clue is from this:

    2014-08-09 12:29:18 1XG2xi-0001dA-KT <= hillary_newton@silakalite.com U=apache P=local

It says that the user is apache. So the next thing to do is go look in your webserver logs, starting at exactly 12:29:18, and look a few seconds before and a few seconds after until you find one site that a GET or POST was performed on a feedback form (or an insecure form in general).

Is silakalite.com your customer? Is hillary_newton@ a valid sender for that domain? If yes, then it should be easy to find the website which is causing this. If no, then you can only figure it out by the timestamps.

Todd Lyons
  • 998
  • 12
  • 19
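The timestamp correlation the answer describes, as an added example (not part of the original answer): it pulls every message Exim accepted from the local `apache` user out of the mainlog and lists the POST requests in the webserver access log within a few seconds of each one. The log lines and the `/contact/send.php` path are constructed samples, and both logs are assumed to use the server's local time.

```python
import re
from datetime import datetime

# Constructed sample of an Exim mainlog, in the format shown in the question:
# "<=" is a message arrival, U= is the local user that handed it to Exim.
EXIM_MAINLOG = """\
2014-08-09 12:29:15 1XG2xZ-0001cm-Sy == nepal_hero@yahoo.com R=lookuphost T=remote_smtp defer (-45): SMTP error
2014-08-09 12:29:18 1XG2xi-0001dA-KT <= hillary_newton@silakalite.com U=apache P=local S=794 T="Fw: sample" from <hillary_newton@silakalite.com> for nepalbabu54@yahoo.com
"""

# Constructed Apache combined-format access log; the paths are hypothetical.
ACCESS_LOG = """\
203.0.113.7 - - [09/Aug/2014:12:29:10 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2014:12:29:17 +0300] "POST /contact/send.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Aug/2014:12:29:40 +0300] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

EXIM_ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) .*?\bU=(?P<user>\S+)")
APACHE_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def web_submissions(mainlog, user="apache"):
    """Yield (timestamp, message id, envelope sender) for every message Exim
    accepted from a local process running as `user` (the webserver)."""
    for line in mainlog.splitlines():
        m = EXIM_ARRIVAL.match(line)
        if m and m.group("user") == user:
            when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield when, m.group("id"), m.group("sender")

def requests_near(access_log, when, window=5, methods=("POST",)):
    """Return (timestamp, client ip, method, path) for requests of the given
    methods logged within +/- `window` seconds of `when`."""
    hits = []
    for line in access_log.splitlines():
        m = APACHE_LINE.match(line)
        if not m or m.group("method") not in methods:
            continue
        t = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
        if abs((t - when).total_seconds()) <= window:
            hits.append((t, m.group("ip"), m.group("method"), m.group("path")))
    return hits

def correlate(mainlog, access_log, window=5):
    """Map each webserver-originated Exim message id to the candidate form
    submissions that happened around the time Exim accepted it."""
    return {msg_id: requests_near(access_log, when, window)
            for when, msg_id, _sender in web_submissions(mainlog)}

if __name__ == "__main__":
    for msg_id, hits in correlate(EXIM_MAINLOG, ACCESS_LOG).items():
        print(msg_id, hits)
```

Run it against the real `/var/log/exim_mainlog` and each customer's access log; the paths that keep showing up next to `U=apache` arrivals are the scripts to inspect. On PHP 5.3 or later, setting `mail.add_x_header = On` in php.ini makes future messages carry an `X-PHP-Originating-Script` header naming the script, which removes the guesswork.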