Stop PHP nobody Spammers

Jerry404 08:41, April 10, 2005

Could you put example spam_log output? I think i got it to work on Redhat9/Cpanel system, however information recorded seems to be limited to Date/Location of the script. Which is a lot anyway, howeve rlooking at the $variables in the script I expected more info.

VexT 18:57, April 13, 2005

Wed Apr 13 12:45:01 EDT 2005 - 69.x.x.x ran ./horde/imp/compose.php at www.website.org n - - - - 
Wed Apr 13 12:47:39 EDT 2005 - 209.x.x.x ran /process.php at www.website.com n - -

Haloweb 14:06, April 14, 2005

I tried to get this working on Redhat9/Cpanel but although it recorded all the php sendmail attempts it was not sending the actual mail - any ideas ?

ScottsdaleHosting 09:59, April 19, 2005

Haloweb, 
 
Did you move the original /usr/sbin/sendmail to /usr/sbin/sendmail.hidden exactly as it stated in the tutorial. You have to rename your actual sendmail file to sendmail.hidden because the new spam catching sendmail script is calling upon sendmail.hidden to actually do the delivering of the message.

VexT 07:15, May 1, 2005

The spam_log doesn't seem to have any line breaks. Great stuff especially if that could be addressed.

Snowman 11:38, May 2, 2005

Great tute. 
 
For adding the log to logrotate will the following work? 
 
/var/log/spam_log { 
missingok 
postrotate 
endscript 
} 
 
and if so should this be added to the bottom of logrotate.conf or to the /etc/logrotate.d/exim file????

Snowman 03:14, May 14, 2005

Unfortunately this hack stopped working for no apparent reason after about 24 hours, all mail was lost wiht nothign getting thru at all until i removed it :( 
 
Its a pity cause it was a great idea.

Steve 03:38, May 17, 2005

Did you ensure you did 
chattr + i /usr/sbin/sendmail 
and also check the permissions? It sounds like Cpanel did an automatic update and overwrote your changes.

Craig 18:07, May 22, 2005

Hello 
 
This is a nice tutorial, but some things: 
 
(1) If we are disabling the NOBODY user, then how exactly should we modify out MAIL() functions in PHP code? This has not been addressed. If we clearly specify the SMTP.MYDOMAIN.COM in our PHP code, will that work? 
 
(2) How exactly can we add the EXIM file to logrotate? I use cPanel 10.0.0-R161 . 
 
Thanks, and if you reply, kindly send a note to my email address as well. 
 
CM

Steve 17:21, May 25, 2005

You can add the following to get it rotating. 
 
pico /etc/logrotate.conf 
 
# SPAM LOG rotation 
/var/log/spam_log { 
monthly 
create 0777 root root 
rotate 1 
} 
 
Article updated with this as well.

Andrew 16:50, June 1, 2005

As someone mentioned, can line breaks be added to make the logs more readable? 
 
Thanks.

Andrew 17:58, June 2, 2005

**UPDATE** this tutorial does not work!! It will break the PHP mailer function, no mail got delivered for any of our clients while using this hack. 
 
Andrew

Vincent 22:29, June 13, 2005

To add the linebreak, simply change 
 
print INFO "$date - $PWD - @infon"; 
 
to 
 
print INFO "$date - $PWD - @infon /n/n";

Mak 02:02, June 16, 2005

it working fine, but there should be more enhancement, How about destination email 
and what about generating rss feed of new spams?

Mark 02:20, June 16, 2005

How about more improvment like 
1) Destination email 
2) user 
3) script path 
and then generating RSS file of the result 
would it be cool and useful ?

mic 06:45, June 16, 2005

I tried to get this working on Redhat9 but although it recorded all the php sendmail attempts it was not sending the actual mail and not restart sendmail - any ideas ?

Susan 06:51, June 16, 2005

I tried to get this working on Redhat9 but although it recorded all the php sendmail attempts it was not sending the actual mail and not restart sendmail

PHP 22:52, June 25, 2005

When running this: 
chattr + i /usr/sbin/sendmail 
 
It gives: 
chattr: No such file or directory while trying to stat i 
 
I have verified that the file exists by opening it. 
 
What can be done?

dt 11:47, July 3, 2005

To PHP: just remove the space between + and i and it will work.

behzad 15:17, July 9, 2005

This hack only delivers to local emails. an error occuring when try to send mail out, like yahoo mail: 
 
[email protected] R=fail_remote_domains: unrouteable 
mail domain "yahoo.com"

ogy 22:55, July 12, 2005

it would be chattr +i /usr/bin/sendmail

MCT 22:20, July 24, 2005

PHP -- get rid of the space between the + and the i, should look like: 
chattr +i /usr/sbin/sendmail 
 
Got this working well, but started getting these silly messages like "- - user x 33333 33334 /home/user /usr/local/cpanel/bin/noshell" in the log file. Little snooping and it turned out to be message forwards to emails on the same server set up by clients in cpanel. Very scary at first, as it looks like spammer activity!

someone 09:49, July 31, 2005

You people do know that this is VERY insecure and not properly written, right? 
 
Do me a favor and just do this as root: 
 
perl -le 'print getpwudi($<);' 
 
You will see roots password hash. 
 
perl -le '$,=":"; @info = getpwnam((getpwuid($<))[0]); delete(@info[1]); print @info;' 
root::0:0:::root:/root:/bin/bash 
 
well well, isn't that better. 
 
and what's up with this 0777 crap? sense when does a logfile need to have execute permissions anyways? 
 
What needs to be done here is use the syslog facility. 
 
Please people, do not blindly use scripts from the internet without knowing what they are doing first.

Stephen 20:48, September 5, 2005

How can i uninstall this script? 
 
My clientexec script stop sending invoice...

Yujin 08:28, September 9, 2005

To uninstall the script, do 
 
rm -f /usr/sbin/sendmail 
mv /usr/sbin/sendmail.hidden /usr/sbin/sendmail

M.A 12:00, October 5, 2005

I cannot send a mail from PHP program with mail() function . 
 
What should I do ?

Taz 01:25, October 21, 2005

Mine logs aswell ( not cleanly no line breaks) but the email doesnt get delivered. plz help

hz 00:01, October 26, 2005

I canÂ´t see anymore spam_log, only appears: - - - - - instead /home/user/script.cgi

Thomas 17:49, November 22, 2005

Hi 
hmm, I just implemented your script and it is working perfectly. thanks 
 
The output I have is like 
Tue Nov 22 17:29:20 CET 2005 - 127.0.0.1 ran at xx.xx.xxx.xx n 
(only hide my ip) 
could somebody explain me what that means?

Tamouh 03:53, November 24, 2005

Additionally, you can monitor EXIM logs and find out which script path initiated the spam by adding this line in the start of your EXIM config file (This should be al in one line): 
 
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error

emeric Olenga 12:57, November 30, 2005

how to clean up tail - f /var/log/spam_log when is big?

Bhavik 12:47, December 2, 2005

If we are disable the NOBODY user, then how exactly should we modify out MAIL() functions in PHP code. Can anybody help me out?

Lukas 15:41, December 20, 2005

i got a logs like this one: how i can locate a spammer ? 
 
myip nTue Dec 20 14:32:46 CET 2005 - 83.29.68.195 ran at 
myip nTue Dec 20 14:33:12 CET 2005 - 83.29.68.195 ran at 
myip nTue Dec 20 14:33:19 CET 2005 - 83.29.68.195 ran at

Cem 18:57, December 29, 2005

Hi, 
 
Thank you for that great tutorial. Can you make it more advanced?

SAINT 03:54, January 22, 2006

If you are running Cpanel you can do the same thing clicking "tweak settings" under Server Configurations. This fixed the Spam problem and did not break the mail scripts.

jayesh 09:23, February 21, 2006

please reply this query 
 
i m using mail function to send mails in php they get sent in bulk folder. 
i want to send them in inbox 
how do i do 
help????

Hitesh Kachru 20:16, February 26, 2006

Can this be done on Qmail with Plesk CP. How to do this in Qmail?

kailas 08:38, April 5, 2006

but how will I know that there is PHP nobody Spammers and I have to do the above . please assist me with this

Prabash32 16:30, April 9, 2006

This article is of great use for us... 
working fine on our servers... 
mmmmmm Great..!!!!!!!!! 
 
 
Thanks

Nixon Girard 23:24, April 16, 2006

SENSATIONAL

codeunix 16:26, April 29, 2006

i have a big problem, i cant send any email, i get Mail delivery system error that emai lwas not delivered, please help me out :( 
 
thanks

bobby 12:36, May 15, 2006

hi, 
just curiose, why do i see sendmail processes for users even if they have no script installed that use sendmail? 
 
Thanks

ME 18:02, May 16, 2006

I get this error when i log as root 
/usr/sbin/sendmail: Exec format error

Me 21:12, May 31, 2006

Yujin 
To uninstall the script, do 
 
rm -f /usr/sbin/sendmail 
mv /usr/sbin/sendmail.hidden /usr/sbin/sendmail 
============================ 
 
rm: cannot remove `/usr/sbin/sendmail': Operation not permitted 
root@home [~]# 
 
any soluation ???

Steve 01:34, June 1, 2006

chattr -i sendmail myabe? 
Or try lsattr sendmail to see if it has any special permissions set. You might have to shut down the mail server beforeyou can remove it if a process is using that it won't be able to remove.

Richard 16:09, June 21, 2006

Has anyone tried the above changes using Dovecot, instead of sendmail? I can't really find info about that :-(

justin 07:18, July 10, 2006

The idea is great. But nobone has futher explained the need for 0777 for the logs. 
isn't that a point.(by someone) 
 
:)

Rafal 02:17, February 3, 2007

Great article! Im using this on every my server

Edward 23:07, April 23, 2007

I cant get this to log or send mail out. It just fails! Anyone got any experience as to why? 
 
System: Fedora Core 3 
Mail: Postfix

abdalla 19:31, July 26, 2007

it`s not working 
 
not secure 
 
just read ur exim logs and throw it away 
 
bye

ldaap 08:38, September 24, 2007

This script does not work with plesk panel, becouse when i implemented the server stop send emails by this way

behnam sarfarazi 15:07, December 12, 2007

how i can to know who is spammer in the log ?

Dennis 21:54, December 14, 2007

Great script. Works for all my servers, except for the new one. 
 
The new one with newest Plesk/Qmail will fail to send mail using this script.

matt 19:22, February 7, 2008

This looks a bit outdated, but the script has a few errors. 
 
Please note @infon looks as though it should be @info\n <note the slash in front of the trailing n. It looks like the html does not display the slashes.

Edward 00:37, April 27, 2008

Hi, 
 
I'm trying to add the line break in the spam log, But it is not working. I changed the line: 
print INFO "$date - $PWD - @infon"; 
to 
print INFO "$date - $PWD - @infon /n/n"; 
But not working. :-( 
 
Also can we see the exact script/file name in the log like the one described by VexT 
 
VexT 
Wed Apr 13 12:45:01 EDT 2005 - 69.x.x.x ran ./horde/imp/compose.php at www.website.org n - - - - 
Wed Apr 13 12:47:39 EDT 2005 - 209.x.x.x ran /process.php at www.website.com n - - 
 
I am only getting only the corresponding directory and not file. Please see the results from my server: 
 
# tail -f /var/log/spam_log 
Sun Apr 27 01:16:54 EEST 2008 - /home/rbeg/public_html/err - Sun Apr 27 01:17:01 EEST 2008 - /home/rbeg/public_html/err - Sun Apr 27 01:17:01 EEST 2008 - / - Sun Apr 27 01:17:40 EEST 2008 
 
Please advice. 
 
Thanks.

Randy Henderson 02:21, November 19, 2008

This seems dated, none of the "this works great" comments had a date (the last one said Apr 27 from the logs but who knows what year). Since cPanel 11 I am not sure this would work. 
 
But the jewel in reading all this was Tamouh's post. This works great with putting who sent the email through the exim log where it should be. 
 
The only difference between what Tamouh post and what I am using is I also added +subject to my configuration. 
 
November 2008

J. ADAM 03:20, March 17, 2010

I'm newbe here on that, how can see the log file where??? 
no idea 
thank you for help me

Andras 17:02, September 29, 2010

For those who have trouble sending mail after installing this script:

1) sendmail IS the program that mails the mails
2) you replace that program with a script that instead of sending the mail writes a log of who is sending
3) this way you can see WHO is sending
4) after you killed off that WHO you should remove the script and restore the original sendmail file so that it can send the mails
5) you should also probably empty the queue if it is full of spam

Best-Selling Hosting

Top Rated Providers

Editors Pick

Stop PHP nobody Spammers Published: Apr 07, 2005

Rating

3/5

Rating

Rating

Rate it!

Related Articles

Comments (58)

Add Your Thoughts

Best-Selling Hosting

Top Rated Providers

Editors Pick

Stop PHP nobody Spammers Published: Apr 07, 2005 Rating 3/5

Rating

Rating

Rate it!

Related Articles

Comments (58)

Add Your Thoughts

Stop PHP nobody Spammers Published: Apr 07, 2005

Rating

3/5