CPanel + Exim + Apache issues! Someone must have run into, and solved this before =(

Ok, well here's the story,

I'm sure everyone is familiar with CPanel/WHM and Exim. I'm also sure most of us have run into an insecure formmail cgi script, or something along those lines, exploited to dump out spam or mail bombs by some script kiddie on the net. Well, that's exactly what one of our servers has run into, except it's not formmail (we cleaned them all out, not a single .cgi left on the server), but unfortunately the exim logs do not provide enough information to resolve the case.

Exim provides just "nobody@serverhostname.com" in the logs as sending mail, no domain, username, nada, and there's too much traffic and too many domains to check the apache logfiles to track down the site with the exploitable script (300 or so domains, 700 logfiles in /usr/local/apache/domlogs/).

My question is, has anyone managed to make exim 3.xx /dev/null emails coming from nobody@serverhostname.com, log the domain the original request is coming from .... *anything?!*. I've done some searching on cpanel.net, on google, on exim.org, IRC, you name it, and haven't had a terrible amount of luck. I saw two solutions: one needed a version of exim not used by CPanel (not in the mood to play overhaul), and one required strings to be added to *every* virtualhost in the httpd.conf (let's be realistic, that's not a realistic solution nowadays, esp. not on reseller servers).

So my question is, all you CPanel guys and gals, a few of you must have run into this/be running into this, how are you coping with this, do you have modifications to exim to display more information in the logs, did you find an efficient way to trap mail from nobody@serverhostname, or what.

Currently I implemented a fix I think might work, but because I can't even find the script exploiting apache mail handling, I really can't test it, or tell if my solution is working... I can only wait for more abuse complaints (though I did get a chuckle, someone used it to smack a spammer, and the spammer was crying that his mailbox was being harassed, "way to take one for the team kiddo", but it still has to stop).

Hope someone has insight, I could really use it.
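One way to narrow down the sending site from the logs described in the post, shown as an added example that is not part of the original post: match the arrival time of each message from nobody@serverhostname.com in the Exim main log against requests in the per-domain Apache logs and rank the scripts requested just before each send. The log lines are constructed samples, the function names are hypothetical, and both logs are assumed to use the same local time zone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data. On a real server, read the Exim main log and each
# file under /usr/local/apache/domlogs/ (keyed by file name) instead.
EXIM_LOG = """\
2003-06-01 14:02:11 19MXyz-0003Ab-00 <= nobody@serverhostname.com U=nobody P=local S=1842
2003-06-01 14:02:12 19MXyz-0003Ab-00 => victim@example.net R=lookuphost T=remote_smtp
2003-06-01 14:05:40 19MXzA-0003Bc-00 <= alice@example.org H=(mail) [192.0.2.9] P=smtp S=900
2003-06-01 14:07:30 19MXzB-0003Cd-00 <= nobody@serverhostname.com U=nobody P=local S=1850
"""
DOMLOGS = {
    "shop.example": """\
198.51.100.7 - - [01/Jun/2003:14:02:10 -0500] "POST /contact.php HTTP/1.0" 200 512
203.0.113.4 - - [01/Jun/2003:14:05:00 -0500] "GET /index.html HTTP/1.0" 200 2048
198.51.100.7 - - [01/Jun/2003:14:07:29 -0500] "POST /contact.php?x=1 HTTP/1.0" 200 512
""",
    "blog.example": """\
203.0.113.9 - - [01/Jun/2003:14:02:30 -0500] "GET / HTTP/1.0" 200 4096
203.0.113.9 - - [01/Jun/2003:14:06:00 -0500] "GET /about.html HTTP/1.0" 200 1024
""",
}
EXIM_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= (\S+)")
APACHE_RE = re.compile(r'^\S+ \S+ \S+ \[([^\] ]+)[^\]]*\] "\S+ (\S+)')

def send_times(exim_text, sender):
    """Arrival times of messages ('<=' lines) whose envelope sender matches."""
    return [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            for m in map(EXIM_RE.match, exim_text.splitlines())
            if m and m.group(2) == sender]

def correlate(times, domlogs, window=5):
    """Per (domain, path): count of request/send pairs where the send follows
    the request by at most `window` seconds."""
    hits, span = Counter(), timedelta(seconds=window)
    for domain, text in domlogs.items():
        for m in filter(None, map(APACHE_RE.match, text.splitlines())):
            when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            path = m.group(2).split("?", 1)[0]  # group hits by script, not query
            hits[(domain, path)] += sum(timedelta(0) <= t - when <= span for t in times)
    return +hits  # unary plus drops entries with a zero count

if __name__ == "__main__":
    times = send_times(EXIM_LOG, "nobody@serverhostname.com")
    for (domain, path), n in correlate(times, DOMLOGS).most_common(10):
        print(f"{n:4d}  {domain}{path}")
```

This is a timing heuristic: on a busy server unrelated pages will also score, so the useful signal is a script whose count tracks the number of sends.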
