Nobody Prevention Script

A big problem today is the abundance of Spammers listing as “Nobody”.

This tutorial will outline how to properly set it up on Cpanel based systems.

root@yourserver [~]# mv /usr/sbin/sendmail /usr/sbin/sendmail.real
// backup your existing sendmail in the event of an error.

root@yourserver [~]# pico /usr/sbin/sendmail
// Open this badboy up, now paste the code below into it.

# use strict;
 use Env;
 my $date = `date`;
 chomp $date;
 open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
 my $uid = $>;
 my @info = getpwuid($uid);
         print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
 else {

        print INFO "$date - $PWD -  @info\n";

 my $mailprog = '/usr/sbin/sendmail.real';
 foreach  (@ARGV) {
         $arg="$arg" . " $_";

 open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
 while ( ) {
         print MAIL;
 close (INFO);
close (MAIL);

Now save the work above…

root@yourserver [~]# chmod +x /usr/sbin/sendmail
// make sendmail executable

root@yourserver [~]# echo > /var/log/formmail.log

root@yourserver [~]# chmod 755 /var/log/formmail.log (If no work change to chmod 777)

root@yourserver [~]# pico /var/log/formmail.log
// above is where all the data is stored, it may take up to a couple hours for it to begin filling with data. However if you notice an extreme amount of instances of a user sending mail, it may be spam. In the past without this script it would list them as “Nobody”. With the script in place it lists the user and where the mail is being setn from.
As always it’s a good idea to routinely check who and how many perl processes are running as this is also another large gateway for outgoing spam.

root@yourserver [~]# ps aux | grep perl
// if you see a user with one to many perl processes running, and nothing much going on at his site, in most cases that i’ve seen this is the source of spam.


Both comments and pings are currently closed.

Comments are closed.