Apple User Email Password Keeps Getting Compromised Sending Spam Thought?

PDW

Well-Known Member
Dec 29, 2003
138
3
168
I am at my witts end with this. I have one email account on the server that keeps becoming compromised and sends spam. This is on a government account and I have probably 50 users and this one user is using an iPhone and an apple computer.

The server is set to use SSL (force and required), pop before smtp before send mail session etc....
We have changed his password every time its become compromised and I have no other accounts with the issue.
I run CSF, as well as ASSP Deluxe (so great tool for finding logs and all.

Thoughts on where else I should be looking. I am baffled. Been dealing with this for a few months.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
457
113
UK
cPanel Access Level
Root Administrator
Based on the information you have given us so far, I have a couple of thoughts:

1) The email account is not actually compromised, but is being "spoofed" - good SPF, DKIM and DMARC can go some way towards mitigating this scenario (You should be able to see in the mail logs if the account is actually logging into the server to send the spam emails - if you don't have access to the server logs you may need to enlist the help of the server administrator)

2) One or more of the devices your user connects to his email account from (or the computer or account you send the new passwords from) is infected with something like a key logger and every time you send him a new password it is shared with the hackers. - again you should be able to verify if the email account is actually being used (eg authenticated to) to send the mails from the logs.

3) The user is writing down the new password on a post-it, and sticking it to his screen for everyone to see !

Hope this helps.
 
  • Like
Reactions: cPanelLauren

PDW

Well-Known Member
Dec 29, 2003
138
3
168
Logs show they are using the password and sending through the server. So ya not spoofing and getting returned due to spoofing in the log below I ** out some for security reasons.
Dec-18-1900:09:58202.137.142.181 info: authentication (LOGIN) realms - user:jgo*@gh*.org, pass:***;

Very frustrating.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
457
113
UK
cPanel Access Level
Root Administrator
Is your user using a mail client or webmail ?
 

PDW

Well-Known Member
Dec 29, 2003
138
3
168
Apple mail client on his phone as well as on his apple computer, so email client not a website.
 

sparek-3

Well-Known Member
Aug 10, 2002
1,983
218
343
cPanel Access Level
Root Administrator
Is that a standard log that logs the password the user used? I'm not aware of such a facility in cPanel, but then again I stick mainly to using command line logs.

If the password is being logged there... in plain text... then the potential exists that whatever facility is being used to view this is also compromised. Although that would probably mean that other email accounts would be compromised.

What networks is the user using to check their email account? Public wifi? Are the networks being used safe and secure? Are they using secure/encrypted ports or STARTTLS sessions?

I'm assuming keyloggers can exist for Macs just like they can for other systems. They could also exist at the network level.

Are you sure the user is using strong and secure passwords? They're not using something like doggo1 and then when that password is compromised, changing it to doggo2 ... you might be surprised at how often something like this happens.
 
  • Like
Reactions: rpvw

rpvw

Well-Known Member
Jul 18, 2013
1,101
457
113
UK
cPanel Access Level
Root Administrator
Whilst I am sensitive to the fact this is a government account (and you are probably catching a good deal of user irritation from it), if it is in any way possible to enlist the cooperation of the client - these are the steps I would be inclined to try:
  1. Disable any webmail services for that account if possible.
  2. Disable POP before SMTP - it is a security risk and it just requires the users to set up SMTP authentication credentials separately in their mail clients
  3. Change the password to the email account in question and DON'T TELL the client for a few days (if the account is used with the new password the breach is your end)
  4. Ask the client to change the password on the desktop after the first few days delay (if the account starts sending spam the likely-hood is the desktop or desktop connection is breached.)
  5. After a time, change the password on the mobile device and see if the spam starts up again. (If it does then the mobile is breached)
The intention is to attempt to eliminate the various services/devices that could e breached or leaking the changed password. To that end, you may want/need to try changing the cPanel login password for that account as well.

Hope this is some use.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
Whilst I am sensitive to the fact this is a government account (and you are probably catching a good deal of user irritation from it), if it is in any way possible to enlist the cooperation of the client - these are the steps I would be inclined to try:
  1. Disable any webmail services for that account if possible.
  2. Disable POP before SMTP - it is a security risk and it just requires the users to set up SMTP authentication credentials separately in their mail clients
  3. Change the password to the email account in question and DON'T TELL the client for a few days (if the account is used with the new password the breach is your end)
  4. Ask the client to change the password on the desktop after the first few days delay (if the account starts sending spam the likely-hood is the desktop or desktop connection is breached.)
  5. After a time, change the password on the mobile device and see if the spam starts up again. (If it does then the mobile is breached)
The intention is to attempt to eliminate the various services/devices that could e breached or leaking the changed password. To that end, you may want/need to try changing the cPanel login password for that account as well.

Hope this is some use.
This is the exact advice I'd give but I wouldn't disable webmail - just change their password and do a hard restart of dovecot. Then watch /var/log/maillog further logins to that account would be something that's occurring on the server.