Attempting to block spam

[pstallings]

I have a problem on our server at work at the moment. We have a few accounts with just a few place holder domains and separate web site templates. The accounts are setup with default settings, did not add any accounts. However we are having a problem with spammers sending unauthorized emails through our servers. thousands of emails coming from <RandomName>@<ourdomain>.com. however this account does not exist.

They all seem to have something along this in the Mail Control Data:

**** 505 505
<kristy_house@<OurDomain>.com
1393281041 0
-ident *****
-received_protocol local
-aclc _outgoing_spam_scan 1
1
-body_linecount 3
-max_received_linelength 162
-auth_id *****
-auth_sender *********
[B]-allow_unqualified_recipient
-allow_unqualified_sender[/B]
-local
-spam_score_int 35
-sender_set_untrusted
XX

I have a few questions:
- How can I find the IP address submitting these emails to blacklist them?
- How can I disable the option for the two above options?
- How else could I prevent these issues?

Thanks for any help!

 

[cPanelMichael]

Hello

The mail header you provided does not provide enough information to pinpoint how exactly the email was sent out. Have you reviewed /var/log/exim_mainlog for the offending email address to see if you notice any additional information? Did you check the account associated with the offending domain name to see if any scripts with the ability to send out email are installed? In "WHM Home » Service Configuration » Exim Configuration Manager", under the "Mail" header, there are a couple of options you can enable to help determine the source of new emails sent out:

"EXPERIMENTAL: Rewrite From: header to match actual sender"
"Set SMTP Sender: headers"

The following document provides information on how to prevent email abuse:

cPanel - Prevent Email Abuse

Thank you.

 

[pstallings]

Thank you for your help, I have found the problem and corrected it. It seems someone uploaded a malicious script to our website.

For anyone else suffering this issue, I looked in the exim_mainlog (Located in /var/log) and saw the following text while searching for an email that I knew was not from us:

2014-02-23 04:11:28 cwd=/home/****/public_html/wp-content/themes/twentythirteen/css 4 args: /usr/sbin/sendmail -t -i -fberta_benton@****.com
2014-02-23 04:11:28 1WHV5s-0003Np-2l SMTP connection outbound 1393146688 1WHV5s-0003Np-2l ****.com ***@yahoo.com
2014-02-23 04:11:28 1WHV5s-0003Nw-4y <= berta_benton@****.com U=graven01 P=local S=824 T="RE: whats for dinner?" for ****@yahoo.com
2014-02-23 04:11:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WHV5s-0003Nt-3x
2014-02-23 04:11:28 1WHV5s-0003Nt-3x => ****<berta_benton@****.com> R=localuser T=local_delivery

We have removed this script, and others scattered around, and the problem is solved. Thank you.

 

[cPanelMichael]

We have removed this script, and others scattered around, and the problem is solved. Thank you.

I am happy to see the issue is now resolved. Thank you for updating us with the outcome.

 

[Atomas]

Thank you for your help, I have found the problem and corrected it. It seems someone uploaded a malicious script to our website.

For anyone else suffering this issue, I looked in the exim_mainlog (Located in /var/log) and saw the following text while searching for an email that I knew was not from us:



We have removed this script, and others scattered around, and the problem is solved. Thank you.

Thanks!. Your post was my soltuion after 4-5 hours of work. :D