pstallings (Registered, Feb 24, 2014; cPanel Access Level: Root Administrator)
I have a problem on our server at work at the moment. We have a few accounts with just a few placeholder domains and separate website templates. The accounts are set up with default settings; we did not add any accounts. However, we are having a problem with spammers sending unauthorized emails through our servers: thousands of emails coming from <RandomName>@<ourdomain>.com, but this account does not exist.

They all seem to have something along these lines in the Mail Control Data:

Code:
**** 505 505
<[email protected]<OurDomain>.com
1393281041 0
-ident *****
-received_protocol local
-aclc _outgoing_spam_scan 1
1
-body_linecount 3
-max_received_linelength 162
-auth_id *****
-auth_sender *********
-allow_unqualified_recipient
-allow_unqualified_sender
-local
-spam_score_int 35
-sender_set_untrusted
XX
I have a few questions:
- How can I find the IP address submitting these emails, so that I can blacklist it?
- How can I disable the two options above (allow_unqualified_recipient and allow_unqualified_sender)?
- How else could I prevent these issues?

Thanks for any help!

cPanelMichael (Technical Support Community Manager, Staff member; Apr 11, 2011; cPanel Access Level: DataCenter Provider)
Hello :)

The mail header you provided does not provide enough information to pinpoint how exactly the email was sent out. Have you reviewed /var/log/exim_mainlog for the offending email address to see if you notice any additional information? Did you check the account associated with the offending domain name to see if any scripts with the ability to send out email are installed? In "WHM Home » Service Configuration » Exim Configuration Manager", under the "Mail" header, there are a couple of options you can enable to help determine the source of new emails sent out:

"EXPERIMENTAL: Rewrite From: header to match actual sender"
"Set SMTP Sender: headers"

The following document provides information on how to prevent email abuse:

cPanel - Prevent Email Abuse

Thank you.

pstallings (Registered, Feb 24, 2014; cPanel Access Level: Root Administrator)
Thank you for your help, I have found the problem and corrected it. It seems someone uploaded a malicious script to our website.

For anyone else suffering this issue, I looked in the exim_mainlog (located in /var/log) and saw the following text while searching for an email that I knew was not from us:
Code:
2014-02-23 04:11:28 cwd=/home/****/public_html/wp-content/themes/twentythirteen/css 4 args: /usr/sbin/sendmail -t -i [email protected]****.com
2014-02-23 04:11:28 1WHV5s-0003Np-2l SMTP connection outbound 1393146688 1WHV5s-0003Np-2l ****.com ***@yahoo.com
2014-02-23 04:11:28 1WHV5s-0003Nw-4y <= [email protected]****.com U=graven01 P=local S=824 T="RE: whats for dinner?" for ****@yahoo.com
2014-02-23 04:11:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WHV5s-0003Nt-3x
2014-02-23 04:11:28 1WHV5s-0003Nt-3x => ****<[email protected]****.com> R=localuser T=local_delivery
We have removed this script, and others scattered around, and the problem is solved. Thank you.
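The search described in the reply above can be automated. The following is an added example, not code from the thread or from cPanel: it scans exim_mainlog text for the "cwd=... args:" lines Exim writes for local sendmail/exim invocations, keeps those whose working directory lies under a web-served path (assumed here to be public_html or www), pairs each with the P=local message Exim queued in the same second, and counts local submissions per account. The log lines are constructed to resemble the masked ones posted above.

```python
import os
import re
from collections import Counter

# Constructed sample resembling the exim_mainlog lines posted above: a sendmail call
# from inside a theme directory, the message Exim queued for it, a queue-runner
# delivery, and a legitimate message from another account.
SAMPLE_LOG = """\
2014-02-23 04:11:28 cwd=/home/acct1/public_html/wp-content/themes/twentythirteen/css 4 args: /usr/sbin/sendmail -t -i graven01@example.com
2014-02-23 04:11:28 1WHV5s-0003Nw-4y <= graven01@example.com U=acct1 P=local S=824 T="RE: whats for dinner?" for victim@example.net
2014-02-23 04:11:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WHV5s-0003Nw-4y
2014-02-23 04:11:29 1WHV5s-0003Nw-4y => victim@example.net R=lookuphost T=remote_smtp
2014-02-23 04:12:01 cwd=/home/acct2 3 args: /usr/sbin/sendmail -t -i
2014-02-23 04:12:01 1WHV6P-0003Qz-1a <= acct2@example.com U=acct2 P=local S=512 T="invoice" for customer@example.org
"""

CWD_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: (.*)$")
RECV_RE = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) .*?U=(\S+) P=(\S+)(?: .*?T="([^"]*)")?')
WEB_DIR_MARKERS = ("/public_html/", "/www/")  # assumed: where an uploaded PHP mailer would run

def injection_sites(log_text):
    """One record per local sendmail/exim call from a web directory, paired with the queued message."""
    hits, pending = [], None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            ts, cwd, args = m.groups()
            argv = args.split()
            prog = os.path.basename(argv[0]) if argv else ""
            # "-Mc" is Exim re-invoking itself for delivery, not a new submission
            if prog in ("sendmail", "exim") and "-Mc" not in argv \
                    and any(mark in cwd for mark in WEB_DIR_MARKERS):
                pending = {"time": ts, "cwd": cwd, "argv": argv}
            continue
        m = RECV_RE.match(line)
        if m and pending and m.group(5) == "local" and m.group(1) == pending["time"]:
            _ts, msg_id, sender, user, _proto, subject = m.groups()
            pending.update(id=msg_id, sender=sender, user=user, subject=subject)
            hits.append(pending)
            pending = None
    return hits

def local_submissions_by_user(log_text):
    """Count P=local messages per Unix user; a spike on one account points at the compromised site."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if m and m.group(5) == "local":
            counts[m.group(4)] += 1
    return counts
```

Run it against `open("/var/log/exim_mainlog").read()` on a cPanel box; each hit's `cwd` is the directory to inspect for uploaded mailer scripts.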

Atomas (Registered, Mar 4, 2009)
Thanks! Your post was my solution after 4-5 hours of work. :D