The Community Forums


Attempting to block spam

Discussion in 'E-mail Discussions' started by pstallings, Feb 24, 2014.

  1. pstallings

    pstallings Registered

    Joined:
    Feb 24, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I have a problem on our server at work at the moment. We have a few accounts with just a few placeholder domains and separate website templates. The accounts are set up with default settings; we did not add any accounts. However, we are having a problem with spammers sending unauthorized emails through our servers. Thousands of emails are coming from <RandomName>@<ourdomain>.com; however, this account does not exist.

    They all seem to have something along these lines in the Mail Control Data:

    Code:
    **** 505 505
    <kristy_house@<OurDomain>.com
    1393281041 0
    -ident *****
    -received_protocol local
    -aclc _outgoing_spam_scan 1
    1
    -body_linecount 3
    -max_received_linelength 162
    -auth_id *****
    -auth_sender *********
    [B]-allow_unqualified_recipient
    -allow_unqualified_sender[/B]
    -local
    -spam_score_int 35
    -sender_set_untrusted
    XX
    I have a few questions:
    - How can I find the IP address submitting these emails to blacklist them?
    - How can I disable the option for the two above options?
    - How else could I prevent these issues?

    Thanks for any help!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The mail header you provided does not provide enough information to pinpoint how exactly the email was sent out. Have you reviewed /var/log/exim_mainlog for the offending email address to see if you notice any additional information? Did you check the account associated with the offending domain name to see if any scripts with the ability to send out email are installed? In "WHM Home » Service Configuration » Exim Configuration Manager", under the "Mail" header, there are a couple of options you can enable to help determine the source of new emails sent out:

    "EXPERIMENTAL: Rewrite From: header to match actual sender"
    "Set SMTP Sender: headers"

    The following document provides information on how to prevent email abuse:

    cPanel - Prevent Email Abuse

    Thank you.
     
  3. pstallings

    Thank you for your help, I have found the problem and corrected it. It seems someone uploaded a malicious script to our website.

    For anyone else suffering this issue, I looked in the exim_mainlog (located in /var/log) and saw the following text while searching for an email that I knew was not from us:
    Code:
    2014-02-23 04:11:28 cwd=/home/****/public_html/wp-content/themes/twentythirteen/css 4 args: /usr/sbin/sendmail -t -i -fberta_benton@****.com
    2014-02-23 04:11:28 1WHV5s-0003Np-2l SMTP connection outbound 1393146688 1WHV5s-0003Np-2l ****.com ***@yahoo.com
    2014-02-23 04:11:28 1WHV5s-0003Nw-4y <= berta_benton@****.com U=graven01 P=local S=824 T="RE: whats for dinner?" for ****@yahoo.com
    2014-02-23 04:11:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WHV5s-0003Nt-3x
    2014-02-23 04:11:28 1WHV5s-0003Nt-3x => ****<berta_benton@****.com> R=localuser T=local_delivery
    We have removed this script, and others scattered around, and the problem is solved. Thank you.
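
Added example (not part of the original post, and not cPanel's own tooling): a Python script that automates the check described above by grouping the `cwd=` lines of exim_mainlog by the directory that invoked sendmail and listing web directories that submitted mail under several different `-f` envelope senders. The `/home/<user>/public_html` pattern, the two-sender threshold, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# "cwd=" lines are written when a local process invokes exim/sendmail.
CWD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cwd=(?P<cwd>.+?) \d+ args: (?P<args>.*)$")
# Envelope sender given on the command line as -f<addr> or -f <addr>.
SENDER_RE = re.compile(r"(?:^|\s)-f\s?(?P<sender>\S+)")
# Assumption: cPanel-style web roots, as in the path shown in the post.
WEB_ROOT_RE = re.compile(r"^/home/[^/]+/public_html(/|$)")

def summarize_local_submissions(lines, ignore_prefixes=("/var/spool/exim",)):
    """Group local mail submissions by the directory they were run from."""
    by_dir = defaultdict(lambda: {"count": 0, "senders": set(), "first_seen": None})
    for line in lines:
        m = CWD_RE.match(line.strip())
        if not m or m.group("cwd").startswith(ignore_prefixes):
            continue  # not a cwd line, or Exim re-invoking itself (-Mc)
        entry = by_dir[m.group("cwd")]
        entry["count"] += 1
        entry["first_seen"] = entry["first_seen"] or m.group("ts")
        s = SENDER_RE.search(m.group("args"))
        if s:
            entry["senders"].add(s.group("sender"))
    return dict(by_dir)

def suspicious_dirs(summary, min_senders=2):
    """Web-content directories that sent mail under several -f senders."""
    hits = [(d, e) for d, e in summary.items()
            if WEB_ROOT_RE.match(d) and len(e["senders"]) >= min_senders]
    return sorted(hits, key=lambda hit: -hit[1]["count"])

# Constructed sample in exim_mainlog format (not real log data).
SAMPLE_LOG = """\
2014-02-23 04:11:28 cwd=/home/exampleuser/public_html/wp-content/themes/twentythirteen/css 4 args: /usr/sbin/sendmail -t -i -fberta_benton@example.com
2014-02-23 04:11:28 1AAAAA-000001-AA <= berta_benton@example.com U=exampleuser P=local S=824 T="RE: whats for dinner?" for someone@example.net
2014-02-23 04:11:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1AAAAA-000001-AA
2014-02-23 04:11:31 cwd=/home/exampleuser/public_html/wp-content/themes/twentythirteen/css 4 args: /usr/sbin/sendmail -t -i -fkristy_house@example.com
2014-02-23 04:11:35 cwd=/home/exampleuser/public_html/wp-content/themes/twentythirteen/css 4 args: /usr/sbin/sendmail -t -i -fanna_smith@example.com
2014-02-23 09:02:10 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
""".splitlines()

if __name__ == "__main__":
    for path, info in suspicious_dirs(summarize_local_submissions(SAMPLE_LOG)):
        print(f"{info['count']:>5} msgs, {len(info['senders'])} senders, "
              f"first {info['first_seen']}  {path}")
```

On a live server, pass the open log file (for example `open("/var/log/exim_mainlog", errors="replace")`) instead of `SAMPLE_LOG`; a directory that ranks high here is where to look for the uploaded script.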
     
  4. cPanelMichael

    I am happy to see the issue is now resolved. Thank you for updating us with the outcome.
     
  5. Atomas

    Atomas Registered

    Joined:
    Mar 4, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Thanks! Your post was my solution after 4-5 hours of work. :D
     