Attempting to block spam

Discussion in 'E-mail Discussion' started by pstallings, Feb 24, 2014.

  1. pstallings

    pstallings Registered

    Joined:
    Feb 24, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I have a problem on our server at work at the moment. We have a few accounts with just a few placeholder domains and separate web site templates. The accounts are set up with default settings; we did not add any accounts. However, we are having a problem with spammers sending unauthorized emails through our servers: thousands of emails coming from <RandomName>@<ourdomain>.com. However, this account does not exist.

    They all seem to have something along these lines in the Mail Control Data:

    Code:
    **** 505 505
    <kristy_house@<OurDomain>.com
    1393281041 0
    -ident *****
    -received_protocol local
    -aclc _outgoing_spam_scan 1
    1
    -body_linecount 3
    -max_received_linelength 162
    -auth_id *****
    -auth_sender *********
    [B]-allow_unqualified_recipient
    -allow_unqualified_sender[/B]
    -local
    -spam_score_int 35
    -sender_set_untrusted
    XX
    I have a few questions:
    - How can I find the IP address submitting these emails to blacklist them?
    - How can I disable the option for the two above options?
    - How else could I prevent these issues?

    Thanks for any help!
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,214
    Likes Received:
    1,936
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    The mail header you provided does not provide enough information to pinpoint how exactly the email was sent out. Have you reviewed /var/log/exim_mainlog for the offending email address to see if you notice any additional information? Did you check the account associated with the offending domain name to see if any scripts with the ability to send out email are installed? In "WHM Home » Service Configuration » Exim Configuration Manager", under the "Mail" header, there are a couple of options you can enable to help determine the source of new emails sent out:

    "EXPERIMENTAL: Rewrite From: header to match actual sender"
    "Set SMTP Sender: headers"

    The following document provides information on how to prevent email abuse:

    cPanel - Prevent Email Abuse

    Thank you.
     
  3. pstallings

    Thank you for your help. I have found the problem and corrected it. It seems someone uploaded a malicious script to our website.

    For anyone else suffering this issue, I looked in the exim_mainlog (located in /var/log) and saw the following text while searching for an email that I knew was not from us:
    Code:
    2014-02-23 04:11:28 cwd=/home/****/public_html/wp-content/themes/twentythirteen/css 4 args: /usr/sbin/sendmail -t -i -fberta_benton@****.com
    2014-02-23 04:11:28 1WHV5s-0003Np-2l SMTP connection outbound 1393146688 1WHV5s-0003Np-2l ****.com ***@yahoo.com
    2014-02-23 04:11:28 1WHV5s-0003Nw-4y <= berta_benton@****.com U=graven01 P=local S=824 T="RE: whats for dinner?" for ****@yahoo.com
    2014-02-23 04:11:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WHV5s-0003Nt-3x
    2014-02-23 04:11:28 1WHV5s-0003Nt-3x => ****<berta_benton@****.com> R=localuser T=local_delivery
    We have removed this script, and others scattered around, and the problem is solved. Thank you.
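
    The log check described in the post above, generalised into a small script (an added example, not part of the original posts): it tallies the `cwd=` directories from which mail was handed to sendmail/exim and, per system user, the locally submitted messages and distinct sender addresses. The `cwd=` lines are written when Exim's `arguments` log selector is on; the function names, the sample log, `example.com` and the user `webuser` are constructed for illustration.

```shell
#!/bin/sh
# Assumes the exim_mainlog line layout shown in the thread (no pid/timezone fields).

# Count "cwd=<dir> <argc> args:" lines per directory, busiest first.
top_mail_cwds() {
    awk '
        match($0, / cwd=.* [0-9]+ args: /) {
            s = substr($0, RSTART + 5, RLENGTH - 5)  # "<dir> <argc> args: "
            sub(/ [0-9]+ args: $/, "", s)            # keep only <dir>
            if (s == "/var/spool/exim") next         # queue runs by Exim itself
            count[s]++
        }
        END { for (d in count) printf "%d %s\n", count[d], d }
    ' "$1" | sort -k1,1nr -k2
}

# Per system user: "<user> <local messages> <distinct envelope senders>".
local_senders_by_user() {
    awk '
        $4 == "<=" {
            user = ""; isLocal = 0
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^U=/) user = substr($i, 3)
                if ($i == "P=local") isLocal = 1
                if ($i ~ /^T=/) break                # subject text follows
            }
            if (isLocal && user != "") {
                msgs[user]++
                if (!seen[user SUBSEP $5]++) addrs[user]++
            }
        }
        END { for (u in msgs) printf "%s %d %d\n", u, msgs[u], addrs[u] }
    ' "$1" | sort -k2,2nr
}

# Constructed sample log; write it to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
2014-02-23 04:11:28 cwd=/home/webuser/public_html/wp-content/themes/twentythirteen/css 4 args: /usr/sbin/sendmail -t -i -fberta_benton@example.com
2014-02-23 04:11:28 1WHV5s-0003Nw-4y <= berta_benton@example.com U=webuser P=local S=824 T="RE: whats for dinner?" for someone@example.net
2014-02-23 04:11:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WHV5s-0003Nt-3x
2014-02-23 04:11:29 cwd=/home/webuser/public_html/wp-content/themes/twentythirteen/css 4 args: /usr/sbin/sendmail -t -i -fkristy_house@example.com
2014-02-23 04:11:29 1WHV5t-0003Nz-1a <= kristy_house@example.com U=webuser P=local S=831 T="RE: hello" for other@example.net
2014-02-23 04:12:02 cwd=/home/webuser/public_html 4 args: /usr/sbin/sendmail -t -i -fcontact@example.com
2014-02-23 04:12:02 1WHV6Q-0003Pc-7b <= contact@example.com U=webuser P=local S=512 T="Contact form" for owner@example.com
EOF
}

if [ -n "${1:-}" ]; then top_mail_cwds "$1"; local_senders_by_user "$1"; fi
```

    Run it with the log path as its argument. A theme or upload directory at the top of the first list, or one user with many distinct sender addresses in the second, is where to look for an uploaded mailer script.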
     
  4. cPanelMichael

    I am happy to see the issue is now resolved. Thank you for updating us with the outcome.
     
  5. Atomas

    Atomas Registered

    Joined:
    Mar 4, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    51
    Thanks! Your post was my solution after 4-5 hours of work. :D
     