
Auth Relay Spam

Discussion in 'E-mail Discussions' started by petru, Apr 18, 2017.

  1. petru

    petru Active Member

    Joined:
    Jul 12, 2013
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hi Guys,

    I've read through various other posts which are similar to this, but I can't seem to put my finger on what is causing this. One of my accounts randomly started sending out emails from all over the world. I don't believe the account has been compromised though, not only because I can't find any suspicious logins in the event log, but also because there is nothing on the account: just email accounts, no files which could be hosting PHP mailers or anything.
    I have checked WHM's "Most Relayed Emails" area and found that this account has already sent out 900+ emails in a matter of minutes, but I can't seem to stop it without suspending the email account itself. How is this happening?


    Code:
    Mail Control Data:
    mailnull 47 12
    <something@someone.com>
    1492519511 0
    -helo_name [127.0.0.1]
    -host_address 190.24.207.54.50212
    -host_name static-190-24-207-54.static.etb.net.co
    -host_auth dovecot_plain
    -interface_address "ServerIP".587
    -received_protocol esmtpa
    -aclc _outgoing_spam_scan 1
    1
    -body_linecount 2
    -max_received_linelength 67
    -auth_id something@someone.com
    -deliver_firsttime
    -spam_bar +++
    -spam_score 3.5
    -spam_score_int 35
    XX
    12
    jg65807@aol.com
    charvell51@aol.com
    mmullenlaw42@aol.com
    penfieldbuilders@aol.com
    pimmsno1@aol.com
    jg65807@aol.com
    mikjul69@aol.com
    ljr282@aol.com
    penfieldbuilders@aol.com
    tlgilmore2@aol.com
    jtrwsmset@aol.com
    kspurlin63@aol.com
    Date:   
    Tue, 18 Apr 2017 14:45:09 +0200
    From:   
    something@someone.com
    To:   
    jg65807@aol.com
    Subject:   
    The video card also known as the?
    Cc:   
    charvell51@aol.com, mmullenlaw42@aol.com
    Content-Transfer-Encoding:   
    quoted-printable
    Content-Type:   
    text/plain; charset=UTF-8
    Message-Id:   
    <AF0C26BD-8336-7748-30AE-A59AC15CA9BF@ptnetworx.com.au>
    Mime-Version:   
    1.0 (1.0)
    Received:   
    from static-190-24-207-54.static.etb.net.co ([190.24.207.54]:50212 helo=[127.0.0.1])
     by theservername.com with esmtpa (Exim 4.88)
     (envelope-from <something@someone.com>)
     id 1d0SVL-0003jp-SI; Tue, 18 Apr 2017 22:45:16 +1000
    X-Mailer:   
    iPad Mail (13E238)
    X-OutGoing-Spam-Status:   
    No, score=3.5
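The control data above is the option section of Exim's spool -H file as WHM shows it. The fields that matter for the question in this post are `-received_protocol esmtpa` (the message came in over an authenticated submission), `-host_auth` / `-auth_id` (which credentials were used) and `-host_address` (the real client, regardless of what `-helo_name` claims). The following parser is an added example, not code from the original post or from cPanel; it reads a constructed sample in the same layout (the header section that follows the recipient list is omitted) and lists the signals an admin would check by hand. The `split_host_address` helper assumes the IPv4 `address.port` form seen in the post, and the thresholds in `assess_submission` are arbitrary choices for the example.

```python
import ipaddress

# Constructed sample, not the data from the original post: the control section of an Exim
# spool -H file in the form WHM's Mail Queue Manager shows it. The header section that would
# follow the recipient list is omitted. Addresses reuse the placeholders from the post.
SAMPLE_SPOOL = """\
mailnull 47 12
<something@someone.com>
1492519511 0
-helo_name [127.0.0.1]
-host_address 190.24.207.54.50212
-host_name static-190-24-207-54.static.etb.net.co
-host_auth dovecot_plain
-interface_address 203.0.113.5.587
-received_protocol esmtpa
-aclc _outgoing_spam_scan 1
1
-body_linecount 2
-max_received_linelength 67
-auth_id something@someone.com
-deliver_firsttime
-spam_bar +++
-spam_score 3.5
-spam_score_int 35
XX
3
jg65807@aol.com
charvell51@aol.com
mmullenlaw42@aol.com
"""


def parse_spool_control(text):
    """Parse the sender, the '-option' lines and the recipient list of a spool -H dump."""
    lines = text.splitlines()
    info = {"sender": None, "options": {}, "recipients": []}
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "XX":
            # Empty non-recipients tree; the recipient count and the recipients follow.
            count = int(lines[i + 1])
            info["recipients"] = lines[i + 2:i + 2 + count]
            break
        if line.startswith("<") and line.endswith(">"):
            info["sender"] = line[1:-1]
        elif line.startswith("-"):
            name, _, value = line[1:].partition(" ")
            if name in ("aclc", "aclm"):
                # ACL variable: "-aclc <name> <length>" with the value on the next line.
                var = value.split()[0]
                i += 1
                name, value = f"{name}_{var}", lines[i]
            info["options"][name] = value
        i += 1
    return info


def split_host_address(value):
    """Split Exim's IPv4 'address.port' form (as in the post) into (ip, port)."""
    ip, _, port = value.rpartition(".")
    return ip, int(port)


def assess_submission(info):
    """Return (suspicious, findings) for one submission record.

    The findings are heuristics to check by hand, not proof of a compromised mailbox.
    """
    opts = info["options"]
    findings = []
    ip, port = split_host_address(opts["host_address"])
    client = ipaddress.ip_address(ip)
    helo = opts.get("helo_name", "").strip("[]")
    auth_id = opts.get("auth_id")

    authenticated = opts.get("received_protocol") in ("esmtpa", "esmtpsa") and bool(auth_id)
    if authenticated:
        findings.append(f"relayed with credentials for {auth_id} ({opts.get('host_auth')})")
    if helo in ("127.0.0.1", "::1", "localhost") and not client.is_loopback:
        findings.append(f"HELO claims loopback but the client is {ip}:{port}")
    if client.is_global:
        findings.append("submission came from a public address, not the server itself")
    if len(info["recipients"]) >= 3:
        findings.append(f"{len(info['recipients'])} recipients in one message")

    # Credentials were used plus at least one other signal (thresholds are example choices).
    suspicious = authenticated and len(findings) > 1
    return suspicious, findings


if __name__ == "__main__":
    record = parse_spool_control(SAMPLE_SPOOL)
    flagged, why = assess_submission(record)
    print("suspicious" if flagged else "looks normal")
    for finding in why:
        print(" -", finding)
```

The point of the check is that `esmtpa` plus an `-auth_id` means the server accepted a valid password for that mailbox; the absence of PHP mailers on the account does not matter, because nothing on the server sent the mail, a remote client did, using the account's SMTP credentials.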
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,086
    Likes Received:
    1,288
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Have you tried changing the password of the cPanel account, and any email addresses added under the account? If not, try that and let us know if the issue persists. Additionally, browse to "WHM Home » Security Center » SMTP Restrictions" and verify if this option is enabled.

    As far as the messages, you should also try searching /var/log/exim_mainlog for some of the CC'd email addresses to see how the message is processed, e.g.:

    Code:
    exigrep user@remote-domain /var/log/exim_mainlog
    Thank you.
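Beyond grepping for individual recipients, the question in this thread (is someone relaying through a mailbox's credentials, and from where?) is answered by the `<=` arrival lines in exim_mainlog: an authenticated submission carries `P=esmtpa` (or `esmtpsa` over TLS) and `A=dovecot_plain:<user>` or `A=dovecot_login:<user>`, and `H=... [ip]:port` records the real client. The script below is an added example, not part of the reply above or of cPanel's tooling. It parses constructed sample lines in that layout (with received_recipients logged, so each arrival line ends in `for <recipients>`), aggregates per authenticated user, and flags a user who bursts messages in a short window or submits from several client addresses. The thresholds and the IPs in the sample are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample lines, not taken from the original post: Exim "<=" arrival lines in the
# layout cPanel's Exim 4.88 writes to /var/log/exim_mainlog when recipients are logged, plus
# one "=>" delivery line that the parser must ignore. Sender/recipient addresses are
# placeholders; the non-post client IPs come from documentation ranges.
SAMPLE_MAINLOG = """\
2017-04-18 22:45:16 1d0SVL-0003jp-SI <= something@someone.com H=static-190-24-207-54.static.etb.net.co ([127.0.0.1]) [190.24.207.54]:50212 P=esmtpa A=dovecot_plain:something@someone.com S=812 id=AF0C26BD-8336-7748-30AE-A59AC15CA9BF@ptnetworx.com.au T="The video card also known as the?" for jg65807@aol.com charvell51@aol.com mmullenlaw42@aol.com
2017-04-18 22:45:18 1d0SVN-0003jq-AB <= something@someone.com H=([127.0.0.1]) [203.0.113.7]:41022 P=esmtpa A=dovecot_plain:something@someone.com S=790 id=1@example.invalid T="Re: invoice" for a@example.net b@example.net
2017-04-18 22:45:20 1d0SVP-0003jr-CD <= something@someone.com H=([127.0.0.1]) [198.51.100.9]:51300 P=esmtpa A=dovecot_login:something@someone.com S=801 id=2@example.invalid T="hello" for c@example.org
2017-04-18 22:46:01 1d0SW4-0003js-EF <= alice@someone.com H=(mail.example.com) [192.0.2.10]:3321 P=esmtpsa A=dovecot_login:alice@someone.com S=2200 id=3@example.invalid T="Minutes" for bob@example.com
2017-04-18 22:46:05 1d0SVL-0003jp-SI => jg65807@aol.com R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.com [192.0.2.25]
"""

# Authenticated arrival: the client address is the last "[ip]:port" before "P=", whatever
# the HELO in parentheses claims; the authenticated user follows the authenticator name.
ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.*?)\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ P=(?P<proto>\S+) "
    r"A=(?P<mech>[^:\s]+):(?P<user>\S+) .*? for (?P<rcpts>.+)$"
)


def summarize_authenticated_arrivals(log_text):
    """Per authenticated user: message count, recipient count, distinct client IPs, time span."""
    stats = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # deliveries (=>), bounces, unauthenticated inbound mail
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        s = stats.setdefault(
            m["user"],
            {"messages": 0, "recipients": 0, "ips": set(), "first": ts, "last": ts},
        )
        s["messages"] += 1
        s["recipients"] += len(m["rcpts"].split())
        s["ips"].add(m["ip"])
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def flag_relay_abuse(stats, min_messages=3, window_seconds=300, max_ips=2):
    """Flag users that burst messages within a short window or relay from several client IPs.

    Thresholds are example values; tune them to the account's normal behaviour.
    """
    flagged = {}
    for user, s in stats.items():
        span = (s["last"] - s["first"]).total_seconds()
        reasons = []
        if s["messages"] >= min_messages and span <= window_seconds:
            reasons.append(f"{s['messages']} messages in {int(span)}s")
        if len(s["ips"]) >= max_ips:
            reasons.append(f"{len(s['ips'])} distinct client IPs: {', '.join(sorted(s['ips']))}")
        if reasons:
            flagged[user] = {"recipients": s["recipients"], "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for user, hit in flag_relay_abuse(summarize_authenticated_arrivals(SAMPLE_MAINLOG)).items():
        print(f"{user}: {hit['recipients']} recipients; " + "; ".join(hit["reasons"]))
```

On a live server, `exigrep 'A=dovecot_.*:something@someone.com' /var/log/exim_mainlog` pulls the same lines for one mailbox, and the distinct `H=` client addresses in them answer the "from all over the world" part of the original question: that pattern is a password in use by a botnet, not a script on the account.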
     
  3. petru

    petru Active Member

    After changing my password it seems to have stopped. My password is quite secure and I highly doubt that it could have been brute-forced. Does this mean the password was compromised, or did they get in via some other method?

    Thanks!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    If changing the password resolved the issue, then it suggests the password may have been compromised (sometimes through exploits on a local workstation used to access the server). I recommend monitoring the situation to see if the activity resumes again, or if changing the password corrected the problem.

    Thank you.
     