Block individual email from sending spam from server

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Do you notice any additional information about the email in the message header or in /var/log/exim_mainlog?

You may also find the following document helpful:

cPanel - Prevent Email Abuse

Thank you.
 

dmacomber

Member
Oct 9, 2014
cPanel Access Level
Root Administrator
I had a similar situation. So this is what I did:

My immediate action was to put an Exim custom filter rule to forward those emails back to me. Most had the same "Pizza Hut Coupon" subject, so they didn't go out anymore.

Turn on PHP script information to be put in the email's header info to point out the offending PHP script. Mine was in that domain's HTML_Public\... folder.

Turn on PHP script logging to see what IP it was coming from and block all access from it in cPanel. The ideal option would be to correct those bad scripts, but that was not an option in my case.

Just on the off chance, do a search for
Code:
find / -name menu87.php
That was my bad script.
 

Infopro

Well-Known Member
May 20, 2003
cPanel Access Level
Root Administrator
I have a situation where my email server is being used to spam.
A nonexistent email address referencing my domain is successfully posting 100s of emails.

It's using something like this
[email protected]

e.g. [email protected]

Is there a (simple) way to stop this?

Any help is appreciated.

Casim.
Not sure if this is helpful here or not, worth a look to make sure it's enabled though:
WHM » Service Configuration » Exim Configuration Manager

Reject remote mail sent to the server's hostname [?]
Reject mail at SMTP time if the recipient is an address of the primary hostname of this server. No remote mail should normally be received for the primary hostname, and this has recently become a common spam target.
 

casim

Member
Dec 5, 2014
cPanel Access Level
Root Administrator
Firstly, thanks for your post. I'm working through your suggestion.

I'm new to this so I'll be slow but will be responding.

I'm editing the filter file using these directions for anyone else who may read this thread. https://documentation.cpanel.net/display/ALD/Customize+the+Exim+System+Filter+File#CustomizetheEximSystemFilterFile-HowtocreateacustomEximsystemfilterfile
 

casim

Member
Dec 5, 2014
cPanel Access Level
Root Administrator
Hi, can you show me the process & code you used to set up the filter?
I'm finding it difficult to wade through all the documentation on the How-To
Thanks in advance.
 

casim

Member
Dec 5, 2014
cPanel Access Level
Root Administrator
Wow, after a lot of reading and work I have solved my problem. Thank you!

I added the following lines of code to the php.ini

mail.add_x_header = On
mail.log = /var/log/phpmail.log

I created the phpmail.log file with write permissions,

and there it was in the header: 60 emails generated on each send.

The offending file for me was .info.php in a Moodle directory.

The [email protected]#les even had the leading . so it was read as a hidden system file.

Thanks everyone for your help.
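
Added example (not from any poster in this thread or from cPanel): a shell helper that ranks scripts by the mail() calls recorded in the mail.log enabled above, and lists hidden PHP files like the .info.php found here. It assumes PHP's mail.log line format as shown in the comments; the sample paths, addresses and dates are constructed.

```shell
#!/usr/bin/env bash
# Assumed mail.log line format (written by PHP when mail.log is set):
#   [date] mail() on [/path/script.php:LINE]: To: addr -- Headers: ...

# Print "COUNT<TAB>SCRIPT<TAB>FLAG" per script, busiest first.
# FLAG is "hidden" when the file name starts with a dot, otherwise "-".
rank_php_mailers() {
  awk '
    match($0, /mail\(\) on \[[^]]*:[0-9]+\]/) {
      s = substr($0, RSTART + 11, RLENGTH - 12)   # "path:line"
      sub(/:[0-9]+$/, "", s)                      # drop the line number
      n[s]++
    }
    END {
      for (s in n) {
        base = s; sub(/^.*\//, "", base)
        printf "%d\t%s\t%s\n", n[s], s, (base ~ /^\./ ? "hidden" : "-")
      }
    }' "$1" | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# List hidden PHP files (leading dot) under a directory, e.g. a docroot.
find_hidden_php() { find "$1" -type f -name '.*.php' 2>/dev/null | sort; }

# Constructed sample log; every path and address here is made up.
write_sample_log() {
  cat > "$1" <<'EOF'
[05-Dec-2014 10:00:01 UTC] mail() on [/home/user1/public_html/moodle/lib/.info.php:12]: To: a@example.net -- Headers: From: x@example.com
[05-Dec-2014 10:00:01 UTC] mail() on [/home/user1/public_html/moodle/lib/.info.php:12]: To: b@example.net -- Headers: From: x@example.com
[05-Dec-2014 10:00:02 UTC] mail() on [/home/user1/public_html/moodle/lib/.info.php:12]: To: c@example.net -- Headers: From: x@example.com
[05-Dec-2014 10:03:40 UTC] mail() on [/home/user1/public_html/contact.php:48]: To: owner@example.com -- Headers: From: form@example.com
EOF
}

# Demo on the sample; on a real server pass /var/log/phpmail.log instead.
log=$(mktemp)
write_sample_log "$log"
rank_php_mailers "$log"
rm -f "$log"
```

A script that tops this list with a burst of identical timestamps, especially one flagged hidden, is the first file to inspect.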
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I am happy to see you were able to address the issue. Thank you for updating us with the outcome.