Block sending e-mail from defaul address

Nabbello

Active Member
Nov 9, 2016
28
4
3
italy
cPanel Access Level
Root Administrator
@cPanelLauren

This is a delivery report example:
Event:success
success
Sender User:user
Sender Domain:domain.com
From Address:[email protected]
Sender:user
Sent Time:Dec 5, 2019, 12:49:12 PM
Sender Host:localhost
Sender IP:127.0.0.1
Authentication:localuser
Spam Score:
Recipient:[email protected]
Delivered To:[email protected]
Delivery User:-remote-
Delivery Domain:
Router:lookuphost
Transport:remote_smtp
Out Time:Dec 5, 2019, 12:49:12 PM
ID:1icpd1-0004vM-1Q
Delivery Host:gmail-smtp-in.l.google.com
Delivery IP:obscured
Size:3.15 KB
Result:Accepted

and i have many email
Time: Thu Dec 5 09:59:21 2019 +0100
Type: LOCALRELAY, Local Account - obscureduser
Count: 101 emails relayed
Blocked: No
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,421
689
263
Houston
cPanel Access Level
DataCenter Provider
This looks more like the result of an email sent via a PHP Script than anything else to me. What is the output of the following:

Code:
grep "cwd=/home/user" /var/log/exim_mainlog
There are a number of variations of commands like this but ultimately this is going to find emails sent via a script with the current working directory in /home/user

(remove any identifying information like IP addresses and actual domain names)
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,421
689
263
Houston
cPanel Access Level
DataCenter Provider
@cPanelLauren

a lot of

2019-12-05 20:54:02 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
Hello,

I'd check that user's public_html for the script that's sending mail. You may also want to look at running a malware scan on the account. The user is most likely not aware they're sending this mail and it's the result of a malware script.