Can't close out a spammer

Remotech

Member
Nov 12, 2015
UK
cPanel Access Level: Root Administrator
Hi,

Hope this is the correct place for this type of thing.. I am really battling on this one..

Over the last couple of days one account on my server appears to have been used to send spam.. We have changed the password twice but it doesn't appear to stop it.. I have managed to slow the spam by blocking all the IP addresses that have been used but that is not really a permanent solution and I am sure more IP addresses will come alive before long..

It doesn't appear that it's a web script or that it's accessing anything in a home directory; it appears to be directly relaying through the Exim server from multiple IP addresses in batches at random intervals.. Usually sending between about 5 and 20 messages, and it must be authenticating as the user in order to relay unless it's doing some other magic..

The exim logs show things like "Sender identification U=<username> D=-system- S=<username>" with the "-system-" suggesting it could be Exim itself propagating the messages and the HELO used is always mail.domain.com being the mx of the domain..

Sanitised log example.
Code:
2020-04-09 14:40:01.906 [7143] 1jMXPU-0001rD-St H=(mail.<domain>.com) [90.161.89.141]:54539 I=[<x.x.x.x>]:587 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (4.8/100)"
2020-04-09 14:40:01.939 [7143] 1jMXPU-0001rD-St <= <user>@<domain>.com H=(mail.<domain>.com) [90.161.89.141]:54539 I=[<x.x.x.x>]:587 P=esmtpsa L- X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no SNI="5.188.86.212" A=dovecot_plain:<user> S=787 M8S=0 RT=0.310s [email protected] T="" from <<user>@<domain>.com> for [email protected]
2020-04-09 14:40:01.993 [7430] 1jMXPU-0001rD-St Sender identification U=<user> D=-system- S=<user>
2020-04-09 14:40:02.751 [7430] 1jMXPU-0001rD-St => [email protected] F=<<user>@<domain>.com> P=<<user>@<domain>.com> R=dkim_lookuphost T=dkim_remote_smtp S=2174 H=hotmail-com.olc.protection.outlook.com [104.47.2.33]:25 I=[<x.x.x.x>]:32966 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes DN="/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com" L C="250 2.6.0 <[email protected]> [InternalId=76566382017348, Hostname=DB5EUR01HT150.eop-EUR01.prod.protection.outlook.com] 10637 bytes in 0.373, 27.836 KB/sec Queued mail for delivery -> 250 2.1.5" QT=1.855s DT=0.729s
2020-04-09 14:40:02.751 [7430] 1jMXPU-0001rD-St Completed QT=1.855s
Really looking for any ideas on how to track the issue and close it down?

cPanel is up to date so vulnerabilities should all be patched..

Thanks..
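Added example, not part of the post and not cPanel's own tooling: a small Python triage script for the exim mainlog that follows the `<=` line layout shown above (HELO in parentheses, then `[ip]:port`, `P=esmtpsa`, `A=mech:user`, with no reverse-DNS name before the HELO, which is an assumption). It groups authenticated submissions by the authenticated user and flags users whose credentials are used from more distinct source IPs than a normal mailbox owner would, which is the pattern a leaked password produces. The log lines are constructed with documentation IPs.

```python
import re
from collections import defaultdict

# Constructed sample exim mainlog lines (documentation IPs, fictional users).
SAMPLE_LOG = """\
2020-04-09 14:40:01.939 [7143] 1jMXPU-0001rD-St <= alice@example.com H=(mail.example.com) [192.0.2.10]:54539 I=[198.51.100.5]:587 P=esmtpsa L- X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:alice S=787 M8S=0 RT=0.310s T="" from <alice@example.com> for victim@example.net
2020-04-09 14:41:07.120 [7201] 1jMXQY-0001sA-Ab <= alice@example.com H=(mail.example.com) [192.0.2.11]:41002 I=[198.51.100.5]:587 P=esmtpsa L- X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:alice S=790 M8S=0 RT=0.290s T="" from <alice@example.com> for victim2@example.net
2020-04-09 14:42:13.004 [7222] 1jMXRd-0001tB-Cd <= alice@example.com H=(mail.example.com) [203.0.113.7]:50001 I=[198.51.100.5]:587 P=esmtpsa L- X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:alice S=801 M8S=0 RT=0.301s T="" from <alice@example.com> for victim3@example.net
2020-04-09 14:43:00.555 [7240] 1jMXSe-0001uC-Ef <= bob@example.com H=(bobs-laptop) [192.0.2.50]:33044 I=[198.51.100.5]:587 P=esmtpsa L- X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_login:bob S=1200 M8S=0 RT=0.200s T="hello" from <bob@example.com> for friend@example.org
2020-04-09 14:43:30.001 [7250] 1jMXTf-0001vD-Gh <= carol@example.org H=(mx.example.org) [192.0.2.99]:25000 I=[198.51.100.5]:25 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2000 M8S=0 RT=0.150s T="inbound" from <carol@example.org> for alice@example.com
"""

# Exim "<=" (message accepted) line: H=(helo) [ip]:port ... P=proto ... A=mech:user
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[\d+\] (?P<msgid>\S+) <= (?P<sender>\S+) '
    r'H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:\d+ .*?\bP=(?P<proto>\S+) '
    r'.*?\bA=(?P<mech>[^:\s]+):(?P<user>\S+)'
)

def parse_auth_arrivals(lines):
    """Yield one record per message accepted over authenticated SMTP (esmtpa/esmtpsa).
    Unauthenticated inbound mail has no A= field and is skipped."""
    for line in lines:
        m = ARRIVAL_RE.search(line)
        if m and m.group('proto') in ('esmtpa', 'esmtpsa'):
            yield m.groupdict()

def summarise_by_user(records):
    """Map authenticated user -> message count, distinct source IPs and HELO names."""
    summary = defaultdict(lambda: {'messages': 0, 'ips': set(), 'helos': set()})
    for r in records:
        s = summary[r['user']]
        s['messages'] += 1
        s['ips'].add(r['ip'])
        s['helos'].add(r['helo'])
    return dict(summary)

def flag_compromised(summary, max_ips=2):
    """Users whose password authenticates from more than max_ips distinct IPs;
    a leaked credential typically shows many source IPs in a short window."""
    return sorted(u for u, s in summary.items() if len(s['ips']) > max_ips)

if __name__ == '__main__':
    summary = summarise_by_user(parse_auth_arrivals(SAMPLE_LOG.splitlines()))
    for user, s in summary.items():
        print(f"{user}: {s['messages']} msgs from {sorted(s['ips'])} helo={sorted(s['helos'])}")
    print("suspect users:", flag_compromised(summary))
```

On a live server, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog; a flagged user is the credential to reset and the sessions to terminate, and the distinct IP list is what to feed to the firewall rather than chasing addresses one at a time.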