The Community Forums

Interact with an entire community of cPanel & WHM users!

Compromised Email Accounts..

Discussion in 'E-mail Discussions' started by thespudman, Jan 6, 2015.

  1. thespudman

    thespudman Registered

    Hi All,

    After banging my head over a few weeks I decided to see if the community had seen anything like this. We have several cPanel servers and are experiencing the following unusual behaviour with different accounts. Occasionally an account will randomly send out emails like the two following examples:

    Email addresses have been removed to protect users.
    ---------------
    Code:
    -interface_address 127.0.0.1.125
     -received_protocol esmtpa
     -body_linecount 1
     -max_received_linelength 781
     -auth_id XXXXXXXX
     YY XXXXXXXXXXXXX
     YY XXXXXXXXXXXXX
     YY XXXXXXXXXXXXX
     YN XXXXXXXXXXXXX
     NN XXXXXXXXXXXXX
     NN XXXXXXXXXXXXX
     YY XXXXXXXXXXXXX
     NN XXXXXXXXXXXXX
     NN XXXXXXXXXXXXX
     YY XXXXXXXXXXXXX
     YY XXXXXXXXXXXXX
     NN XXXXXXXXXXXXX
     NN XXXXXXXXXXXXX
     YY XXXXXXXXXXXXX
     NN XXXXXXXXXXXXX
     YN XXXXXXXXXXXXX
     NN XXXXXXXXXXXXX
    
    To: "mlblum" , "dharwig2000" , "chiari" , "the1amigo" , "mlortez" , "l bellhotmom2" , "happilyamused" , "rector" , "rkatzev" , "poor tom83" , "sednaimports" , "karmazin" , "angelina g hare" , "bbaars" , "Cory" , "Polly Hancock" , "Matt Richardson" , "vilmaz" , "Justin" 
    
    Hi! How are you?
    Breaking news link to a random dodgy website. it works!
    
    
    ---------------
    To: "jock28" , "ivyjock0" , "psifn" , "elongobard" , "latinprmen" , "ukywildcatfan1" , "chilledguy68" , "rsteve81" , "camperdudenh" , "pmichaud1" , "polarisclassic2000" , "toggleming" , "hotbizguy" , "andrewhuebner" , "firetravel69" , "jvieira87" , "nrthshrhottie" , "gmstone01" , "petermurphy1975" , "Musclekunt4u" 
    
    Hi!
    How are you? link to a random dodgy website.  Oprah says it works!
    M R
    ---------------

    Hyperlinks removed as they are probably dangerous.

    These emails are generated from a user that is fully authenticated, and after checking the log files they just present the username and password and send the emails via multiple IP addresses. We run brute force protection, ASSP Deluxe and other security measures. Now, is it more likely to be client side (something capturing the password, viruses, etc.) or do we have a real issue here? It only affects 2 - 3 accounts every month or so. Also something to be noted: the spammer is being very sneaky when sending out the emails, as they will only send about 20 emails per IP and then it finishes, I assume to avoid detection.

    I have outbound spam filtering enabled and this does stop it. Having checked all the log files, none of the IPs that connect have ever been near the server before they send the emails as above. Your thoughts would be greatly appreciated.

    thespudman
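The pattern the post describes (one authenticated login, `P=esmtpa`, used from several unrelated IPs with only a small batch sent per IP) can be hunted for in the Exim mainlog. The script below is an added example written for this thread, not code from the poster or from cPanel; the log lines are constructed in cPanel's Exim mainlog style, and the thresholds (3 distinct IPs, at most 25 messages per IP) are assumptions to tune per server.

```python
import re
from collections import defaultdict

# Constructed Exim mainlog lines in the style cPanel writes them (not taken from the thread).
# A=dovecot_login:<user> is the login the sender authenticated as; [..] is the client IP.
SAMPLE_LOG = """\
2015-01-06 09:01:10 1Y8aaa-0001Aa-Aa <= alice@example.com H=(pc) [198.51.100.10] P=esmtpa A=dovecot_login:alice@example.com S=1201
2015-01-06 09:01:12 1Y8aab-0001Ab-Ab <= alice@example.com H=(pc) [198.51.100.10] P=esmtpa A=dovecot_login:alice@example.com S=1202
2015-01-06 09:05:00 1Y8aac-0001Ac-Ac <= bob@example.com H=(x) [203.0.113.5] P=esmtpa A=dovecot_login:bob@example.com S=1300
2015-01-06 09:05:01 1Y8aad-0001Ad-Ad <= bob@example.com H=(x) [203.0.113.5] P=esmtpa A=dovecot_login:bob@example.com S=1300
2015-01-06 09:06:00 1Y8aae-0001Ae-Ae <= bob@example.com H=(y) [203.0.113.77] P=esmtpa A=dovecot_login:bob@example.com S=1300
2015-01-06 09:07:00 1Y8aaf-0001Af-Af <= bob@example.com H=(z) [192.0.2.9] P=esmtpa A=dovecot_login:bob@example.com S=1300
2015-01-06 09:08:00 1Y8aag-0001Ag-Ag <= bob@example.com H=(w) [192.0.2.200] P=esmtpa A=dovecot_login:bob@example.com S=1300
2015-01-06 09:09:00 1Y8aah-0001Ah-Ah <= carol@example.com H=(q) [203.0.113.5] P=esmtp S=900
"""

# Only "<=" (message received) lines that carry an A= authenticated-login field match.
LINE_RE = re.compile(
    r"^\S+ \S+ \S+ <= \S+ .*?\[(?P<ip>[0-9a-fA-F.:]+)\] P=(?P<proto>\S+) A=(?P<auth>\S+)"
)


def parse_authenticated_sends(log_text):
    """Return {auth_id: {client_ip: message_count}} for every authenticated submission."""
    sends = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unauthenticated relay traffic and delivery lines are not of interest
        auth_id = m.group("auth").split(":", 1)[-1]  # drop the "dovecot_login:" prefix
        sends[auth_id][m.group("ip")] += 1
    return sends


def flag_spread_accounts(sends, min_ips=3, max_per_ip=25):
    """Flag logins used from >= min_ips distinct IPs where no single IP sent more than max_per_ip.

    A legitimate user normally submits from one or two addresses; many IPs each sending a
    short burst is the "about 20 emails per IP" behaviour described in the post.
    """
    flagged = {}
    for auth_id, per_ip in sends.items():
        if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
            flagged[auth_id] = sorted(per_ip)
    return flagged


if __name__ == "__main__":
    for acct, ips in flag_spread_accounts(parse_authenticated_sends(SAMPLE_LOG)).items():
        print(f"{acct}: authenticated submissions from {len(ips)} IPs: {', '.join(ips)}")
```

On a live server, feed it `/var/log/exim_mainlog` and treat a flagged login as a candidate for a forced password reset and a check of the owner's workstation.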
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    The following document offers some advice on preventing email abuse:

    How To Prevent Email Abuse

    However, you may need to convey the seriousness of the matter to individual clients that may have an exploited workstation if it's continuing to happen on the same accounts.

    Thank you.
     