cPanel admin on Go Daddy being spammed significantly.

Cool_Games

Registered
Jun 27, 2020
Get2020cPanel
cPanel Access Level
Website Owner
This is my first post on the cPanel forum and I have not been able to navigate to find answers.

My admin account name was assigned by Go Daddy and has been compromised with lots of spam email, but one sender uses my domain name with uniquely created usernames.
The sender domain is similar to Mailchimp, allowing bulk sending, but daily I get double-digit duplicates from unique addresses of users that appear locally originated but are not valid user accounts.

I have a global spam filter and SpamAssassin, but these get through as junk without SPAM marking or status in viewed source.

What other things allow bypassing deleting without delivering of this exploit?

The sender domain is unresponsive even though it asks for complaints and reporting of abuses.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
Hello,


Since this is email for accounts that don't exist it tells me you have the catch-all set to the admin user. To change this I would suggest doing the following -> Go to cPanel>>Email>>Default Address and change the setting from "Forward to your system account" to "Discard the email while your server processes it by SMTP time with an error message."
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I'm a little confused.

"I get double digit duplicates from unique addresses of users that appear locally originated but are not valid user accounts. "

Let's assume that your domain is mydomain.com

Are you receiving emails to [email protected] (where somebody doesn't exist.)
Or are you receiving emails from [email protected] (where somebody doesn't exist.)

" The sender domain is unresponsive even though it asks for complaints and reporting of abuses. "
I'm not aware that I've ever seen an abuse complaint taken seriously, we are just small fish.
 

Cool_Games

Registered
Jun 27, 2020
Get2020cPanel
cPanel Access Level
Website Owner
The from is a unique name to mydomain.com from [email protected] processed by the-emailer.com.

the-emailer.com is in the header but the unsourced version sees from [email protected] sender [email protected].
Next message sent closely timed is [email protected] as a duplicate of the previous message.

All have valid links in body to unsubscribe with destination not visible to untrained eye that are created to compute into the mailing list of destinations.
The effect is new user can unsubscribe for a one time message then next message is another from [email protected] which may be harvested names
making them appear as real people but as though from mydomain.com.
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
Don't ever unsubscribe from a spammer.
All you're doing is confirming that someone exists, so they'll spam you more.

Unfortunately, as a web site owner, you don't have a lot of tools to deal with this.
Enabling SPF and DKIM might help, but I doubt it will eradicate these altogether.

Try to find a re-occurring pattern, create a filter based on such, a global filter is probably about the best tool in your arsenal.


eg:
if any header contains the-emailer.com
or
if any header contains paid-domain.com
or
from contains paid-domain.com
then discard

If there are re-occurring phrases in the message body or maybe even a common spelling mistake.
I had one where the email said something along the lines of 'view in a brower' (misspelt browser), that one was easy to block.
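
The filter rules sketched in the post above, written out as an offline check over saved message source; this is an added example, not part of the original thread, and it goes one step further by also flagging a From address that uses the local domain with a mailbox that does not exist. The sample messages, addresses and the mailbox list are constructed; `mydomain.com`, `the-emailer.com` and `paid-domain.com` are the placeholder names used in the thread.

```python
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "mydomain.com"                           # placeholder domain from the thread
ANY_HEADER = ("the-emailer.com", "paid-domain.com")  # "if any header contains"
FROM_ONLY = ("paid-domain.com",)                     # "from contains"
VALID_LOCAL_USERS = {"admin", "sales"}               # assumption: the real mailboxes

# Constructed samples: all addresses and names below are made up.
SPOOFED = """Return-Path: <bounce@the-emailer.com>
From: "Jane Roe" <jane.roe4821@mydomain.com>
Sender: news@paid-domain.com
To: admin@mydomain.com
Subject: Special offer

Click to unsubscribe.
"""
GENUINE = """Return-Path: <sales@mydomain.com>
From: sales@mydomain.com
To: admin@mydomain.com
Subject: Invoice question

Hello.
"""

def triage(raw):
    """Return (action, reasons) for one message source."""
    msg = message_from_string(raw)
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items()).lower()
    from_hdr = (msg.get("From") or "").lower()
    reasons = [f"header contains {n}" for n in ANY_HEADER if n in headers]
    reasons += [f"from contains {n}" for n in FROM_ONLY if n in from_hdr]
    # Extra check: From claims our domain but names a mailbox we never created.
    local, _, domain = parseaddr(from_hdr)[1].rpartition("@")
    if domain == MY_DOMAIN and local not in VALID_LOCAL_USERS:
        reasons.append("From uses local domain with unknown user")
    return ("discard" if reasons else "deliver", reasons)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, *triage(raw))
```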
 

Cool_Games

Registered
Jun 27, 2020
Get2020cPanel
cPanel Access Level
Website Owner
"My original advice would resolve this if they're sending to [email protected] which it looks like they're doing."
This appears to have worked for the sender that I had been trying to eliminate.


Now wondering why SPAM Filters has remaining messages that are marked SPAM but are being sent to junk folder even with delete set to 5


X-Spam-Status: Yes, score=7.4
X-Spam-Score: 74
X-Spam-Bar: +++++++

Content analysis details: (7.4 points, 4.0 required)

Automatically Delete New Spam (Auto-Delete):
Auto-Delete is enabled. This will permanently delete all new email messages with a calculated spam
score that meets or exceeds the Auto-Delete Threshold Score (5).
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
Hi @Cool_Games

Do you have any other filters in place? It does indeed look like it would qualify for Auto-Delete. Can you show the email transaction for one of those? You can find the email logs at /var/log/exim_mainlog
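
What "the email transaction" looks like once the lines for one message are pulled out of `/var/log/exim_mainlog`, as an added example that is not part of the original thread: it groups log lines by Exim message ID and records which router and transport handled each delivery. The log lines are constructed, and the IDs, hosts, addresses and router/transport names in them are made up.

```python
import re
from collections import defaultdict

# Constructed log lines: IDs, hosts, addresses and router/transport names are made up.
SAMPLE_LOG = """\
2020-07-09 08:14:02 1jtAAA-0001Ab-Cd <= bounce@the-emailer.com H=mta.the-emailer.com [192.0.2.10] P=esmtps S=48211 id=abc@the-emailer.com
2020-07-09 08:14:03 1jtAAA-0001Ab-Cd => admin <jane.roe4821@mydomain.com> R=catchall_router T=mailbox_transport
2020-07-09 08:14:03 1jtAAA-0001Ab-Cd Completed
2020-07-09 08:20:41 1jtBBB-0002Ef-Gh <= sales@example.net H=mail.example.net [198.51.100.7] P=esmtps S=3120
2020-07-09 08:20:42 1jtBBB-0002Ef-Gh ** nobody@mydomain.com R=fail_router: No such user
2020-07-09 08:20:42 1jtBBB-0002Ef-Gh Completed
"""

# timestamp, message ID, then the Exim event flag and the rest of the line
LINE = re.compile(r"^(\S+ \S+) (\w{6}-\w{6}-\w{2}) (<=|=>|->|\*\*|==|Completed)\s*(.*)$")
EVENTS = {"<=": "received", "=>": "delivered", "->": "delivered",
          "**": "failed", "==": "deferred", "Completed": "completed"}

def transactions(log_text):
    """Group log lines by Exim message ID, keeping router and transport."""
    txns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a per-message line (e.g. connection notices)
        when, msgid, flag, rest = m.groups()
        fields = dict(re.findall(r"\b([A-Z])=(\S+)", rest))  # H=, P=, S=, R=, T=
        txns[msgid].append({
            "time": when,
            "event": EVENTS[flag],
            "address": rest.split(" ", 1)[0],
            "router": (fields.get("R") or "").rstrip(":") or None,
            "transport": fields.get("T"),
        })
    return dict(txns)

def handled_by(txns, router):
    """Message IDs with at least one delivery made through the given router."""
    return sorted(mid for mid, events in txns.items()
                  if any(e["event"] == "delivered" and e["router"] == router
                         for e in events))

if __name__ == "__main__":
    for msgid, events in transactions(SAMPLE_LOG).items():
        print(msgid, [(e["event"], e["router"], e["transport"]) for e in events])
```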
 

Cool_Games

Registered
Jun 27, 2020
Get2020cPanel
cPanel Access Level
Website Owner
I can not get easily to cPanel the way GoDaddy has it set up.
Bash:
$ ls /var/log
./  ../

Inversely SPAM filter missed this and delivered to inbox.

Today I got an Apple app receipt that was not possible as I use Android.
I could have sent it but it is a security issue to save "show source" because Chrome removes it if I do "save as" txt.
I needed to cut and paste into offline editor while viewing online.


Code:
Return-path: <[email protected]>

Subject: Re: [Receipt Order] - [14995171] : Your Receipt From Apple - Modern
 Combat Date: Thursday, July 9, 2020 [SDW]


X-Ham-Report: Spam detection software, running on the system "GO_DADDY.secureserver.net",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email
 
 
 Your Receipt are in the attachment,
 
 
 Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document;
    name="INVOICE-Modern-Combat-5-2.docx"
Content-Disposition: attachment; filename="INVOICE-Modern-Combat-5-2.docx"
Content-Transfer-Encoding: base64