The Community Forums

Interact with an entire community of cPanel & WHM users!

Customer sending spam via -remote- user, but how?

Discussion in 'E-mail Discussions' started by domeneas, Jun 5, 2014.

  1. domeneas

    domeneas Active Member

    Joined:
    Sep 20, 2013
    Messages:
    27
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hello,

    so I discovered I have a customer that is sending very large amounts of email. I have all the rate limits on in Tweak Settings, so outgoing spam is normally stopped very quickly, and I monitor PHP scripts.

    While fiddling about in the "Email" section in WHM looking at the mail queue, I notice that a certain customer, let's call his domain "spammer.com", has 3 messages queued, but each has a metric ton of recipients. Alarm bells go off, and I search for email sent by mail@spammer.com and find 4000 just in the last few days. Some fail (many more than Tweak Settings allows) and some are delivered. I find it very odd, as this has not happened before.

    To find exactly how much mail it is, I go to "View Sent Summary" expecting to find the spammer.com domain at the top of the list. He isn't even on the list.

    Fast forward a few confusing minutes, and I see that all the emails are being sent with the user -remote-, not the actual username like everyone else.

    I have copied and pasted the Delivery Event Details below:

    Code:
    Event: success success
    User: -remote-
    Domain:
    Sender: mail@spammer.com
    Sent Time: Jun 4, 2014 11:37:11 AM
    Sender Host: 192.x.x.x
    Sender IP: 64.x.x.x
    Authentication: localdelivery
    Spam Score:
    Recipient: mail@receipient.com
    Delivered To: mail@receipient.com
    Delivery User: -remote-
    Delivery Domain:
    Router: lookuphost
    Transport: remote_smtp
    Out Time: Jun 4, 2014 11:42:11 AM
    ID: 1Ws7dS-0001Aa-AS
    Delivery Host: receipient.com.mail.eo.outlook.com
    Delivery IP: 213.x.x.x
    Size: 2.41 MB
    Result: Message accepted
    How is he doing this? I don't think I understand enough about the -remote- user to know what is going on. I see the sender host and sender IP are not my server's address, and they are different from each other. In most cases they point to the same address.

    Thanks for any explanations.

    EDIT: I should add that I have seen this explanation of the -remote- user in several places, but it does not make sense to me that a sender can be remote. All other users sending from their local Outlook installations etc. (which I would guess is a remote user? As opposed to a local user sending from webmail?) are identified with their account name as "user", show up in all logs and follow my anti-spam rules, but this -remote- seems to get around all that:

    "The "-remote-" user is used for incoming and outgoing mails that are not local. Effectively, it's used for when an email is sent out of the server or when an email is sent to the server and the sender or recipient are remote."
     
    #1 domeneas, Jun 5, 2014
    Last edited: Jun 5, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    650
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you been able to isolate the offending account in /var/log/exim_mainlog? If so, what method was used to send out the emails? Was it through SMTP authentication or through a script? The following document is helpful in the event you have not already enabled the suggested options:

    How to Prevent Email Abuse

    Thank you.
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,447
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Change this users email password as well.
     
  4. domeneas

    domeneas Active Member

    Joined:
    Sep 20, 2013
    Messages:
    27
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hi,

    everything in that link you posted was done beforehand and has served me well. For some reason this user is bypassing all these rules, and the difference between him and everyone else is that he is listed as using the -remote- user.

    mail@spammer.com is the account he is using and it is hosted on my server. I can find all his traffic in the exim_mainlog, but I am unsure exactly what you want me to look for there.

    The first line in one batch email he tried to send out is:
    Code:
    2014-06-04 13:06:18 1Ws91N-0002MZ-Ry <= mail@spammer.com H=([192.x.x.x]) [64.x.x.x]:59295 P=esmtp S=2531604 id=11A39226-5134-4975-A93F-FADB0609DAF2@spammer.com T="TOPIC OF SPAM EMAIL" for <insert 100 or so recipients here>
    The mail log in WHM shows 785 emails sent at the same time, 400+ were delivered, and my system has a 200 per hour limit that has held up nicely for other customers.

    If I GREP for the minute all these emails were sent in the exim_mainlog I also find this hundreds of times, with a different domain after "routed_domain=" each time. Each of these domains seems to be one of the recipients:

    Code:
    2014-06-04 13:06:42 1Ws91N-0002MZ-Ry SMTP connection identification H= A=64.x.x.x P=59295 M=1Ws91N-0002MZ-Ry U= ID= S= B=relayhosts_domain
    2014-06-04 13:06:42 1Ws91N-0002MZ-Ry check_mail_permissions could not determine the sender domain [routed_domain=strXX.com message_exim_id=1Ws91N-0002MZ-Ry sender_host_address=64.x.x.x recipients_count=588]
    @Infopro I'd just call them up and tell them we have to cancel their account normally, but I'm too curious as to what is actually happening here to do that yet.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    650
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    In "Tweak Settings", under the "Mail" tab, what do you have configured for these options below?

    "The percentage of email messages (above the account’s hourly maximum) to queue and retry for delivery."
    "Maximum percentage of failed or deferred messages a domain may send per hour"
    "Number of failed or deferred messages a domain may send before protections can be triggered"
    "Count mailman deliveries towards a domain’s Max hourly emails."

    Thank you.
     
  6. domeneas

    domeneas Active Member

    Joined:
    Sep 20, 2013
    Messages:
    27
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    "The percentage of email messages (above the account’s hourly maximum) to queue and retry for delivery." 125
    "Maximum percentage of failed or deferred messages a domain may send per hour" 50
    "Number of failed or deferred messages a domain may send before protections can be triggered" 5
    "Count mailman deliveries towards a domain’s Max hourly emails." Off

    I have set the values to 125 - 25% - 5 - ON after I started investigating, but they were as above on June 4th which I am looking into.

    If I widen my search past exactly 13:06 on June 4th and include a period from 9 AM until 2 PM, I get 4306 delivery events in WHM, of which 2521 were delivered in 4 rounds.

    784 events - 434 delivered 02:06PM
    1954 events - 1093 delivered 12:46PM
    637 events - 435 delivered 11:37AM
    343 events - 224 delivered 10:49AM

    All of those are over the 200 per hour limit, even counting queues and such.

    And all have -remote- as both sender and recipient. Again, no other emails I've come across have that.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    650
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Feel free to open a support ticket if you would like us to access your server and take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  8. domeneas

    domeneas Active Member

    Joined:
    Sep 20, 2013
    Messages:
    27
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Case 5081447
     
  9. crwilliams

    crwilliams Well-Known Member

    Joined:
    Sep 10, 2002
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Is there anything to add with this case? I'm experiencing the same problem, or a similar one. I have a user on one of my servers who has had two of her email accounts hacked to send spam. I've changed the passwords in the meantime myself. The thing I'm worried about is how the mail bypassed the server limits.

    The mail from the compromised accounts on my server was going out by the thousands, but I have her domain limited to 20 emails per hour. I did only just now include mailman in her total limit, but it doesn't seem as though that has anything to do with it anyway. And just like the other person in this thread, the mail seems to come from a user listed as remote.

    I have 105% as the amount above the limit to queue and retry; percentage of failed or deferred messages per hour at 50%; number of failed messages to send before protections kick in is set to 5. And I have the formerly known as SMTP tweak on.

    So I have no idea how this account managed about 2500 emails in a few hours.

    Any ideas?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    650
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Were you able to isolate the offending messages in /var/log/exim_mainlog? If so, what method was used to send out the emails? Was it through SMTP authentication or through a script?

    Thank you.
     
  11. crwilliams

    crwilliams Well-Known Member

    Joined:
    Sep 10, 2002
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    They were sent through SMTP authentication. I had an easy time locating the messages because this server typically only sends a few hundred messages a day in total, so messages by the thousand tend to get noticed. But I did find it odd to see user -remote- in the message details, and I can't understand how they just kept blowing past the limit. I now have CSF set up to permanently block IPs after a set number of emails sent per hour, but that only prevents the one IP from sending and doesn't tell me how the domain limits are being surpassed anyway. I'd appreciate any nudges in the right direction. Thanks!

    Oh, and this is what one of the failed messages looked like, after my server limit was reached at the GoDaddy data center:

    Code:
    Event: failure error
    User: -remote-
    Domain:
    Sender: ni@xxxxxxxxx.com
    Sent Time: Jul 30, 2014 4:25:16 PM
    Sender Host: 192.168.1.97
    Sender IP: 46.216.xx.xx
    Authentication: courier_login
    Spam Score: 0
    Recipient: xxxxxx@hotmail.com
    Delivered To:
    Delivery User:
    Delivery Domain:
    Router: send_to_smart_host
    Transport: remote_smtp
    Out Time: Jul 30, 2014 4:41:16 PM
    ID: 1XCaR1-00038I-0o
    Delivery Host: dedrelay.where.secureserver.net
    Delivery IP: 64.202.xxx.xx
    Size: 653 bytes
    Result: SMTP error from remote mail server after initial connection: host dedrelay.where.secureserver.net [64.202.xxx.xx]: 554 m1plded02-02.prod.mesa1.secureserver.net : DED : YkhD1o0193FgbK901 : DED : You've reached your daily relay quota 
     
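As an added example (not code from the thread, and not cPanel's or Exim's own tooling), here is a small Python script that does what cPanelMichael asks for in posts #2 and #10 and what domeneas did by hand with grep in post #4: it reads the `<=` (message accepted) lines of /var/log/exim_mainlog, pulls out the sender, the connecting IP, the `P=` protocol, the `A=` authenticator (the `courier_login` / `dovecot_login` field behind the "Authentication:" line in post #11), and the recipient list after `for`, then sums recipients per sender and hour so a single submission with hundreds of recipients shows up against the 200 per hour cap the thread discusses. The log lines inside it are constructed for the example; the field layout follows the Exim main-log line quoted in post #4, and the 200 threshold, the function names and the `submission_method` labels are this example's own choices.

```python
"""Roll up Exim main-log message-arrival ("<=") lines per sender and hour.

Added example for the cPanel forum thread above; it is not part of cPanel or Exim.
"""
import re
from collections import defaultdict

LIMIT_PER_HOUR = 200  # the hourly cap discussed in the thread (assumed default here)

# Constructed sample log lines (not from the thread). The first one carries 250
# recipients to mimic one bulk submission that blows past a 200/hour cap in a second.
_BULK_RCPTS = " ".join(f"r{i}@example.net" for i in range(250))
SAMPLE_LOG = "\n".join([
    '2014-06-04 13:06:18 1Ws91N-0002MZ-Ry <= mail@spammer.com H=([192.0.2.10]) [203.0.113.5]:59295 '
    f'P=esmtp S=2531604 id=a@spammer.com T="offer for you" for {_BULK_RCPTS}',
    '2014-06-04 13:06:20 1Ws91P-0002Mb-Rz <= mail@spammer.com H=([192.0.2.10]) [203.0.113.5]:59301 '
    'P=esmtpa A=dovecot_login:mail@spammer.com S=2531604 id=b@spammer.com T="offer" for b1@example.net b2@example.net',
    '2014-06-04 13:40:00 1Ws91Q-0002Mc-S0 <= ni@example.org H=([192.168.1.97]) [198.51.100.7]:4411 '
    'P=esmtpa A=courier_login:ni@example.org S=653 id=c@example.org T="hello" for c1@example.com',
    '2014-06-04 14:05:00 1Ws91R-0002Md-S1 <= user@example.org U=user P=local S=1200 '
    'id=d@example.org T="cron output" for admin@example.org',
])

# The subject (T="...") is removed first so a subject containing " for " cannot
# confuse the recipient split; Exim escapes embedded quotes with a backslash.
SUBJECT_RE = re.compile(r' T="(?:[^"\\]|\\.)*"')
HEAD_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$'
)
IP_RE = re.compile(r'\[(?P<ip>[0-9a-fA-F:.]+)\]:\d+')   # the "[ip]:port" of the connecting peer
AUTH_RE = re.compile(r'(?:^| )A=(?P<auth>\S+)')          # A=<authenticator>:<login name>
PROTO_RE = re.compile(r'(?:^| )P=(?P<proto>\S+)')        # P=esmtp, P=esmtpa, P=local, ...


def parse_line(line):
    """Return a dict for a '<=' line, or None for any other main-log line."""
    line = SUBJECT_RE.sub("", line.rstrip("\n"))
    m = HEAD_RE.match(line)
    if not m:
        return None
    fields, sep, rcpt_str = m.group("rest").partition(" for ")
    recipients = rcpt_str.split() if sep else []
    auth = AUTH_RE.search(fields)
    proto = PROTO_RE.search(fields)
    ip = IP_RE.search(fields)
    mech, _, auth_user = auth.group("auth").partition(":") if auth else ("", "", "")
    return {
        "hour": m.group("ts")[:13],            # "YYYY-MM-DD HH" bucket
        "msgid": m.group("msgid"),
        "sender": m.group("sender"),
        "sender_ip": ip.group("ip") if ip else None,
        "proto": proto.group("proto") if proto else "",
        "auth_mech": mech,
        "auth_user": auth_user,
        "recipient_count": len(recipients),
    }


def submission_method(rec):
    """Classify how the message reached Exim, the question asked in posts #2 and #10."""
    if rec["auth_mech"]:
        return "smtp_auth"      # logged in with SMTP AUTH (A=dovecot_login:... / A=courier_login:...)
    if rec["proto"] == "local":
        return "local"          # handed to Exim on the box itself (script or cron via sendmail)
    return "smtp_unauth"        # accepted from the network with no AUTH; no account password involved


def hourly_recipients(log_text):
    """Total recipients per (sender, hour) across all '<=' lines."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["sender"], rec["hour"])] += rec["recipient_count"]
    return dict(counts)


def over_limit(log_text, limit=LIMIT_PER_HOUR):
    """(sender, hour, recipients) triples that exceed the hourly cap, sorted."""
    return sorted((s, h, n) for (s, h), n in hourly_recipients(log_text).items() if n > limit)


if __name__ == "__main__":
    # Usage on a real box: python3 this.py < /var/log/exim_mainlog
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for sender, hour, n in over_limit(text):
        print(f"{hour}  {sender}  {n} recipients (limit {LIMIT_PER_HOUR})")
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["recipient_count"] > 50:
            print(f"  {rec['msgid']} {submission_method(rec)} ip={rec['sender_ip']} "
                  f"auth={rec['auth_mech'] or '-'} rcpts={rec['recipient_count']}")
```

Two things the output tells a defender, both following from how Exim logs: a line of the shape quoted in post #4 (`P=esmtp`, no `A=` field, hundreds of addresses after `for`) was accepted from the network without SMTP authentication, so changing the mailbox password alone will not close that path; a line with `A=courier_login:...` or `A=dovecot_login:...` (the shape behind post #11's "Authentication: courier_login") was sent with the account's credentials, where the password change Infopro recommends is the right first step. Either way, the per-hour recipient total is the number to compare against the WHM limit, because one `<=` line is one message however many recipients it carries.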
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    650
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Feel free to open a support ticket if you would like us to access your server and take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     