The Community Forums

Email spammers even with csf security hints all checked

Discussion in 'Security' started by marm, Mar 27, 2014.

  1. marm

    marm Member

    Joined:
    Oct 4, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I have a CentOS server with WHM 11.42.0 installed on it. I also have csf 6.47. My MTA is Exim.

    When I click on "Check Server Security" in csf, everything is OK, I have done every hint to make my server secure. Especially for the mail section (SMTP_BLOCK set to 1 and everything).

    It was good for a couple of months, no spammers were connecting successfully. I always received some email notifications for too many login attempts to the SMTP server, but they were always blocked.

    Recently, some spammer somehow successfully breached my server's security and is sending emails from it. Every email he sends comes from a mail account that doesn't exist, but with one of my domains (i.e.: fakename@mydomain.com).

    So what I want is to block every outgoing email, except those from some trusted IPs and from my PHP scripts (PHP mail function and PEAR mail_queue). I also want to block every outgoing email with the From header set to a non-existing mail account.

    How can I perform these things with csf, cpanel or via SSH access?
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Well if SMTP_BLOCK is on, the mail is probably using exim, most likely through a PHP script similar to how your legitimate mail looks.

    Check the exim_mainlog in /var/log for the cwd's of recent mail.
     
  3. marm

    marm Member

    Joined:
    Oct 4, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I'm pretty sure my php scripts are secure on that.
    Here is an example of my "exim_mainlog" entries:

    2014-03-27 15:22:14 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc
    2014-03-27 15:22:14 => CPANELUSER <1bf3e543@mydomain.com> F=<> R=localuser T=local_delivery S=9907

    What does it mean?
     
  4. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    569
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    That part of the exim_mainlog indicates that a message was received to the CPANELUSER. From your original description, it sounds like you may be the victim of a Joe Job.

    Do you have Default Address set to deliver to the cPanel username? If so, try setting it to Discard with message "No such user here". That may help.
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Peter with all due respect I think you're wrong here. He's not getting misdirected bounces (typical of a Joe Job), his server is sending the messages to begin with, with forged "from" addresses. I see this like 10 times a day from compromised CMS software.

    The cwd's in the exim_mainlog should show the directory containing the spam script(s).
     
  6. marm

    marm Member

    Joined:
    Oct 4, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks a lot guys for your responses.

    If I understand, the following exim_mainlog entry is a delivery failure I received from the email recipient. (It is a similar entry to the one in my other post. I received tons of delivery failures originally sent from a non-existing account on my domain.)

    I received that "failure notice" message and in the header of the original message it had clearly been sent by "brian.bostockd@mydomain.com". Unfortunately, I can't find the original message log in my exim_mainlog (it is quite a big file...).

    So I have a couple of questions here:
    - What is a Joe Job attack and how to prevent it?
    - Is there a way to quickly find the cwd of spammers in exim_mainlog?
    - And also my original question, is there a way to block every outgoing email where the from header is not an existing email account?

    And again, thanks a lot guys for your help.
     
  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    You're probably not dealing with a joe job; that is where someone not on your server sends mail with your "From" address so you get the angry bouncebacks/replies.

    This one-liner should show you any directories on /home/ which have sent mail using exim, and how many messages per directory:

    Code:
    awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
    
    In my case part of the output contains this:

    98 cwd=/home/USERNAME/public_html/blog

    That means that 98 e-mails came from PHP scripts in /home/USERNAME/public_html/blog/

    If you can't figure this out or find the original messages then you might be dealing with a joe job, but again, I doubt that. Make sure to check rotated log files. If you got the original message ID from the bounce, let's say it was 1WST5t-0008BR-75, then you'd try this:
    Code:
    zgrep 1WST5t-0008BR-75 /var/log/exim_mainlog*
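
The two commands above, wrapped into reusable shell functions as an added example (this is not code from the thread or from cPanel): top_sender_dirs generalises the awk one-liner to any number of log files and prints one "count cwd=..." line per /home directory that invoked exim, and find_message looks up a message id across plain and gzip-rotated copies of exim_mainlog without depending on zgrep. The log lines fed to it are constructed for the example; the paths /var/log/exim_mainlog* and the message id 1WST5t-0008BR-75 are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes exim_mainlog lines look like
# "DATE TIME cwd=/path N args: ..." for process launches (as quoted above)
# and "DATE TIME MSGID <= sender ..." for message arrival.

# Print "count cwd=/home/..." for every /home directory that ran exim,
# least active first. Pass one or more log files, e.g. /var/log/exim_mainlog.
top_sender_dirs() {
    awk '/cwd=\/home\// {print $3}' "$@" | sort | uniq -c | sort -n \
        | awk '{print $1, $2}'
}

# Print every log line mentioning an exim message id (e.g. 1WST5t-0008BR-75),
# decompressing rotated *.gz files on the fly.
find_message() {
    id="$1"; shift
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" | grep -- "$id" ;;
            *)    grep -- "$id" "$f" ;;
        esac
    done
}

# Constructed sample log so the functions can be exercised offline;
# real servers would pass /var/log/exim_mainlog* instead.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2014-03-27 15:22:14 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc
2014-03-27 15:22:20 cwd=/home/USERNAME/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2014-03-27 15:22:21 1WST5t-0008BR-75 <= fakename@mydomain.com U=USERNAME P=local S=1234
2014-03-27 15:22:22 cwd=/home/USERNAME/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2014-03-27 15:22:23 cwd=/home/USERNAME/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2014-03-27 15:22:24 cwd=/home/OTHERUSER/public_html 3 args: /usr/sbin/sendmail -t -i
EOF

# Usage: the blog directory shows 3 sends, the other account 1.
top_sender_dirs "$SAMPLE_LOG"
find_message 1WST5t-0008BR-75 "$SAMPLE_LOG"
```

The cwd counts only tell you which directory invoked sendmail, so the next step is to list recently modified PHP files under the busiest directory and review them; the message-id lookup then ties a bounced message back to the cwd line logged a moment before its "<=" arrival line.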
    
     