Email spammers even with csf security hints all checked

[marm]

I have a centosOS server with WHM 11.42.0 installed on it. I also have csf 6.47. My MTA is Exim.

When I click on "Check Server Security" in csf, everything is OK, I have done every hint to make my server secure. Especially for the mail section (SMTP_BLOCK set to 1 and everything).

It was good for a couple months, no spammers were connecting successfully. I always received some emails notifications for too many login attempt to SMTP server, but always blocked.

Recently, some spammers somehow successfully breach my server's security and is sending emails from it. Every emails he sends come from mail accounts that doesn't exists, but with one of my domains (i.e: [email protected]).

So what I want is blocking every outgoing emails, except those from some trusted ip and from my php scripts (php mail function and PEAR mail_queue). I also want to block every outgoing email with the from header set to a non-existing mail account.

How can I perform these things with csf, cpanel or via SSH access?

 

[quizknows]

Well if SMTP_BLOCK is on, the mail is probably using exim, most likely through a PHP script similiar to how your legitimate mail looks.

Check the exim_mainlog in /var/log for the cwd's of recent mail.

 

[marm]

Well if SMTP_BLOCK is on, the mail is probably using exim, most likely through a PHP script similiar to how your legitimate mail looks.

Check the exim_mainlog in /var/log for the cwd's of recent mail.

I'm pretty sure my php scripts are secure on that.
Here is an example of my "exim_mainlog" entries:

2014-03-27 15:22:14 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc
2014-03-27 15:22:14 => CPANELUSER <[email protected]> F=<> R=localuser T=local_delivery S=9907

What does it means?

 

[cPanelPeter]

Hello,

That part of the exim_mainlog indicates that a message was received to the CPANELUSER. From your original description, it sounds like you may be the victim of a Joe Job.

Do you have Default Address set to deliver to the cPanel username? If so, try setting it to Discard with message "No such user here". That may help.

 

[quizknows]

Peter with all due respect I think you're wrong here. He's not getting misdirected bounces (typical of a Joe Job), his server is sending the messages to begin with, with forged "from" addresses. I see this like 10 times a day from compromised CMS software.

The cwd's in the exim_mainlog should show the directory containing the spam script(s).

 

[marm]

Thanks a lot guys for your responses.

If I understand, the following exim_mainlog entry is a delivery failure I received from the email recipient. (It is a similar entry than in my other post. I received tons of delevery failures originally sent from a non-existing account on my domain.)

2014-03-28 10:34:13 SMTP connection from [REMOTE IP]:51508 I=[MY IP]:25 (TCP/IP connection count = 1)
2014-03-28 10:34:16 1WTXrM-0006y0-El <= <> H=REMOTE-IP.dedicated.abac.net [REMOTE IP]:51508 I=[MY IP]:25 P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=4505 T="failure notice" from <> for b$
2014-03-28 10:34:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WTXrM-0006y0-El
2014-03-28 10:34:16 1WTXrM-0006y0-El => CPANELUSER <[email protected]> F=<> R=localuser T=local_delivery S=4617
2014-03-28 10:34:16 1WTXrM-0006y0-El Completed
2014-03-28 10:34:16 SMTP connection from REMOTE-IP.dedicated.abac.net [REMOTE IP]:51508 I=[MY IP]:25 closed by QUIT

I received that "failure notice" message and in the header of the original message it had clearly been sent by "[email protected]". Unfortunately, I can't find the original message log in my exim_mainlog (it is quite a big file...).

So I have a couple of questions here:
- What is a Joe Job attack and how to prevent it?
- Is there a way to quickly find the cwd of spammers in exim_mainlog?
- And also my original question, is there a way to block every outgoing email where the from header is not an existing email account?

And again, thanks a lot guys for your help.

 

[quizknows]

You're probably not dealing with a joe job; that is where someone not on your server sends mail with your "From" address so you get the angry bouncebacks/replies.

This one-liner should show you any directories on /home/ which have sent mail using exim, and how many messages per directory:

awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n

In my case part of the output contains this:

98 cwd=/home/USERNAME/public_html/blog

That means that 98 e-mails came from PHP scripts in /home/USERNAME/public_html/blog/

If you can't figure this out or find the original messages then you might be dealing with a joe job, but again, i doubt that. Make sure to check rotated log files. If you got the original message ID from the bounce, let's say it was 1WST5t-0008BR-75, then you'd try this:

zgrep 1WST5t-0008BR-75 /var/log/exim_mainlog*