Email spammers even with csf security hints all checked

marm

Member
Oct 4, 2013
5
0
1
cPanel Access Level
Root Administrator
I have a centosOS server with WHM 11.42.0 installed on it. I also have csf 6.47. My MTA is Exim.

When I click on "Check Server Security" in csf, everything is OK, I have done every hint to make my server secure. Especially for the mail section (SMTP_BLOCK set to 1 and everything).

It was good for a couple of months, no spammers were connecting successfully. I always received some email notifications for too many login attempts to the SMTP server, but they were always blocked.

Recently, some spammer somehow breached my server's security and is sending emails from it. Every email he sends comes from mail accounts that don't exist, but with one of my domains (i.e.: [email protected]).

So what I want is to block every outgoing email, except those from some trusted IPs and from my PHP scripts (PHP mail function and PEAR Mail_Queue). I also want to block every outgoing email with the From header set to a non-existing mail account.

How can I perform these things with csf, cpanel or via SSH access?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Well if SMTP_BLOCK is on, the mail is probably using exim, most likely through a PHP script similar to how your legitimate mail looks.

Check the exim_mainlog in /var/log for the cwd's of recent mail.
 

marm

Member
Oct 4, 2013
5
0
1
cPanel Access Level
Root Administrator
Well if SMTP_BLOCK is on, the mail is probably using exim, most likely through a PHP script similar to how your legitimate mail looks.

Check the exim_mainlog in /var/log for the cwd's of recent mail.
I'm pretty sure my php scripts are secure on that.
Here is an example of my "exim_mainlog" entries:

2014-03-27 15:22:14 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc
2014-03-27 15:22:14 => CPANELUSER <[email protected]> F=<> R=localuser T=local_delivery S=9907

What does it mean?
 

cPanelPeter

Technical Analyst III
Staff member
Sep 23, 2013
575
21
143
cPanel Access Level
Root Administrator
Hello,

That part of the exim_mainlog indicates that a message was received for CPANELUSER. From your original description, it sounds like you may be the victim of a Joe Job.

Do you have Default Address set to deliver to the cPanel username? If so, try setting it to Discard with message "No such user here". That may help.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Peter with all due respect I think you're wrong here. He's not getting misdirected bounces (typical of a Joe Job), his server is sending the messages to begin with, with forged "from" addresses. I see this like 10 times a day from compromised CMS software.

The cwd's in the exim_mainlog should show the directory containing the spam script(s).
 

marm

Member
Oct 4, 2013
5
0
1
cPanel Access Level
Root Administrator
Thanks a lot guys for your responses.

If I understand, the following exim_mainlog entry is a delivery failure I received from the email recipient. (It is a similar entry to the one in my other post. I received tons of delivery failures for messages originally sent from a non-existing account on my domain.)

2014-03-28 10:34:13 SMTP connection from [REMOTE IP]:51508 I=[MY IP]:25 (TCP/IP connection count = 1)
2014-03-28 10:34:16 1WTXrM-0006y0-El <= <> H=REMOTE-IP.dedicated.abac.net [REMOTE IP]:51508 I=[MY IP]:25 P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=4505 T="failure notice" from <> for b$
2014-03-28 10:34:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WTXrM-0006y0-El
2014-03-28 10:34:16 1WTXrM-0006y0-El => CPANELUSER <[email protected]> F=<> R=localuser T=local_delivery S=4617
2014-03-28 10:34:16 1WTXrM-0006y0-El Completed
2014-03-28 10:34:16 SMTP connection from REMOTE-IP.dedicated.abac.net [REMOTE IP]:51508 I=[MY IP]:25 closed by QUIT
I received that "failure notice" message and in the header of the original message it had clearly been sent by "[email protected]". Unfortunately, I can't find the original message log in my exim_mainlog (it is quite a big file...).

So I have a couple of questions here:
- What is a Joe Job attack and how do I prevent it?
- Is there a way to quickly find the cwd of spammers in exim_mainlog?
- And also my original question, is there a way to block every outgoing email where the from header is not an existing email account?

And again, thanks a lot guys for your help.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
You're probably not dealing with a joe job; that is where someone not on your server sends mail with your "From" address so you get the angry bouncebacks/replies.

This one-liner should show you any directories on /home/ which have sent mail using exim, and how many messages per directory:

Code:
awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
In my case part of the output contains this:

98 cwd=/home/USERNAME/public_html/blog

That means that 98 e-mails came from PHP scripts in /home/USERNAME/public_html/blog/

If you can't figure this out or find the original messages then you might be dealing with a joe job, but again, I doubt that. Make sure to check rotated log files. If you got the original message ID from the bounce, let's say it was 1WST5t-0008BR-75, then you'd try this:
Code:
zgrep 1WST5t-0008BR-75 /var/log/exim_mainlog*
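As an added illustration (not code posted by anyone in this thread), the script below wraps the two checks quizknows describes into shell functions and runs them over a constructed sample of exim_mainlog lines: counting how many messages each /home directory sent (the awk one-liner above), and tracing a message ID across the current and rotated logs. The sample log, the directory names and the message ID in it are made up for the example; on a real server you would point the functions at /var/log/exim_mainlog instead.

```shell
#!/bin/sh
# Added example: triage an exim_mainlog for script-sent spam by cwd, using
# constructed sample lines (not real log data).

SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed exim_mainlog excerpt: one queue-runner line (cwd=/var/spool/exim,
# not a script) and several lines from PHP scripts calling sendmail under /home.
cat > "$SAMPLE_LOG" <<'EOF'
2014-03-27 15:22:14 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WTXrM-0006y0-El
2014-03-27 15:22:20 cwd=/home/USERNAME/public_html/blog 4 args: /usr/sbin/sendmail -t -i
2014-03-27 15:22:21 cwd=/home/USERNAME/public_html/blog 4 args: /usr/sbin/sendmail -t -i
2014-03-27 15:22:22 cwd=/home/USERNAME/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2014-03-27 15:22:23 cwd=/home/OTHERUSER/public_html 4 args: /usr/sbin/sendmail -t -i
2014-03-27 15:22:24 cwd=/home/USERNAME/public_html/blog 4 args: /usr/sbin/sendmail -t -i
EOF

# Print "count cwd=/home/..." per sending directory, lowest count first, so the
# busiest (most suspicious) directory is the last line. Same pipeline as the
# one-liner in the post above; $1 is the log file.
sending_dirs() {
    awk '/cwd=\/home\// {print $3}' "$1" | sort | uniq -c | sort -n
}

# Number of messages sent from one directory ($2) in log $1; prints 0 if none.
count_for_dir() {
    awk -v d="cwd=$2" '$3 == d {n++} END {print n+0}' "$1"
}

# Find every line mentioning message id $1 in log $2 and its rotated copies
# ($2.1, $2.2.gz, ...), decompressing .gz files the way zgrep would.
trace_message() {
    for f in "$2"*; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done | grep "$1"
}

sending_dirs "$SAMPLE_LOG"
trace_message 1WTXrM-0006y0-El "$SAMPLE_LOG"
```

Once the busiest directory is known, list its recently modified PHP files; on a compromised CMS the mailer script is usually a newly added or recently changed file in exactly that directory.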