
/etc/userdomains

Discussion in 'E-mail Discussions' started by Paul Jimerson, Dec 25, 2016.

  1. Paul Jimerson

    Paul Jimerson Registered

    Joined:
    Dec 24, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    San Francisco, CA USA
    cPanel Access Level:
    Website Owner
    Greetings All,
    I've been having a problem with remote IPs connecting to my SMTP server trying to send spam through it. So far my SpamAssassin is blocking almost all of it, but ideally I would prefer not to have them be able to connect at all. My eximstats log lists the vast majority of remote SMTP connections as unauthorized. I have been looking through files referenced in WHM's Exim advanced configuration page trying to determine how they can connect without authenticating. My searches eventually came to /etc/userdomains, which contained a line with my domain and profile preceded by the following line:

    *: nobody

    This seemed to me to be exactly the kind of entry that could allow unauthorized connections from any IP. I am a Linux newbie, obviously. I am hoping that someone here will lend me their knowledge and experience and tell me:
    1) Am I correct about this ... would the line above allow unauthorized connections from any IP?
    2) What other files should I look at?

    So far I've just been going through every file referenced in Exim's Advanced Configuration page. I also recently changed Exim's config so that the log settings were set to +all, so everything that can be logged should end up being logged to /var/log/exim_mainlog.
    Thanks in advance.
    :)
    pjimerson
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,204
    Likes Received:
    1,297
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It's likely the messages are coming through a PHP script. Could you verify which PHP handler is enabled (e.g. suPHP, DSO) on the instance of PHP installed on your system?

    Note the following document is the best place to start when attempting to prevent email abuse:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     
  3. NOC_Serverpoint

    NOC_Serverpoint Well-Known Member

    Joined:
    Jul 3, 2016
    Messages:
    102
    Likes Received:
    6
    Trophy Points:
    18
    cPanel Access Level:
    Website Owner
    Hello,

    Do you have shell access? If so, please run the following script:

    grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
    NB: This will check which script is originating the spam mails.

    NB: The following shows the IPs which are connected to the server through port number 25. If one particular IP is using more than 15 connections, you can block it in the server firewall.

    netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1

    NB: The following script will give a summary of the mails in the mail queue.

    exim -bpr | exiqsumm -c | head

    Thank you,
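As an added example (not code from this thread or from cPanel), the two checks above written as shell functions over a constructed exim_mainlog sample, so the output can be seen without a live server. The user names, paths, IPs and message ids in the sample are made up; the line layout follows the cwd= and "<=" arrival lines Exim writes with the +all log selector.

```sh
#!/bin/sh
# Constructed exim_mainlog sample (hypothetical users, paths, IPs, ids).
# "cwd=" lines record the directory of the script that called sendmail;
# "<=" lines record message arrival, with A=... only when SMTP auth was used.
SAMPLE_LOG='2016-12-25 10:00:01 cwd=/home/alice/public_html/wp-content 3 args: /usr/sbin/sendmail -t -i
2016-12-25 10:00:01 1cL1aa-0001aa-Aa <= alice@example.test U=alice P=local S=1200
2016-12-25 10:00:02 cwd=/home/alice/public_html/wp-content 3 args: /usr/sbin/sendmail -t -i
2016-12-25 10:00:03 cwd=/home/bob/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2016-12-25 10:00:04 1cL1aa-0001ab-Ab <= spammer@example.test H=(foo) [203.0.113.7] P=esmtp S=800
2016-12-25 10:00:05 1cL1aa-0001ac-Ac <= alice@example.test H=(pc) [198.51.100.9] P=esmtpa A=dovecot_login:alice@example.test S=900
2016-12-25 10:00:06 1cL1aa-0001ad-Ad <= other@example.test H=(bar) [203.0.113.7] P=esmtp S=810'

# Count how often each script directory handed mail to Exim.
# Output lines look like "<count> cwd=/home/...", ascending by count,
# which is what the thread's first pipeline prints on a real log.
count_script_dirs() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep -o 'cwd=/home[^ ]*' | sort | uniq -c | sort -n
}

# Count remote arrivals ("<=" with H=host [IP]) that carry no A= tag,
# i.e. messages accepted from remote hosts without SMTP authentication.
# Local submissions (U=user, no [IP]) are skipped because they have no IP.
count_unauth_remote() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep ' <= ' | grep -v ' A=' \
      | grep -o '\[[0-9.]*\]' | tr -d '[]' \
      | sort | uniq -c | sort -rn
}

count_script_dirs
count_unauth_remote
```

On a real server replace the printf over SAMPLE_LOG with cat /var/log/exim_mainlog; the authenticated line for alice is deliberately excluded from the second count to show the A= distinction.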
     