Discussion in 'E-mail Discussion' started by Paul Jimerson, Dec 25, 2016.

  1. Paul Jimerson

    Paul Jimerson Registered

    Dec 24, 2016
    San Francisco, CA USA
    cPanel Access Level:
    Website Owner
    Greetings All,
    I've been having a problem with remote IPs connecting to my SMTP server trying to send spam through it. So far my SpamAssassin is blocking almost all of it, but ideally I would prefer not to have them be able to connect at all. My eximstats log lists the vast majority of remote SMTP connections as unauthorized. I have been looking through files referenced in WHM's Exim Advanced Configuration page trying to determine how they can connect without authenticating. My searches eventually came to /etc/userdomains, which contained a line with my domain and profile preceded by the following line:

    *: nobody

    This seemed to me to be exactly the kind of entry that could allow unauthorized connections from any IP. I am a Linux newbie, obviously. I am hoping that someone here will lend me their knowledge and experience and tell me:
    1) Am I correct about this ... would the line above allow unauthorized connections from any IP?
    2) What other files should I look at?

    So far I've just been going through every file referenced in Exim's Advanced Configuration page. I also recently changed Exim's config so that the log settings were set to +all, so everything that can be logged should end up being logged to /var/log/exim_mainlog.
    Thanks in advance.
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator

    It's likely the messages are coming through a PHP script. Could you verify which PHP handler is enabled (e.g. suPHP, DSO) on the instance of PHP installed on your system?

    Note the following document is the best place to start when attempting to prevent email abuse:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

    Thank you.
  3. NOC_Serverpoint

    NOC_Serverpoint Well-Known Member

    Jul 3, 2016
    cPanel Access Level:
    Website Owner

    Do you have shell access? If so, please run the following script

    grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
    NB: This will check the script that will originate spam mails.

    NB: It shows the IPs which are connected to the server through port number 25. If one particular IP is using more than 15 connections, you can block it in the server firewall.

    netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1

    NB: The following script will give the summary of mails in the mail queue.

    exim -bpr | exiqsumm -c | head

    Thank you,
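
Added example, not part of the posts above or of cPanel's own tooling: a stricter take on the `cwd=/home` search that pulls the whole working directory out of each Exim `cwd=... N args:` line (these appear when argument logging is on, which `+all` includes), so directories containing spaces are counted correctly. The function name `rank_cwd`, the user `exampleuser` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Rank the /home working directories that handed mail to Exim locally.
# A busy script directory at the top of the list is the first place to
# look for an abused PHP form or mailer.

# Constructed sample lines in exim_mainlog format (not from a real server).
sample_log() {
cat <<'EOF'
2016-12-25 10:00:01 cwd=/home/exampleuser/public_html/blog/tmp 3 args: /usr/sbin/sendmail -t -i
2016-12-25 10:00:02 cwd=/home/exampleuser/public_html/blog/tmp 3 args: /usr/sbin/sendmail -t -i
2016-12-25 10:00:03 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1cLAbc-0001xy-Ab
2016-12-25 10:00:04 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
2016-12-25 10:00:05 cwd=/home/exampleuser/public_html/blog/tmp 3 args: /usr/sbin/sendmail -t -i
2016-12-25 10:00:06 cwd=/home/exampleuser/public_html/old site 3 args: /usr/sbin/sendmail -t -i
EOF
}

# usage: rank_cwd [logfile]   (reads stdin when no file is given)
# Prints "<count> <directory>", busiest directory first.
rank_cwd() {
  awk '
    # Match from " cwd=/home/" up to the " N args: " marker that follows it.
    match($0, / cwd=\/home\/.* [0-9]+ args: /) {
      d = substr($0, RSTART + 5, RLENGTH - 5)   # drop the leading " cwd="
      sub(/ [0-9]+ args: $/, "", d)             # drop the trailing " N args: "
      n[d]++
    }
    END { for (d in n) printf "%d %s\n", n[d], d }
  ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample; on a server use:
#   rank_cwd /var/log/exim_mainlog
sample_log | rank_cwd
```

Lines with `cwd=/var/spool/exim` are Exim's own queue runners and are left out on purpose.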