Exim Configuration Settings to prevent outgoing spam

transcendev

Member
Apr 16, 2014
cPanel Access Level
Root Administrator
I've had some problems in the past few months with my server being used to relay spam messages.

I made some changes to the Exim configuration that I hope will prevent further issues, but would love to hear some recommendations on what the best settings are in there since even the "basic" settings panel has about a hundred different things you can change.

I turned on SPF failure rejection and DKIM verification... not sure if that will help anything.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
As far as settings to limit outgoing spam, in WHM >> Tweak Settings >> Mail:

"Max hourly emails per domain" - (set to a reasonable value higher than you think a legitimate user will send)

"Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" (Turn this on, UNLESS you use CSF, in which case use CSF's SMTP_BLOCK option)

"Maximum percentage of failed or deferred messages a domain may send per hour" (turn this on, I recommend 30%)

That being said, I deal with many spam issues on a daily basis. The vast majority of outbound spam I see from cPanel hosts, aside from fraudulent customers who sign up to send spam (and are quickly caught), is done through either weak/stolen e-mail passwords or outdated CMSes that were hacked. Make sure your users are keeping software up to date.

I recommend also setting the minimum password strength requirements in WHM to 75% for all services. This helps prevent weak e-mail passwords (like test / test accounts).
 

transcendev

Member
Apr 16, 2014
cPanel Access Level
Root Administrator
Thanks guy. I've taken all of these precautions already and still have email being relayed through the server. I have CSF installed and the SMTP_BLOCK option turned on. I even have CSF's mailscanner installed. I've got what most would consider pretty harsh limits for emails per hour set at only 50 per hour. There aren't many sites on the server that actually use it for email service, most use Google Apps.

I would be inclined to believe that there is a stolen password somewhere, except that the domain the emails are going out on has no email accounts on it. It had some forwarders, which I've deleted. I've also deleted the MX record for the domain since it does not require email service of any kind.

What I can't understand is how there isn't some sort of simple security setting that can tell the server if the "from" domain name is not on the server, don't send it. All of these emails are being sent "from" @aol.com addresses...which is a domain clearly not on the server.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
> I would be inclined to believe that there is a stolen password somewhere, except that the domain the emails are going out on has no email accounts on it. It had some forwarders, which I've deleted. I've also deleted the MX record for the domain since it does not require email service of any kind.

Have you reviewed the message headers from any of the messages sent out to determine the source of the SPAM?

Thank you.
 

transcendev

Member
Apr 16, 2014
cPanel Access Level
Root Administrator
> Have you reviewed the message headers from any of the messages sent out to determine the source of the SPAM?
>
> Thank you.

I haven't, I've been so concerned with trying to figure out how they're continuing to leave the server. I'm not entirely sure how to prevent emails from leaving with a certain spam score either though. Is that a Spamassassin thing?

What I have seen is that it appears to be remote smtp connections and they're being "authenticated" using an email account that isn't even on the server. It's an email account for a domain that uses Google Apps. So, I have no idea how the server is allowing that to happen.

- - - Updated - - -

This is one of the emails that went out. I've removed the to/from addresses so that I don't expose anyone's address.
Maybe someone else can see something in this information that I'm not seeing.

Code:
Date: Wed, 17 Apr 2014 05:18:28 +0100
From: [email protected] <[email protected]>
To: [there were about 20+ email addresses in the TO field that I removed]
Subject: Fw: link
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_BE72_202A399C.4CB5CF93"
Importance: Normal
Message-ID: <[email protected] <[email protected]>
MIME-Version: 1.0
Received: from [37.105.xx.xx] (port=52446 helo=domain.com)
 by host3.domain.com with esmtpa (Exim 4.82)
 (envelope-from <[email protected]>)
 id 1Wap1H-002XGG-9h; Thu, 17 Apr 2014 11:18:35 -0500
X-cPanel-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-cPanel-MailScanner-From: [email protected]
X-cPanel-MailScanner-ID: 1Wap1H-002XGG-9h
X-cPanel-MailScanner-Information: Please contact the ISP for more information
X-cPanel-MailScanner-SpamCheck:
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3522.110
X-MSMail-Priority: Normal
X-Priority: 3
X-Spam-Status: No
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
> I haven't, I've been so concerned with trying to figure out how they're continuing to leave the server. I'm not entirely sure how to prevent emails from leaving with a certain spam score either though. Is that a Spamassassin thing?

You must enable SpamAssassin for outgoing email via the following option in "WHM Home » Service Configuration » Exim Configuration Manager":

"Scan outgoing messages for spam and reject based on SpamAssassin® internal spam_score setting"

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Code:
grep 1Wap1H-002XGG-9h /var/log/exim_mainlog
The "From" can be spoofed (obviously you don't host AOL). I just saw this same spam attack on another server an hour ago, and it's a compromised e-mail account.

The first line returned from the above grep command should give you something like courier_login or dovecot_plain with a legitimate e-mail after it. That's the hacked account.

If the logs rotated out, check zgrep 1Wap1H-002XGG-9h /var/log/exim_mainlog*
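As an added illustration (not code from the thread, cPanel or Exim), the following parses constructed exim_mainlog arrival records in the format Exim writes them: given the message id from the posted header, it pulls out the authenticator field (the `A=dovecot_plain:account` quizknows describes) and the submitting IP, and it counts authenticated accounts whose envelope sender domain differs from the account's own domain, which is what a spoofed "@aol.com" From sent through a hosted mailbox looks like in the log. The domains, IPs and accounts in the sample lines are constructed; only the message id 1Wap1H-002XGG-9h comes from the thread.

```python
import re
from collections import Counter

# Constructed sample exim_mainlog lines (not from the thread or a real server).
# "<=" marks a message arriving; "=>" marks a delivery attempt.
SAMPLE_LOG = """\
2014-04-17 11:18:35 1Wap1H-002XGG-9h <= spoofed@aol.com H=(domain.com) [192.0.2.10]:52446 P=esmtpa A=dovecot_plain:victim@hosteddomain.example S=4321 T="Fw: link" from <spoofed@aol.com> for a@example.net b@example.net
2014-04-17 11:18:36 1Wap1H-002XGG-9h => a@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2014-04-17 11:20:01 1Wap2x-002XHH-1a <= other@aol.com H=(domain.com) [192.0.2.10]:52501 P=esmtpa A=dovecot_plain:victim@hosteddomain.example S=4300 T="Fw: link" from <other@aol.com> for c@example.net
2014-04-17 11:25:44 1Wap8k-002XJJ-7q <= alice@hosteddomain.example H=(laptop) [203.0.113.7]:61002 P=esmtpsa A=dovecot_login:alice@hosteddomain.example S=1200 T="Hello" from <alice@hosteddomain.example> for d@example.org
"""

# Arrival record: timestamp, message id, "<=" envelope sender, client [ip],
# protocol (esmtpa = authenticated SMTP) and optional A=authenticator:account.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<env_from>\S+) .*?\[(?P<ip>[^\]]+)\].*?"
    r"P=(?P<proto>\S+)(?: A=(?P<authenticator>[^:\s]+):(?P<auth_user>\S+))?"
)


def parse_arrivals(log_text):
    """Yield one dict per '<=' arrival line; delivery lines are skipped."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            yield m.groupdict()


def find_arrival(log_text, msg_id):
    """Same as `grep <msg_id> exim_mainlog`, keeping only the arrival record,
    which is the line that carries the authenticated account and client IP."""
    for rec in parse_arrivals(log_text):
        if rec["id"] == msg_id:
            return rec
    return None


def suspicious_auth_users(log_text):
    """Count authenticated submissions whose envelope sender domain is not the
    authenticated account's domain (the spoofed-From pattern in this thread)."""
    counts = Counter()
    for rec in parse_arrivals(log_text):
        if not rec["auth_user"]:
            continue  # unauthenticated or local submission, no account to blame
        from_dom = rec["env_from"].rpartition("@")[2].lower()
        auth_dom = rec["auth_user"].rpartition("@")[2].lower()
        if from_dom != auth_dom:
            counts[rec["auth_user"]] += 1
    return counts
```

Run it against a real log with `find_arrival(open("/var/log/exim_mainlog").read(), "<id>")`; the `auth_user` value is the account whose password needs to be changed, and `suspicious_auth_users` ranks the accounts to look at first.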