The Community Forums

Interact with an entire community of cPanel & WHM users!

Exim Configuration Settings to prevent outgoing spam

Discussion in 'Security' started by transcendev, Apr 16, 2014.

  1. transcendev

    transcendev Member

    Joined:
    Apr 16, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I've had some problems in the past few months with my server being used to relay spam messages.

    I made some changes to the Exim configuration that I hope will prevent further issues, but would love to hear some recommendations on what the best settings are in there since even the "basic" settings panel has about a hundred different things you can change.

    I turned on SPF failure rejection and DKIM verification... not sure if that will help anything.
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    56
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    As far as settings to limit outgoing spam, in WHM >> Tweak Settings >> Mail:

    "Max hourly emails per domain" - (set to a reasonable value higher than you think a legitimate user will send)

    "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" (Turn this on, UNLESS you use CSF, in which case use CSF's SMTP_BLOCK option)

    "Maximum percentage of failed or deferred messages a domain may send per hour" (turn this on, I recommend 30%)

    That being said, I deal with many spam issues on a daily basis. The vast majority of outbound spam I see from cPanel hosts, aside from fraudulent customers who sign up to send spam (and are quickly caught), is done through either weak/stolen e-mail passwords or outdated CMSes that were hacked. Make sure your users are keeping software up to date.

    I recommend also setting the minimum password strength requirements in WHM to 75% for all services. This helps prevent weak e-mail passwords (like test / test accounts).
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    667
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  4. transcendev

    transcendev Member

    Joined:
    Apr 16, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks, guys. I've taken all of these precautions already and still have email being relayed through the server. I have CSF installed and the SMTP_BLOCK option turned on. I even have CSF's mailscanner installed. I've got what most would consider pretty harsh limits for emails per hour set at only 50 per hour. There aren't many sites on the server that actually use it for email service, most use Google Apps.

    I would be inclined to believe that there is a stolen password somewhere, except that the domain the emails are going out on has no email accounts on it. It had some forwarders, which I've deleted. I've also deleted the MX record for the domain since it does not require email service of any kind.

    What I can't understand is how there isn't some sort of simple security setting that can tell the server if the "from" domain name is not on the server, don't send it. All of these emails are being sent "from" @aol.com addresses... which is a domain clearly not on the server.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    667
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Have you reviewed the message headers from any of the messages sent out to determine the source of the SPAM?

    Thank you.
     
  6. transcendev

    transcendev Member

    Joined:
    Apr 16, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I haven't, I've been so concerned with trying to figure out how they're continuing to leave the server. I'm not entirely sure how to prevent emails from leaving with a certain spam score either though. Is that a SpamAssassin thing?

    What I have seen is that it appears to be remote smtp connections and they're being "authenticated" using an email account that isn't even on the server. It's an email account for a domain that uses Google Apps. So, I have no idea how the server is allowing that to happen.

    - - - Updated - - -

    This is one of the emails that went out. I've removed the to/from addresses so that I don't expose anyone's address.
    Maybe someone else can see something in this information that I'm not seeing.

    Code:
    Date: Wed, 17 Apr 2014 05:18:28 +0100
    From: xxxxxxxxx@aol.com <xxxxxxxxxxx@aol.com>
    To: [there were about 20+ email addresses in the TO field that I removed]
    Subject: Fw: link
    Content-Type: multipart/alternative;
     boundary="----=_NextPart_000_BE72_202A399C.4CB5CF93"
    Importance: Normal
    Message-ID: <4d5e7da5e29c$50b4421a$edc9432a$@aol.com <xxxxxxxxxxxxx@aol.com>
    MIME-Version: 1.0
    Received: from [37.105.xx.xx] (port=52446 helo=domain.com)
     by host3.domain.com with esmtpa (Exim 4.82)
     (envelope-from <user@aol.com>)
     id 1Wap1H-002XGG-9h; Thu, 17 Apr 2014 11:18:35 -0500
    X-cPanel-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
    X-cPanel-MailScanner-From: xxxxxxxxxxxx@aol.com
    X-cPanel-MailScanner-ID: 1Wap1H-002XGG-9h
    X-cPanel-MailScanner-Information: Please contact the ISP for more information
    X-cPanel-MailScanner-SpamCheck:
    X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
    X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3522.110
    X-MSMail-Priority: Normal
    X-Priority: 3
    X-Spam-Status: No
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    667
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You must enable SpamAssassin for outgoing email via the following option in "WHM Home » Service Configuration » Exim Configuration Manager":

    "Scan outgoing messages for spam and reject based on SpamAssassin® internal spam_score setting"

    Thank you.
     
  8. transcendev

    transcendev Member

    Joined:
    Apr 16, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thank you! I've made that change. Crossing my fingers that it stops this activity.
     
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    56
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Code:
    grep 1Wap1H-002XGG-9h /var/log/exim_mainlog
    The "From" can be spoofed (obviously you don't host AOL). I just saw this same spam attack on another server an hour ago, and it's a compromised e-mail account.

    The first line returned from the above grep command should give you something like courier_login or dovecot_plain with a legitimate e-mail after it. That's the hacked account.

    If the logs rotated out, check zgrep 1Wap1H-002XGG-9h /var/log/exim_mainlog*
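The lookup described in the post above, as an added worked example that is not part of the thread and not cPanel's own tooling: an Exim "<=" (message arrival) log line records the SMTP AUTH credential used to submit the message in its A= field (for example A=dovecot_login:account@domain), so the authenticated account is the one to reset, regardless of the spoofed From address. The log lines below are constructed samples in the exim_mainlog layout; the IP, account names and the second message ID are made up.

```shell
#!/bin/sh
# Added example: identify the SMTP AUTH account behind an outbound message by
# parsing the A= field of its "<=" line in exim_mainlog. Not part of the thread.

# Constructed sample log standing in for /var/log/exim_mainlog. Only the first
# message ID comes from the thread; everything else here is made up.
SAMPLE_LOG='2014-04-17 11:18:35 1Wap1H-002XGG-9h <= user@aol.com H=(domain.com) [37.105.0.1]:52446 P=esmtpa A=dovecot_login:shop@example-customer.com S=4321 id=4d5e7da5e29c$50b4421a$edc9432a$@aol.com T="Fw: link" for victim1@example.net
2014-04-17 11:18:36 1Wap1H-002XGG-9h => victim1@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.10]
2014-04-17 11:18:36 1Wap1H-002XGG-9h Completed
2014-04-17 11:20:02 1Wap2x-000ABC-Df <= bounce@example.org H=webmail.example.org [198.51.100.7]:25 P=esmtps X=TLSv1:AES256-SHA:256 S=1200 id=abc@example.org
2014-04-17 11:25:10 1Wap7q-000XYZ-Qr <= user@aol.com H=(domain.com) [37.105.0.1]:52501 P=esmtpa A=dovecot_login:shop@example-customer.com S=4300 id=def@aol.com T="Fw: link" for victim2@example.net'

# Write the sample to a temp file so the functions take a real log path.
# (Kept in place rather than removed, so the usage calls below can read it.)
LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"

# find_auth_account <message-id> <logfile>
# Prints "<authenticator>:<account>" for the message's arrival line, or
# nothing if the message was not submitted via SMTP AUTH (no A= field).
# For rotated, gzipped logs replace grep with zgrep as the post suggests.
find_auth_account() {
    msgid="$1"; logfile="$2"
    grep -h " $msgid <= " "$logfile" 2>/dev/null \
        | sed -n 's/.* A=\([^ ]*\).*/\1/p' \
        | head -n 1
}

# auth_sender_counts <logfile>
# Counts message arrivals per authenticated account, busiest first, which is
# the quickest way to spot a single account pushing out a flood of mail.
auth_sender_counts() {
    grep -h ' <= .* A=' "$1" 2>/dev/null \
        | sed -n 's/.* A=[^: ]*:\([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# top_auth_sender <logfile>
# Returns just the busiest authenticated account from auth_sender_counts.
top_auth_sender() {
    auth_sender_counts "$1" | head -n 1 | awk '{print $2}'
}

# Usage: the message ID from the thread's header, then the per-account totals.
find_auth_account 1Wap1H-002XGG-9h "$LOGFILE"
auth_sender_counts "$LOGFILE"
```

On a live server the same functions run against /var/log/exim_mainlog directly; once the account is known, resetting its password and checking the client IPs in the matching lines is the usual next step before re-enabling it.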
     