
Exim sending spam as relay authenticated by deleted account?

Discussion in 'E-mail Discussions' started by robertjw, Apr 21, 2014.

  1. robertjw

    robertjw Member

    Joined:
    Oct 18, 2013
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    My server has been sending spam this morning and I'm stumped as to where it's coming from. Log entries look like this:

    Code:
    2014-04-21 12:53:03 1WcIOs-00006Q-Hl <= senderaddress@aol.com H=(foo.com) [190.18.xx.xx]:2578 P=esmtpa A=dovecot_plain:olduser@foo.com S=5777 T="Fw: News" for otheruser@hotmail.com otheruser@sbcglobal.net otheruser@yahoo.com etc...
    
    olduser@foo.com was an address on an account, but those email addresses have all been moved to outlook.com and deleted from cpanel.

    Tried the following:

    Changed foo.com password
    Restarted Exim
    Blocked IP addresses - mail keeps being sent out from new IPs
    Reviewed mail headers from queue

    I can't understand why it is showing authentication from a removed address. Any thoughts?

    Thanks!
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Just curious - when you're on this server, what happens when you send an email to olduser@foo.com?
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Have you verified those email addresses have been deleted, and the email address you see in the logs is not the account username?

    Thank you.
     
  4. robertjw

    robertjw Member

    Joined:
    Oct 18, 2013
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I verified the email addresses were removed from the cPanel interface. Is there another way to verify the addresses have been deleted?

    I sent a test email from the server and the exim log files show it being delivered to outlook.com (1cb6093de6c287409c0b8e7755b434.pamx1.hotmail.com) as it should be.

    I fixed the problem by adding the account back in and changing the password. That disabled the spammer's access.

    Does that account somehow still exist if it has been deleted in the cPanel? There is still old mail in that account now that I have reactivated it. Is there a way to completely delete an email account?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    SMTP authentication should fail if the email account does not exist. Have you been able to verify that SMTP authentication is possible with the deleted email accounts, and that the sent messages are not simply spoofing the address?

    Thank you.
     
  6. robertjw

    robertjw Member

    Joined:
    Oct 18, 2013
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    The address has been added back in and password reset, so I can't test to see if I can authenticate this email again.

    If the A parameter in the Exim log lists the user@foo.com address, doesn't that verify it was working?

    A=dovecot_plain:user@foo.com

    Spam was being relayed through my server, it popped up on my Spamcop monitor. Spoofing should allow mail to be relayed. After adding the account back in and setting a new password the relaying has stopped. I've had this message in the log files 58 times since then (for a variety of IP addresses).

    2014-04-22 17:20:15 dovecot_plain authenticator failed for (foo.com) [78.188.35.189]:4612: 535 Incorrect authentication data (set_id=user@foo.com)

    I attempted to login to one of the other old accounts on this domain and was not able to, but I may not have accurate password data. These accounts were all moved off this server over a year ago.
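A small log-audit script, added here as an example and not taken from the thread or from cPanel, that parses the two shapes of Exim mainlog line quoted in this thread (accepted `<=` lines carrying `P=esmtpa A=dovecot_plain:user` and `authenticator failed ... 535` lines) and flags authenticated submissions whose login is not in an admin-supplied set of active accounts. The sample lines, IP addresses and the `ACTIVE_ACCOUNTS` set are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Exim mainlog format, modelled on the entries
# quoted in this thread (addresses and IPs are placeholders).
SAMPLE_LOG = """\
2014-04-21 12:53:03 1WcIOs-00006Q-Hl <= senderaddress@aol.com H=(foo.com) [198.51.100.7]:2578 P=esmtpa A=dovecot_plain:olduser@foo.com S=5777 T="Fw: News" for otheruser@hotmail.com
2014-04-21 12:54:10 1WcIPz-00006R-Ab <= alice@foo.com H=(laptop) [203.0.113.9]:51234 P=esmtpa A=dovecot_plain:alice@foo.com S=1201 T="Hello" for bob@example.net
2014-04-22 17:20:15 dovecot_plain authenticator failed for (foo.com) [192.0.2.44]:4612: 535 Incorrect authentication data (set_id=olduser@foo.com)
2014-04-22 17:21:02 dovecot_plain authenticator failed for (foo.com) [192.0.2.44]:4620: 535 Incorrect authentication data (set_id=olduser@foo.com)
"""

# Mailboxes the admin still expects to exist on the server (assumed for the example).
ACTIVE_ACCOUNTS = {"alice@foo.com"}

# Accepted message: "<=" line with source IP, protocol and the A=<authenticator>:<login> field.
ACCEPT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \S+ <= \S+ .*?\[(?P<ip>[^\]]+)\]:\d+ P=(?P<proto>\S+) '
    r'A=(?P<authr>[^:\s]+):(?P<user>\S+)')
# Failed SMTP AUTH attempt: the 535 line with the attempted login in set_id=.
FAIL_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<authr>\S+) authenticator failed for .*?\[(?P<ip>[^\]]+)\]:\d+: '
    r'535 .*\(set_id=(?P<user>[^)]+)\)')


def audit_exim_log(text, active_accounts):
    """Return (suspicious_submissions, failed_auth_counts).

    suspicious_submissions: (timestamp, ip, login) for every authenticated
    submission (P=esmtpa/esmtpsa) whose login is not an active account, which
    is the "deleted account still authenticating" symptom from this thread.
    failed_auth_counts: Counter keyed by (ip, login) of 535 failures, the
    pattern the author saw once the password had been changed.
    """
    suspicious = []
    failures = Counter()
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            if m["proto"] in ("esmtpa", "esmtpsa") and m["user"] not in active_accounts:
                suspicious.append((m["ts"], m["ip"], m["user"]))
            continue
        m = FAIL_RE.match(line)
        if m:
            failures[(m["ip"], m["user"])] += 1
    return suspicious, failures


if __name__ == "__main__":
    sus, fails = audit_exim_log(SAMPLE_LOG, ACTIVE_ACCOUNTS)
    for ts, ip, user in sus:
        print(f"{ts} authenticated submission by unexpected login {user} from {ip}")
    for (ip, user), n in fails.items():
        print(f"{n} failed logins for {user} from {ip}")
```

Run against the real `/var/log/exim_mainlog` with the server's current mailbox list as `active_accounts`; a non-empty first result means a login the server should no longer have is still being accepted, which is the condition to raise in a support ticket.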
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I have not been able to reproduce the ability to authenticate with a deleted email account. Feel free to let us know if you can reproduce this issue with other email accounts on your system. You can open a support ticket and we can take a closer look.

    Thank you.
     