Exim sending spam as relay authenticated by deleted account?

[robertjw]

My server has been sending spam this morning and I'm stumped as to where it's coming from. Log entries' look like this

2014-04-21 12:53:03 1WcIOs-00006Q-Hl <= [email protected] H=(foo.com) [190.18.xx.xx]:2578 P=esmtpa [email protected] S=5777 T="Fw: News" for [email protected] [email protected] [email protected] etc...

[email protected] was an address on an account, but those email addresses have all been moved to outlook.com and deleted from cpanel.

Tried the following:

Changed foo.com password
Restarted Exim
Blocked IP addresses - mail keeps being sent out from new IPs
Reviewed mail headers from queue

I can't understand why it is showing authentication from a removed address? Any thoughts?

Thanks!

 

[vanessa]

Just curious - when you're on this server, what happens when you send an email to [email protected]?

 

[cPanelMichael]

[email protected] was an address on an account, but those email addresses have all been moved to outlook.com and deleted from cpanel.

Have you verified those email addresses have been deleted, and the email address you see in the logs is not the account username?

Thank you.

 

[robertjw]

I verified the email addresses were removed from the cPanel interface. Is there another way to verify the addresses have been deleted?

I sent a test email from the server and the exim log files show it being delivered to outlook.com (1cb6093de6c287409c0b8e7755b434.pamx1.hotmail.com) as it should be.

I fixed the problem by adding the account back in and changing the password. That disabled the spammers access.

Does that account somehow still exist if it has been deleted in the cPanel? There is still old mail in that account now that I have reactivated it. Is there a way to completely delete an email account?

 

[cPanelMichael]

SMTP authentication should fail if the email account does not exist. Have you been able to verify that SMTP authentication is possible with the deleted email accounts, and that the sent messages are not simply spoofing the address?

Thank you.

 

[robertjw]

The address has been added back in and password reset, so I can't test to see if I can authenticate this email again.

If the A parameter in the Exim log lists the [email protected] address, doesn't that verify it was working?

A=dovecot_plain:[email protected]

Spam was being relayed through my server, it popped up on my Spamcop monitor. Spoofing should allow mail to be relayed. After adding the account back in and setting a new password the relaying has stopped. I've had this message in the log files 58 times since then (for a variety of IP addresses).

2014-04-22 17:20:15 dovecot_plain authenticator failed for (foo.com) [78.188.35.189]:4612: 535 Incorrect authentication data ([email protected])

I attempted to login to one of the other old accounts on this domain and was not able to, but I may not have accurate password data. These accounts were all moved off this server over a year ago.

 

[cPanelMichael]

I have not been able to reproduce the ability to authenticate with a deleted email account. Feel free to let us know if you can reproduce this issue with other email accounts on your system. You can open a support ticket and we can take a closer look.

Thank you.