Exim_mainlog - e-mail account breached

Discussion in 'E-mail Discussions' started by StelarBlack, Jan 14, 2015.

  1. StelarBlack

    StelarBlack Member

    Hi, I have noticed strange behaviour while reading my exim_mainlog, but I am not sure what is actually happening. The mail queue is getting full; when I investigated the case, I changed the e-mail password for the suspicious account, and the problem is still present. I have a mail queue full of spam messages, like this:

    This message was created automatically by mail delivery software.
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
        Domain [redacted] has exceeded the max defers and failures per hour (5/5 (17%)) allowed. Message discarded.
    ------ This is a copy of the message, including all the headers. ------
    Return-path: <[redacted]>
    Received: from [redacted] (port=51089)
    	by [redacted] with esmtpa (Exim 4.84)
    	(envelope-from <[redacted]>)
    	id 1YBJnJ-0006h0-6n
    	for [redacted]; Wed, 14 Jan 2015 09:59:17 +0100
    Content-Type: text/plain; charset="iso-8859-1"
    MIME-Version: 1.0
    Content-Transfer-Encoding: quoted-printable
    Content-Description: Mail message body
    Subject: Settlement
    From: "IMF" <[redacted]>
    Date: Wed, 14 Jan 2015 02:58:45 -0600
    And then a lot of similar logs:

    2015-01-14 09:57:50 1YBJlu-0006h0-Lz <= [redacted] H=([redacted]) [redacted]:51089 P=esmtpa S=2057 T="Settlement" for [redacted]
    What is concerning me is that I am not sure whether that mailbox is breached and sending a lot of spam to random e-mail addresses. How can I find out what is actually happening?
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You may want to try running the following command to see if any scripts in your /home directory are sending out email:

    awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
    Thank you.
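As an added example (not from this thread or from cPanel), the script below runs the awk check from the reply above against a constructed exim_mainlog excerpt and adds two companion checks for the case in the original post, where the spam arrived over authenticated SMTP (P=esmtpa) rather than from a script: messages per authenticated account (the A= field) and distinct client IPs per account. The log lines, account names, paths and IP addresses are all made up.

```sh
# Constructed exim_mainlog excerpt (sample data, not from this thread): three
# messages accepted over authenticated SMTP from two client IPs, plus two
# messages injected by a script under /home, which cPanel records as a
# separate "cwd=" line before the "<=" line.
EXIM_LOG="$(mktemp)"
trap 'rm -f "$EXIM_LOG"' EXIT
cat > "$EXIM_LOG" <<'EOF'
2015-01-14 09:57:50 1YBJlu-0006h0-Lz <= user@example.com H=(WIN-PC) [203.0.113.5]:51089 P=esmtpa A=dovecot_login:user@example.com S=2057 T="Settlement" for a@example.net
2015-01-14 09:57:52 1YBJlw-0006h0-Mx <= user@example.com H=(WIN-PC) [203.0.113.5]:51090 P=esmtpa A=dovecot_login:user@example.com S=2060 T="Settlement" for b@example.net
2015-01-14 09:58:01 1YBJm5-0006h0-Nq <= user@example.com H=(hostb) [198.51.100.7]:40011 P=esmtpa A=dovecot_login:user@example.com S=2058 T="Settlement" for c@example.net
2015-01-14 10:01:10 cwd=/home/site/public_html/wp-content 3 args: /usr/sbin/sendmail -t -i
2015-01-14 10:01:10 1YBJpG-0006h0-Pa <= site@server.example U=site P=local S=1500 T="Hello" for d@example.net
2015-01-14 10:01:12 cwd=/home/site/public_html/wp-content 3 args: /usr/sbin/sendmail -t -i
2015-01-14 10:01:12 1YBJpI-0006h0-Pb <= site@server.example U=site P=local S=1500 T="Hello" for e@example.net
EOF

# The check from the reply: messages injected per script directory.
# Output is "count cwd=/path", one line per directory, smallest count first.
count_script_cwds() {
    awk '/cwd=\/home\// {print $3}' "$1" | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Messages accepted via authenticated SMTP, counted per account taken from the
# A=<mechanism>:<account> field. Volume here rather than under cwd= means the
# mailbox credentials are being used, not a script on disk.
count_auth_accounts() {
    awk '/ <= / && /P=esmtpa/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^A=/) { sub(/^A=[^:]*:/, "", $i); print $i }
         }' "$1" | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Distinct client IPs per authenticated account (IP is the "[addr]:port" token).
# One mailbox used from several unrelated addresses within minutes is the usual
# signature of a stolen password rather than of the owner's mail client.
count_auth_ips() {
    awk '/ <= / && /P=esmtpa/ {
            acct = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^A=/) { acct = $i; sub(/^A=[^:]*:/, "", acct) }
                if (substr($i, 1, 1) == "[") { split(substr($i, 2), p, "]"); ip = p[1] }
            }
            if (acct != "" && ip != "") print acct, ip
         }' "$1" | sort -u | awk '{print $1}' | uniq -c | sort -n | awk '{print $1, $2}'
}

count_script_cwds "$EXIM_LOG"
count_auth_accounts "$EXIM_LOG"
count_auth_ips "$EXIM_LOG"
```

On a live server replace the sample file with /var/log/exim_mainlog; a large count from a single A= account spread over many IPs is the pattern to act on first.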
