The Community Forums

Exim_mainlog - e-mail account breached

Discussion in 'E-mail Discussions' started by StelarBlack, Jan 14, 2015.

  1. StelarBlack (Member; cPanel Access Level: Root Administrator)

    Hi, I have noticed strange behaviour when reading my exim_mainlog, but I am not sure what is actually happening. The mail queue is getting full; when I investigated the case, I changed the e-mail password for the suspicious account, and the problem is still present. I have a mail queue full of spam messages, like this:

    Code:
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

      cubanaballer_21@yahoo.com
        Domain myuserdomain.com has exceeded the max defers and failures per hour (5/5 (17%)) allowed. Message discarded.

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <mailto@suspiciousdomain.org>
    Received: from [74.208.64.163] (port=51089)
    	by myhostname.example.com with esmtpa (Exim 4.84)
    	(envelope-from <mailto@suspiciousdomain.org>)
    	id 1YBJnJ-0006h0-6n
    	for cubanaballer_21@yahoo.com; Wed, 14 Jan 2015 09:59:17 +0100
    Content-Type: text/plain; charset="iso-8859-1"
    MIME-Version: 1.0
    Content-Transfer-Encoding: quoted-printable
    Content-Description: Mail message body
    Subject: Settlement
    To: cubanaballer_21@yahoo.com
    From: "IMF" <mailto@suspiciousdomain.org>
    Date: Wed, 14 Jan 2015 02:58:45 -0600
    Reply-To: ept19012@r7.com
    And then a lot of similar log lines:

    Code:
    2015-01-14 09:57:50 1YBJlu-0006h0-Lz <= mailto@suspiciousdomain.org H=([74.208.64.163]) [74.208.64.163]:51089 P=esmtpa A=dovecot_login:myuser@myuserdomain.com S=2057 T="Settlement" for cthoj@yahoo.com
    What concerns me is that I am not sure whether that mailbox is breached and sending a lot of spam to random e-mails. How can I find out what is actually happening?
     
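An added example, not part of the thread and not cPanel's own tooling: a POSIX shell script that digests the `<=` (message arrival) lines of an Exim main log, groups them by the authenticated account carried in the `A=dovecot_login:` / `A=dovecot_plain:` tag shown in the log line above, and reports per account the message count, the number of distinct source IPs and the number of distinct recipients. The sample log lines are constructed to match the format in the post; the function names, the `EXIM_MAINLOG` variable and the file layout are assumptions. The reading of the output is the usual triage heuristic: a legitimate mailbox sends a handful of messages from one or two addresses, while a breached one shows a high count and, often, several unrelated source IPs and many unrelated recipients.

```shell
#!/bin/sh
# Added example (not from the thread): summarise authenticated SMTP senders in an
# Exim main log so a breached mailbox stands out. Assumes cPanel's default
# "<=" arrival line format with "A=<authenticator>:<user>" and "[ip]:port" fields.

# write_sample_log PATH
# Writes constructed sample lines (not real server data) in the same format as
# the line quoted in the post: three from one account over two IPs, one from a
# normal user, one unauthenticated inbound message and one delivery "=>" line.
write_sample_log() {
cat > "$1" <<'EOF'
2015-01-14 09:57:50 1YBJlu-0006h0-Lz <= mailto@suspiciousdomain.org H=([74.208.64.163]) [74.208.64.163]:51089 P=esmtpa A=dovecot_login:myuser@myuserdomain.com S=2057 T="Settlement" for cthoj@yahoo.com
2015-01-14 09:58:12 1YBJmG-0006h3-Qa <= mailto@suspiciousdomain.org H=([74.208.64.163]) [74.208.64.163]:51102 P=esmtpa A=dovecot_login:myuser@myuserdomain.com S=2061 T="Settlement for you" for cubanaballer_21@yahoo.com
2015-01-14 09:59:03 1YBJn5-0006h7-Hx <= mailto@suspiciousdomain.org H=([203.0.113.45]) [203.0.113.45]:40211 P=esmtpa A=dovecot_plain:myuser@myuserdomain.com S=2049 T="Settlement" for jdoe@example.net
2015-01-14 10:01:30 1YBJpV-0006hB-2k <= alice@myuserdomain.com H=(laptop.lan) [198.51.100.7]:52210 P=esmtpsa A=dovecot_login:alice@myuserdomain.com S=1320 T="Re: invoice" for bob@example.org
2015-01-14 10:02:44 1YBJqf-0006hF-7m <= newsletter@example.com H=mail.example.com [192.0.2.10]:34120 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=5120 T="Weekly digest" for alice@myuserdomain.com
2015-01-14 10:02:45 1YBJqf-0006hF-7m => alice <alice@myuserdomain.com> R=virtual_user T=dovecot_virtual_delivery
EOF
}

# auth_summary LOGFILE
# Prints one line per authenticated account, busiest first:
#   <messages> <account> <distinct source IPs> <distinct recipients>
auth_summary() {
    awk '
        # Only arrival lines that carry an SMTP AUTH tag matter here; inbound
        # mail and local deliveries have no A= field and are skipped.
        / <= / && / A=[a-z_]+:/ {
            # Drop the quoted subject first: it may contain spaces (or the
            # word "for"), which would otherwise corrupt the field parsing.
            sub(/ T="[^"]*"/, "")
            user = ""; ip = ""; inrcpt = 0; n = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^A=[a-z_]+:/) { user = $i; sub(/^A=[a-z_]+:/, "", user) }
                else if ($i ~ /^\[[0-9.]+\]:[0-9]+$/) { ip = $i; sub(/^\[/, "", ip); sub(/\]:[0-9]+$/, "", ip) }
                else if ($i == "for") { inrcpt = 1 }
                else if (inrcpt) { r[++n] = $i }      # every field after "for" is a recipient
            }
            if (user == "") next
            count[user]++
            if (!((user, ip) in iseen)) { iseen[user, ip] = 1; ips[user]++ }
            for (j = 1; j <= n; j++)
                if (!((user, r[j]) in rseen)) { rseen[user, r[j]] = 1; rcpts[user]++ }
        }
        END {
            for (u in count) printf "%d %s %d %d\n", count[u], u, ips[u], rcpts[u]
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# Run against the real log when EXIM_MAINLOG is set (on cPanel that is
# /var/log/exim_mainlog); otherwise run against the constructed sample.
if [ -n "${EXIM_MAINLOG:-}" ]; then
    auth_summary "$EXIM_MAINLOG"
else
    SAMPLE=$(mktemp)
    write_sample_log "$SAMPLE"
    auth_summary "$SAMPLE"
    rm -f "$SAMPLE"
fi
```

Run it as `EXIM_MAINLOG=/var/log/exim_mainlog sh auth_summary.sh`. On the sample it prints `3 myuser@myuserdomain.com 2 3` first: one account, two source IPs, three unrelated recipients in two minutes, which is the pattern to look for. Once an account is identified, the same log line gives the source IPs to block or to compare with the user's usual location; a password change alone does not clear the messages already queued, so the queue still needs to be cleaned separately.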
  2. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)
    Hello :)

    You may want to try running the following command to see if any scripts in your /home directory are sending out email:

    Code:
    awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
    Thank you.
     