

Exim_mainlog - e-mail account breached

Discussion in 'E-mail Discussion' started by StelarBlack, Jan 14, 2015.

  1. StelarBlack

    StelarBlack Member

    Joined:
    Dec 7, 2014
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi, I have noticed strange behaviour while reading my exim_mainlog, but I am not sure what is actually happening. The mail queue is getting full. When I investigated the case, I changed the e-mail password for the suspicious account, and the problem is still present. I have a mail queue full of spam messages, like this:

    Code:
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
      cubanaballer_21@yahoo.com
        Domain myuserdomain.com has exceeded the max defers and failures per hour (5/5 (17%)) allowed. Message discarded.
    
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <mailto@suspiciousdomain.org>
    Received: from [74.208.64.163] (port=51089)
    	by myhostname.example.com with esmtpa (Exim 4.84)
    	(envelope-from <mailto@suspiciousdomain.org>)
    	id 1YBJnJ-0006h0-6n
    	for cubanaballer_21@yahoo.com; Wed, 14 Jan 2015 09:59:17 +0100
    Content-Type: text/plain; charset="iso-8859-1"
    MIME-Version: 1.0
    Content-Transfer-Encoding: quoted-printable
    Content-Description: Mail message body
    Subject: Settlement   
    To: cubanaballer_21@yahoo.com
    From: "IMF" <mailto@suspiciousdomain.org>
    Date: Wed, 14 Jan 2015 02:58:45 -0600
    Reply-To: ept19012@r7.com
    And then a lot of similar logs:

    Code:
    2015-01-14 09:57:50 1YBJlu-0006h0-Lz <= mailto@suspiciousdomain.org H=([74.208.64.163]) [74.208.64.163]:51089 P=esmtpa A=dovecot_login:myuser@myuserdomain.com S=2057 T="Settlement" for cthoj@yahoo.com
    What concerns me is that I am not sure whether that mailbox is breached and sending a lot of spam to random e-mails. How can I find out what is actually happening?
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,441
    Likes Received:
    1,961
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    You may want to try running the following command to see if any scripts in your /home directory are sending out email:

    Code:
    awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
    Thank you.
     
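The log line in the first post already carries the two fields that answer the question: `P=esmtpa` says the message was accepted over SMTP AUTH, and `A=dovecot_login:myuser@myuserdomain.com` names the account whose password was used, while `cwd=/home/...` records (the ones the awk one-liner above counts) point at scripts instead. The script below is an added example, not code from this thread or from cPanel; it parses constructed exim_mainlog lines in those two shapes and reports, per authenticated login, how many messages were accepted, from which source IPs, and to how many distinct recipients, plus a count per web directory for script-originated mail. The log lines, IP addresses (documentation ranges) and the flagging threshold are all made up for illustration.

```python
"""Summarise exim_mainlog acceptance records to spot an abused mail account.

Added example (not from the forum thread or cPanel). It understands the
"<=" acceptance record shown in the post and the "cwd=/home/..." record
produced when a script under /home calls sendmail. Sample lines and the
threshold are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# "<=" acceptance record: timestamp, message id, envelope sender, then
# free-form key=value fields (H=, P=, A=, S=, T=) and "for <recipients>".
ACCEPT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) '
    r'(?P<rest>.*)$'
)
# The connecting client's IP is the bracketed address that carries a port.
IP_PORT_RE = re.compile(r'\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:\d+')
# Single-letter Exim fields; T="..." is quoted and may contain spaces.
FIELD_RE = re.compile(r'(?:^|\s)(?P<key>[A-Z])=(?P<val>"[^"]*"|\S+)')
# Record written when a local process under /home invokes sendmail.
CWD_RE = re.compile(r'^\S+ \S+ cwd=(?P<cwd>/home/\S+)')


def parse_accept(line):
    """Return a dict for a '<=' record, or None for any other line."""
    m = ACCEPT_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    ip = IP_PORT_RE.search(rest)
    # Drop the quoted subject before looking for " for ", so a subject that
    # happens to contain the word "for" cannot be mistaken for the recipient.
    without_subject = re.sub(r'T="[^"]*"', '', rest)
    rcpt = without_subject.rsplit(' for ', 1)[1].strip() if ' for ' in without_subject else None
    return {
        'id': m.group('id'),
        'sender': m.group('sender'),
        'ip': ip.group('ip') if ip else None,
        'proto': fields.get('P'),       # esmtpa / esmtpsa = authenticated
        'auth': fields.get('A'),        # e.g. dovecot_login:user@example.com
        'subject': fields.get('T'),
        'rcpt': rcpt,
    }


def summarize(log_text, threshold=20):
    """Count accepted messages per authenticated login, per client IP and per
    script directory; flag logins with at least `threshold` messages."""
    by_auth, by_ip, by_cwd = Counter(), Counter(), Counter()
    ips_for_auth, rcpts_for_auth = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        cwd = CWD_RE.match(line)
        if cwd:
            by_cwd[cwd.group('cwd')] += 1
            continue
        rec = parse_accept(line)
        if rec is None:
            continue
        if rec['ip']:
            by_ip[rec['ip']] += 1
        if rec['auth']:
            by_auth[rec['auth']] += 1
            if rec['ip']:
                ips_for_auth[rec['auth']].add(rec['ip'])
            if rec['rcpt']:
                rcpts_for_auth[rec['auth']].add(rec['rcpt'])
    flagged = [
        {'auth': a, 'messages': n, 'source_ips': sorted(ips_for_auth[a]),
         'distinct_recipients': len(rcpts_for_auth[a])}
        for a, n in by_auth.most_common() if n >= threshold
    ]
    return {'by_auth': by_auth, 'by_ip': by_ip, 'by_cwd': by_cwd, 'flagged': flagged}


# Constructed sample log (hypothetical ids, recipients and documentation-range IPs).
SAMPLE_LOG = """\
2015-01-14 09:57:50 1YBJlu-0006h0-Lz <= mailto@suspiciousdomain.org H=([198.51.100.7]) [198.51.100.7]:51089 P=esmtpa A=dovecot_login:myuser@myuserdomain.com S=2057 T="Settlement" for cthoj@yahoo.com
2015-01-14 09:57:51 1YBJlv-0006h0-M0 <= mailto@suspiciousdomain.org H=([198.51.100.7]) [198.51.100.7]:51089 P=esmtpa A=dovecot_login:myuser@myuserdomain.com S=2061 T="Settlement" for bob@example.net
2015-01-14 09:57:52 1YBJlw-0006h0-M1 <= mailto@suspiciousdomain.org H=([198.51.100.7]) [198.51.100.7]:51090 P=esmtpa A=dovecot_login:myuser@myuserdomain.com S=2058 T="Settlement" for carol@example.org
2015-01-14 09:57:53 1YBJlx-0006h0-M2 <= mailto@suspiciousdomain.org H=([203.0.113.5]) [203.0.113.5]:40012 P=esmtpa A=dovecot_login:myuser@myuserdomain.com S=2060 T="Settlement" for dave@example.com
2015-01-14 09:58:10 1YBJmE-0006h0-N3 <= alice@myuserdomain.com H=([192.0.2.10]) [192.0.2.10]:55021 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:alice@myuserdomain.com S=1200 T="Re: invoice" for partner@example.net
2015-01-14 09:58:30 1YBJmY-0006h0-O4 <= someone@external.example H=mx.external.example [192.0.2.77]:25 P=esmtp S=3400 T="Hello" for alice@myuserdomain.com
2015-01-14 09:59:00 1YBJn1-0006h0-P5 => cthoj@yahoo.com R=lookuphost T=remote_smtp H=mta.yahoo.example [192.0.2.200]
2015-01-14 10:00:00 cwd=/home/myuser/public_html 3 args: /usr/sbin/sendmail -t -i
2015-01-14 10:00:05 cwd=/home/myuser/public_html 3 args: /usr/sbin/sendmail -t -i
"""

if __name__ == '__main__':
    result = summarize(SAMPLE_LOG, threshold=3)
    for entry in result['flagged']:
        print('flagged login:', entry)
    print('script mail per directory:', dict(result['by_cwd']))
```

On a real server, feed it `/var/log/exim_mainlog` and raise the threshold to match normal volume for the account. A login that suddenly shows up with many messages, several unrelated source IPs and a large set of distinct recipients is the signature of a stolen password (the password change alone does not clear mail already sitting in the queue, which is why the queue can stay full afterwards), whereas a climbing `cwd=/home/...` count points at a script under that home directory instead.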