DennisMidjord

Well-Known Member
Sep 27, 2016
Denmark
cPanel Access Level
Root Administrator
Hi,

For a few weeks, we've been having issues with spam that gets forwarded. We're using MailChannels, and according to them, the problem is that a compromised account is used for sending (forwarding spam). We've tried changing passwords for everything on one of the accounts, but it just keeps coming. Here's one of the emails that we've received from MailChannels:
This is an alert about the Sender ID, _forwarded-from|205.201.xxx.51, on your network. The sender _forwarded-from|205.201.xxx.51 is sending SPAM. Some additional information that may assist in tracking down the problem follows.

Time: 1501010136
Originator: _forwarded-from|205.201.xxx.51
Originator Type: Sender ID
Sender ID: _forwarded-from|205.201.xxx.51
Envelope Sender: bounce-mc.us1_92282.339701-info=[removed]
IP: <Our server IP>
Condition: _forwarded-from|205.201.xxx.51 is sending SPAM
The domain [removed] is hosted with us. When we receive one of the alerts, we can see the delivery reports, such as here:

However, I just can't seem to figure out HOW this is sent from several of our clients' accounts. Some days we receive 50 different emails saying that spam is being sent.

Does anyone have a clue?
 

DennisMidjord

Hi Jcats,

Thanks! I've already looked through a bunch of threads and I've dealt with tons of spam before. This time, I've spent weeks trying to find the issue, and I haven't gotten one step closer.
This log is associated with the spam email:
2017-07-25 21:15:28 no host name found for IP address 103.79.141.91
2017-07-25 21:15:33 1da5Ir-0000Yx-FL H=mail51.atl31.mcdlv.net [205.201.134.51]:3935 Warning: Message has been scanned: no virus or other harmful content was found
2017-07-25 21:15:33 1da5Ir-0000Yx-FL <= bounce-mc.us1_92282.339701-info=[removed]@mail51.atl31.mcdlv.net H=mail51.atl31.mcdlv.net [205.201.134.51]:3935 P=esmtp S=35958 id=53a1e972a043d1264ed08$
2017-07-25 21:15:33 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1da5Ir-0000Yx-FL
2017-07-25 21:15:33 1da5Ir-0000Yx-FL SMTP connection identification D=[removed] [email protected][removed] [email protected][removed] M=1da5Ir-0000Yx-FL U=hikeshop ID=1037 B=redirect_resolver
2017-07-25 21:15:33 1da5Ir-0000Yx-FL SMTP connection outbound 1501010133 1da5Ir-0000Yx-FL [removed]
2017-07-25 21:15:33 1da5Ir-0000Yx-FL => info <[removed]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[removed]> uR8qMNWYd1n0CQAAHE1msQ Saved"
2017-07-25 21:15:33 SMTP connection from mail51.atl31.mcdlv.net [205.201.134.51]:3935 closed by QUIT
2017-07-25 21:15:36 1da5Ir-0000Yx-FL ** [removed][removed]R=remoteserver_route T=mailchannels_smtp H=smtp.mailchannels.net [54.70.85.142] X=TLSv1.2:DHE-RSA$
2017-07-25 21:15:36 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1da5Ir-0000Yx-FL
2017-07-25 21:15:36 1da5Iu-0000tm-JG <= <> R=1da5Ir-0000Yx-FL U=mailnull P=local S=37922 T="Mail delivery failed: returning message to sender" for bounce-mc.us1_92282.339701-[removed]
2017-07-25 21:15:36 1da5Ir-0000Yx-FL Completed
2017-07-25 21:15:36 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1da5Iu-0000tm-JG
I don't see anyone log in to the SMTP server. All I see is dovecot_virtual_delivery.

I literally have no idea how I can get further in troubleshooting this issue.
 
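One way to get further with exactly this kind of log, as an added example (this is not code from the thread, from cPanel or from MailChannels): the excerpt above already contains the answer to "how is this leaving from our clients' accounts". The message arrived over SMTP from mail51.atl31.mcdlv.net with no A= field, so nobody authenticated to send it; cPanel's "SMTP connection identification" line attributes it to the account U=hikeshop with B=redirect_resolver, i.e. the account was identified through a redirect (a forwarder) rather than a login; and the same message ID then went back out via R=remoteserver_route T=mailchannels_smtp and was rejected (the ** line), which is what generated the bounce. The script below groups exim_mainlog lines by message ID and flags every message with that shape: a remote, unauthenticated arrival followed by an off-server delivery attempt, tallied per account so the noisiest forwarders surface first. The sample log is constructed from the excerpt's format with placeholder addresses; remote_smtp and the router names other than remoteserver_route are assumptions to adjust to the server's exim.conf.

```python
import re
from collections import defaultdict

# Constructed sample of a cPanel exim_mainlog, modelled on the excerpt quoted in the
# thread. Hostnames, addresses and the laptop IP are placeholders, not real data.
SAMPLE_LOG = """\
2017-07-25 21:15:33 1da5Ir-0000Yx-FL <= bounce-mc.us1_92282.339701-info=hikeshop.example@mail51.atl31.mcdlv.net H=mail51.atl31.mcdlv.net [205.201.134.51]:3935 P=esmtp S=35958 id=53a1e972a043d1264ed08
2017-07-25 21:15:33 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1da5Ir-0000Yx-FL
2017-07-25 21:15:33 1da5Ir-0000Yx-FL SMTP connection identification D=hikeshop.example F=bounce@mail51.atl31.mcdlv.net T=info@hikeshop.example M=1da5Ir-0000Yx-FL U=hikeshop ID=1037 B=redirect_resolver
2017-07-25 21:15:33 1da5Ir-0000Yx-FL => info <info@hikeshop.example> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2017-07-25 21:15:36 1da5Ir-0000Yx-FL ** holiday.cover@gmail.example R=remoteserver_route T=mailchannels_smtp H=smtp.mailchannels.net [54.70.85.142] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256
2017-07-25 21:15:36 1da5Iu-0000tm-JG <= <> R=1da5Ir-0000Yx-FL U=mailnull P=local S=37922 T="Mail delivery failed: returning message to sender"
2017-07-25 21:15:36 1da5Ir-0000Yx-FL Completed
2017-07-25 21:20:01 1da5Nd-0001Ab-Qz <= alice@hikeshop.example H=(laptop) [198.51.100.7]:51234 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 A=dovecot_login:alice@hikeshop.example S=2048
2017-07-25 21:20:02 1da5Nd-0001Ab-Qz => bob@example.net R=remoteserver_route T=mailchannels_smtp H=smtp.mailchannels.net [54.70.85.142]
2017-07-25 21:20:02 1da5Nd-0001Ab-Qz Completed
2017-07-25 21:30:10 1da5Xy-0002Cd-Ab <= news@sender.example H=mx.sender.example [203.0.113.9]:25 P=esmtp S=5000
2017-07-25 21:30:10 1da5Xy-0002Cd-Ab => carol <carol@otherclient.example> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2017-07-25 21:30:10 1da5Xy-0002Cd-Ab Completed
"""

# Exim message IDs look like 1da5Ir-0000Yx-FL: three base-62 groups of 6, 6 and 2 chars.
MSG_ID = r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})"
ARRIVAL_RE = re.compile(r"^\S+ \S+ " + MSG_ID + r" <= (?P<sender>\S+)(?P<rest>.*)$")
DELIVERY_RE = re.compile(r"^\S+ \S+ " + MSG_ID + r" (?P<flag>=>|->|\*\*|==) (?P<rest>.*)$")
IDENT_RE = re.compile(r"^\S+ \S+ " + MSG_ID + r" SMTP connection identification (?P<rest>.*)$")

# mailchannels_smtp / remoteserver_route are the names in the thread's log (a cPanel smart-host
# setup). remote_smtp, dnslookup and lookuphost are assumed names for direct DNS delivery;
# check them against the server's exim.conf before relying on them.
REMOTE_TRANSPORTS = {"remote_smtp", "mailchannels_smtp"}
REMOTE_ROUTERS = {"remoteserver_route", "dnslookup", "lookuphost"}


def _kv(rest, key):
    """Return the value of a space-separated KEY=value field, or None if absent."""
    m = re.search(r"(?:^| )" + re.escape(key) + r"=(\S+)", rest)
    return m.group(1) if m else None


def parse_messages(log_text):
    """Group exim_mainlog lines by message ID into arrival, deliveries and cPanel identification."""
    msgs = defaultdict(lambda: {"arrival": None, "deliveries": [], "ident": {}})
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            rest = m.group("rest")
            msgs[m.group("id")]["arrival"] = {
                "sender": m.group("sender"),
                "host": _kv(rest, "H"),   # only present when the message came in over SMTP
                "auth": _kv(rest, "A"),   # e.g. dovecot_login:user@domain when SMTP AUTH was used
                "protocol": _kv(rest, "P"),
            }
            continue
        m = DELIVERY_RE.match(line)
        if m:
            rest = m.group("rest")
            r = re.match(r"(\S+)(?: <([^>]+)>)?", rest)  # "=> local <addr>" or "=> addr"
            msgs[m.group("id")]["deliveries"].append({
                "status": m.group("flag"),  # => delivered, -> extra rcpt, ** bounced, == deferred
                "recipient": r.group(2) or r.group(1),
                "router": _kv(rest, "R"),
                "transport": _kv(rest, "T"),
            })
            continue
        m = IDENT_RE.match(line)
        if m:
            rest = m.group("rest")
            msgs[m.group("id")]["ident"] = {"account": _kv(rest, "U"), "source": _kv(rest, "B")}
    return msgs


def find_forwarded(log_text):
    """Messages that arrived unauthenticated from a remote host and were then routed back out
    to an off-server recipient: inbound mail the server forwarded, spam included."""
    hits = []
    for msg_id, m in parse_messages(log_text).items():
        a = m["arrival"]
        if not a or not a["host"] or a["auth"]:
            continue  # locally generated (script, cron, bounce) or SMTP-AUTH submission: not a forward
        for d in m["deliveries"]:
            if d["transport"] in REMOTE_TRANSPORTS or d["router"] in REMOTE_ROUTERS:
                hits.append({"id": msg_id, "account": m["ident"].get("account"),
                             "source": m["ident"].get("source"), "envelope_sender": a["sender"],
                             "from_host": a["host"], "to": d["recipient"], "status": d["status"]})
    return hits


def forwarders_by_account(hits):
    """Count outbound forwards per cPanel account, busiest first."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["account"] or "(unknown)"] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = find_forwarded(SAMPLE_LOG)
    for h in hits:
        print(f"{h['id']} account={h['account']} via={h['source']} {h['envelope_sender']} "
              f"({h['from_host']}) -> {h['to']} [{h['status']}]")
    print(forwarders_by_account(hits))
```

Run it against /var/log/exim_mainlog (for example with `find_forwarded(open("/var/log/exim_mainlog").read())`) and the account column is the list of customers whose forwarders are relaying inbound mail; the authenticated submission in the sample is deliberately left out, because that is the only shape a compromised password would produce.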

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
New Jersey
cPanel Access Level
DataCenter Provider
Hmm do you have

WHM > Tweak Settings > Mail authentication via domain owner password > Yes ?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Is shell access enabled for the account associated with that domain name? Also, are any cron jobs or scripts uploaded to the account capable of sending email?

Thank you.
 

DennisMidjord

Hi,

No, shell access is not enabled. For a small number of the accounts it is, but the majority have shell access disabled. I'm guessing that a lot of the accounts have scripts uploaded that could send mail, but when looking at the exim log, it doesn't seem like the mails are sent via a script.
 

DennisMidjord

Also (and this might be stupid): right now, a lot of our customers are on vacation. It's not unlikely that a lot of our clients have set a forwarder in their email client that forwards all emails to another person. The holidays started a few weeks back, and we started receiving these alerts in mid May. Could that be the reason?
Let's say a spam mail is sent to our client, and the client is forwarding that email to another address - that could cause it, right?
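A server-side check for the forwarder hypothesis, as an added example (not code from the thread or from cPanel): a rule in a mail client would show up in exim_mainlog as an authenticated submission (A=dovecot_login:...), whereas a forwarder defined in cPanel is expanded by Exim itself, which is what the redirect_resolver entry in the earlier log suggests. cPanel keeps each domain's forwarders in /etc/valiases/<domain>, one "address: destination, destination" line each, with :fail:, :blackhole: and pipe entries for actions that are not address forwards. The script below parses that format and lists every forwarder whose destination is on a domain not hosted on the server, since those relay whatever the address receives out through MailChannels. The file contents are constructed placeholders; load_valiases() is the helper to point at the real directory.

```python
from pathlib import Path

# Constructed contents of two /etc/valiases/<domain> files (placeholder domains and addresses).
SAMPLE_VALIASES = {
    "hikeshop.example": """\
*: :fail: No Such User Here
info@hikeshop.example: holiday.cover@gmail.example, info@hikeshop.example
sales@hikeshop.example: sales@hikeshop.example
""",
    "otherclient.example": """\
*: :blackhole:
support@otherclient.example: helpdesk@otherclient.example
""",
}


def parse_valiases(text):
    """Yield (address, [destinations]) for each real address forward in a valiases file body."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        addr, _, dests = line.partition(":")
        dests = dests.strip()
        # :fail:, :blackhole:, :include: and "|/path/to/script" are not forwards to an address.
        if dests.startswith((":", "|", '"|')):
            continue
        yield addr.strip(), [d.strip() for d in dests.split(",") if d.strip()]


def external_forwarders(valiases, hosted_domains):
    """(domain, address, destination) for every forwarder that points off-server.
    valiases maps domain -> file body; hosted_domains is every domain served locally."""
    hosted = {d.lower() for d in hosted_domains}
    found = []
    for domain, body in valiases.items():
        for addr, dests in parse_valiases(body):
            for dest in dests:
                if "@" in dest and dest.rsplit("@", 1)[1].lower() not in hosted:
                    found.append((domain, addr, dest))
    return found


def load_valiases(root="/etc/valiases"):
    """Read the real files on a cPanel server; the file names are the hosted domains."""
    return {f.name: f.read_text() for f in Path(root).iterdir() if f.is_file()}


if __name__ == "__main__":
    # On the server: data = load_valiases(); hosted = data.keys()
    data = SAMPLE_VALIASES
    for domain, addr, dest in external_forwarders(data, data.keys()):
        print(f"{domain}: {addr} -> {dest}")
```

Each line printed is an address whose inbound mail, spam included, leaves the server again under the account's identity; cross-reference the list with the accounts named in the MailChannels alerts.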
 

cPanelMichael

Let's say a spam mail is sent to our client, and the client is forwarding that email to another address - that could cause it, right?
Yes, that could in fact lead to your server forwarding the SPAM message to a remote server. You can enable one of the following options under the "Apache SpamAssassin" tab in "WHM >> Exim Configuration Manager >> Basic Editor" to help prevent this from happening:

Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score

Thank you.
 

cPanelMichael

That doesn't fix the issue either. Spam is still forwarded.
Those options are only going to work if SpamAssassin detects the incoming email as SPAM. Feel free to open a support ticket using the link in my signature if you want us to take a closer look.

Thank you.