Forwarding spam?

Discussion in 'E-mail Discussions' started by DennisMidjord, Jul 25, 2017.

  1. DennisMidjord

    DennisMidjord Well-Known Member

    Joined:
    Sep 27, 2016
    Messages:
    96
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    Denmark
    cPanel Access Level:
    Root Administrator
    Hi,

    For a few weeks, we've been having issues with spam that gets forwarded. We're using MailChannels, and according to them, the problem is that a compromised account is used for sending (forwarding spam). We've tried changing passwords for everything on one of the accounts, but it just keeps coming. Here's one of the emails that we've received from MailChannels:
    The domain [removed] is hosted with us. When we receive one of the alerts, we can see the delivery reports, such as here:
    [IMG]
    However, I just can't seem to figure out HOW this is sent from multiple of our clients' accounts. Some days we receive 50 different emails saying that spam is being sent.

    Does anyone have a clue?
     
    #1 DennisMidjord, Jul 25, 2017
    Last edited by a moderator: Jul 26, 2017
  2. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    599
    Likes Received:
    92
    Trophy Points:
    153
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
  3. DennisMidjord

    DennisMidjord Well-Known Member

    Hi Jcats,

    Thanks! I've already looked through a bunch of threads and I've dealt with tons of spam before. This time, I've spent weeks trying to find the issue, and I haven't gotten one step closer.
    This log is associated with the spam email:
    I don't see anyone log in to the SMTP server. All I see is dovecot_virtual_delivery.

    I literally have no idea how I can get further in troubleshooting this issue.
     
    #3 DennisMidjord, Jul 25, 2017
    Last edited by a moderator: Jul 26, 2017
  4. Jcats

    Jcats Well-Known Member

    Hmm do you have

    WHM > Tweak Settings > Mail authentication via domain owner password > Yes ?
     
  5. DennisMidjord

    DennisMidjord Well-Known Member

    No, that is not enabled.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Is shell access enabled for the account associated with that domain name? Also, are any cron jobs or scripts uploaded to the account capable of sending email?

    Thank you.
     
  7. DennisMidjord

    DennisMidjord Well-Known Member

    Hi,

    No, shell access is not enabled. For a small amount of the accounts it is, but the majority have shell access disabled. I'm guessing that a lot of the accounts have scripts uploaded that could send mail, but when looking at the exim log, it doesn't seem like the mails are sent via a script.
     
  8. DennisMidjord

    DennisMidjord Well-Known Member

    Also (and this might be stupid): right now, a lot of our customers are on vacation. It's not unlikely that a lot of our clients have set a forwarder in their email client that forwards all emails to another person. Could that be the reason? The holidays started a few weeks back, and we started receiving these alerts in mid May. Could that be the reason?
    Let's say a spam mail is sent to our client, and the client is forwarding that email to another address - that could cause it, right?
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Yes, that could in fact lead to your server forwarding the SPAM message to a remote server. You can enable one of the following options under the "Apache SpamAssassin" tab in "WHM >> Exim Configuration Manager >> Basic Editor" to help prevent this from happening:

    Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
    Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score

    Thank you.
     
  10. DennisMidjord

    DennisMidjord Well-Known Member

    That doesn't fix the issue either. Spam is still forwarded.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Those options are only going to work if SpamAssassin detects the incoming email as SPAM. Feel free to open a support ticket using the link in my signature if you want us to take a closer look.

    Thank you.
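
The forwarding path discussed in this thread (inbound mail with no SMTP login that a forwarder redirects to an external address) can be picked out of the Exim main log by pairing each arrival line with its delivery lines. This is an added example, not code from the thread or from cPanel; the log lines are constructed, and the function names and the set of local domains are assumptions.

```python
import re
from collections import Counter

# <date> <time> <message-id> <flag> <rest>; "<=" is an arrival, "=>" and "->" are deliveries.
LINE = re.compile(r"^\S+ \S+ (?P<id>\S+) (?P<flag><=|=>|->) (?P<rest>.*)$")
# Delivery: final address, then the original (parent) address in <...> when it was redirected.
DELIVERY = re.compile(r"^(?P<to>\S+)(?: <(?P<parent>[^>]+)>)?")
SUBJECT = re.compile(r'\sT=".*"')  # subject text is sender-controlled; drop it before reading fields

def arrival_kind(rest):
    fields = SUBJECT.sub("", rest)
    if re.search(r"\sA=\S+", fields):
        return "authenticated"   # an SMTP AUTH login was used
    if re.search(r"\sP=local\b", fields):
        return "local"           # submitted on the server itself (script, cron)
    return "remote-unauth"       # ordinary inbound mail from another server

def forwarded_relays(lines, local_domains):
    local = {d.lower() for d in local_domains}
    def dom(addr):
        return addr.rpartition("@")[2].lower() if "@" in addr else None
    kind, hits = {}, Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        if m["flag"] == "<=":
            kind[m["id"]] = arrival_kind(m["rest"])
            continue
        d = DELIVERY.match(m["rest"])
        if not d or not d["parent"]:
            continue
        to_dom, parent_dom = dom(d["to"]), dom(d["parent"])
        if (kind.get(m["id"]) == "remote-unauth" and parent_dom in local
                and to_dom is not None and to_dom not in local):
            hits[d["parent"].lower()] += 1   # key: the local address doing the forwarding
    return hits

SAMPLE = [  # constructed log lines, not taken from the thread
    '2017-07-25 09:14:02 1dZx1A-0003aB-7q <= bulk@sender.example H=mx.sender.example [203.0.113.25] P=esmtp S=4312 T="Cheap offers" for anna@client-a.example',
    '2017-07-25 09:14:03 1dZx1A-0003aB-7q => anna.private@remote.example <anna@client-a.example> R=dnslookup T=remote_smtp H=mx.remote.example [198.51.100.7]',
    '2017-07-25 09:15:10 1dZx2B-0003cD-9r <= news@sender.example H=mx.sender.example [203.0.113.25] P=esmtp S=2890 for bob@client-b.example',
    '2017-07-25 09:15:10 1dZx2B-0003cD-9r => bob@client-b.example R=virtual_user T=dovecot_virtual_delivery',
    '2017-07-25 09:16:44 1dZx3C-0003eF-2s <= carl@client-b.example H=(laptop) [192.0.2.44] P=esmtpsa A=dovecot_login:carl@client-b.example S=1500 for friend@remote.example',
    '2017-07-25 09:16:45 1dZx3C-0003eF-2s => friend@remote.example R=dnslookup T=remote_smtp H=mx.remote.example [198.51.100.7]',
    '2017-07-25 09:17:30 1dZx4D-0003gH-5t <= bulk@sender.example H=mx.sender.example [203.0.113.25] P=esmtp S=2100 T="Re: A=dovecot_login:x" for dora@client-b.example',
    '2017-07-25 09:17:31 1dZx4D-0003gH-5t => dora.home@remote.example <dora@client-b.example> R=dnslookup T=remote_smtp H=mx.remote.example [198.51.100.7]',
]
```

The counter's keys are the local addresses whose forwarders sent inbound mail off the server, so those are the forwarders to review or restrict.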
     