Forwarding spam?

Discussion in 'E-mail Discussion' started by DennisMidjord, Jul 25, 2017.

  1. DennisMidjord

    DennisMidjord Well-Known Member

    Joined:
    Sep 27, 2016
    Messages:
    165
    Likes Received:
    13
    Trophy Points:
    18
    Location:
    Denmark
    cPanel Access Level:
    Root Administrator
    Hi,

    For a few weeks, we've been having issues with spam that gets forwarded. We're using MailChannels, and according to them, the problem is that a compromised account is used for sending (forwarding spam). We've tried changing passwords for everything on one of the accounts, but it just keeps coming. Here's one of the emails that we've received from MailChannels:
    The domain [removed] is hosted with us. When we receive one of the alerts, we can see the delivery reports, such as here:
    [​IMG]
    However, I just can't seem to figure out HOW this is sent from multiple of our clients' accounts. Some days we receive 50 different emails saying that spam is being sent.

    Does anyone have a clue?
     
    #1 DennisMidjord, Jul 25, 2017
    Last edited by a moderator: Jul 26, 2017
  2. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    720
    Likes Received:
    123
    Trophy Points:
    168
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
  3. DennisMidjord

    Hi Jcats,

    Thanks! I've already looked through a bunch of threads and I've dealt with tons of spam before. This time, I've spent weeks trying to find the issue, and I haven't gotten one step closer.
    This log is associated with the spam email:
    I don't see anyone log in to the SMTP server. All I see is dovecot_virtual_delivery.

    I literally have no idea how I can get further in troubleshooting this issue.
     
    #3 DennisMidjord, Jul 25, 2017
    Last edited by a moderator: Jul 26, 2017
  4. Jcats

    Hmm do you have

    WHM > Tweak Settings > Mail authentication via domain owner password > Yes ?
     
  5. DennisMidjord

    No, that is not enabled.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,822
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Is shell access enabled for the account associated with that domain name? Also, are any cron jobs or scripts uploaded to the account capable of sending email?

    Thank you.
     
  7. DennisMidjord

    Hi,

    No, shell access is not enabled. For a small amount of the accounts it is, but the majority have shell access disabled. I'm guessing that a lot of the accounts have scripts uploaded that could send mail, but when looking at the exim log, it doesn't seem like the mails are sent via a script.
     
  8. DennisMidjord

    Also (and this might be stupid): right now, a lot of our customers are on vacation. It's not unlikely that a lot of our clients have set a forwarder in their email client that forwards all emails to another person. Could that be the reason? The holidays started a few weeks back, and we started receiving these alerts in mid May. Could that be the reason?
    Let's say a spam mail is sent to our client, and the client is forwarding that email to another address - that could cause it, right?
     
  9. cPanelMichael

    Yes, that could in fact lead to your server forwarding the SPAM message to a remote server. You can enable one of the following options under the "Apache SpamAssassin" tab in "WHM >> Exim Configuration Manager >> Basic Editor" to help prevent this from happening:

    Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
    Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score

    Thank you.
     
  10. DennisMidjord

    That doesn't fix the issue either. Spam is still forwarded.
     
  11. cPanelMichael

    Those options are only going to work if SpamAssassin detects the incoming email as SPAM. Feel free to open a support ticket using the link in my signature if you want us to take a closer look.

    Thank you.
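
An added example (not part of the thread and not cPanel's code): one way to test the forwarder theory from posts 8 and 9 against the Exim main log. It flags messages that arrived unauthenticated from a remote host and were then redirected by a local mailbox to an external address, and ignores authenticated or locally submitted mail. The log lines are constructed, and `find_forwarded` and the set of local domains are assumptions.

```python
import re

# Constructed Exim main-log lines (not taken from the thread); reserved example domains only.
SAMPLE_LOG = """\
2017-07-25 10:00:01 1dZaaa-0001Ab-01 <= bulk@spam.example H=mx.spam.example [192.0.2.10]:40022 P=esmtp S=2048 T="A=dovecot_login:x sale" for anna@client.example
2017-07-25 10:00:02 1dZaaa-0001Ab-01 => holiday@remote.example <anna@client.example> R=lookuphost T=remote_smtp H=mx.remote.example [198.51.100.7]
2017-07-25 10:00:02 1dZaaa-0001Ab-01 Completed
2017-07-25 10:05:00 1dZbbb-0002Cd-02 <= bob@client.example H=(laptop) [203.0.113.5]:50111 P=esmtpsa A=dovecot_login:bob@client.example S=900 for friend@remote.example
2017-07-25 10:05:01 1dZbbb-0002Cd-02 => friend@remote.example R=lookuphost T=remote_smtp H=mx.remote.example [198.51.100.7]
2017-07-25 10:06:00 1dZccc-0003Ef-03 <= clientuser@host.example U=clientuser P=local S=700 for x@remote.example
2017-07-25 10:06:01 1dZccc-0003Ef-03 => x@remote.example R=lookuphost T=remote_smtp H=mx.remote.example [198.51.100.7]
2017-07-25 10:07:00 1dZddd-0004Gh-04 <= news@sender.example H=mx.sender.example [192.0.2.20]:40100 P=esmtps S=1500 for carl@client.example
2017-07-25 10:07:01 1dZddd-0004Gh-04 => carl <carl@client.example> R=virtual_user T=dovecot_virtual_delivery
"""

ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# Exim logs the original address in <...> when the delivered address differs (redirect).
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) [=-]> (?P<to>\S+)(?: <(?P<orig>[^>]+)>)? ")
SUBJECT = re.compile(r' T="(?:[^"\\]|\\.)*"')

def domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def origin(rest):
    """Classify how a message entered the server from its '<=' log fields."""
    rest = SUBJECT.sub("", rest)  # the subject is sender-controlled; never match inside it
    if re.search(r"(?:^| )A=\S+", rest):
        return "authenticated"          # SMTP AUTH login (a stolen password would show here)
    if re.search(r"(?:^| )P=local(?: |$)", rest):
        return "local"                  # script or cron job on the server
    return "remote-unauthenticated"     # ordinary inbound mail

def find_forwarded(log_text, local_domains):
    """Return inbound messages that a local mailbox redirected to an external address."""
    arrivals, hits = {}, []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            arrivals[m["id"]] = (m["sender"], origin(m["rest"]))
            continue
        m = DELIVERY.match(line)
        if not m or m["id"] not in arrivals:
            continue
        sender, how = arrivals[m["id"]]
        to_dom, orig = domain(m["to"]), m["orig"]
        if (how == "remote-unauthenticated" and orig and domain(orig) in local_domains
                and to_dom and to_dom not in local_domains):
            hits.append({"id": m["id"], "sender": sender, "forwarder": orig, "target": m["to"]})
    return hits
```

Grouping the results by `forwarder` shows which mailboxes relay the most inbound mail off the server, which is where a forwarding rule or a stricter spam score threshold matters.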
     