How are these emails being sent? Is this a virus or malicious script?

n8_115

Member
May 7, 2009
7
0
51
mail_list.png


My server seems to be sending out thousands of emails per day from the user " -remote- " with very strange spam-looking sender addresses.

Does anyone know how this might be happening? I've noticed most of the to: addresses are [email protected] - which is an old website which i deleted a week ago when I noticed this issue. That didn't seem to have fixed anything though.


All of my email forwarders / system emails can no longer be sent to Google Apps users (gmail, yahoo, hotmail, etc. are fine - but Google Apps For Business users no longer receive emails from my server).
 

24x7server

Well-Known Member
Apr 17, 2013
1,911
96
78
India
cPanel Access Level
Root Administrator
Twitter
Hello,

The best thing to do to determine where these are being sent from on your server is to increase exim's verbosity. Put this in the advanced exim configuration area of WHM and check the exim logs.

----------------------
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
----------------------
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,205
363
Hello :)

The "-remote-" entry is for incoming and outgoing mails that are not local. Effectively, it's used when an email is sent out of the server or when an email is sent to the server and the sender or recipient are remote.

Try searching /var/log/exim_mainlog for the domain name that you terminated. EX:

Code:
exigrep terminated-domain.com /var/log/exim_mainlog
Are messages sent out or delivered from this domain name? Note that the following document is useful if you are attempting to prevent email abuse:

cPanel - Prevent Email Abuse

Thank you.