How are these emails being sent? Is this a virus or malicious script?

n8_115

Member
May 7, 2009


My server seems to be sending out thousands of emails per day from the user " -remote- " with very strange spam-looking sender addresses.

Does anyone know how this might be happening? I've noticed most of the to: addresses are [email protected] - which is an old website which I deleted a week ago when I noticed this issue. That didn't seem to have fixed anything though.


All of my email forwarders / system emails can no longer be sent to Google Apps users (gmail, yahoo, hotmail, etc. are fine - but Google Apps For Business users no longer receive emails from my server).

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
Hello,

The best thing to do to determine where these are being sent from on your server is to increase exim's verbosity. Put this in the advanced exim configuration area of WHM and check the exim logs.

----------------------
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
----------------------

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

The "-remote-" entry is for incoming and outgoing mails that are not local. Effectively, it's used when an email is sent out of the server or when an email is sent to the server and the sender or recipient is remote.

Try searching /var/log/exim_mainlog for the domain name that you terminated. EX:

Code:
exigrep terminated-domain.com /var/log/exim_mainlog

Are messages sent out or delivered from this domain name? Note that the following document is useful if you are attempting to prevent email abuse:

cPanel - Prevent Email Abuse

Thank you.