How can I prevent a user to send emails

Apr 23, 2017
20
0
51
Canada
cPanel Access Level
Root Administrator
On my Server, a lot of emails are being sent using the cpanel default user account of a domain.
I would like to:
1. prevent this account from sending any emails.
2. Understand how and why it happens.

thank you.
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,772
326
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
Those are typically coming from php scripts. It would be unlikely that you would want to completely disable that functionality but you could add the mail() function to the disabled functions list but if you do not php script could send mail that way which most people would consider a problem.

If you are getting an excessive number of them you should check to see if they are spam and if so find the problem account and deal with it that way.
 
Apr 23, 2017
20
0
51
Canada
cPanel Access Level
Root Administrator
Those are typically coming from php scripts. It would be unlikely that you would want to completely disable that functionality but you could add the mail() function to the disabled functions list but if you do not php script could send mail that way which most people would consider a problem.

If you are getting an excessive number of them you should check to see if they are spam and if so find the problem account and deal with it that way.
I do get a lot of alerts like this one on my server, and even from domains that don't have a website attached to it.

Time: Mon Mar 18 11:23:29 2019 -0400

Account: someusr

Resource: Virtual Memory Size

Exceeded: 474 > 400 (MB)

Executable: /opt/cpanel/ea-php72/root/usr/bin/php-cgi

Command Line: /opt/cpanel/ea-php72/root/usr/bin/php-cgi

PID: 16483 (Parent PID:14428)

Killed: No
 
Last edited by a moderator:

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
Hello

1. prevent this account from sending any emails.
You can hold outgoing mail for an email account through the UI by going to cPanel >> Email >> Email Accounts -> Manage (next to the email account) and suspend outgoing mail.

2. Understand how and why it happens.
Ultimately you'd need to know if it's occurring because of a password compromise or a php script this is usually able to be determined in the exim mail logs. You might also want to read through the documentation here: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation


Thanks!
 
Apr 23, 2017
20
0
51
Canada
cPanel Access Level
Root Administrator
Hello



You can hold outgoing mail for an email account through the UI by going to cPanel >> Email >> Email Accounts -> Manage (next to the email account) and suspend outgoing mail.



Ultimately you'd need to know if it's occurring because of a password compromise or a php script this is usually able to be determined in the exim mail logs. You might also want to read through the documentation here: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation


Thanks!
I have created an ACL here: acl_smtp_rcpt:
Code:
deny condition = ${lookup{$sender_address}nwildlsearch{/path/to/the/restricted_sender}   {yes}}
  domains = !+local_domains
And have created a file named restricted_sender as as following:
upload_2019-3-22_9-0-37.png

The ACL works because when I go to webmail and try to send an email from one of the restricted senders's mailbox, I'm denied.
But despite that, emails are still sent from these users. I don't know how to stop it.

upload_2019-3-22_8-59-44.png
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
You'd need to determine if the mail is being sent via script. If so then really the best thing to do in this case would be to identify/remove the script.

The following is an internal script we use sometimes to help customers find the offending script/account causing an issue with mail. It's by no means official but very useful:
Code:
perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
 
Apr 23, 2017
20
0
51
Canada
cPanel Access Level
Root Administrator
You'd need to determine if the mail is being sent via script. If so then really the best thing to do in this case would be to identify/remove the script.

The following is an internal script we use sometimes to help customers find the offending script/account causing an issue with mail. It's by no means official but very useful:
Code:
perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
Emails by user:

144 : root
66 : lapaixadmin
51 : mailnull
40 : liellesinvestmen
2 : pitadmin


===================
Total: 303
===================

Email accounts sending out mail:

2 : [email protected]
1 : [email protected]

===================
Total: 3
===================

Directories mail is originating from:


66 : /home/lapaixadmin/public_html
39 : /home/liellesinvestmen/public_html
2 : /home/pitadmin/public_html
1 : /home/liellesinvestmen/public_html/administrator

===================
Total: 107
===================

Top 20 Email Titles:


65 : [Wordfence Alert] lapaix.eu User login blocked for insecure password
44 : Mail delivery failed: returning message to sender
5 : lfd on host.abscomputer.net: WHM/cPanel root access alert from 207.96.147.218 (CA/Canada/-)
5 : lfd on host.abscomputer.net: Suspicious process running under user abscompadmin
4 : lfd on host.abscomputer.net: Suspicious process running under user casheradmin
3 : rkhunter Daily Run on host.abscomputer.net
2 : lfd on host.abscomputer.net: System Integrity checking detected a modified system file
2 : lfd on host.abscomputer.net: Excessive resource usage: abscompadmin (27322 (Parent PID:27160))
2 : lfd on host.abscomputer.net: Excessive resource usage: casheradmin (10084 (Parent PID:27160))
2 : lfd on host.abscomputer.net: Excessive resource usage: abscompadmin (6189 (Parent PID:27160))
2 : lfd on host.abscomputer.net: blocked distributed cpanel attack on account [belexcha]
2 : lfd on host.abscomputer.net: Suspicious process running under user cpaneleximscanner
2 : Nouveau message de votre site internet
2 : Cron <[email protected]> (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron)
1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (32673 (Parent PID:2642))
1 : Account Details for Esther tried to contact you 6 times [REMOVED]
1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (28243 (Parent PID:2642))
1 : lfd on host.abscomputer.net: Excessive resource usage: businessadmin (28305 (Parent PID:2642))
1 : Account Details for Nancy tried to contact you 2 times Εστιατοριο γαληνη χανια
1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (12669 (Parent PID:2642))


===================
Total: 304
===================
 
Last edited by a moderator:

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
This clearly shows that out of the mail that's present in the exim_mainlog currently the following two accounts seem to be sending mail from the directories listed:

Code:
66 : /home/lapaixadmin/public_html
39 : /home/liellesinvestmen/public_html
I'd check the scripts present in the public_html for both of these accounts.


Thanks!
 
Apr 23, 2017
20
0
51
Canada
cPanel Access Level
Root Administrator
This clearly shows that out of the mail that's present in the exim_mainlog currently the following two accounts seem to be sending mail from the directories listed:

Code:
66 : /home/lapaixadmin/public_html
39 : /home/liellesinvestmen/public_html
I'd check the scripts present in the public_html for both of these accounts.


Thanks!
I can't see any.
Could it be in subfolders?
How can I track them?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
Hello @Alain Bensimon

Based on that output no, it'd be coming from a script in the public_html. Keep in mind it could be a legitimate script as well - or could look like one. This is something that would be best suited to a system administrator to assist with further. If you don't have one you might find one here: System Administration Services | cPanel Forums


Thanks!
 
Apr 23, 2017
20
0
51
Canada
cPanel Access Level
Root Administrator
I know that it's a non legitimate one because one of the email sender (lielleinvestment) was sending spams. I went to Joomla and have disabled the php mail for that website within Joomla.
Then it has stopped of course.
I want to find the script, but I only see scripts that looks legitimate to me as you can see in the print capture below.
I really want to find by myself.
Can you help me with that.
Thanks.
upload_2019-3-26_14-4-25.png
 

Attachments

Apr 23, 2017
20
0
51
Canada
cPanel Access Level
Root Administrator
This is the content of index.php
Code:
<?php
/**
 * @package    Joomla.Site
 *
 * @copyright  Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license    GNU General Public License version 2 or later; see LICENSE.txt
 */

/**
 * Define the application's minimum supported PHP version as a constant so it can be referenced within the application.
 */
define('JOOMLA_MINIMUM_PHP', '5.3.10');

if (version_compare(PHP_VERSION, JOOMLA_MINIMUM_PHP, '<'))
{
    die('Your host needs to use PHP ' . JOOMLA_MINIMUM_PHP . ' or higher to run this version of Joomla!');
}

// Saves the start time and memory usage.
$startTime = microtime(1);
$startMem  = memory_get_usage();

/**
 * Constant that is checked in included files to prevent direct access.
 * define() is used in the installation folder rather than "const" to not error for PHP 5.2 and lower
 */
define('_JEXEC', 1);

if (file_exists(__DIR__ . '/defines.php'))
{
    include_once __DIR__ . '/defines.php';
}

if (!defined('_JDEFINES'))
{
    define('JPATH_BASE', __DIR__);
    require_once JPATH_BASE . '/includes/defines.php';
}

require_once JPATH_BASE . '/includes/framework.php';

// Set profiler start time and memory usage and mark afterLoad in the profiler.
JDEBUG ? JProfiler::getInstance('Application')->setStart($startTime, $startMem)->mark('afterLoad') : null;

// Instantiate the application.
$app = JFactory::getApplication('site');

// Execute the application.
$app->execute();
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
Hi @Alain Bensimon

There's no need to post the index.php here but I would suggest looking through all the files present there - including txt files.

But again, this is something that you need to address with your system administrator for further assistance.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
malware scanners such as Linux Malware Detect, ClamAV etc. should be able to do this for you for most compromises, unfortunately they can't and don't claim to be able to catch everything.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,883
2,256
463
Hello @Alain Bensimon,

1. A third-party solution to consider is to use the LF_SCRIPT_LIMIT option included with CSF:

https://download.configserver.com/csf/readme.txt

Search the above document for "LF_SCRIPT_LIMIT" for information about how this feature can notify you when messages are sent from the server through scripts.

2. As far as finding out how the script was exploited, it's difficult to pinpoint the specific vulnerability or exploit used by an attacker to hack your server or websites. One could speculate on common methods, but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. Here's a thread with some helpful discussion on this topic:

Log Files To Check After Account Hacked

Thank you.