The Community Forums


How do I stop SPAM being sent from my server?

Discussion in 'Security' started by nigelbb, Feb 25, 2013.

  1. nigelbb

    nigelbb Member

    Joined:
    Feb 25, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I am using WHM/cPanel to manage a Xen virtual server with a bunch of domains, each with websites, & have just been informed by my hosting company that the server is being used to send SPAM. I need to know how to stop it. I don't want to run email on the server at all, as those domains that do require email addresses have the MX records pointing elsewhere to the mail servers. When I look in Home » Email » Mail Delivery Reports I can see that two domains are sending thousands of mails from email addresses that don't exist to a whole bunch of email addresses. To stop this as an emergency measure I set Max hourly emails per domain to just 1, so at least the email isn't being sent, but I need some help to know how to prevent this happening. Is a script being run on my server to send out all these emails? How can I tell? Is something from outside my server accessing SMTP?

    I tried to Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) but get an error, so then I installed CSF & tried SMTP_BLOCK, but again I get an error. iptables seems to be installed OK.

    Can I disable email totally? If I do will I still be able to have emails sent from a contact form on a website?
     
  2. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    If you know the domain where the spam is sent from, you just suspend that account.
    Problem solved :)
     
  3. nigelbb

    nigelbb Member

    Joined:
    Feb 25, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Cannot enable SMTP Restrictions

    I am running a Xen virtual server managed by WHM/cPanel & it has apparently been sending thousands of SPAM emails from two particular domains (there are about 20 domains hosted on the server, each running a webserver). So I am trying to tighten up security and tried enabling Home » Security Center » SMTP Restrictions, but just get the unhelpful error message "An error occurred attempting to update this setting." If I try using the Tweak Settings interface to do the same thing I get this message:

    Updating Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) from Off to On.
    Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) was updated.
    Processing post action for Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak):
    There was an error updating Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak):

    How can I find out what is actually failing?
     
  4. nigelbb

    nigelbb Member

    Joined:
    Feb 25, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    OK. That's great as far as it goes. My server is now not sending SPAM but how do I find out how the SPAM was being sent from those domains so that I can prevent it so that I can un-suspend the accounts?
     
  5. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    I suggest you install ConfigServer Firewall:
    ConfigServer Security & Firewall

    at least it will alert you instantly when someone is sending spam, and often it is able to tell what script is sending.

    Also you should learn how to check the server's logs, in this case at least:
    /var/log/exim_mainlog
    /var/log/maillog
     
  6. nigelbb

    nigelbb Member

    Joined:
    Feb 25, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I already installed ConfigServer Firewall & as I mentioned in my original post I cannot get SMTP_BLOCK enabled.

    It's not because a user is logging in & sending mails as I changed the password on the accounts for those domains & that did not stop the SPAM. The two domains responsible for sending SPAM are running Joomla websites. I suspect that some security hole in Joomla has enabled a script to be uploaded that is sending the SPAM.

    BTW Thanks for your help
     
  7. georgeb

    georgeb Well-Known Member

    Joined:
    May 23, 2010
    Messages:
    48
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Montreal, QC, Canada
    cPanel Access Level:
    Root Administrator
    I'll install the CXS from Configserver too, or I scan whatever is uploaded via FTP or WEB for known exploits, or for regular expressions (regex). Add headers to your emails to track UID / GID or X-PHP-Script and X-Source-Dir headers.

    A forwarder can be used to send spam, etc. There are many ways.


    Regards,
    George B.
     
  8. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Don't forget to clear up your mail queue.
    Before clearing up, you may want to check the headers of the mail sent.

    If it was sent via authentication then you should see a header with "auth_id" in the mail giving you the info of the email account used.

    If it's done through the nobody user, then you need to prevent the nobody user from sending mail by enabling the tweak in WHM > Tweak Settings.

    I guess your CSF SMTP Block failed because your WHM SMTP tweak is enabled. You will need to have either one. I would recommend the CSF one.


    You should read this too:
    How to: Prevent Email Abuse
     
  9. nigelbb

    nigelbb Member

    Joined:
    Feb 25, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I chased down the problem which was with a vulnerability in an old version of a Joomla extension that enabled spam to be sent. It took me many hours to run it down but on the bright side I now have csf installed which should warn me about similar future problems. Two accounts were sending approximately 80K spam messages per day between them!

    I still have a problem with enabling WHM SMTP Tweak so will start a new thread on this issue.
     
  10. tagteamcomputin

    tagteamcomputin Registered

    Joined:
    Jan 8, 2012
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I have a similar problem. How were you able to track down which Joomla component was causing the problem?
    Thanks
     
  11. nigelbb

    nigelbb Member

    Joined:
    Feb 25, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I did some research on all the components that were installed & discovered that there was a known vulnerability in old versions of JCE (Joomla Content Editor).
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,452
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  13. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Also I would suggest you enable "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the mail tab. This could help when investigating to find the malicious script.

    And also check your exim log_selector and update the following options.

    ---------------
    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
    ---------------
     
  14. Veeble-Adam

    Veeble-Adam Active Member

    Joined:
    May 7, 2013
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
  15. prashantp786j

    prashantp786j Active Member

    Joined:
    Jan 16, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    The following steps can be helpful to monitor spamming on the server.
    1) Monitor the exim logs for the home and tmp directories.
    2) Check the mail queue with exim -bpr and pick out which email account has sent a number of emails to different accounts.
    3) Also monitor the POST requests for the suspicious accounts found in the exim logs or mail queue.
     
  16. basshook

    basshook Active Member

    Joined:
    Jul 27, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    I notice that the default in WHM 11.38.2 (build 2) is -retry_defer and you recommend +retry_defer. What is the difference and which should I implement? Also do all your options still carry merit with this version? Thanks in advance.
     
  17. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    With the plus or minus characters you can increase OR reduce your exim logging. And here are more details of all exim log items: Log files
     
  18. basshook

    basshook Active Member

    Joined:
    Jul 27, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for your reply and the link. I'm still not sure I understand the difference between the plus or minus sign for the retry_defer option, so I left the cpanel default in using the minus sign for -retry_defer instead of using the +retry_defer recommended in the post. I did however use all the other options mentioned in the post and will monitor my logs to see if I can see a difference from before.
     
  19. kamall

    kamall Active Member

    Joined:
    Mar 17, 2012
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Bethune France
    cPanel Access Level:
    Root Administrator
    Here is the command line to see which clients are sending spam, run as root over SSH:

    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
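    As an added example that is not from this thread, the Python below does what the pipeline above does (count sendmail invocations per working directory, ignoring /var/spool) and extends it with the origin check ruzbehraja describes: it tallies accepted messages by local user (U=) versus SMTP AUTH login (A=), so a script-driven send can be told apart from a stolen mailbox password. The exim_mainlog excerpt, account names and paths are constructed sample data.

```python
import re
from collections import Counter

# Constructed exim_mainlog excerpt (made up for this example, not a real log).
# "cwd=" lines record the working directory of a local process that ran /usr/sbin/sendmail
# (e.g. PHP mail()); "<=" lines record message arrival with the injecting local user (U=)
# or, for SMTP AUTH submissions, the authenticator and login (A=).
SAMPLE_LOG = """\
2013-02-25 10:00:01 cwd=/home/shop1/public_html/images/stories 3 args: /usr/sbin/sendmail -t -i
2013-02-25 10:00:01 1U9Xa1-0001Ab-Cd <= bogus1@shop1.example U=shop1 P=local S=2311 T="Cheap watches"
2013-02-25 10:00:02 cwd=/home/shop1/public_html/images/stories 3 args: /usr/sbin/sendmail -t -i
2013-02-25 10:00:02 1U9Xa2-0001Ac-Ef <= bogus2@shop1.example U=shop1 P=local S=2298 T="Cheap watches"
2013-02-25 10:00:03 cwd=/home/blog2/public_html 3 args: /usr/sbin/sendmail -t -i
2013-02-25 10:00:03 1U9Xa3-0001Ad-Gh <= contact@blog2.example U=blog2 P=local S=812 T="Contact form"
2013-02-25 10:00:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1U9Xa1-0001Ab-Cd
2013-02-25 10:00:05 1U9Xa4-0001Ae-Ij <= alice@blog2.example H=(laptop) [203.0.113.7] P=esmtpsa A=dovecot_login:alice@blog2.example S=1024 T="Hi"
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")
USER_RE = re.compile(r"\bU=(\S+)")
AUTH_RE = re.compile(r"\bA=(\S+)")


def script_dirs(log_text, ignore_prefix="/var/spool"):
    # Sendmail invocations per working directory, skipping Exim's own spool
    # (the same filter as the grep/awk pipeline above). A document root or an
    # upload directory at the top of this list is where to start looking for the script.
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith(ignore_prefix):
            counts[m.group(1)] += 1
    return counts


def arrival_origins(log_text):
    # Accepted messages by origin: ("local", user) for messages injected by a local
    # process, ("auth", login) for SMTP AUTH. Many local injections with no matching
    # auth entries point at a script on disk rather than a compromised mailbox password.
    origins = Counter()
    for line in log_text.splitlines():
        if " <= " not in line:
            continue
        auth, user = AUTH_RE.search(line), USER_RE.search(line)
        if auth:
            origins[("auth", auth.group(1))] += 1
        elif user:
            origins[("local", user.group(1))] += 1
    return origins
```

    Counter.most_common() gives the same descending ranking the pipeline's trailing sort produces; feed the script a real /var/log/exim_mainlog by reading the file into log_text.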
     