SOLVED How to ensure Exim is only script sending out mail

Discussion in 'E-mail Discussions' started by mikefromnz, Feb 18, 2017.

  1. mikefromnz

    Hi guys,

    Any suggestions on which logs I can check, or maybe some kind of SSH command that can tell me for sure that Exim is the only one sending out mail on the server?

    We got listed in Spamhaus CSS list, requested removal and they removed us, within hours they listed us again, even though our mail server had literally sent only a handful of emails. The emails were notification type emails received by our server, not marked as SPAM from well regarded, large websites, these were then forwarded to a Gmail address via our server which also did not mark them as SPAM. No other mails were sent according to the cPanel WHM "Mail Delivery Reports".

    I have ClamAV, CHKRootkit and others installed and running, no problems found, have already done Exim hardening including not allowing "nobody" to send out mails etc. As far as I can see setting wise, the only way emails can send is if Exim handles them.

    Getting very hard to solve the issue, as now Spamhaus will not remove us, nor tell us why it's listed. So unless someone is fraudulently reporting us, or spoofing our IP, we shouldn't be listed.

    Bit of backstory: We first got listed because a customer of ours who just signed up, sent about 100 emails to his contacts telling them of his new email address, many bounced due to them being old records. I assume due to our server being relatively new with no reputation, this triggered Spamhaus easier than if we already had a good rep.
     
  2. NOC_Serverpoint

    Hi,

    It seems the mail is being sent from an account using a PHP mail script. I think there is an infected file under the account which is sending mails.

    Please try running the following command:

    grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n

    The following command will show you the script which is being used to send the email. If it is from PHP, then use:


    # egrep -R "X-PHP-Script" /var/spool/exim/input/*

    Also please check the below article:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation
     
  3. Jcats

  4. sktest123

    Guess SMTP restrictions at WHM is a nice option.
     
  5. cPanelMichael

  6. mikefromnz

    Thanks all, logs all checked out OK and SMTP is forced to send out from Exim no matter what the source via our CFS firewall.

    Seems it was some SPF record issues that caused the problem with Spamhaus, all sorted now. Cheers for the help
     
  7. cPanelMichael

    I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.
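
An added example, not part of any post in this thread: the Exim logs discussed above only record mail that passed through Exim, so this function approaches the original question from the socket side and lists outbound SMTP connections owned by any other process. It parses `ss -tnp` output; the function names, the port list (25, 465, 587), the process name "exim" and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag outbound SMTP connections that are
# not owned by the MTA. Reads `ss -tnp` output on stdin.
# Assumptions: the MTA process is named "exim"; ports 25/465/587 count as SMTP.

non_exim_smtp() {
    awk -v mta="${1:-exim}" '
        NR == 1 && $1 == "State" { next }        # skip the header row
        {
            n = split($5, peer, ":")              # port follows the last ":" (IPv4 and IPv6)
            port = peer[n]
            # Only the peer port matters: a local port 25 is inbound mail.
            if (port != "25" && port != "465" && port != "587") next
            proc = "unknown"                      # Process column is empty when not run as root
            if (match($6, /"[^"]+"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
            if (proc != mta) print proc, $5, $1   # owner, peer address:port, TCP state
        }'
}

# Constructed sample in `ss -tnp` format (documentation addresses, made-up PIDs).
sample_ss_output() {
    cat <<'EOF'
State    Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
ESTAB    0      0      203.0.113.10:48812    198.51.100.25:25    users:(("exim",pid=2211,fd=9))
ESTAB    0      0      203.0.113.10:51544    198.51.100.77:25    users:(("php-cgi",pid=30412,fd=7))
SYN-SENT 0      1      203.0.113.10:40110    198.51.100.90:587   users:(("perl",pid=30977,fd=4))
ESTAB    0      0      203.0.113.10:25       192.0.2.99:41000    users:(("exim",pid=2300,fd=6))
ESTAB    0      0      [2001:db8::10]:40222  [2001:db8::25]:25   users:(("exim",pid=2214,fd=8))
EOF
}

# Demonstration on the constructed sample; on a live server, run as root:
#   ss -tnp | non_exim_smtp
sample_ss_output | non_exim_smtp
```

A snapshot only catches connections open at that moment, so an empty result from one run does not prove nothing else is sending; repeated runs or a firewall rule that logs blocked outbound SMTP give longer coverage.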
     