How to immediately stop spam users

Discussion in 'E-mail Discussions' started by ruiz, Dec 30, 2017.

  1. ruiz

    ruiz Active Member

    Eventually some of my users get their accounts compromised and start sending spam or viruses. To stop them, I'm using a combination of CSF and some scripts.

    The problem is that even though I detect spam and promptly change their passwords and suspend the account using cPanel's UAPI, those accounts keep sending mails for the next 2-10 minutes before stopping. Why is this happening? How can I stop them immediately? Is there some login cache?

    Thanks!
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. sparek-3

    sparek-3 Well-Known Member

    If they are using SMTP Authentication to send out these messages, then Exim may be relying on a Dovecot cache since it uses Dovecot for the authentication part. Make sure you are restarting Dovecot (and for good measure, I'd restart Exim too) after changing the passwords to see if that has any effect. That should clear out any cache that these systems are using.

    I have noticed something similar in the past with this and this helped me.
     
  4. ruiz

    ruiz Active Member

    Forgot to say I'm already clearing the queue for that particular domain (because some spammers change the sender to a random name).
    /usr/sbin/exiqgrep -i -r '.$domain.' | xargs exim -Mrm

    Yep, they are using SMTP authentication. I am already clearing the Dovecot auth cache using:
    doveadm auth cache flush

    But I'm still getting messages delivered. I was avoiding an Exim/Dovecot restart because that could be "traumatic". Maybe there's some other cache I need to clear? Thanks!
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look to see what's happening?

    Thank you.
     
  6. sparek-3

    sparek-3 Well-Known Member

    If you know what email account is being used, I would tail the exim_mainlog after you reset the password and clear the Dovecot cache and see if the perpetrator is still sending out mail using the SMTP authentication credentials.

    tail -f /var/log/exim_mainlog | grep '%emailaccount%'

    I suppose the %emailaccount% could be user@example.tld or user+example.tld or perhaps something else, so you'd have to know what they are using.
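    The check described in this thread (did the reset and cache flush actually stop the account?), as an added example that is not code from the thread or from cPanel: it counts authenticated submissions by one mailbox in exim_mainlog after the reset time, matching both the user@domain and user+domain login forms. It assumes cPanel's exim_mainlog line layout with the A=dovecot_login:<login> tag on "<=" arrival lines; the log lines below are constructed sample data.

```shell
#!/bin/sh
# Constructed sample exim_mainlog lines (cPanel layout assumed): user@example.tld
# is the compromised mailbox, bob@example.tld is a legitimate user. 203.0.113.5
# keeps submitting with the stolen credentials, once using the "+" login form.
SAMPLE_LOG='2017-12-30 10:01:12 1eVa1A-0001Cz-2B <= user@example.tld H=(spamhost) [203.0.113.5] P=esmtpa A=dovecot_login:user@example.tld S=2048 id=a@spamhost
2017-12-30 10:02:40 1eVa2M-0001Dq-1K <= bob@example.tld H=(home) [198.51.100.7] P=esmtpa A=dovecot_login:bob@example.tld S=900 id=b@home
2017-12-30 10:05:03 1eVa4x-0001Ef-0Q <= random@example.tld H=(spamhost) [203.0.113.5] P=esmtpa A=dovecot_login:user+example.tld S=2100 id=c@spamhost
2017-12-30 10:06:55 1eVa6r-0001Fg-3X <= user@example.tld H=(spamhost) [203.0.113.5] P=esmtpa A=dovecot_login:user@example.tld S=2000 id=d@spamhost'

# count_auth_sends ACCOUNT CUTOFF [LOGFILE]
#   ACCOUNT: mailbox as user@domain (the user+domain login form is matched too).
#   CUTOFF : "YYYY-MM-DD HH:MM:SS" when the password was reset / cache flushed.
#   LOGFILE: defaults to cPanel's /var/log/exim_mainlog; "-" reads stdin.
#   Prints the number of authenticated submissions by ACCOUNT after CUTOFF;
#   anything above 0 means the old credentials are still being accepted.
count_auth_sends() {
    account=$1; cutoff=$2; logfile=${3:-/var/log/exim_mainlog}
    user=${account%@*}; domain=${account#*@}
    # Only "<=" (message arrival) lines carry the authenticator tag. The fixed-width
    # timestamp in fields 1-2 sorts correctly as a plain string comparison.
    awk -v cutoff="$cutoff" -v u="$user" -v d="$domain" '
        $4 == "<=" && ($1 " " $2) > cutoff {
            for (i = 5; i <= NF; i++)
                if ($i == ("A=dovecot_login:" u "@" d) || $i == ("A=dovecot_login:" u "+" d))
                    n++
        }
        END { print n + 0 }' "$logfile"
}

# Run the check against the constructed sample instead of the live log.
demo_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_auth_sends "$1" "$2" -
}

# Password reset at 10:03:00, yet two more authenticated sends follow: prints 2
# demo_count user@example.tld '2017-12-30 10:03:00'
```

    On a live server, `count_auth_sends user@example.tld '2017-12-30 10:03:00'` reads /var/log/exim_mainlog directly; a non-zero result after the reset and `doveadm auth cache flush` is the signal that a Dovecot/Exim restart is still needed.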
     