
How to immediately stop spam users

Discussion in 'E-mail Discussion' started by ruiz, Dec 30, 2017.

  1. ruiz

    ruiz Active Member

    Joined:
    Feb 13, 2008
    Messages:
    41
    Likes Received:
    2
    Trophy Points:
    58
    Eventually some of my users get their accounts compromised and start sending spam or viruses. To stop them, I'm using a combination of CSF and some scripts.

    The problem is that even though I detect spam and promptly change their passwords and suspend the account using cPanel's UAPI, those accounts keep sending mail for the next 2-10 minutes before stopping. Why is this happening? How can I stop them immediately? Is there some login cache?

    Thanks!
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,440
    Likes Received:
    416
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  3. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,761
    Likes Received:
    116
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    If they are using SMTP Authentication to send out these messages, then Exim may be relying on a Dovecot cache since it uses Dovecot for the authentication part. Make sure you are restarting Dovecot (and for good measure, I'd restart Exim too) after changing the passwords to see if that has any effect. That should clear out any cache that these systems are using.

    I have noticed something similar in the past with this and this helped me.
     
  4. ruiz

    ruiz Active Member

    Joined:
    Feb 13, 2008
    Messages:
    41
    Likes Received:
    2
    Trophy Points:
    58
    Forgot to say I'm already clearing the queue for that particular domain (because some spammers change the sender to a random name).
    /usr/sbin/exiqgrep -i -r '.$domain.' | xargs exim -Mrm

    Yep, they are using SMTP authentication. I am already clearing the Dovecot auth cache using:
    doveadm auth cache flush

    But I'm still getting messages delivered. I was avoiding an Exim/Dovecot restart because that could be "traumatic". Maybe there's some other cache I need to clear? Thanks!
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,896
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look to see what's happening?

    Thank you.
     
  6. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,761
    Likes Received:
    116
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    If you know what email account is being used, I would tail the exim_mainlog after you reset the password and clear the Dovecot cache and see if the perpetrator is still sending out mail using the SMTP authentication credentials.

    tail -f /var/log/exim_mainlog | grep --line-buffered '%emailaccount%'

    I suppose the %emailaccount% could be user@example.tld or user+example.tld or perhaps something else, so you'd have to know what they are using.
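The containment steps discussed in this thread (rotate the password, flush Dovecot's auth cache, purge the queue) and the verification step (watch exim_mainlog for sends that still authenticate as the rotated mailbox), combined into one script. This is an added example, not code from the thread, from cPanel or from any of the posters. The `uapi` calls (`Email passwd_pop`, `Email suspend_outgoing`, `Email suspend_login`) and their parameter names are assumptions to check against your cPanel version's UAPI documentation before use; the log lines inside `sample_log` are constructed in the exim_mainlog format, not real traffic. The verification keys on the `A=dovecot_…:` authenticated identity rather than the envelope sender, because the envelope sender is exactly the field the spammer randomises.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): contain a compromised
# cPanel mailbox that is relaying through SMTP AUTH, then verify that the
# sends have actually stopped. Assumes a cPanel/WHM box with Exim + Dovecot,
# run as root. The uapi function and parameter names are assumptions; verify
# them against the UAPI docs for your version.

# contain_mailbox <cpanel_user> <local_part> <domain> <new_password>
#   1. rotate the mailbox password
#   2. block further outgoing mail and logins for the address
#   3. flush Dovecot's auth cache so Exim stops accepting the old credential
#   4. purge everything already queued from that address
contain_mailbox() {
    cpuser=$1; lp=$2; domain=$3; newpw=$4
    addr="$lp@$domain"
    uapi --user="$cpuser" Email passwd_pop email="$lp" password="$newpw" domain="$domain"
    uapi --user="$cpuser" Email suspend_outgoing email="$addr"
    uapi --user="$cpuser" Email suspend_login email="$addr"
    doveadm auth cache flush
    # exiqgrep -i prints message IDs only; -f matches the envelope sender as a
    # regex. xargs -r (GNU) skips running `exim -Mrm` when nothing matched.
    exiqgrep -i -f "$addr" | xargs -r exim -Mrm
}

# auth_senders <exim_mainlog>
#   For every message Exim accepted ("<=" lines) with SMTP AUTH, count
#   messages per *authenticated identity* (the A=dovecot_xxx:<account> field),
#   ignoring the spoofable envelope sender. Output: "<account> <count>",
#   busiest first. Run against /var/log/exim_mainlog after contain_mailbox;
#   new lines for the rotated account mean the credential still works.
auth_senders() {
    grep ' <= ' "$1" \
      | sed -n 's/.* A=dovecot_[a-z]*:\([^ ]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $2, $1}'
}

# Constructed sample lines in cPanel's exim_mainlog format (not real traffic).
# Line 2 shows the pattern from the thread: the envelope sender has been
# changed to a random name, but the AUTH identity is still bob@example.com.
sample_log() {
    cat <<'EOF'
2017-12-30 10:01:02 1eVq1a-0001Ab-Cd <= bob@example.com H=(host) [198.51.100.7] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:bob@example.com S=2310 id=a1@example.com T="Invoice" from <bob@example.com> for victim1@example.net
2017-12-30 10:01:03 1eVq1b-0001Ac-Ef <= random7@example.com H=(host) [198.51.100.7] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:bob@example.com S=2310 id=a2@example.com T="Invoice" from <random7@example.com> for victim2@example.net
2017-12-30 10:01:05 1eVq1c-0001Ad-Gh <= alice@example.org H=[203.0.113.9] P=esmtpsa A=dovecot_plain:alice@example.org S=512 id=b1@example.org T="hi" from <alice@example.org> for friend@example.net
2017-12-30 10:01:07 1eVq1d-0001Ae-Ij <= <> R=1eVq1a-0001Ab-Cd U=mailnull P=local S=1800
2017-12-30 10:01:09 1eVq1e-0001Af-Kl => victim1@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.25] C="250 OK"
EOF
}

# demo: run the verification step over the constructed sample.
# On a live box you would instead run: auth_senders /var/log/exim_mainlog
demo() {
    tmp=$(mktemp)
    sample_log > "$tmp"
    auth_senders "$tmp"
    rm -f "$tmp"
}
```

Watching the live log with `tail -f /var/log/exim_mainlog | grep --line-buffered 'A=dovecot_[a-z]*:bob@example.com'` after running `contain_mailbox` is the quickest way to tell the difference between "the attacker still authenticates" (fix the credential/cache path) and "Exim is only draining messages it had already accepted" (fix the queue purge).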
     