How to immediately stop spam users

ruiz

Well-Known Member
Feb 13, 2008
Eventually some of my users get their accounts compromised and start sending spam or viruses. To stop them, I'm using a combination of CSF and some scripts.

The problem is that even though I detect the spam and promptly change their passwords and suspend the account using cPanel's UAPI, those accounts keep sending mail for the next 2-10 minutes before stopping. Why is this happening? How can I stop them immediately? Is there some login cache?

Thanks!

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
If they are using SMTP Authentication to send out these messages, then Exim may be relying on a Dovecot cache, since it uses Dovecot for the authentication part. Make sure you are restarting Dovecot (and for good measure, I'd restart Exim too) after changing the passwords to see if that has any effect. That should clear out any cache that these systems are using.

I have noticed something similar in the past with this and this helped me.

ruiz

Well-Known Member
Feb 13, 2008
You might find the email sitting in the queue:
WebHost Manager »Email »Mail Queue Manager
Mail Queue Manager - Version 68 Documentation - cPanel Documentation
Forgot to say i'm already clearing the queue for that particular domain (because some spammers change the sender to a random name).
/usr/sbin/exiqgrep -i -r ".$domain." | xargs -r exim -Mrm

Yep, they are using SMTP authentication. I am already clearing the Dovecot auth cache using:
doveadm auth cache flush

But I'm still getting messages delivered. I was avoiding an Exim/Dovecot restart because that could be "traumatic". Maybe there's some other cache I need to clear? Thanks!
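Added example, not code from any post in this thread: a lockdown script that strings together the steps discussed so far (the UAPI password change, the Dovecot auth cache flush, sparek-3's optional Dovecot/Exim restart, and the queue purge) in the order that actually closes the window. It also kicks sessions already authenticated with the old password, and it purges by the SMTP AUTH id recorded in each spool header rather than by envelope sender, since the thread notes that spammers randomise the sender. The CLIs used (uapi, doveadm, exiqgrep, exim -Mvh/-Mrm, /scripts/restartsrv_*) are real cPanel/Dovecot/Exim tools; the mailbox and cPanel account names are placeholders. Nothing is executed unless EXECUTE=1 is set, so by default it only prints the plan.

```bash
#!/bin/bash
# Added example (not from the thread): lock down one compromised mailbox.
# Order matters: rotate the credential, invalidate cached/active sessions,
# then purge what is already queued. Mailbox and cPanel user are assumptions.
# Nothing runs unless EXECUTE=1; otherwise the plan is only printed.
set -u

run() {
    # Echo the command; execute it only when EXECUTE=1.
    printf '%s\n' "$*"
    [ "${EXECUTE:-0}" = "1" ] && "$@"
    return 0
}

queued_by_auth_id() {
    # Print queue IDs whose spool header records $1 as the SMTP AUTH id
    # (the "-auth_id" line printed by exim -Mvh). Matching on the auth id
    # instead of the envelope sender catches messages with a randomised From.
    local mailbox="$1" id
    for id in $(exiqgrep -i); do
        exim -Mvh "$id" 2>/dev/null | grep -qx -- "-auth_id $mailbox" && printf '%s\n' "$id"
    done
}

lockdown_mailbox() {
    # $1 = compromised mailbox (user@domain), $2 = owning cPanel account.
    local mailbox="$1" cpuser="$2"
    local user="${mailbox%@*}" domain="${mailbox#*@}"
    local newpass='<generated>'
    if [ "${EXECUTE:-0}" = "1" ]; then
        # Only generate the real secret when executing, so it never shows up
        # in a printed plan or terminal scrollback.
        newpass="$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)"
    fi

    # 1. Rotate the credential (UAPI Email::passwd_pop).
    run uapi --user="$cpuser" Email passwd_pop email="$user" domain="$domain" password="$newpass"
    # 2. Drop this user's entry from the Dovecot auth cache that Exim's SMTP
    #    AUTH consults; until then the old password keeps working.
    run doveadm auth cache flush "$mailbox"
    # 3. Disconnect sessions already authenticated with the old password.
    run doveadm kick "$mailbox"
    # 4. Optional belt-and-braces restart, as suggested in the thread.
    if [ "${RESTART:-0}" = "1" ]; then
        run /scripts/restartsrv_dovecot
        run /scripts/restartsrv_exim
    fi
    # 5. Purge queued messages that were submitted under this auth id.
    if [ "${EXECUTE:-0}" = "1" ]; then
        queued_by_auth_id "$mailbox" | xargs -r exim -Mrm
    else
        printf 'exim -Mrm <each id from: queued_by_auth_id %s>\n' "$mailbox"
    fi
}

# Usage: EXECUTE=1 RESTART=1 ./lockdown.sh alice@example.com alicecp
# Without EXECUTE=1 the plan is printed and nothing is changed.
if [ $# -eq 2 ]; then
    lockdown_mailbox "$1" "$2"
fi
```

Run it once without EXECUTE=1 to read the plan, then with it. Passing the new password on the uapi command line is visible in the process list for a moment, the same as the thread's own UAPI usage; on a shared host, prefer a form of the call that reads the password from stdin or a file if your cPanel version offers one.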

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look to see what's happening?

Thank you.

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
If you know what email account is being used, I would tail the exim_mainlog after you reset the password and clear the Dovecot cache, and see if the perpetrator is still sending out mail using the SMTP authentication credentials.

tail -f /var/log/exim_mainlog | grep '%emailaccount%'

I suppose the %emailaccount% could be user@example.tld or user+example.tld or perhaps something else, so you'd have to know what they are using.
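Added example, not code from any post in this thread: the tail-and-grep check above, done over the log format cPanel's Exim actually writes, where an authenticated submission line (`<=`) carries `A=dovecot_login:<id>` or `A=dovecot_plain:<id>` and a rejected login shows up as an `authenticator failed ... (set_id=<id>)` line. Keying on the `A=` field rather than the From address means randomised senders still count against the real account. The log lines in the block are constructed, not real traffic; the mailbox name and reset timestamp are placeholders.

```bash
#!/bin/bash
# Added example (not from the thread): triage exim_mainlog for one mailbox
# after its password was reset. Accepted "<=" lines after the reset mean a
# cached or still-open session is getting through; "authenticator failed"
# lines mean the attacker is retrying the old password and being refused.
# Assumes cPanel's A=dovecot_login:/A=dovecot_plain: log fields.
set -u

write_sample_log() {
    # Constructed sample log, not real traffic. Prints the temp file path.
    local f; f="$(mktemp)"
    cat >"$f" <<'EOF'
2023-05-01 10:00:01 1pTxyz-0001aB-Qr <= alice@example.com H=(laptop) [203.0.113.5]:52314 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:alice@example.com S=1843 id=1@example.com T="Invoice" for bob@example.net
2023-05-01 10:00:02 1pTxyz-0001aC-Qs <= promo9231@example.com H=(WIN-9F2) [198.51.100.7]:4410 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:alice@example.com S=52311 id=2@example.com T="You have won" for v1@mail.test
2023-05-01 10:00:03 1pTxyz-0001aB-Qr => bob@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.10] C="250 OK"
2023-05-01 10:00:04 1pTxyz-0001aD-Qt <= carol@example.com H=(phone) [203.0.113.9]:61002 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:carol@example.com S=901 id=3@example.com T="Lunch" for dave@example.net
2023-05-01 10:00:05 dovecot_login authenticator failed for (WIN-9F2) [198.51.100.7]:4411: 535 Incorrect authentication data (set_id=alice@example.com)
2023-05-01 10:00:06 1pTxyz-0001aE-Qu <= promo5511@example.com H=(WIN-9F2) [198.51.100.7]:4412 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:alice@example.com S=52311 id=4@example.com T="You have won" for v2@mail.test
2023-05-01 10:00:07 dovecot_plain authenticator failed for (WIN-9F2) [198.51.100.7]:4413: 535 Incorrect authentication data (set_id=alice@example.com)
EOF
    printf '%s\n' "$f"
}

count_by_auth_id() {
    # Accepted submissions per SMTP AUTH id in log $1, busiest first.
    awk '$4 == "<=" {
        for (i = 5; i <= NF; i++)
            if ($i ~ /^A=dovecot_(login|plain):/) {
                sub(/^A=[^:]*:/, "", $i); n[$i]++; break
            }
    } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

submissions_since() {
    # Accepted submissions in log $1 for auth id $2 at or after timestamp $3
    # ("YYYY-MM-DD HH:MM:SS"). Any output after the reset means the old
    # credential or session is still being honoured.
    awk -v id="$2" -v since="$3" '$4 == "<=" && ($1 " " $2) >= since {
        for (i = 5; i <= NF; i++) {
            a = $i
            if (sub(/^A=dovecot_(login|plain):/, "", a) && a == id) { print; break }
        }
    }' "$1"
}

failed_auths() {
    # Number of refused SMTP AUTH attempts for id $2 in log $1.
    grep -c "authenticator failed for .*(set_id=$2)" "$1" || true
}

triage() {
    local log="$1" mailbox="$2" since="$3"
    echo "== accepted submissions per SMTP AUTH id"
    count_by_auth_id "$log"
    echo "== $mailbox submissions since $since (should be empty after lockdown)"
    submissions_since "$log" "$mailbox" "$since"
    echo "== refused AUTH attempts for $mailbox: $(failed_auths "$log" "$mailbox")"
}

# Usage: ./triage.sh /var/log/exim_mainlog alice@example.com "2023-05-01 10:00:05"
# With no arguments it runs against the constructed sample above.
if [ $# -eq 3 ]; then
    triage "$1" "$2" "$3"
else
    sample="$(write_sample_log)"
    triage "$sample" alice@example.com "2023-05-01 10:00:05"
    rm -f "$sample"
fi
```

On the constructed sample, the submission at 10:00:06 shows up after the 10:00:05 reset even though the next login attempt fails: that is exactly the cached-session window the thread is chasing, and it is what `doveadm auth cache flush` plus `doveadm kick` (or the restart sparek-3 suggests) should close.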