The Community Forums


how to prevent spammers sending as cpanel user?

Discussion in 'Security' started by kazar, Nov 23, 2014.

  1. kazar

    kazar (Active Member; cPanel Access Level: Root Administrator)

    Hi everyone --

    Please be gentle as I am NOT a professional (maybe not even amateur) web server administrator. I simply host a website and email services as a volunteer for a local community garden.

    I started getting forwarded messages from my hosting provider that the domain is being reported as a spammer. I have done everything on my server I feel safe enough (as someone who could easily completely screw up a server) to do -- i.e., just using WHM control panel interface and following _some_ of the recommendations that came up when I ran the Security Advisor tool.

    It's clear that spammers are sending, or trying to send, email as the domain user svgarden (the server host name is vm1.bubbleup.us). How can they do this? At my hosting provider's recommendation I already changed the user's pw over a week ago and it is not even written anywhere on a piece of paper, and my connections are always via secure ports. So I don't think the domain user's password is the issue.

    What I need to know, if anyone can help, is the answers to these 3 Q's. I have already spent significant time trying to solve this on my own (by reading cPanel docs that are usually way over my head, and googling around for answers) but I don't think I have:

    1. Is my server still being used for spam? I do not know how to decipher the exim log (pasted in below).

    2. If answer to #1 is "yes", what else do I need to do on my server to stop this from happening? (I have also pasted in below my notes re what I have changed so far on my server)

    3. I enabled the ClamAV connector and ran a virus scan for the domain that is experiencing this problem, but where can I see the results? I have looked all over the WHM and cpanel screens and can't see whether the scan was clean or whether any infected files were found.

    My hosting provider recommended I use a third-party service to look into the situation, but the cost is $350, which I cannot pay; I already pay for the VPS for the garden's website & email and for other small community groups.
    I would so appreciate any help!! Thanks in advance!

    kazar


    ===========SAMPLE RECENT ENTRIES FROM EXIM_MAINLOG=============
    ======(ENTRIES ARE *AFTER* THE CHANGES I MADE ON SERVER THAT ARE NOTED BELOW)===
    =========ARE SPAMMERS STILL SENDING MAIL THROUGH MY SERVER?=======

    - Removed -

    ==========================================
    My notes of what changes I made on my server before the above Exim log items were written
    Do I need to do anything else?
    ==========================================

    In Tweak Settings
    Prevented "nobody" from sending mail

    Enabled SMTP restrictions

    Jailed all user shells

    Tweak Settings / Mail -- changed initial default/catch-all forwarder destination to Fail

    NOTE: Mail authentication via domain owner password was already OFF, so how is someone sending as svgarden@vm1?

    Track email origin via X-Source email headers - turned ON

    Max hourly emails per domain: 50

    Maximum percentage of failed or deferred messages a domain may send per hour - set to 5%

    In Exim Configuration Manager - Basic Editor
    ACL Options

    Reject remote mail sent to the server's hostname - turned ON

    [?]Reject mail at SMTP time if the recipient is an address of the primary hostname of this server. No remote mail should normally be received for the primary hostname, and this has recently become a common spam target.

    Mail

    Log sender rates in the exim mainlog. - turned ON

    Set SMTP Sender: headers - turned ON

    [?](-f flag passed to sendmail) This will create "On behalf of" notices in Microsoft® Outlook, but it may also help track abuse of the mail system since recipients will see the SMTP login used to send each message.

    Security

    Scan outgoing messages for malware - turned ON

    Apache Spam-Assassin options

    Apache SpamAssassin™: Forced Global ON - turned on

    Scan outgoing messages for spam and reject based on the Apache SpamAssassin™ internal spam_score setting - turned ON
     
    #1 kazar, Nov 23, 2014
    Last edited by a moderator: Nov 23, 2014
  2. Infopro

    Infopro (cPanel Sr. Product Evangelist; Staff Member)

  3. kazar

    kazar (Active Member; cPanel Access Level: Root Administrator)

    Thanks much. I had already followed everything in that page except for suPHP ... I felt stuck (and newbie-scared) because I would not know whether to enable suPHP vs mod_suPHP vs mod_ruid2. The server has a few tiny domains (small, low-traffic) with sites running on Drupal and WP.

    I think the suPHP is key, though, because I notice in exim_mainlog that there are references to a "media" plug-in in the CKeditor module of the site, which (even though I know next to nothing) I imagine is being exploited by having php somehow send out emails.

    Any recommendation re suPHP vs the other two?

    Thanks again!!

    kazar
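
An added example, not part of the thread and not cPanel's code, for the two questions raised above: the first post asks how to read exim_mainlog to tell whether the server is still relaying spam, and the post just above notices that the log references a CKEditor "media" plugin directory. The script below parses the kind of lines cPanel's Exim logging produces: a `cwd=... N args: /usr/sbin/sendmail ...` line (the working directory of a local process that invoked sendmail) immediately followed by the `<=` "message accepted" line, or a `<=` line with `P=esmtpsa A=dovecot_login:...` for an authenticated SMTP submission. Each accepted message is attributed to an authenticated login, to a script directory under a web document root, or to some other local process, and the per-origin counts show where mail is actually coming from. The thread's own log was removed, so the sample lines, message IDs, recipient addresses, the `gardener@svgarden.example` login, and the exact `/home/svgarden/public_html/sites/all/modules/` prefix of the ckeditor path are all constructed assumptions; `vm1.bubbleup.us` and `svgarden` come from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of cPanel-style exim_mainlog lines (NOT the thread's log).
# Pattern shown: a PHP script under public_html calling sendmail twice, one
# authenticated SMTP submission from a real user, one cron job, one delivery line.
SAMPLE_LOG = """\
2014-11-23 10:15:02 cwd=/home/svgarden/public_html/sites/all/modules/ckeditor/plugins/media 3 args: /usr/sbin/sendmail -t -i
2014-11-23 10:15:02 1Xsa0k-0003Qz-1b <= svgarden@vm1.bubbleup.us U=svgarden P=local S=2874 T="Special offer" for target1@example.net
2014-11-23 10:15:03 cwd=/home/svgarden/public_html/sites/all/modules/ckeditor/plugins/media 3 args: /usr/sbin/sendmail -t -i
2014-11-23 10:15:03 1Xsa0l-0003R4-2c <= svgarden@vm1.bubbleup.us U=svgarden P=local S=2874 T="Special offer" for target2@example.net
2014-11-23 10:15:03 1Xsa0l-0003R4-2c => target2@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.5]
2014-11-23 10:20:41 1Xsa6J-0003Tq-9a <= gardener@svgarden.example H=(laptop) [198.51.100.7] P=esmtpsa A=dovecot_login:gardener@svgarden.example S=1411 T="Meeting minutes" for member@example.org
2014-11-23 11:00:01 cwd=/home/svgarden 3 args: /usr/sbin/sendmail -t -i
2014-11-23 11:00:01 1Xsaiz-0003Vb-4d <= svgarden@vm1.bubbleup.us U=svgarden P=local S=612 T="Cron <svgarden@vm1> backup" for svgarden@vm1.bubbleup.us
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
# "cwd=<dir> <n> args: <argv>"  -- logged by Exim's +arguments log selector
CWD_RE = re.compile(rf"^(?P<ts>{TS}) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
# "<msgid> <= <sender> ..." -- a message accepted into the queue
RECV_RE = re.compile(rf"^(?P<ts>{TS}) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# U= local user, P= protocol, A= authenticator:login
KV_RE = re.compile(r"(?:^|\s)(?P<k>[UPA])=(?P<v>\S+)")
FOR_RE = re.compile(r"\sfor\s(?P<rcpts>.+)$")

WEB_DIR_MARKERS = ("/public_html/", "/www/")  # assumed document-root markers


@dataclass
class Submission:
    timestamp: str
    msg_id: str
    sender: str
    origin: str      # "web-script", "authenticated-smtp", "local-process" or "other"
    key: str         # script directory, SMTP login, or protocol name
    recipients: str


def parse_exim_mainlog(lines):
    """Return one Submission per accepted ('<=') message, attributed to its origin."""
    records = []
    pending_cwd = None   # cwd line that precedes a local sendmail submission
    for line in lines:
        line = line.rstrip("\n")
        m = CWD_RE.match(line)
        if m:
            pending_cwd = m.group("cwd")
            continue
        m = RECV_RE.match(line)
        if not m:
            continue     # delivery (=>), completion, or other record types
        rest = m.group("rest")
        fields = {kv.group("k"): kv.group("v") for kv in KV_RE.finditer(rest)}
        proto = fields.get("P", "")
        fm = FOR_RE.search(rest)
        rcpts = fm.group("rcpts") if fm else ""
        if "A" in fields:
            # authenticated submission: the login, not the cwd, is what matters
            origin, key = "authenticated-smtp", fields["A"].split(":", 1)[-1]
        elif proto == "local":
            cwd = pending_cwd or "(unknown cwd)"
            origin = "web-script" if any(mk in cwd for mk in WEB_DIR_MARKERS) else "local-process"
            key = cwd
        else:
            origin, key = "other", proto or "(unknown protocol)"
        records.append(Submission(m.group("ts"), m.group("id"), m.group("sender"), origin, key, rcpts))
        pending_cwd = None
    return records


def summarize(records):
    """Count accepted messages per (origin, key)."""
    return Counter((r.origin, r.key) for r in records)


def flag_web_script_senders(records, threshold):
    """Script directories under a web root that submitted at least `threshold` messages."""
    counts = Counter(r.key for r in records if r.origin == "web-script")
    return sorted(d for d, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_exim_mainlog(SAMPLE_LOG.splitlines())
    for (origin, key), n in summarize(recs).most_common():
        print(f"{n:4d}  {origin:18s} {key}")
    for d in flag_web_script_senders(recs, threshold=2):
        print("investigate script directory:", d)
```

Run against a real exim_mainlog (`python3 this.py < /var/log/exim_mainlog` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`), a web directory that dominates the counts points at a writable or exploited script rather than at a stolen mailbox password, which is consistent with the password change in the first post not stopping the traffic; the "Max hourly emails per domain" tweak only throttles such a script, while removing or fixing it stops the source.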
     
  4. kazar

    kazar (Active Member; cPanel Access Level: Root Administrator)

    [for now I just removed ckeditor/plugins/media/ -- really seems there is some sort of big hole in that plugin]
     
  5. kazar

    kazar (Active Member; cPanel Access Level: Root Administrator)