The Community Forums


How to stop this spammer?

Discussion in 'E-mail Discussions' started by tejli009, May 12, 2015.

  1. tejli009

    tejli009 Member

    Joined:
    May 12, 2015
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Austria
    cPanel Access Level:
    Website Owner
    Hello Guys.

    I am not able to locate the user that is sending thousands of emails to one email address. He is sending mails via remote (I have already restricted it).

    Here is how it looks:

    s14.postimg.org/j3oh5csox/Unbenannt.png

    Thank you!
     
    #1 tejli009, May 12, 2015
    Last edited by a moderator: May 12, 2015
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I thought <> was the system?
     
  3. tejli009 (Member, cPanel Access Level: Website Owner)

    No, there are different sender IPs.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you review the message headers of some of those messages to see if you notice any additional information? Also, try reviewing /var/log/exim_mainlog for more details on the potential source of the mail.

    Thank you.
     
  5. tejli009 (Member, cPanel Access Level: Website Owner)

    Here is one of the email headers:

    Code:
    Date: Tue, 12 May 2015 17:57:31 +0000 (UTC)
    From: MAILER-DAEMON@yahoo.com
    To: noelmcgrathnoel@somedomain.com.au
    Subject: Delivery failure
    Delivery-date: Tue, 12 May 2015 19:57:40 +0200
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1431453451; bh=n304UVi/eq91NvQQeV7cY3AGsb8RKf87EVI4X+yI3jY=; h=Date:From:To:Subject:From:Subject; b=i4WBHnROeRNou55ATh7sc950j9EKyMivLJupYWeRtPDwhiSU4JxEk+tXEtuBSweKHo192V4zraDNvSIS/xrb3SC3N9fleTOj56G6+mxG7+y9IWLDW/xaYyEMoAznQXRuO8yv6gr5+1fDxFZtf+Kee0Q9X/S39fJa0xz5tMwI4iNiV+hwn0GM1BseGgSWfIoCJ+5eiqIr+OPh/XK57VqauFb1ihMWkeuYf0jfD01TOn63ufvTseehYwFMe17UF9zbzRhBpt06KE4MBvTKKFOXXD5HZxGb0MCuI5aM7inY6n8AwDGrKKtWI/oiNKJKovjZJMQivRkU+p2lpL+lj+maWg==
    Envelope-to: noelmcgrathnoel@somedomain.com.au
    Message-ID: <150607.77793.bm@omp1015.mail.gq1.yahoo.com>
    Received: from nm10-vm6.bullet.mail.gq1.yahoo.com ([98.136.218.141]:38313)
        by cpanel.server07.ovh with esmtps (TLSv1:RC4-SHA:128)
        (Exim 4.85)
        id 1YsEQu-0006CK-Ox
        for noelmcgrathnoel@somedomain.com.au; Tue, 12 May 2015 19:57:40 +0200
    Received: from [98.137.12.175] by nm10.bullet.mail.gq1.yahoo.com with NNFMP; 12 May 2015 17:57:31 -0000
    Received: from [98.137.12.207] by tm14.bullet.mail.gq1.yahoo.com with NNFMP; 12 May 2015 17:57:31 -0000
    Received: from [127.0.0.1] by omp1015.mail.gq1.yahoo.com with NNFMP; 12 May 2015 17:57:31 -0000
    Return-path: <>
    X-Ham-Report: Spam detection software, running on the system "cpanel.server09.ovh",
        has NOT identified this incoming email as spam.  The original
        message has been attached to this so you can view it or label
        similar future email.  If you have any questions, see
        root\@localhost for details.
        Content preview:  Message from yahoo.com. Unable to deliver message to the following
        address(es). : Sorry your message to hamedshafipor@yahoo.com cannot be delivered.
        This account has been disabled or discontinued [#102]. [...]
        Content analysis details:   (-0.1 points, 5.0 required)
        pts rule name              description
        ---- ---------------------- --------------------------------------------------
        0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
        See
        http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
        for more information.
        [URIs: somedomain.com.au]
        0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
        (mailer-daemon[at]yahoo.com)
        -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
        [98.136.218.141 listed in wl.mailspike.net]
        -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
        domain
        0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
        -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
    X-Loop: MAILER-DAEMON@yahoo.com
    X-Rocket-Delivery: 9xtDVgE3bBsJKEJ1rNM3QQM7uYsLrYfCBrRPaYKWgKQRtJ01n3m8AOVurvYY11dbgH47uu7B7Ysk65Toyp8fRYG9bHuDIiVkONdFcCt6nVtppRrZIxz0ZDLDOuvrvmUN8CpR.1lJajkWnY5WRym9BNCSF1ncsaV6OEP7Qr79cHUwweY8uf9rOzkeTQKYFuZRIoLg4a2_FVHmZpOtLcmzXlrR.Uwsz1kFjw--
    X-RocketRCL: ;;;639
    X-RocketSRV: s_ip=210.164.134.2;d_t=1431453421;Retro=Y;SgrnP=N;FolderOfDelivery=                    ;msgid=1431453415.972961.87623@mta1634.mail.gq1.yahoo.com#0;
    X-RocketTIP: 210.164.134.2 ; NO_TIP_HEADER_ALLOWED ;
    X-Spam-Bar: /
    X-Spam-Flag: NO
    X-Spam-Score: 0
    X-Spam-Status: No, score=-0.1
    X-Yahoo-Newman-Id: 150607.77793.bm@omp1015.mail.gq1.yahoo.com
    X-Yahoo-Newman-Property: ymail-5

    Message from yahoo.com.
    Unable to deliver message to the following address(es).

    <hamedshafipor@yahoo.com>:
    Sorry your message to hamedshafipor@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

    <hamedsky36@yahoo.com>:
    Sorry your message to hamedsky36@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

    <hamedvolet@yahoo.com>:
    Sorry your message to hamedvolet@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

    <hameed.mohd89@yahoo.com>:
    This user doesn't have a yahoo.com account (hameed.mohd89@yahoo.com) [-5]

    <hameed.umer@yahoo.com>:
    This user doesn't have a yahoo.com account (hameed.umer@yahoo.com) [-5]

    <hameed179@yahoo.com>:
    Sorry your message to hameed179@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

    <hameed386@yahoo.com>:
    This user doesn't have a yahoo.com account (hameed386@yahoo.com) [-5]

    <hameed@yahoo.com>:
    This user doesn't have a yahoo.com account (hameed@yahoo.com) [-5]

    <hameed_a62@yahoo.com>:
    Sorry your message to hameed_a62@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

    <hameed_pm007@yahoo.com>:
    This user doesn't have a yahoo.com account (hameed_pm007@yahoo.com) [0]

    <hameed_varpat@yahoo.com>:
    This user doesn't have a yahoo.com account (hameed_varpat@yahoo.com) [-5]

    <hameedbhat@yahoo.com>:
    Sorry your message to hameedbhat@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

    --- Original message follows.

    The original message is over 5K. Message truncated.

    Return-Path: <noelmcgrathnoel@somedomain.com.au>
    X-YahooFilteredBulk: 210.164.134.2
    Received-SPF: none (domain of somedomain.com.au does not designate permitted sender hosts)
    X-YMailISG: 2tJhMoMWLDshezeSImngf.XSq1Ry8GREcxlxq2qgXV06eBdz
     5GNjq0ZkXjym99Bsih67VkCOCHuWXXJOyrmlKNxfVt9fcsBwA7VPjIkvZt.M
     yz3nN8RwT.nBz4CJDdGwc5a2uQqk0AewwYqRO9TIdJIVF9w0ltVr1H4PgGVi
     HzcvBHYr3KKI3qPMcy8mMHRFjGE2FJFzLJXjvHCVYwh7wpMe6.9N5qJA.xdV
     .zzc3qY0G6iyMQbvjHvwIUKsZU9QPRFffqQePolGGw5ztQ0ev31f2CcIhgJV
     bmqdQq6DAWJrpxrB6XqOE_TnyxvvM0Tru5dh0.cNtghCm577hdLGmrPGpHZk
     .sJt86laeADVgQAj7f.8z48n39xjDe14UD2.9Geag.zpT9dbABUEzo8cBPY1
     0BA5rBLbIQXyMWdlW1ulnABahur8Q_kKNbmVucpZ4zhr3ASWMmg0aC5UMYBF
     lIphu_LCi9gZMmgT8rNNt_hHAxryMuUtkSNv0v762SmBbwO3s_umTkibSS6a
     M0Sy8Imx3ddStRQNC.YhbPLCoYcKr4v.jHwGe1_m4Xja0x7dGBUtdLu5EGDN
     XC6FvQCfW_k_aaNzJngGvmjk.AsbmvnQkPAMnO.adgjQwN9pcNufPqQsZZdH
     dhZk0.SyGXV30eUWD9SCPczgRSj4k2JKL7o0NnDlyd24uKoyx_g7hKxK0qfu
     DDZ2lgbsbn_fOOIMDHxrhuvZ9Y3GdULeEhn2fKwNRIVi.hBGjBveHt5XnC8e
     ceyrBk42vSNYV_gCbb3JpCAffNaBMa2JKWN2rdueh6G_WBbWv2ZpJTOgCqDx
     acWzkpm_rHyNYhxf_xsaBRBCzXC_6H11FVgxKf2kWN3ZVOgwDpx6OmYP798Y
     J2V3GsKXlHJIcf8re8NVwhhO0uCNSNzqSLo2MMH83lXt1



    somedomain.com.au is hosted with me, but that email address does not exist. I have enabled requiring HELO before delivery, but this did not happen in this account.
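The headers in the post above already answer the question, if read hop by hop: the envelope sender is `<>`, so this is a delivery status notification; the top `Received:` line was added by cpanel.server07.ovh and names a Yahoo MTA as the host that handed the message over; the quoted original carries `Return-Path: <noelmcgrathnoel@somedomain.com.au>` but Yahoo's own `X-YahooFilteredBulk` header records that it was injected from 210.164.134.2; and `Received-SPF: none` says somedomain.com.au publishes no SPF record, so Yahoo had no basis to refuse the forged sender. That pattern is backscatter: a third party is spamming Yahoo users with a forged somedomain.com.au envelope sender, and the bounces land here. The script below is an added example, not code from the thread or from cPanel. It parses the bounce (the thread's headers, abbreviated and put back into RFC 5322 form as a constructed sample) and distinguishes backscatter from a bounce of mail this server really sent. The server's public IP is not given in the thread, so the documentation address 203.0.113.10 stands in for it; the second call in the usage note swaps that address into the injection point to show the other verdict.

```python
"""Tell backscatter apart from a bounce of mail we really sent (added example)."""
import email
import ipaddress
import re

# Constructed sample: the thread's bounce, abbreviated, with each header on one
# logical line again (the forum extraction had split name and value).
SAMPLE_BOUNCE = """\
Return-path: <>
Envelope-to: noelmcgrathnoel@somedomain.com.au
Received: from nm10-vm6.bullet.mail.gq1.yahoo.com ([98.136.218.141]:38313)
    by cpanel.server07.ovh with esmtps (TLSv1:RC4-SHA:128)
    (Exim 4.85)
    id 1YsEQu-0006CK-Ox
    for noelmcgrathnoel@somedomain.com.au; Tue, 12 May 2015 19:57:40 +0200
Received: from [98.137.12.175] by nm10.bullet.mail.gq1.yahoo.com with NNFMP; 12 May 2015 17:57:31 -0000
Received: from [127.0.0.1] by omp1015.mail.gq1.yahoo.com with NNFMP; 12 May 2015 17:57:31 -0000
From: MAILER-DAEMON@yahoo.com
To: noelmcgrathnoel@somedomain.com.au
Subject: Delivery failure
Message-ID: <150607.77793.bm@omp1015.mail.gq1.yahoo.com>

Message from yahoo.com.
Unable to deliver message to the following address(es).

<hamedshafipor@yahoo.com>:
Sorry your message to hamedshafipor@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

--- Original message follows.

Return-Path: <noelmcgrathnoel@somedomain.com.au>
X-YahooFilteredBulk: 210.164.134.2
Received-SPF: none (domain of somedomain.com.au does not designate permitted sender hosts)
"""

# What "us" means. The hostname is from the bounce; the server's public IP is not
# in the thread, so a documentation address stands in for it (assumption).
OUR_HOSTS = {"cpanel.server07.ovh"}
OUR_IPS = {"203.0.113.10"}
OUR_DOMAINS = {"somedomain.com.au"}

# Handles both "from host ([ip]:port) by ..." (Exim) and "from [ip] by ..." (Yahoo).
RECEIVED_RE = re.compile(
    r"from\s+(?:(?P<host>[^\s\[(]+)\s*)?\(?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?\)?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
EXIM_ID_RE = re.compile(r"\bid\s+([A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2})\b")


def parse_received(value):
    """One Received: hop -> {host, ip, by, exim_id}; folding whitespace is flattened first."""
    flat = " ".join(value.split())
    m = RECEIVED_RE.search(flat)
    idm = EXIM_ID_RE.search(flat)
    return {
        "host": m.group("host") if m else None,
        "ip": m.group("ip") if m else None,
        "by": m.group("by") if m else None,
        "exim_id": idm.group(1) if idm else None,
    }


def header_in(text, name):
    """First 'Name: value' line in a block of raw header text (the quoted original)."""
    m = re.search(r"^" + re.escape(name) + r":[ \t]*(.+)$", text, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else None


def analyse_bounce(raw, our_hosts=OUR_HOSTS, our_ips=OUR_IPS, our_domains=OUR_DOMAINS):
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # The topmost Received: is the one our own MTA added: who handed us the message.
    top = hops[0] if hops else parse_received("")

    from_outside = False
    if top["by"] in our_hosts and top["ip"]:
        addr = ipaddress.ip_address(top["ip"])
        from_outside = top["ip"] not in our_ips and not (addr.is_loopback or addr.is_private)

    # The DSN quotes the original after this marker; that is where the claimed
    # Return-Path and the real injection point (X-YahooFilteredBulk) live.
    body = msg.get_payload()
    marker = "--- Original message follows."
    original = body.split(marker, 1)[1] if marker in body else ""
    orig_sender = (header_in(original, "Return-Path") or "").strip("<>")
    orig_ip = header_in(original, "X-YahooFilteredBulk")
    spf = header_in(original, "Received-SPF")

    f = {
        "null_sender": (msg.get("Return-Path") or "").strip() == "<>",
        "handed_to_us_from_outside": from_outside,
        "remote_mta": top["host"],
        "exim_id": top["exim_id"],
        "original_sender": orig_sender,
        "original_claims_our_domain": orig_sender.rpartition("@")[2].lower() in our_domains,
        "original_injected_from": orig_ip,
        "original_injected_by_us": orig_ip in our_ips,
        "original_spf": spf.split(" ", 1)[0].lower() if spf else None,
    }
    if f["null_sender"] and f["handed_to_us_from_outside"] and f["original_injected_by_us"]:
        f["verdict"] = "bounce-of-our-outbound"   # we really sent it: go look in exim_mainlog
    elif f["null_sender"] and f["handed_to_us_from_outside"] and f["original_claims_our_domain"]:
        f["verdict"] = "backscatter"              # forged sender; nothing on this box sent it
    else:
        f["verdict"] = "inconclusive"
    return f


if __name__ == "__main__":
    for key, val in analyse_bounce(SAMPLE_BOUNCE).items():
        print(f"{key:28} {val}")
```

`analyse_bounce(SAMPLE_BOUNCE)["verdict"]` is `backscatter`; `analyse_bounce(SAMPLE_BOUNCE.replace("210.164.134.2", "203.0.113.10"))["verdict"]` is `bounce-of-our-outbound`, the case where the exim_mainlog hunt that follows in the thread is the right next step. For the backscatter case no account on the server is sending anything, so suspending accounts cannot stop it; what the domain owner can do is publish an SPF record (and a DMARC policy) so that receivers reject the forged envelope sender instead of bouncing it, and make sure the domain's default address rejects mail for non-existent users at SMTP time rather than collecting it, since the delivery report in the next post shows the DSN for a non-existent address being routed by `localuser` into the crystal1 mailbox.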
     
  6. tejli009 (Member, cPanel Access Level: Website Owner)

    Here is some more info:

    Code:
    Event:    success success
    Sender User:    -remote-
    Sender Domain:   
    Sender:    <>
    Sent Time:    May 12, 2015 7:57:19 PM
    Sender Host:    nm10-vm6.bullet.mail.gq1.yahoo.com
    Sender IP:    98.136.218.141
    Authentication:    localdelivery
    Spam Score:    -0.1
    Recipient:    noelmcgrathnoel@somedomain.com.au
    Delivered To:    crystal1@somedomain.com.au
    deliveryuser:    crystal1
    deliverydomain:    somedomain.com.au
    Router:    localuser
    Transport:    local_delivery
    Out Time:    May 12, 2015 7:57:19 PM
    ID:    1YsEQu-0006CK-Ox
    Delivery Host:    localhost
    Delivery IP:    127.0.0.1
    Size:    7.5 KB
    Result:    Message accepted
     
  7. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

    Hello,

    Try running the following command:

    Code:
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    This will list the source and the number of messages from each source.

    Thank you.
     
  8. tejli009 (Member, cPanel Access Level: Website Owner)

    OK, I got this:

    Code:
    12879 cwd=/var/spool/exim
    1851 cwd=/home/laboneme
    1145 cwd=/etc/csf
    866 cwd=/
    795 cwd=/home/lawebdechile
    795 cwd=/home/hostsclc
    
     
  9. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

  10. tejli009 (Member, cPanel Access Level: Website Owner)

    I have suspended that account and emails still get sent. Any other option?
     
  11. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

    Are you sure new messages have been sent out? Have you removed the existing messages from the mail queue so they are not retried? If so, try searching for "somedomain.com.au" in /var/log/exim_mainlog to see if you can find out more information. For example:

    Code:
    exigrep somedomain.com.au /var/log/exim_mainlog
    Thank you.
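The awk one-liner from post #7 and the exigrep search above are two views of the same log, and both need a caveat when the mail turns out to be inbound. Exim logs a `cwd=` line only for local invocations of its binary, so in post #8's output `cwd=/var/spool/exim` is mostly Exim's own delivery processes (`exim -Mc <id>`), `cwd=/etc/csf` is most likely CSF/LFD alert mail, and a home directory is a script calling sendmail; mail that arrives over SMTP from another MTA never gets a `cwd=` line, which is why the count never points at the Yahoo bounces. The `<=` arrival lines are the better place to classify: `U=` with `P=local` is a local user or script, `A=` is an SMTP-AUTH login, and `H=` without `A=` is an unauthenticated remote host. The following is an added example, not code from the thread or from cPanel; the log lines are constructed (the first four mirror the thread's message 1YsEQu-0006CK-Ox, the rest are invented local and authenticated submissions with placeholder users and addresses). It reproduces the awk tally, classifies arrivals by channel and actor, and groups lines by message ID the way exigrep does.

```python
"""Classify exim_mainlog arrivals and trace messages, exigrep-style (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample log. Lines 1-4 follow the thread's message; the rest are invented.
SAMPLE_LOG = """\
2015-05-12 19:57:19 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1YsEQu-0006CK-Ox
2015-05-12 19:57:19 1YsEQu-0006CK-Ox <= <> H=nm10-vm6.bullet.mail.gq1.yahoo.com [98.136.218.141]:38313 P=esmtps X=TLSv1:RC4-SHA:128 S=7680 id=150607.77793.bm@omp1015.mail.gq1.yahoo.com T="Delivery failure" for noelmcgrathnoel@somedomain.com.au
2015-05-12 19:57:19 1YsEQu-0006CK-Ox => crystal1 <noelmcgrathnoel@somedomain.com.au> F=<> R=localuser T=local_delivery
2015-05-12 19:57:19 1YsEQu-0006CK-Ox Completed
2015-05-12 20:01:02 cwd=/home/laboneme/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2015-05-12 20:01:02 1YsEUb-0006Fz-AB <= laboneme@cpanel.server07.ovh U=laboneme P=local S=1432 T="Your invoice" for target1@example.net
2015-05-12 20:01:02 cwd=/home/laboneme/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2015-05-12 20:01:02 1YsEUb-0006G0-Ac <= laboneme@cpanel.server07.ovh U=laboneme P=local S=1432 T="Your invoice" for target2@example.net
2015-05-12 20:03:10 1YsEWf-0006Hh-Cd <= info@somedomain.com.au H=(WIN-PC) [198.51.100.23]:51234 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 A=dovecot_login:crystal1@somedomain.com.au S=2048 T="Hi" for friend@example.org
2015-05-12 20:03:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1YsEWf-0006Hh-Cd
"""

MSGID = r"[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}"
ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>" + MSGID + r") <= (?P<sender>\S+) (?P<rest>.*)$")
ID_RE = re.compile(r"\b(" + MSGID + r")\b")


def count_cwd(log):
    """Same tally as: awk '$3 ~ /^cwd/{print $3}' exim_mainlog | sort | uniq -c

    cwd= is logged for local invocations of the exim binary only: /var/spool/exim
    is Exim's own delivery processes (-Mc), a home directory is a script calling
    sendmail, and inbound SMTP mail produces no cwd= line at all.
    """
    c = Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[2].startswith("cwd="):
            c[parts[2]] += 1
    return c


def _field(rest, key):
    m = re.search(r"(?:^| )" + key + r"=(\S+)", rest)
    return m.group(1) if m else None


def classify_arrivals(log):
    """Count '<=' lines by how the message entered Exim: (channel, actor, kind).

    A= is an SMTP-AUTH login (the mailbox whose password was used), U= with
    P=local is a local user or script, H= without A= is an unauthenticated remote
    MTA; kind is 'bounce' for the null sender <> and 'mail' otherwise.
    """
    c = Counter()
    for line in log.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        auth, user, proto, helo = (_field(rest, k) for k in "AUPH")
        ipm = re.search(r"H=\S+ \[([0-9a-fA-F.:]+)\]", rest)
        if auth:
            key = ("smtp-auth", auth.split(":", 1)[-1])
        elif proto == "local" and user:
            key = ("local-script", user)
        elif helo:
            key = ("remote-smtp", ipm.group(1) if ipm else helo)
        else:
            key = ("unknown", m.group("sender"))
        c[key + ("bounce" if m.group("sender") == "<>" else "mail",)] += 1
    return c


def trace(log, pattern):
    """exigrep-style: every line of each message that has a line matching `pattern`.

    Lines are grouped by Exim message ID. A sendmail cwd= line carries no ID, so
    it cannot be attached to its message this way (only the -Mc delivery line can).
    """
    by_id = defaultdict(list)
    for line in log.splitlines():
        m = ID_RE.search(line)
        if m:
            by_id[m.group(1)].append(line)
    rx = re.compile(pattern)
    return {mid: lines for mid, lines in by_id.items() if any(rx.search(l) for l in lines)}


if __name__ == "__main__":
    for cwd, n in count_cwd(SAMPLE_LOG).most_common():
        print(f"{n:6} {cwd}")
    for (channel, actor, kind), n in classify_arrivals(SAMPLE_LOG).most_common():
        print(f"{n:6} {channel:13} {kind:7} {actor}")
    for mid, lines in trace(SAMPLE_LOG, r"somedomain\.com\.au").items():
        print(mid, "\n  " + "\n  ".join(lines))
```

On the sample, `count_cwd` gives two entries each for `/var/spool/exim` and the WordPress uploads directory; `classify_arrivals` reports one `remote-smtp` bounce from 98.136.218.141, two `local-script` messages from `laboneme`, and one `smtp-auth` message for `crystal1@somedomain.com.au`; and `trace` with the domain pattern returns the Yahoo bounce and the authenticated submission but not laboneme's mail. Run against the real log with `open("/var/log/exim_mainlog").read()` in place of `SAMPLE_LOG`; a burst under `local-script` points at the script's directory via the preceding `cwd=` lines, a burst under `smtp-auth` means a mailbox password to change, and a burst of `remote-smtp` bounces is inbound backscatter that no account suspension will stop.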
     