
How to understand the cPanel mail reports and stop spammers?

Discussion in 'Security' started by stingray34, Nov 1, 2013.

  1. stingray34 (Member; cPanel Access Level: Root Administrator)

    Hi,
    Though "SMTP Restrictions" is enabled, I still see mail from Yahoo to Gmail going through our Exim mail server. How can I stop them?

    Let's say the default email account is abc@example.com.
    In Mail Delivery Reports, when I do a Report Inquiry with abc /user,
    then I see mails from Yahoo to Gmail. Why is that?

    Does that mean that the spammer is sneaking in through PHP scripts, because that is what the default email is used for?

    By the way, I see only one email ever, so there is no spam or returned mail.

    Another thing: under View Sent Summary, I see the abc user with a large amount of mail, and -remote- with a large amount as well. What exactly does that mean? When someone uses Outlook to send an email, which one is it recorded under? Is it different from sending from a smartphone or from webmail?

    I've read this page for a general idea about the default email address, but there seems to be more to it:
    Email Accounts

    Sorry, I am asking too many questions.

    Thank you so much for your help!
     
  2. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)

    Hello :)

    Try searching for that same Yahoo address in the /var/log/exim_mainlog file. For example:

    Code:
    exigrep user@yahoo /var/log/exim_mainlog
    Does this give you any additional information?

    The "-remote-" user is used for incoming and outgoing mails that are not local. Effectively, it's used for when an email is sent out of the server or when an email is sent to the server and the sender or recipient are remote.

    Thank you.
     
  3. stingray34 (Member; cPanel Access Level: Root Administrator)

    Michael,
    Are you saying this:

    -remote-
    MyDomain -> OtherDomain
    OtherDomain -> MyDomain

    local (-> abc in my example, regardless of the actual user, which varies)
    MyDomain <-> MyDomain

    Thanks for your help, Michael.
     
  4. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)

    Yes, any email delivery to/from a non-local address. I recommend clicking on the "-remote-" username that you see in the "View Sent Summary" interface. It will give you a better idea of the emails it's referencing under that username.

    Thank you.
     
  5. stingray34 (Member; cPanel Access Level: Root Administrator)

    Looking at Mail Delivery Report, I see the same entry of local-to-local mail on both -remote- user and 'default email account' user.
    There are more emails with '-remote-' than with 'default email account' user.

    What am I missing?
     
  6. quizknows (Well-Known Member; cPanel Access Level: DataCenter Provider)

    Spam is typically sent through either a PHP script, or an SMTP authenticated user. Both of these allow for spoofed "from" addresses.

    I would suggest the following (all require root SSH access):

    Run "exim -bp" to see what is in the mail queue. You can examine individual messages in the WHM Mail Queue Manager or with command-line options like:

    Code:
    exim -Mvh 1VZu8T-0001oa-EU   # view headers
    exim -Mvb 1VZu8T-0001oa-EU   # view body
    exim -Mvl 1VZu8T-0001oa-EU   # view logs

    That exim -Mvl is the important one. If it was sent via SMTP login, you will see "courier_login" or "dovecot_login" in the very first line of output, with the actual e-mail address used to authenticate to send the message.

    If that's not it, it's likely a script. You can check directories containing PHP scripts that sent mail with this command:

    Code:
    grep cwd /var/log/exim_mainlog | awk '/public_html/ {print $3}' | sort | uniq -c
    
    If this returns empty, you need to change your exim config to contain +all under the log_selector setting. That can (and should) be done via WHM.
     
  7. stingray34 (Member; cPanel Access Level: Root Administrator)

    hi, quizknows,
    Stupid question - which directory do I run those commands in? I could not find the file "1VZu8T-0001oa-EU".
     
  8. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)

    The message ids were provided as examples. You would have to find the specific message ids via the "exim -bp" command first.

    Thank you.
     
  9. stingray34 (Member; cPanel Access Level: Root Administrator)

    We had a huge amount of spam going out two months ago, and it stopped a month ago. Then it came back on Halloween Day (only).

    Right now it is peaceful, so I cannot fully analyze the spam mails since I only had several in the queue.

    Anyway,
    All of the queued email had:
    "host_auth courier_login" and "auth_id OurDomainUser (same user)"

    The result of the script is:
    "4 cwd=/home/USERNAME/public_html/store"

    Now how can I interpret this?
    Thank you so much for your patience!
     
  10. 4m4ndaPu6h (Registered; cPanel Access Level: Website Owner)

    I hate spam! Thank God it's down now.
     
  11. quizknows (Well-Known Member; cPanel Access Level: DataCenter Provider)

    The 4 cwd=/home/USERNAME/public_html/store means that 4 e-mails were sent by PHP scripts in that directory. Since it's a low number, those are probably legitimate e-mails such as customer invoices sent by your application.

    The important part here is this:
    Code:
    host_auth courier_login OurDomainUser 
    Courier login means an SMTP/POP/IMAP login was used to send the mail. While some scripts auth this way, most don't, so for the purposes of this explanation it means a username/password was used to send mail, the same as you'd send it using Outlook or Thunderbird.

    Normally for courier auth you'll see "user@domain.com", but it's not impossible for it to be just "OurDomainUser". What this means is your cPanel username/password was used for SMTP auth. It's important to remember that cPanel usernames and passwords can send out mail just like an e-mail account username and password could.

    In short, they sent the spam mail by logging in to SMTP using your cPanel username and password. Changing your cPanel password would have stopped / will stop the spam. At that point I'd recommend you scan your local machines for any keyloggers or viruses that may have stolen your cPanel password. Also, always log in to cPanel/WHM on the SSL ports.
     
    #11 quizknows, Nov 4, 2013
    Last edited: Nov 4, 2013
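The two checks quizknows describes above, the cwd= pipeline for script senders in post 6 and the reading of the courier_login auth id in post 11, put together as one triage script that can be pointed at exim_mainlog. This is an added example, not code from the thread or from cPanel. The log lines it runs on are constructed for the example (the account name shopacct, the IP addresses and the message ids are made up), and it assumes the two log formats the thread relies on: cwd=<dir> N args: ... lines, which Exim only writes when log_selector includes +all, and A=courier_login:<id> or A=dovecot_login:<id> on the "<=" arrival line for SMTP-authenticated mail.

```shell
#!/bin/bash
# Added example, not from the thread: triage /var/log/exim_mainlog for the two
# spam sources discussed above, mail sent by PHP scripts (cwd= lines, present
# when log_selector includes +all) and mail sent through an SMTP login
# (A=courier_login:<id> or A=dovecot_login:<id> on the "<=" arrival line).
set -eu

# Constructed sample log: the account shopacct, the IPs and message ids are made up.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2013-11-01 08:00:00 cwd=/root 3 args: /usr/sbin/sendmail -t -i
2013-11-01 08:00:00 1VZu89-0001a9-A9 <= root@server.example.net U=root P=local S=900 T="Cron <root@server> run-parts"
2013-11-01 09:12:01 cwd=/home/shopacct/public_html/store 3 args: /usr/sbin/sendmail -t -i
2013-11-01 09:12:01 1VZu8A-0001aa-AA <= store@example.com U=shopacct P=local S=1532 T="Your invoice #1001"
2013-11-01 09:40:17 cwd=/home/shopacct/public_html/store 3 args: /usr/sbin/sendmail -t -i
2013-11-01 09:40:17 1VZu8B-0001ab-AB <= store@example.com U=shopacct P=local S=1498 T="Your invoice #1002"
2013-11-01 10:02:45 cwd=/home/shopacct/public_html/blog/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-11-01 10:02:45 1VZu8C-0001ac-AC <= noreply@example.com U=shopacct P=local S=5120 T="Cheap watches"
2013-11-01 10:31:00 1VZu8D-0001ad-AD <= sales@example.com H=(mail) [203.0.113.10]:51000 P=esmtpa A=dovecot_login:sales@example.com S=2100 T="Re: quote"
2013-11-01 11:00:05 1VZu8E-0001ae-AE <= aaa@yahoo.com H=(localhost) [198.51.100.7]:40001 P=esmtpa A=courier_login:shopacct S=3012 T="Cheap watches"
2013-11-01 11:00:06 1VZu8F-0001af-AF <= bbb@yahoo.com H=(localhost) [198.51.100.7]:40002 P=esmtpa A=courier_login:shopacct S=3012 T="Cheap watches"
2013-11-01 11:00:07 1VZu8G-0001ag-AG <= ccc@yahoo.com H=(localhost) [198.51.100.8]:40003 P=esmtpa A=courier_login:shopacct S=3012 T="Cheap watches"
EOF

# 1. Script senders: quizknows' pipeline, wrapped so it can be run on any log.
#    Output: "<count> cwd=<directory>", busiest directory first. A directory
#    under wp-content/uploads sending mail is a classic sign of a dropped mailer.
script_senders() {
    grep cwd "$1" | awk '/public_html/ {print $3}' | sort | uniq -c | sort -rn
}

# 2. Authenticated senders: one line per login id with message count, number of
#    distinct envelope senders and number of client IPs. Many different senders
#    behind one login is the spoofed-From pattern; a login id with no "@" is a
#    cPanel account name rather than a mailbox (post 11's point).
auth_senders() {
    awk '
    / <= / {
        auth = ""; ip = "-"
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^A=/) { auth = $i; sub(/^A=[^:]*:/, "", auth) }
            if ($i ~ /^\[/) { ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip) }
        }
        if (auth == "") next            # P=local or unauthenticated: not an SMTP login
        msgs[auth]++
        if (!((auth, $5) in seen_from)) { seen_from[auth, $5] = 1; senders[auth]++ }
        if (!((auth, ip) in seen_ip))   { seen_ip[auth, ip] = 1;   ips[auth]++ }
    }
    END {
        for (a in msgs) {
            kind = (a ~ /@/) ? "mailbox" : "cpanel-account"
            printf "%d msgs %d senders %d ips %s %s\n", msgs[a], senders[a], ips[a], a, kind
        }
    }' "$1" | sort -rn
}

# 3. Only the login ids that are cPanel account names: those are the passwords
#    to change first in WHM (List Accounts), which is where the thread ends up.
cpanel_account_logins() {
    auth_senders "$1" | awk '$NF == "cpanel-account" {print $(NF-1)}'
}

echo "== script senders =="
script_senders "$SAMPLE_LOG"
echo "== authenticated senders =="
auth_senders "$SAMPLE_LOG"
echo "== cPanel account names used for SMTP auth =="
cpanel_account_logins "$SAMPLE_LOG"
```

On a real server, replace "$SAMPLE_LOG" with /var/log/exim_mainlog. An empty result from script_senders means the same thing quizknows notes in post 6: cwd= lines are only written with +all in log_selector, so enable that in WHM first. The "many senders, few IPs, one login" line is a heuristic, not proof; confirm with exim -Mvl on a queued message as the thread does before resetting passwords.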
  12. stingray34 (Member; cPanel Access Level: Root Administrator)

    Thank you so, so much, quizknows for detailed explanation!

    It really scared me because, according to your words, the cPanel password was compromised, and I don't know the password.
    So anytime I need an access to cPanel, I go to WHM -> List Accounts -> click on cPanel icon.

    Is it possible to change it when I only know the password to WHM?

    And changing the password for the domain user that showed up in courier_auth doesn't do any good?
     
  13. quizknows (Well-Known Member; cPanel Access Level: DataCenter Provider)

    Yes, you can easily change the password via WHM. When you go to list accounts, click the little + next to the domain which will give you a drop-down where you can create a new password.

    It does plenty of good :)

    It will stop it from sending spam if someone has/had the old password, and will stop any other unauthorized access using that password.

    Normally when someone sends spam in this fashion they don't mess with anything else (site files, etc.), so you should be in OK shape. A quick search of recently modified files might be in order just to be safe, e.g.
    Code:
    find /home/USERNAME/public_html -type f -mtime -4
    This would show you any files modified in the last 4 days. Also run it with ctime instead of mtime just to be sure.
     
  14. stingray34 (Member; cPanel Access Level: Root Administrator)

    Thank you so much, quizknows, for your kind and detailed answer.
    I will start with changing the passwords.
     