How to understand the cPanel mail reports and stop spammers?

[stingray34]

Hi,
Though "SMTP Restrictions" is enabled, yet I see mails from Yahoo to Gmail thruough our Exim mail server. How can I stop them?

Let's say the default email account is [email protected].
In Mail Delivery Reports, when I do a Report Inquiry with abc /user,
Then I see mails from Yahoo to Gmail. Why is that?

Does that mean that the spammer is sneaking in through PHP scripts, because that is what the default email is used for?

By the way, I see only one email ever. So there is no spams or returned mail.

Another thing is, under View Sent Summary, I see abc User with a big amount of mails, and -remote- with a big amount. What does that exactly mean? When someone uses Outlook to send an email, which is it recorded in? Is it different from sending from a smart phone or from a webmail?

I've read this page for general idea about default email address, but it seems more to this:
Email Accounts

Sorry, I am asking too many questions.

Thank you so much for your help!

 

[cPanelMichael]

Hello

Try searching for that same Yahoo address in the /var/log/exim_mainlog file. EX:

exigrep [email protected] /var/log/exim_mainlog

Does this give you any additional information?

The "-remote-" user is used for incoming and outgoing mails that are not local. Effectively, it's used for when an email is sent out of the server or when an email is sent to the server and the sender or recipient are remote.

Thank you.

 

[stingray34]

Michael,
Are you saying this:

-remote-
MyDomain -> OtherDomain
OtherDomain -> MyDomain

local ( -> abc in my example, regardless the actual user that varies)
MyDomain <-> MyDomain

Thanks for your help, Michael.

 

[cPanelMichael]

Yes, any email delivery to/from a non-local address. I recommend clicking on the "-remote-" username that you see in the "View Sent Summary" interface. It will give you a better idea of the emails it's referencing under that username.

Thank you.

 

[stingray34]

Looking at Mail Delivery Report, I see the same entry of local-to-local mail on both -remote- user and 'default email account' user.
There are more emails with '-remote-' than with 'default email account' user.

What am I missing?

 

[quizknows]

Spam is typically sent through either a PHP script, or an SMTP authenticated user. Both of these allow for spoofed "from" addresses.

I would suggest the following (all require root SSH access):

run "exim -bp" to see what is in the mail queue. You can examine individual messages in WHM mail queue manager or with command line options like

exim -Mvh 1VZu8T-0001oa-EU #view headers
exim -Mvb 1VZu8T-0001oa-EU #view body
exim -Mvl 1VZu8T-0001oa-EU #view logs

That exim -Mvl is the important one. If it was sent via SMTP login, you will see "courier_login" or "dovecot_login" in the very first line of output, with the actual e-mail address used to authentiate to send the message.

If that's not it, it's likely a script. You can check directories containing PHP scripts that sent mail with this command:

grep cwd /var/log/exim_mainlog | awk '/public_html/ {print $3}' | sort | uniq -c

If this returns empty, you need to change your exim config to contain +all under the log_selector setting. That can (and should) be done via WHM.

 

[stingray34]

hi, quizknows,
Stupid question - which directory do I run those commands in? I could not find the file "1VZu8T-0001oa-EU".

 

[cPanelMichael]

hi, quizknows,
Stupid question - which directory do I run those commands in? I could not find the file "1VZu8T-0001oa-EU".

The message ids were provided as examples. You would have to find the specific message ids via the "exim -bp" command first.

Thank you.

 

[stingray34]

We had a huge amount of spams going out two months ago, and it stopped a month ago. Then it came back on Halloween Day (only).

Right now it is peaceful, so I cannot fully analyze the spam mails since I only had several in the queue.

Anyway,
All of the queued email had:
"host_auth courier_login" and "auth_id OurDomainUser (same user)"

The result of the script is:
"4 cwd=/home/USERNAME/public_html/store"

Now how can I interpret this?
Thank you so much for your patience!

 

[4m4ndaPu6h]

I hate spam! Thank god its down now

 

[quizknows]

We had a huge amount of spams going out two months ago, and it stopped a month ago. Then it came back on Halloween Day (only).

Right now it is peaceful, so I cannot fully analyze the spam mails since I only had several in the queue.

Anyway,
All of the queued email had:
"host_auth courier_login" and "auth_id OurDomainUser (same user)"

The result of the script is:
"4 cwd=/home/USERNAME/public_html/store"

Now how can I interpret this?
Thank you so much for your patience!

the 4 cwd=/home/USERNAME/public_html/store means that 4 e-mails were sent by PHP scripts in that directory. Since it's a low number, those are probably legitimate e-mail such as customer invoices sent by your application.

The important part here is this:

host_auth courier_login OurDomainUser

Courier login means SMTP/POP/IMAP login was used to send the mail. While some scripts auth this way, for the case of this explanation, most don't, and this means a username/password was used to send mail, same as you'd send it using outlook or thunderbird.

-normally- for courier auth you'll see "[email protected]," but it's not impossible to just be "OurDomainUser." What this means is your cPanel username/password was used for SMTP auth. It's important to remember that cPanel usernames and passwords can send out mail just like an e-mail account username and password could.

In short, they sent the spam mail by logging in to SMTP using your cPanel username and password. Changing your cPanel password would have stopped / will stop the spam. At that point I'd recommend you scan your local machines for any keyloggers or viruses that may have stolen your cPanel password. Also, always log in to cPanel/WHM on the SSL ports.

 

[stingray34]

Thank you so, so much, quizknows for detailed explanation!

It really scared me because according to your word, cPanel password was compromised, and I don't know the password.
So anytime I need an access to cPanel, I go to WHM -> List Accounts -> click on cPanel icon.

Is it possible to change it when I only know the password to WHM?

And changing the password for this domain user that showed up in courier_auth doesn't do you any good?

 

[quizknows]

Thank you so, so much, quizknows for detailed explanation!

It really scared me because according to your word, cPanel password was compromised, and I don't know the password.
So anytime I need an access to cPanel, I go to WHM -> List Accounts -> click on cPanel icon.

Is it possible to change it when I only know the password to WHM?

Yes, you can easily change the password via WHM. When you go to list accounts, click the little + next to the domain which will give you a drop-down where you can create a new password.

And changing the password for this domain user that showed up in courier_auth doesn't do you any good?

It does plenty of good

It will stop it from sending spam if someone has/had the old password, and will stop any other unauthorized access using that password.

Normally when someone sends spam in this fashion they don't mess with anything else (site files, etc.) so you should be in OK shape. A quick search of recently modified files might be in order just to be safe, i.e.

find /home/USERNAME/public_html -type f -mtime -4

this would show you any files modified in the last 4 days. Also run it with ctime instead of mtime just to be sure.

 

[stingray34]

Thank you so much, quizknows, for your kind and detailed answer.
I will start with changing the passwords.