The Community Forums


Hundreds of emails being sent from fake email accounts

Discussion in 'E-mail Discussions' started by techn0guy, Nov 5, 2014.

  1. techn0guy

    techn0guy Member

    Joined:
    Aug 26, 2014
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    North Haven, Connecticut, United States
    cPanel Access Level:
    Website Owner
    Hello, this week I found that my server's IP is on several blacklists. I checked my mail logs and hundreds of emails are being sent from email addresses at my FQDN, not even from the websites that are on the server.

    ex.

    I have a website called domain.com
    My server's FQDN is server.domain.com

    Emails are being sent via epochera@server.domain.com

    I have SPF enabled and in my cPanel I had the nobody setting turned on. Yet these emails are still being sent. What can I do to solve this?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Are you able to view the message header of one of these messages to see if more information is available? For instance, have you reviewed the account to see if any scripts with the ability to send out email have been exploited or are being used for SPAM?

    Thank you.
     
  3. techn0guy

    techn0guy Member

    Joined:
    Aug 26, 2014
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    North Haven, Connecticut, United States
    cPanel Access Level:
    Website Owner
    Hello,

    How can I check the headers of the emails? Currently I am looking at the Mail Delivery Reports and the queues and I don't see how to view them there.
     
  4. dmacomber

    dmacomber Member

    Joined:
    Oct 9, 2014
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I had a very similar situation recently. Just a hunch, but look for a menu87.php (find / -name menu87.php) deep in that domain's public_html directory. Delete it and restart services.
    Or do the below.

    If you suspect there is a PHP script sending out email (and it is still doing so), try adding these two lines:

        mail.add_x_header = On
        mail.log = /var/log/php_mail.log

    to the [mail] section of:
    /usr/local/lib/php.ini


    D-
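The two php.ini lines above make PHP's mail() record, for every message, the script path and line that called it (mail.log) and stamp an X-PHP-Originating-Script header on the message (mail.add_x_header). The following is an added example, not code from dmacomber's post: a small Python parser that reads that log and ranks scripts by how much mail they sent, which is the question the thread starter actually needs answered. The log line shape is the one PHP writes for mail.log; the sample lines, paths and recipient addresses are constructed for the example (only the sender address and script name come from the thread).

```python
import re
from collections import Counter

# Assumed line shape of the file PHP writes when mail.log is set:
#   [dd-Mon-YYYY HH:MM:SS TZ] mail() on [/path/to/script.php:LINE]: To: <addr> -- Headers: <headers on one line>
PHP_MAIL_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>[^:\]]+):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)
# The From: header inside the flattened headers field, with or without angle brackets.
FROM_HEADER = re.compile(r"\bFrom:\s*<?(?P<addr>[^\s>]+)>?", re.IGNORECASE)

# Constructed sample log (not real data). Paths and recipients are made up; the
# sender address and script name are the ones mentioned in the thread.
SAMPLE_LOG = """\
[05-Nov-2014 09:12:01 UTC] mail() on [/home/domain/public_html/contact.php:88]: To: owner@domain.com -- Headers: From: webform@domain.com
[05-Nov-2014 09:12:03 UTC] mail() on [/home/domain/public_html/wp-content/uploads/menu87.php:17]: To: victim1@example.net -- Headers: From: epochera@server.domain.com Content-Type: text/html
[05-Nov-2014 09:12:03 UTC] mail() on [/home/domain/public_html/wp-content/uploads/menu87.php:17]: To: victim2@example.org -- Headers: From: epochera@server.domain.com Content-Type: text/html
[05-Nov-2014 09:12:04 UTC] mail() on [/home/domain/public_html/wp-content/uploads/menu87.php:17]: To: victim3@example.com -- Headers: From: epochera@server.domain.com Content-Type: text/html
this line is deliberately malformed and must be skipped, not crash the parser
"""


def parse_php_mail_log(text):
    """Return one dict per well-formed line (ts, script, line, to, headers, from).

    Malformed lines are skipped rather than raised on: a log being written
    while you read it is often cut mid-line.
    """
    entries = []
    for raw in text.splitlines():
        m = PHP_MAIL_LINE.match(raw)
        if not m:
            continue
        entry = m.groupdict()
        fm = FROM_HEADER.search(entry["headers"])
        entry["from"] = fm.group("addr") if fm else None
        entries.append(entry)
    return entries


def count_by_script(entries):
    """Messages sent per calling script path."""
    return Counter(e["script"] for e in entries)


def count_by_from(entries):
    """Messages sent per From: address, which is what ends up on the blacklist reports."""
    return Counter(e["from"] for e in entries if e["from"])


def noisy_scripts(entries, threshold):
    """Scripts that sent at least `threshold` messages, busiest first: the files to inspect."""
    return [(s, n) for s, n in count_by_script(entries).most_common() if n >= threshold]


if __name__ == "__main__":
    # On a real server: entries = parse_php_mail_log(open("/var/log/php_mail.log").read())
    entries = parse_php_mail_log(SAMPLE_LOG)
    for script, n in noisy_scripts(entries, 2):
        print(f"{n:5d}  {script}")
    for addr, n in count_by_from(entries).most_common():
        print(f"{n:5d}  From: {addr}")
```

One caveat when reading the result: mail.log only records messages that went through PHP's mail() function. A script that talks to port 25 itself, or that was configured with its own sendmail_path, never appears there, so an empty log does not clear the server; the exim log is the second place to look.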
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You can click on a message in the mail queue to view more information about it.

    Thank you.
     
  6. jayharland

    jayharland Member

    Joined:
    Apr 18, 2014
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Just chiming in,

    In my experience with this kind of situation it's either been a compromised email account (if it's one account in particular sending the spam) or an infected computer sending a ton of spam. Though it could be something like dmacomber said above, a malicious script.

    For me I started to see a ton of failed delivery messages being returned to one user in particular. Hundreds of them. So I immediately remotely connected to the infected computer and ran TCPview to see if something was abusing port 25 on their machine. Sure enough, something was. This has happened twice for us at different locations and each time blocking port 25 on the router or firewall stopped the emails from going out. We just made sure to use port 587 for our email afterwards.

    If you can view your mail activity you can look for scripts that have sent a lot of mail.
    I don't know who your host is, but check out this link here from InmotionHosting. It should give you an idea of how to go about it:
    Find spam script location with Exim | InMotion Hosting

    If you can see that it's only one account sending the spam, change that account's password and make sure it's nice and secure.

    If you think it's an infected computer, get on that computer then download and run TCPview. This will show you TCP and UDP activity. If there are a ton of SMTP or Port 25 connections being made (green) and then dying (red) you know you've found the problem.
    Here is a link to TCPview: TCPView for Windows

    If it is an infected machine, you can track down which service is sending the emails through TCPview. You're going to have to clean it out thoroughly. I typically run a combination of programs like Malwarebytes, CCleaner, and TDSSKiller.

    Getting yourself removed from the blacklists isn't hard but it requires a little time. Also, make sure the problem is resolved before requesting de-listing, otherwise, if you are de-listed and re-listed multiple times they'll just permanently list you.
     
    #6 jayharland, Nov 7, 2014
    Last edited: Nov 7, 2014
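jayharland's post separates two causes, a compromised mailbox and a rogue script, and points at the exim log to tell them apart. The following is an added example, not code from the post or from the linked InMotion article: a Python triage of exim_mainlog that counts the "cwd=" lines (the working directory of whatever invoked sendmail, which is how script-sent mail shows up) and the "A=" authenticator field on message arrivals (which names the mailbox that logged in), then says which of the two hypotheses the numbers support. The line shapes assume cPanel's default exim logging, which includes the arguments selector that produces the cwd lines; the sample lines, directories, message ids and addresses are constructed for the example (the sender address and host names come from the thread, the IPs are documentation ranges).

```python
import re
from collections import Counter

# Assumed exim mainlog line shapes (constructed from cPanel's default log selectors):
#   <date> <time> cwd=<dir> <n> args: <argv...>              one line per local sendmail invocation
#   <date> <time> <msgid> <= <sender> [U=<local user>] [A=<auth:user>] P=<proto> S=<size> ...   message arrival
CWD_LINE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args:")
ARRIVAL_LINE = re.compile(r"^\S+ \S+ \S+ <= (?P<sender>\S+)(?P<rest>.*)$")
FIELD = re.compile(r" (?P<key>[UAP])=(?P<val>\S+)")  # U=local user, A=authenticator, P=protocol

# Constructed sample log (not real data): three messages sent by a script running as
# "nobody" from a web directory, exim's own queue run, and one legitimately
# authenticated submission from a mailbox.
SAMPLE_MAINLOG = """\
2014-11-05 10:00:01 cwd=/home/domain/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-11-05 10:00:01 1XlA2b-0001Z3-Ab <= epochera@server.domain.com U=nobody P=local S=2340 id=a1@server.domain.com T="Re: your account" for victim1@example.net
2014-11-05 10:00:01 cwd=/home/domain/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-11-05 10:00:01 1XlA2c-0001Z4-Bc <= epochera@server.domain.com U=nobody P=local S=2340 id=a2@server.domain.com T="Re: your account" for victim2@example.org
2014-11-05 10:00:02 cwd=/home/domain/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-11-05 10:00:02 1XlA2d-0001Z5-Cd <= epochera@server.domain.com U=nobody P=local S=2340 id=a3@server.domain.com T="Re: your account" for victim3@example.com
2014-11-05 10:00:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XlA2b-0001Z3-Ab
2014-11-05 10:01:15 1XlA3x-0002A1-Ef <= user@domain.com H=(pc) [198.51.100.7]:54321 P=esmtpsa A=dovecot_login:user@domain.com S=1500 id=b2@domain.com T="hello" for friend@example.org
2014-11-05 10:01:16 1XlA3x-0002A1-Ef => friend@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.5]
"""


def triage_exim_mainlog(text):
    """Count arrivals by sender, local user, authenticated user, and script directory."""
    by_cwd, by_sender = Counter(), Counter()
    by_local_user, by_auth_user = Counter(), Counter()
    for raw in text.splitlines():
        m = CWD_LINE.match(raw)
        if m:
            cwd = m.group("cwd")
            # exim's own queue runner also logs cwd lines; those are not scripts.
            if not cwd.startswith("/var/spool/"):
                by_cwd[cwd] += 1
            continue
        m = ARRIVAL_LINE.match(raw)
        if not m:
            continue  # deliveries (=>), completions, malformed lines
        by_sender[m.group("sender")] += 1
        fields = dict(FIELD.findall(m.group("rest")))
        if "U" in fields:
            by_local_user[fields["U"]] += 1
        if "A" in fields:
            by_auth_user[fields["A"]] += 1
    return {"by_cwd": by_cwd, "by_sender": by_sender,
            "by_local_user": by_local_user, "by_auth_user": by_auth_user}


def likely_source(result):
    """Map the counts onto the post's two hypotheses: a script on disk or a logged-in account."""
    script_hits = sum(result["by_cwd"].values())
    auth_hits = sum(result["by_auth_user"].values())
    if script_hits == 0 and auth_hits == 0:
        return "unknown"
    return "script" if script_hits >= auth_hits else "account"


if __name__ == "__main__":
    # On a real server: result = triage_exim_mainlog(open("/var/log/exim_mainlog").read())
    result = triage_exim_mainlog(SAMPLE_MAINLOG)
    for name in ("by_cwd", "by_auth_user", "by_local_user", "by_sender"):
        print(name)
        for key, n in result[name].most_common(5):
            print(f"  {n:5d}  {key}")
    print("likely source:", likely_source(result))
```

A directory that dominates by_cwd is where to look for the file; an address that dominates by_auth_user is the mailbox whose password needs changing, as the post says. A large by_local_user count for "nobody" with no matching cwd entry usually means the web server's PHP is sending mail outside of sendmail, which is where the php.ini logging from the earlier reply helps.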