Hundreds of emails being sent from fake email accounts

techn0guy (Member since Aug 26, 2014, North Haven, Connecticut, United States; cPanel Access Level: Website Owner)
Hello, this week I found that my server's IP is on several blacklists. I checked my mail logs and hundreds of emails are being sent from email addresses at my FQDN, not even the websites that are on the server.

ex.

I have a website called domain.com.
My server's FQDN is server.domain.com.

Emails are being sent via [email protected]

I have SPF enabled, and in my cPanel I had the nobody setting turned on. Yet these emails are still being sent. What can I do to solve this?
 

cPanelMichael (Administrator, staff member since Apr 11, 2011)
Hello :)

Are you able to view the message header of one of these messages to see if more information is available? For instance, have you reviewed the account to see if any scripts with the ability to send out email have been exploited or are being used for SPAM?

Thank you.
 

techn0guy (Member; cPanel Access Level: Website Owner)
cPanelMichael said:
"Are you able to view the message header of one of these messages to see if more information is available? For instance, have you reviewed the account to see if any scripts with the ability to send out email have been exploited or are being used for SPAM?"
Hello,

How can I check the header of the emails? Currently I am looking at the mail delivery reports and the queues, and I don't see how to view them there.
 

dmacomber (Member since Oct 9, 2014; cPanel Access Level: Root Administrator)
I had a very similar situation recently. Just a hunch, but look for a menu87.php (find / -name menu87.php) deep in that domain's public_html directory. Delete it and restart services.
Or do the below.

If you suspect there is a PHP script sending out email (and it is still doing so), try adding these two lines:

    mail.add_x_header = On
    mail.log = /var/log/php_mail.log

to the [mail] section of /usr/local/lib/php.ini.


D-
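Once the two php.ini settings above are active, every mail() call is logged with the calling script's path and line number, and each outgoing message carries an X-PHP-Originating-Script header that you can read in the Exim queue. The script below is an added example, not code from this thread or from cPanel, showing how to triage that log: it groups mail() calls by originating script, tallies the From domains (the symptom in the first post is a From address at the server FQDN), and flags scripts that send repeatedly from directories where PHP should not be executing at all. The log lines, paths and addresses are constructed for the example; the line format is the one PHP writes when mail.log is set.

```python
import re
from collections import Counter

# Constructed sample of /var/log/php_mail.log entries. This is the line format PHP
# writes when mail.log is set; the paths, addresses and timestamps are made up.
SAMPLE_PHP_MAIL_LOG = """\
[29-Oct-2014 10:02:11 UTC] mail() on [/home/domain/public_html/wp-content/uploads/menu87.php:12]: To: alice@example.org -- Headers: From: news@server.domain.com
[29-Oct-2014 10:02:11 UTC] mail() on [/home/domain/public_html/wp-content/uploads/menu87.php:12]: To: bob@example.net -- Headers: From: news@server.domain.com
[29-Oct-2014 10:02:12 UTC] mail() on [/home/domain/public_html/wp-content/uploads/menu87.php:12]: To: carol@example.com -- Headers: From: news@server.domain.com
[29-Oct-2014 10:15:40 UTC] mail() on [/home/domain/public_html/contact.php:58]: To: owner@domain.com -- Headers: From: webform@domain.com
"""

# "[date] mail() on [/path/script.php:LINE]: To: addr -- Headers: ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)
FROM_RE = re.compile(r"From:\s*<?([^\s<>,]+@[^\s<>,]+)>?", re.IGNORECASE)

# Directories where a PHP file sending mail is almost always a dropped webshell
# (assumed list for the example; extend it to match your own docroots).
SUSPICIOUS_DIRS = ("/uploads/", "/cache/", "/tmp/", "/images/")


def parse_php_mail_log(text):
    """Return one dict per parsed line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        fm = FROM_RE.search(entry["headers"])
        entry["from"] = fm.group(1).lower() if fm else None
        entries.append(entry)
    return entries


def rank_scripts(entries):
    """Scripts ordered by number of mail() calls, busiest first."""
    return Counter(e["script"] for e in entries).most_common()


def rank_from_domains(entries):
    """Domains used in the From header, busiest first (spoofed FQDN shows up here)."""
    counts = Counter(e["from"].rsplit("@", 1)[1] for e in entries if e["from"])
    return counts.most_common()


def suspicious_scripts(entries, min_calls=2, suspicious_dirs=SUSPICIOUS_DIRS):
    """Scripts that sent repeatedly AND live in a directory from the suspicious list."""
    return [
        (script, n)
        for script, n in rank_scripts(entries)
        if n >= min_calls and any(d in script for d in suspicious_dirs)
    ]


if __name__ == "__main__":
    entries = parse_php_mail_log(SAMPLE_PHP_MAIL_LOG)
    for script, n in rank_scripts(entries):
        print(f"{n:6d}  {script}")
    print("From domains:", rank_from_domains(entries))
    print("Suspicious:", suspicious_scripts(entries))
```

Run it against the real log with `parse_php_mail_log(open("/var/log/php_mail.log").read())`. A script that tops the ranking and sits under an upload or cache directory is the file to quarantine (copy it out for later review, then remove it), after which the account's password and any CMS admin passwords should be changed, because the dropper that placed it usually still has a way back in.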
 

cPanelMichael (Administrator, staff member)
techn0guy said:
"How can I check the header of the emails? Currently I am looking at the mail delivery reports and the queues, and I don't see how to view them there."
You can click on a message in the mail queue to view more information about it.

Thank you.
 

jayharland (Active Member since Apr 18, 2014; cPanel Access Level: Website Owner)
Just chiming in,

In my experience with this kind of situation it's either been a compromised email account (if it's one account in particular sending the spam) or an infected computer sending a ton of spam. Though it could be something like dmacomber said above, a malicious script.

For me I started to see a ton of failed delivery messages being returned to one user in particular. Hundreds of them. So I immediately remotely connected to the infected computer and ran TCPview to see if something was abusing port 25 on their machine. Sure enough, something was. This has happened twice for us at different locations and each time blocking port 25 on the router or firewall stopped the emails from going out. We just made sure to use port 587 for our email afterwards.

If you can view your mail activity you can look for scripts that have sent a lot of mail.
I don't know who your host is, but check out this link here from InmotionHosting. It should give you an idea of how to go about it:
Find spam script location with Exim | InMotion Hosting

If you can see that it's only one account sending the spam, change that account's password and make sure it's nice and secure.

If you think it's an infected computer, get on that computer then download and run TCPview. This will show you TCP and UDP activity. If there are a ton of SMTP or Port 25 connections being made (green) and then dying (red) you know you've found the problem.
Here is a link to TCPview TCPView for Windows

If it is an infected machine, you can track down which service is sending the emails through TCPview. You're going to have to clean it out thoroughly. I typically run a combination of programs like MalwareBytes, CCleaner, and TDSSKiller.

Getting yourself removed from the blacklists isn't hard but it requires a little time. Also, make sure the problem is resolved before requesting de-listing, otherwise, if you are de-listed and re-listed multiple times they'll just permanently list you.
 
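The two diagnoses in the post above, a script on the server versus a compromised mailbox, can both be read off /var/log/exim_mainlog, which on cPanel records the working directory of every local sendmail invocation (the "cwd=" lines the linked InMotion article greps for) and, for every accepted message, either the local user it came from (U=) or the account that authenticated over SMTP (A=). The script below is an added example, not code from this thread, cPanel or InMotion, that ranks sending directories, local users, authenticated accounts and sender domains so you can see at a glance which of the two cases you are in. The log lines are constructed for the example; the field layout follows Exim's main log format. Which local user a web script's mail is attributed to depends on the PHP handler (suPHP or CGI run it as the account user, DSO as nobody), so the sample shows both.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines. "cwd=" lines record the
# directory a local sendmail call ran from; "<=" lines record each accepted
# message with U= (local user) or A= (SMTP-authenticated account). Hostnames,
# addresses, message IDs and times are made up.
SAMPLE_EXIM_MAINLOG = """\
2014-10-29 10:02:11 cwd=/home/domain/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-10-29 10:02:11 1XjKp3-0001Ab-3c <= news@server.domain.com U=nobody P=local S=1488 T="Special offer" for alice@example.org
2014-10-29 10:02:11 cwd=/home/domain/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-10-29 10:02:11 1XjKp3-0001Ac-5d <= news@server.domain.com U=nobody P=local S=1488 T="Special offer" for bob@example.net
2014-10-29 10:02:12 cwd=/home/domain/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-10-29 10:02:12 1XjKp4-0001Ad-7e <= news@server.domain.com U=nobody P=local S=1488 T="Special offer" for carol@example.com
2014-10-29 10:05:00 1XjKs0-0001Bf-2a <= sales@domain.com H=(laptop) [198.51.100.7] P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:sales@domain.com S=2210 T="Invoice" for dave@example.org
2014-10-29 10:15:40 cwd=/home/domain/public_html 3 args: /usr/sbin/sendmail -t -i
2014-10-29 10:15:40 1XjL2x-0001Cg-9k <= webform@domain.com U=domain P=local S=902 T="Contact form" for owner@domain.com
2014-10-29 10:20:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XjL2x-0001Cg-9k
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
ACCEPT_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# Only whitespace-preceded U= and A= tokens, so X=TLSv1:AES128-SHA does not match.
FIELD_RE = re.compile(r"(?<!\S)(?P<key>[UA])=(?P<val>\S+)")


def parse_exim_mainlog(text):
    """Return (list of cwd directories, list of accepted-message dicts)."""
    cwds, messages = [], []
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:
            cwds.append(m.group("cwd"))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            fields = dict(FIELD_RE.findall(m.group("rest")))
            auth = fields.get("A")
            messages.append({
                "id": m.group("id"),
                "sender": m.group("sender").lower(),
                "local_user": fields.get("U"),
                # A=dovecot_login:user@domain -> user@domain
                "auth_account": auth.split(":", 1)[1] if auth and ":" in auth else auth,
            })
    return cwds, messages


def rank_sending_dirs(cwds, ignore_prefix="/var/spool"):
    """Directories sendmail was called from, busiest first; Exim's own spool
    directory is excluded because its deliveries are not the origin of anything."""
    return Counter(c for c in cwds if not c.startswith(ignore_prefix)).most_common()


def rank_local_users(messages):
    return Counter(m["local_user"] for m in messages if m["local_user"]).most_common()


def rank_auth_accounts(messages):
    """One account dominating here points at a stolen mailbox password."""
    return Counter(m["auth_account"] for m in messages if m["auth_account"]).most_common()


def rank_sender_domains(messages):
    return Counter(m["sender"].rsplit("@", 1)[-1] for m in messages).most_common()


if __name__ == "__main__":
    cwds, messages = parse_exim_mainlog(SAMPLE_EXIM_MAINLOG)
    print("Sending directories:", rank_sending_dirs(cwds))
    print("Local users:", rank_local_users(messages))
    print("Authenticated accounts:", rank_auth_accounts(messages))
    print("Sender domains:", rank_sender_domains(messages))
```

In the sample, three of the five accepted messages were handed to sendmail from an uploads directory by the nobody user with a From address at the server FQDN, which matches the first post's symptom and points at a script rather than a mailbox; the single authenticated send from sales@domain.com is normal traffic. On a real server, feed it the full log (it is large, so read it in chunks if memory is tight) and look at the top of each ranking: a directory with thousands of calls means a script to remove, an account with thousands of authenticated sends means a password to change and sessions to kill.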