The Community Forums


Locate Account Sending Spam

Discussion in 'E-mail Discussions' started by Luis Mota, Jan 11, 2016.

  1. Luis Mota

    Luis Mota Member

    Joined:
    Jun 1, 2015
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Porto
    cPanel Access Level:
    Reseller Owner
    Our server started sending a lot of emails from a single user this weekend. I've changed the password and tweaked some settings because we got an email from the server saying that the Exim queue was full. But the user continues to send emails.

    What can be done to prevent this, and/or discover the source of the problem?


    Thanks in advance.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,447
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Sounds like the cPanel account, and/or the email accounts on it, are compromised. You might get some clues about the emails from the tools in WHM here:
    WHM » Email » Mail Delivery Reports

    Tough question. If it was just an email account's password that was compromised, changing the password should be helpful. If the site on that account has out-of-date scripts on it, like a contact form (for example), updating the out-of-date scripts is important. If the spam is being generated by a malicious script on the account that was uploaded by accessing the cPanel account itself, or from an out-of-date, exploitable WordPress plugin of some sort (for example), that's a whole other thing.

    I'd be inclined to suspend that account for a bit until I can get a clearer idea of what's going on with it.
     
  3. Luis Mota

    Luis Mota Member

    Joined:
    Jun 1, 2015
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Porto
    cPanel Access Level:
    Reseller Owner
    I've re-checked the site account now and it seems that this account has a folder named "old" with a Flash website, and it contains a contact form. ( --') I've zipped the folder; let's see if this affects the mails sent from this user.

    I can't suspend this account right now.
    I'm going to wait and see if the user keeps sending emails, but if I've got a script inside the user account, how hard is it to detect something like this? I've checked the process list and everything seems normal.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can also search /var/log/exim_mainlog to verify if email has been sent from that directory with the following command:

    Code:
    awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
    The output will show a list of all directories within /home that have sent out email from a script.

    Thank you.
     
  5. Luis Mota

    Luis Mota Member

    Joined:
    Jun 1, 2015
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Porto
    cPanel Access Level:
    Reseller Owner
    Hi, the mailing fever is still on! o_O

    I've executed the command you mentioned, Michael, and I don't get any results related to that account. (But thanks anyway, I'm going to keep that command; it's very useful :))

    Today, the user is still sending a lot of emails from the same account.
    This is a Delivery Event Detail from one email; I've just renamed the user account to "userX":

    - Removed -

    I could block the sender IP, but it is not always the same.
     
    #5 Luis Mota, Jan 12, 2016
    Last edited by a moderator: Jan 12, 2016
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,447
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Please don't post output without removing all actual domain names, IPs, and email addresses.

    He's sending spam. He's doing harm to your IP reputation.
     
  7. Luis Mota

    Luis Mota Member

    Joined:
    Jun 1, 2015
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Porto
    cPanel Access Level:
    Reseller Owner
    I didn't see any info related to my IP, so I posted it. Sorry, my bad. :(
    Should I install LMD and perform a scan on the user's home folder?

    -Edit-
    Scan done, 0 occurrences.
     
    #7 Luis Mota, Jan 12, 2016
    Last edited: Jan 12, 2016
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Try checking your mail queue to see if additional SPAM messages still exist in the queue:

    "WHM Home » Email » Mail Queue Manager"

    You can look at the message header and body to see if you can find out if an actual username authenticated, or if it was sent from a script.

    The following document is useful if you want to prevent email abuse:

    cPanel - Prevent Email Abuse

    Thank you.
     
  9. Luis Mota

    Luis Mota Member

    Joined:
    Jun 1, 2015
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Porto
    cPanel Access Level:
    Reseller Owner
    I've cleaned the queue, but there are more messages there now.
    And I can't see the message headers. Sorry for my ignorance, but most of the mails are being discarded because they exceeded the max defers and failures per hour, and for the others that went through successfully I can only see the Delivery Event Details.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Try searching within the account for files that can send out email, or directories with insecure (0777) permissions. This may help you to narrow down which file under the account is utilized for email.

    Thank you.
     
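As an added example (not code from the thread or from cPanel), the search suggested above in shell form, run against a constructed account layout: one world-writable directory and one PHP contact form that calls mail(). The directory names and files are made up for illustration; on a real server set ACCOUNT_HOME to the account's home directory and the constructed layout is skipped. Recently modified files are added as a third check because a freshly dropped mailer or an edited form is usually newer than everything around it.

```shell
#!/bin/sh
# Added example: filesystem triage for one cPanel account.
# The layout below is constructed; on a live server run with
#   ACCOUNT_HOME=/home/<user> sh account_triage.sh
ACCOUNT_HOME="${ACCOUNT_HOME:-$(mktemp -d)}"
if [ ! -d "$ACCOUNT_HOME/public_html" ]; then
    mkdir -p "$ACCOUNT_HOME/public_html/old" "$ACCOUNT_HOME/public_html/uploads"
    chmod 0755 "$ACCOUNT_HOME/public_html" "$ACCOUNT_HOME/public_html/old"
    chmod 0777 "$ACCOUNT_HOME/public_html/uploads"      # the insecure case named in the thread
    # A minimal contact form that relays whatever it is posted: the classic open mailer.
    printf '%s\n' '<?php mail($_POST["to"], $_POST["subject"], $_POST["body"]); ?>' \
        > "$ACCOUNT_HOME/public_html/old/contact.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$ACCOUNT_HOME/public_html/index.php"
fi

# 1. Directories anyone on the box can write to (0777 and friends): a script
#    dropped there runs as the account when the web server serves it.
world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# 2. PHP files that call a mail-sending function directly. Matches mail( and
#    mb_send_mail( as whole words; a real sweep would add PHPMailer/SMTP classes.
mailer_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) \
        -exec grep -lE '(^|[^A-Za-z0-9_])(mail|mb_send_mail)[[:space:]]*\(' {} +
}

# 3. Files changed in the last N days (default 7): a new mailer or an edited
#    form stands out against a site that has not been touched in years.
recently_changed() {
    find "$1" -type f -mtime "-${2:-7}"
}

# Stand-alone run: print the three reports.
echo "== world-writable directories ==";  world_writable_dirs "$ACCOUNT_HOME"
echo "== scripts that send mail ==";      mailer_scripts "$ACCOUNT_HOME"
echo "== files changed in last 7 days =="; recently_changed "$ACCOUNT_HOME" 7
```

Hits from the second list are candidates to inspect, not proof: a form that validates its recipient is fine, one that takes the recipient from the request (as the constructed contact.php does) can be driven by anyone who finds it.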
  11. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    tail -f /var/log/exim_mainlog

    and watch; the abusing account should be painfully obvious if they are currently making a spam run.
     
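As an added example, not code from the thread or from cPanel: a small shell triage script that applies the three approaches above (post #4's awk over the cwd= lines, post #8's question of whether a real login authenticated or a script injected the mail, and post #11's watching of the live log) to a handful of constructed exim_mainlog lines. The log lines, account names, addresses and IPs are made up for illustration; on a live cPanel server point LOG at /var/log/exim_mainlog. It assumes the Exim logging cPanel ships with, where a sendmail call from a script records its working directory (cwd=) and an accepted SMTP message records its login as A=dovecot_login:user@domain or A=dovecot_plain:user@domain.

```shell
#!/bin/sh
# Added example: Exim mainlog triage for a cPanel server.
# The log below is constructed; on a live server run with
#   LOG=/var/log/exim_mainlog sh mail_triage.sh
LOG="${LOG:-$(mktemp)}"
if [ ! -s "$LOG" ]; then
cat > "$LOG" <<'EOF'
2016-01-12 09:58:10 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
2016-01-12 09:58:10 1aIxyz-0001Aa-1B <= noreply@other.example U=other P=local S=812 T="Order #1234" for customer@example.org
2016-01-12 10:16:02 1aIxyz-0001Ac-3D <= info@example.com H=(localhost) [203.0.113.45]:51234 P=esmtpa A=dovecot_login:info@example.com S=2345 T="Cheap meds" for victim1@example.net
2016-01-12 10:16:03 1aIxyz-0001Ad-4E <= info@example.com H=(localhost) [203.0.113.45]:51240 P=esmtpa A=dovecot_login:info@example.com S=2345 T="Cheap meds" for victim2@example.net
2016-01-12 10:16:05 1aIxyz-0001Ae-5F <= info@example.com H=(WIN-PC) [198.51.100.7]:60012 P=esmtpa A=dovecot_plain:info@example.com S=2340 T="Cheap meds" for victim3@example.net
2016-01-12 10:16:09 1aIxyz-0001Af-6G <= info@example.com H=(mail) [192.0.2.200]:43390 P=esmtpa A=dovecot_login:info@example.com S=2339 T="Cheap meds" for victim4@example.net
2016-01-12 10:20:31 1aIxyz-0001Ag-7H <= sales@example.com H=(laptop) [203.0.113.9]:55120 P=esmtpsa A=dovecot_login:sales@example.com S=1999 T="Re: quote" for client@example.org
EOF
fi

# 1. Script-injected mail (post #4): Exim records the working directory of the
#    process that called sendmail. Count messages per directory, busiest first.
script_senders() {
    awk '/cwd=\/home\// { print $3 }' "$1" | sort | uniq -c | sort -rn
}

# 2. Authenticated SMTP (post #8): accepted messages ("<=") carry
#    A=<authenticator>:<login>. Count messages per login, busiest first.
auth_senders() {
    awk '/ <= / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^A=/) print substr($i, index($i, ":") + 1)
    }' "$1" | sort | uniq -c | sort -rn
}

# 3. Source IPs behind one login. A mailbox used from several unrelated
#    addresses within minutes is a stolen password, not a user on the move,
#    and blocking one IP (as tried in post #5) will not stop it.
auth_source_ips() {
    awk -v login="$2" '/ <= / {
        auth = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^A=/) auth = substr($i, index($i, ":") + 1)
            if (substr($i, 1, 1) == "[") ip = substr($i, 2, index($i, "]") - 2)
        }
        if (auth == login && ip != "") print ip
    }' "$1" | sort | uniq -c | sort -rn
}

# 4. Live view (post #11): only accepted messages, with their origin fields.
watch_live() {
    tail -f "$1" | grep --line-buffered ' <= '
}

# Stand-alone run: print the three reports.
echo "== messages per script directory ==";     script_senders "$LOG"
echo "== messages per authenticated login ==";  auth_senders "$LOG"
busiest=$(auth_senders "$LOG" | awk 'NR == 1 { print $2 }')
if [ -n "$busiest" ]; then
    echo "== source IPs for $busiest ==";        auth_source_ips "$LOG" "$busiest"
fi
```

Reading the reports: one cwd= directory with hundreds of lines is the script case; one login with hundreds of `<=` lines spread over several source IPs is the stolen-password case the thread ended on. The two are complementary, which is why post #4's awk came back empty for Luis: a credential compromise leaves no cwd= line at all, only A= entries.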
  12. Luis Mota

    Luis Mota Member

    Joined:
    Jun 1, 2015
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Porto
    cPanel Access Level:
    Reseller Owner
    I'm kinda lost, can I post here a portion of the log file?
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    There's no need to review the log file if you already know which account is the culprit and there's no information about the path of the script. I suggest reviewing my previous post if you are attempting to determine the source of the email.

    Thank you.
     
  14. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    You should probably hire a system administrator to look into it for you, as if your server is spewing out spam your provider is going to null-route your IP. Very surprised they have not already, as it looks like you've been relaying spam for over 24 hours now.
     
  15. Luis Mota

    Luis Mota Member

    Joined:
    Jun 1, 2015
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Porto
    cPanel Access Level:
    Reseller Owner
    I've managed to fix the situation! ;)
    There was no script, just email accounts compromised (and my customer shared the same password across all emails).

    Thank you very much for your time! :)

    ----------------------------

    [Maybe not the right place to ask this, but since it is related to the same subject]

    Just one more question:

    Can you guys point me to some way to increase my IP reputation, some docs, tips, advice?
    Everything seems OK for now, but I want to play it safe.
     
    #15 Luis Mota, Jan 15, 2016
    Last edited: Jan 15, 2016
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator