The Community Forums


mail continuing to be sent

Discussion in 'E-mail Discussions' started by sharkufc, Oct 2, 2016.

  1. sharkufc

    sharkufc Registered

    Joined:
    Sep 24, 2016
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Dublin
    cPanel Access Level:
    Root Administrator
    Hi guys,
    I was noticing that, as usual, I had the eximstats database full (6GB).
    After I flushed it, I discovered that the number of rows was increasing again, and I decided to investigate.
    I then tried to tail the mail log, and this is the output:

    Code:
    Oct  2 12:29:49 server dovecot: lmtp(15555): Connect from local
    Oct  2 12:29:50 server dovecot: lmtp(colpo@ns.example.it): c6kWG/w18VfFPAAAdYhRpA: msgid=<E1bqje8-0004Vy-Py@ns.example.it>: saved mail to INBOX
    Oct  2 12:29:50 server dovecot: lmtp(15557): Disconnect from local: Successful quit
    Every second I have a couple of these kinds of connections.
    It seems that someone is using the local mail server (from inside) to continuously send email.
    So I started thinking that maybe one of the websites I host was hacked, but I don't know how to spot where the mail is sent from (account, script, etc.).
    Can anyone help me?
     
    #1 sharkufc, Oct 2, 2016
    Last edited by a moderator: Oct 2, 2016
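Added example (not from the thread or from cPanel): a small POSIX shell function that reads Dovecot LMTP log lines like the ones above from stdin, counts "saved mail to" deliveries per mailbox per minute, and reports any mailbox that exceeds a threshold, which is the burst pattern a compromised site's mailer produces. The log lines, mailboxes and message IDs in SAMPLE_LOG are constructed sample data.

```bash
#!/bin/sh
# Constructed sample of Dovecot LMTP log lines (same format as the thread).
SAMPLE_LOG='Oct  2 12:29:49 server dovecot: lmtp(15555): Connect from local
Oct  2 12:29:50 server dovecot: lmtp(colpo@ns.example.it): c6kWG/w18VfFPAAAdYhRpA: msgid=<E1bqje8-0004Vy-Py@ns.example.it>: saved mail to INBOX
Oct  2 12:29:50 server dovecot: lmtp(15557): Disconnect from local: Successful quit
Oct  2 12:29:51 server dovecot: lmtp(colpo@ns.example.it): AAAA0000: msgid=<m1@ns.example.it>: saved mail to INBOX
Oct  2 12:29:52 server dovecot: lmtp(colpo@ns.example.it): AAAA0001: msgid=<m2@ns.example.it>: saved mail to INBOX
Oct  2 12:29:53 server dovecot: lmtp(other@ns.example.it): AAAA0002: msgid=<m3@ns.example.it>: saved mail to INBOX
Oct  2 12:29:54 server dovecot: lmtp(colpo@ns.example.it): AAAA0003: msgid=<m4@ns.example.it>: saved mail to INBOX
Oct  2 12:30:01 server dovecot: lmtp(colpo@ns.example.it): AAAA0004: msgid=<m5@ns.example.it>: saved mail to INBOX
Oct  2 12:30:02 server dovecot: lmtp(colpo@ns.example.it): AAAA0005: msgid=<m6@ns.example.it>: saved mail to INBOX'

# lmtp_burst THRESHOLD
# Reads Dovecot log lines on stdin. Prints "<Mon> <day> <HH:MM> <mailbox> <count>"
# for every minute/mailbox pair with more than THRESHOLD saved messages.
# Only lines whose lmtp(...) tag holds a mailbox (contains '@') are counted;
# the lmtp(<pid>) connect/disconnect lines are ignored.
lmtp_burst() {
    awk -v limit="$1" '
        / dovecot: lmtp\([^)]*@[^)]*\): .*: saved mail to / {
            # $1=month $2=day $3=HH:MM:SS $4=host $5="dovecot:" $6="lmtp(box):"
            minute = substr($3, 1, 5)
            box = $6
            sub(/^lmtp\(/, "", box)
            sub(/\):$/, "", box)
            n[$1 " " $2 " " minute " " box]++
        }
        END {
            for (k in n) if (n[k] > limit) print k, n[k]
        }' | sort
}

# Demo run on the constructed sample: flag mailboxes receiving more than
# 2 messages in one minute (prints "Oct 2 12:29 colpo@ns.example.it 4").
printf '%s\n' "$SAMPLE_LOG" | lmtp_burst 2
```

On a cPanel server you would feed the real log instead of the sample, assuming Dovecot writes to /var/log/maillog: `lmtp_burst 20 < /var/log/maillog`, then follow the flagged mailbox back to its cPanel account.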
  2. sharkufc

    OK, maybe I found a solution:
    Code:
    ps -C exim -fH eww | grep home
    This command shows the user and the script from which the email is being created.
     
  3. sharkufc

    I continue to update this thread.
    What I found out is that if I check the eximstats tables, I have a lot of rows in the defers table such as this one:
    Code:
    2016-10-03 08:22:06    1bqjjE-0005P1-7G    tc@yahoo.com    remote_smtp    mta6.am0.yahoodns.net    63.250.192.45    SMTP error from remote mail server after MAIL FROM:<betsy@mydomain.com> SIZE=2334: 421 4.7.1 [TS03] All messages from 176.56.238.108 will be permanently deferred; Retrying will NOT succeed. See https://help.yahoo.com/kb/postmaster/SLN3436.htm    lookuphost            864376
    It seems that something is going on, but I cannot understand if someone is trying to send email from within the server or from outside.
    Is there anyone who has faced the same issue?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    The output in your last response shows messages sent to Yahoo from:

    Are the deferred messages coming from the same domain name? If so, you should investigate the cPanel account associated with that domain name to determine if that email account is compromised, or if scripts installed to that account are sending emails.

    The following thread should also help:

    How can I find out if my server is sending spam?

    Thank you.
     