mailman spam but no mailman list exists

gkgcpanel

Have a very strange problem. Noticed yesterday that a customer was using mailman to relay spam through the server. Several hundred messages went out before I caught it and suspended the account. The server's load went from 0.79 to 47 in about 6 seconds.

The customer said he didn't do it, and has no idea what's going on, so I checked and found that he does NOT have any mailman lists in place, but each spam that went out went out through mailman (127.0.0.1) from a non-existent mailman bounce email account. How the hell is that possible?

I changed his password and unsuspended his account and everything was fine. I did NOT give him his new password and a few hours later it started again. He did NOT log in and there is still no evidence of any mailman lists that are being abused... Had to suspend the site again to let the server recover.

Here's an entry from the log file:

2012-12-02 20:05:12 1TfLPE-0003zr-0G <= [email protected]=localhost (web.nnnnnnn.xxx) [127.0.0.1]:60796 P=esmtp S=878 [email protected]com T="Se ha dado de baja de la lista de distribuci\363n Gaceta" for [email protected]
2012-12-02 20:05:12 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TfLPE-0003zr-0G
2012-12-02 20:05:12 1TfLPE-0003zr-0G SMTP connection identification H=localhost A=127.0.0.1 P=60796 M=1TfLPE-0003zr-0G U=mailman ID=509 S=mailman B=authenticated_local_user

Looking at the cPanel mailing list icon, I see this:

There are no mailing lists configured for this domain.

There are no forwarders either:

There are no forwarders configured for the current domain.

There are 2 email addresses, but neither is for what is listed in the log file.

So how the hell is this happening?

Is there a mailman exploit that is going around I don't know about?
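Added example (not from the thread): a small parser for the two Exim mainlog line shapes quoted above (the `<=` receipt line and the `SMTP connection identification` line) that correlates them by message id and flags messages submitted locally as `U=mailman` with `B=authenticated_local_user` whose envelope sender is a `-bounces` address for a list that is not actually configured on the server. The sample log lines, hosts, ids and addresses are constructed placeholders modelled on the post, and the set of configured list bounce addresses is assumed to be supplied by the admin.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Exim mainlog lines quoted in the post.
# Message ids, hosts and addresses are placeholders, not data from the thread.
SAMPLE_LOG = """\
2012-12-02 20:05:12 1TfLPE-0003zr-0G <= gaceta-bounces@cust.example H=localhost (web.example) [127.0.0.1]:60796 P=esmtp S=878 T="Se ha dado de baja" for alice@example.net
2012-12-02 20:05:12 1TfLPE-0003zr-0G SMTP connection identification H=localhost A=127.0.0.1 P=60796 M=1TfLPE-0003zr-0G U=mailman ID=509 S=mailman B=authenticated_local_user
2012-12-02 20:05:13 1TfLPF-0003zs-1H <= gaceta-bounces@cust.example H=localhost (web.example) [127.0.0.1]:60797 P=esmtp S=880 T="Se ha dado de baja" for bob@example.org
2012-12-02 20:05:13 1TfLPF-0003zs-1H SMTP connection identification H=localhost A=127.0.0.1 P=60797 M=1TfLPF-0003zs-1H U=mailman ID=509 S=mailman B=authenticated_local_user
2012-12-02 20:06:01 1TfLQ0-0003zt-2J <= news-bounces@lists.example H=localhost (web.example) [127.0.0.1]:60801 P=esmtp S=1200 T="Weekly digest" for carol@example.com
2012-12-02 20:06:01 1TfLQ0-0003zt-2J SMTP connection identification H=localhost A=127.0.0.1 P=60801 M=1TfLQ0-0003zt-2J U=mailman ID=509 S=mailman B=authenticated_local_user
2012-12-02 20:06:05 1TfLQ4-0003zu-3K <= dave@cust.example H=localhost [127.0.0.1]:60805 P=esmtpa A=dovecot_login:dave@cust.example S=500 T="hello" for erin@example.com
"""

# "<=" receipt line: message id, envelope sender, final recipient
RECEIVED = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) .* for (?P<rcpt>\S+)$")
# identification line: local submitting user (U=) and authenticator result (B=)
IDENT = re.compile(r"^\S+ \S+ (?P<id>\S+) SMTP connection identification .*\bU=(?P<user>\S+) .*\bB=(?P<auth>\S+)")

def parse_exim_log(text):
    """Group the '<=' line and the identification line of each message by Exim id."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = RECEIVED.match(line)
        if m:
            msgs[m["id"]].update(sender=m["sender"], rcpt=m["rcpt"])
            continue
        m = IDENT.match(line)
        if m:
            msgs[m["id"]].update(user=m["user"], auth=m["auth"])
    return msgs

def unexpected_mailman_submissions(text, configured_lists):
    """Messages submitted locally as the mailman user whose envelope sender is a
    -bounces address for a list that is not in the admin-supplied configured set."""
    hits = []
    for mid, m in parse_exim_log(text).items():
        if m.get("user") != "mailman" or m.get("auth") != "authenticated_local_user":
            continue
        local, _, _domain = m.get("sender", "@").partition("@")
        if local.endswith("-bounces") and m["sender"] not in configured_lists:
            hits.append((mid, m["sender"], m["rcpt"]))
    return hits

def senders_by_volume(text, configured_lists):
    """Count flagged messages per envelope sender, highest first."""
    counts = defaultdict(int)
    for _, sender, _ in unexpected_mailman_submissions(text, configured_lists):
        counts[sender] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])
```

Run it over /var/log/exim_mainlog with the real set of list bounce addresses from the server's mailman installation; a `-bounces` sender that is not in that set, submitted as the mailman user, is the pattern to chase further.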