
mailman spam but no mailman list exists

Discussion in 'E-mail Discussion' started by gkgcpanel, Dec 4, 2012.

  1. gkgcpanel

    gkgcpanel Well-Known Member

    Have a very strange problem. Noticed yesterday that a customer was using mailman to relay spam through the server. Several hundred messages went out before I caught it, and suspended the account. The server's load went from 0.79 to 47 in about 6 seconds.

    The customer said he didn't do it, and has no idea what's going on, so I checked and found that he does NOT have any mailman lists in place, but each spam that went out went out through mailman from a non-existent mailman bounce email account. How the hell is that possible?

    I changed his password and unsuspended his account and everything was fine. I did NOT give him his new password, and a few hours later it started again. He did NOT log in and there is still no evidence of any mailman lists that are being abused... Had to suspend the site again to let the server recover.

    Here's an entry from the log file:

    2012-12-02 20:05:12 1TfLPE-0003zr-0G <= [email protected]=localhost ( []:60796 P=esmtp S=878 [email protected]com T="Se ha dado de baja de la lista de distribuci\363n Gaceta" for [email protected]
    2012-12-02 20:05:12 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TfLPE-0003zr-0G
    2012-12-02 20:05:12 1TfLPE-0003zr-0G SMTP connection identification H=localhost A= P=60796 M=1TfLPE-0003zr-0G U=mailman ID=509 S=mailman B=authenticated_local_user

    Looking at the cPanel mailing list icon, I see this:

    There are no mailing lists configured for this domain.

    There are no forwarders either:

    There are no forwarders configured for the current domain.

    There are 2 email addresses, but neither is for what is listed in the log file.

    So how the hell is this happening?

    Is there a mailman exploit that is going around I don't know about?
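
An added example, not part of the original post: one way to join each `<=` arrival line in an Exim main log of the format quoted above with its "SMTP connection identification" line, so that bursts injected by a local user such as `U=mailman` can be counted per minute. The sample lines are constructed; message IDs, addresses, subjects and the `exampleuser` account are placeholders, and the threshold is an assumption to tune per server.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post; IDs, addresses and
# subjects are placeholders, not values from the original log.
SAMPLE_LOG = """\
2012-12-02 20:05:12 1AAAAA-000001-0G <= list-bounces@example.test H=localhost [127.0.0.1]:60796 P=esmtp S=878 T="Notice one" for a@example.net
2012-12-02 20:05:12 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1AAAAA-000001-0G
2012-12-02 20:05:12 1AAAAA-000001-0G SMTP connection identification H=localhost A=127.0.0.1 P=60796 M=1AAAAA-000001-0G U=mailman ID=509 S=mailman B=authenticated_local_user
2012-12-02 20:05:40 1AAAAA-000002-0G <= list-bounces@example.test H=localhost [127.0.0.1]:60801 P=esmtp S=880 T="Notice two" for b@example.net
2012-12-02 20:05:40 1AAAAA-000002-0G SMTP connection identification H=localhost A=127.0.0.1 P=60801 M=1AAAAA-000002-0G U=mailman ID=509 S=mailman B=authenticated_local_user
2012-12-02 20:07:03 1AAAAA-000003-0G <= user@example.test H=localhost [127.0.0.1]:60900 P=esmtp S=512 T="Hello" for c@example.net
2012-12-02 20:07:03 1AAAAA-000003-0G SMTP connection identification H=localhost A=127.0.0.1 P=60900 M=1AAAAA-000003-0G U=exampleuser ID=1001 S=exampleuser B=authenticated_local_user
"""

ARRIVAL = re.compile(r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)')
SUBJECT = re.compile(r' T="(?P<subject>(?:[^"\\]|\\.)*)"')
IDENT = re.compile(r'^(?P<ts>\S+ \S+) (?P<id>\S+) SMTP connection identification '
                   r'.*\bU=(?P<user>\S+) .*\bB=(?P<how>\S+)')

def correlate(log_text):
    """Join each '<=' arrival with its identification line by message ID."""
    arrivals, records = {}, []
    for line in log_text.splitlines():
        if (m := ARRIVAL.match(line)):
            s = SUBJECT.search(line)
            arrivals[m["id"]] = (m["sender"], s["subject"] if s else "")
        elif (m := IDENT.match(line)):
            sender, subject = arrivals.get(m["id"], ("?", ""))
            records.append({"minute": m["ts"][:16], "id": m["id"], "user": m["user"],
                            "how": m["how"], "sender": sender, "subject": subject})
    return records

def bursts(records, threshold):
    """Return {(user, minute): count} for local users at or above threshold."""
    per_minute = Counter((r["user"], r["minute"]) for r in records)
    return {k: n for k, n in per_minute.items() if n >= threshold}

if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    for (user, minute), n in bursts(recs, threshold=2).items():
        print(f"{minute} U={user} injected {n} messages")
```
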
