The Community Forums


mailman spam but no mailman list exists

Discussion in 'E-mail Discussions' started by gkgcpanel, Dec 4, 2012.

gkgcpanel (Well-Known Member, joined Jun 6, 2007; cPanel Access Level: DataCenter Provider)

    Have a very strange problem. Noticed yesterday that a customer was using mailman to relay spam through the server. Several hundred messages went out before I caught it and suspended the account. The server's load went from 0.79 to 47 in about 6 seconds.

    The customer said he didn't do it, and has no idea what's going on, so I checked and found that he does NOT have any mailman lists in place, but each spam that went out went out through mailman (127.0.0.1) from a non-existent mailman bounce email account. How the hell is that possible?

    I changed his password and unsuspended his account and everything was fine. I did NOT give him his new password, and a few hours later it started again. He did NOT log in, and there is still no evidence of any mailman lists that are being abused... Had to suspend the site again to let the server recover.

    Here's an entry from the log file:

    2012-12-02 20:05:12 1TfLPE-0003zr-0G <= gaceta-bounces@xxxxxxxxxxxxx.com H=localhost (web.nnnnnnn.xxx) [127.0.0.1]:60796 P=esmtp S=878 id=mailman.22.1354500308.29895.gaceta_xxxxxxxxxx.com@xxxxxxxxxx.com T="Se ha dado de baja de la lista de distribuci\363n Gaceta" for xxxxxxxx@xxxxxxxxxxxx.com
    2012-12-02 20:05:12 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TfLPE-0003zr-0G
    2012-12-02 20:05:12 1TfLPE-0003zr-0G SMTP connection identification H=localhost A=127.0.0.1 P=60796 M=1TfLPE-0003zr-0G U=mailman ID=509 S=mailman B=authenticated_local_user

    Looking at the cPanel mailing list icon, I see this:

    There are no mailing lists configured for this domain.

    There are no forwarders either:

    There are no forwarders configured for the current domain.

    There are 2 email addresses, but neither is for what is listed in the log file.

    So how the hell is this happening?

    Is there a mailman exploit that is going around I don't know about?
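An added example (not from the post, cPanel or Mailman): a small Python check over Exim mainlog lines in the shape quoted above. It pairs each arrival from a `*-bounces@` sender whose Message-ID has the `mailman.<seq>.<time>.<pid>.<list>_<domain>` form seen in the log with the identification line recording `U=mailman`, and reports list names that are not in the set of lists known to exist on the server. The sample log lines, domains and the known-list set are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Exim mainlog entries quoted in the post.
# Domains, addresses and message ids are placeholders, not real data.
SAMPLE_LOG = """\
2012-12-02 20:05:12 1TfLPE-0003zr-0G <= gaceta-bounces@example.com H=localhost (web.example.net) [127.0.0.1]:60796 P=esmtp S=878 id=mailman.22.1354500308.29895.gaceta_example.com@example.com T="Se ha dado de baja de la lista" for victim@example.org
2012-12-02 20:05:12 1TfLPE-0003zr-0G SMTP connection identification H=localhost A=127.0.0.1 P=60796 M=1TfLPE-0003zr-0G U=mailman ID=509 S=mailman B=authenticated_local_user
2012-12-02 20:06:01 1TfLQ1-0004aa-1X <= announce-bounces@example.com H=localhost (web.example.net) [127.0.0.1]:60801 P=esmtp S=900 id=mailman.3.1354500361.100.announce_example.com@example.com T="Weekly news" for user@example.org
2012-12-02 20:06:01 1TfLQ1-0004aa-1X SMTP connection identification H=localhost A=127.0.0.1 P=60801 M=1TfLQ1-0004aa-1X U=mailman ID=509 S=mailman B=authenticated_local_user
2012-12-02 20:07:00 1TfLR0-0004bb-2Y <= bob@example.com H=mail.example.org [203.0.113.5]:25 P=esmtps S=1200 id=abc123@example.org T="hello" for alice@example.org
"""

# Arrival ("<=") line: Exim message id, envelope sender, and a Mailman-style
# Message-ID whose last component is "<listname>_<domain>" as in the post's log.
ARRIVAL_RE = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+@\S+) .*?"
    r"id=mailman\.\d+\.\d+\.\d+\.(?P<list>[^_\s]+)_(?P<domain>\S+?)@"
)
# Identification line (cPanel's Exim logging) recording the submitting local user.
IDENT_RE = re.compile(
    r"^\S+ \S+ \S+ SMTP connection identification .*\bM=(?P<m>\S+) U=mailman\b"
)


def find_phantom_list_traffic(log_text, known_lists):
    """Return {(list, domain): count} for messages submitted by the mailman user
    whose list name is not in known_lists, the (list, domain) pairs that really
    exist on the server (assumed to be gathered separately by the operator)."""
    arrivals = {}
    mailman_submitted = set()
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            arrivals[m.group("msgid")] = (m.group("list"), m.group("domain"))
            continue
        m = IDENT_RE.match(line)
        if m:
            mailman_submitted.add(m.group("m"))
    hits = Counter()
    for msgid, key in arrivals.items():
        if msgid in mailman_submitted and key not in known_lists:
            hits[key] += 1
    return dict(hits)


if __name__ == "__main__":
    known = {("announce", "example.com")}  # assumed: the only list actually configured
    print(find_phantom_list_traffic(SAMPLE_LOG, known))  # {('gaceta', 'example.com'): 1}
```

Pointing it at the real mainlog and the server's real list directory would show whether traffic is being generated for a list that does not exist, which is the situation the post describes.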
     