
Malicious Emails sent from account

Discussion in 'E-mail Discussions' started by codegirl42, May 14, 2007.

  1. codegirl42

    codegirl42 Well-Known Member

    Joined:
    Mar 9, 2006
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    156
    Hello,

    I'm sure that at least one person has gone through this...so here goes:

    One of the accounts on our server is being used by spammers *not by the account holder* to send "Replica Watch" emails. We receive all of the bounced emails from those who have blocked it. Is there any way to stop the malicious emails from being sent?

    Thanks for your help!

    HEADERS:

    extcom@space-cargo.com,extdir@space-cargo.com,extexpress@space-cargo.com,extit@space-cargo.com,
    extlog@space-cargo.com,extocean@space-cargo.com,extroad@space-cargo.com,extsvccliente@space-cargo.com,
    fayna.verdugo@space-cargo.com,fernando.garcia@space-cargo.com,fernando.herranz@space-cargo.com,fernando.pozo@space-cargo.com,
    fjavier.pellegero@space-cargo.com,fonso.valenzuela@space-cargo.com,fran.barbero@space-cargo.com,galadu@space-cargo.com,
    galcom@space-cargo.com
    Received: from 64.253.12.206.dyn-cm-pool82.pool.pool.hargray.net (unknown [64.253.12.206])
    by fwmail.space-cargo.com (Spam Firewall) with SMTP
    id DFC002C078; Mon, 14 May 2007 17:24:47 +0200 (CEST)
    X-Originating-IP: 96.219.163.8 by smtp.64.253.12.206; Mon, 14 May 2007 08:24:38 -0800
    Message-ID: <yahluCJEOUKeusroad@space-cargo.com>
    From: "Herschel Steiner" <eusroad@space-cargo.com>
    Reply-To: "Herschel Steiner" <eusroad@space-cargo.com>
    To: eusroad@space-cargo.com
    Subject: Order Royal repl1ca w4tches Online
    Date: Mon, 14 May 2007 08:24:38 -0800
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7Bit
     
  2. AlexV.

    AlexV. Well-Known Member

    Joined:
    Jun 15, 2006
    Messages:
    212
    Likes Received:
    1
    Trophy Points:
    168
  3. codegirl42

    codegirl42 Well-Known Member

    Joined:
    Mar 9, 2006
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    156
    Hi!

    Thank you for that...

    We've done all of these:

    ● Enable suExec
    ● Enable phpSuExec
    ● Prevent the user “nobody” from being able to send out email
    ● Adding X-source headers
    ● Include a list of POP before SMTP headers when relaying email

    But the issue is that someone is using an account as a "REPLY TO" "SENT FROM" address, so we just receive the bounces.
     
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,277
    Likes Received:
    9
    Trophy Points:
    313
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
  5. codegirl42

    codegirl42 Well-Known Member

    Joined:
    Mar 9, 2006
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    156
  6. steinar

    steinar Registered

    Joined:
    Feb 20, 2007
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    151
    How to find the account...

    To locate the account and directory the malicious emails are being sent from on your server, try:

    grep 'cwd=/home/' /var/log/exim_mainlog | cut -d' ' -f3 | sort | uniq -c

    The output of the above command will give you a sorted list where you'll see from which user account, and even from which directory in that account, the malicious emails were sent, and also a count of how many emails came from each account/directory.

    When you find the account, suspend it or delete the directory that is abused.
     
    #6 steinar, Jul 17, 2007
    Last edited: Jul 17, 2007
  7. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    897
    Likes Received:
    12
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    Cool ! Thanks for that.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,472
    Likes Received:
    20
    Trophy Points:
    463
    Location:
    Go on, have a guess
    That will only work if you enabled extended exim logging with the +arguments switch.
     
  9. codegirl42

    codegirl42 Well-Known Member

    Joined:
    Mar 9, 2006
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    156
    What if it isn't enabled? Is there a version of that command that WILL work?
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,472
    Likes Received:
    20
    Trophy Points:
    463
    Location:
    Go on, have a guess
    No, you need to enable it in the exim configuration editor, in the first box add:

    log_selector = +arguments +subject
     
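The tally that steinar's one-liner produces, together with chirpy's caveat that the `cwd=` field only exists once `log_selector = +arguments` is set, as an added Python example that is not from this thread or from cPanel. The log lines below are constructed samples in exim_mainlog format; the account names, paths and message ids in them are made up. The script counts injections per directory under /home/ (what `grep | cut | sort | uniq -c` does), collapses that to per-account totals, and reports when a log has no `cwd=` lines at all, so an empty tally is not mistaken for "no abuse".

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines as written when
# log_selector includes +arguments: every local injection gets a line
# carrying the calling process's working directory ("cwd=") and argv.
SAMPLE_LOG_WITH_ARGUMENTS = """\
2007-07-17 10:01:12 cwd=/home/shopuser/public_html/forms 3 args: /usr/sbin/sendmail -t -i
2007-07-17 10:01:12 1IAbCd-0001xY-Zz <= shopuser@example.com U=shopuser P=local S=1024 T="Order Royal repl1ca w4tches Online"
2007-07-17 10:01:15 cwd=/home/shopuser/public_html/forms 3 args: /usr/sbin/sendmail -t -i
2007-07-17 10:01:20 cwd=/home/shopuser/public_html/forms 3 args: /usr/sbin/sendmail -t -i
2007-07-17 10:02:02 cwd=/home/bloguser/public_html 3 args: /usr/sbin/sendmail -t -i
2007-07-17 10:02:02 1IAbCe-0001xZ-Aa <= bloguser@example.com U=bloguser P=local S=800 T="Comment notification"
2007-07-17 10:03:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IAbCd-0001xY-Zz
"""

# Constructed sample of the same traffic with default logging: no cwd= lines,
# so a cwd-based tally comes back empty even though mail is being sent.
SAMPLE_LOG_WITHOUT_ARGUMENTS = """\
2007-07-17 10:01:12 1IAbCd-0001xY-Zz <= shopuser@example.com U=shopuser P=local S=1024
2007-07-17 10:02:02 1IAbCe-0001xZ-Aa <= bloguser@example.com U=bloguser P=local S=800
"""

# date, time, then the cwd= token as the third whitespace-separated field
# (the field that `cut -d' ' -f3` extracts).
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) ")


def count_by_directory(log_text, prefix="/home/"):
    """Count cwd= entries whose directory starts with prefix.

    The default prefix restricts the tally to mail injected from inside a
    hosted account, mirroring grep 'cwd=/home/'; queue runs from the
    spool directory and other system paths are left out.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m and m.group(1).startswith(prefix):
            counts[m.group(1)] += 1
    return counts


def count_by_account(dir_counts):
    """Collapse per-directory counts to the account name after /home/."""
    per_account = Counter()
    for directory, n in dir_counts.items():
        parts = directory.split("/")  # ['', 'home', 'user', ...]
        if len(parts) > 2 and parts[1] == "home":
            per_account[parts[2]] += n
    return per_account


def extended_logging_present(log_text):
    """True if any line carries a cwd= field.

    Without +arguments in log_selector Exim never writes these lines, so an
    empty result from count_by_directory means the data was never logged,
    not that nothing was sent.
    """
    return any(CWD_RE.match(line) for line in log_text.splitlines())


def report(log_text):
    """Return (count, directory) pairs, busiest first, like `sort | uniq -c`,
    or None when the log lacks cwd= lines and the question cannot be answered."""
    if not extended_logging_present(log_text):
        return None
    counts = count_by_directory(log_text)
    return sorted(((n, d) for d, n in counts.items()), reverse=True)


if __name__ == "__main__":
    for label, text in (("with +arguments", SAMPLE_LOG_WITH_ARGUMENTS),
                        ("default logging", SAMPLE_LOG_WITHOUT_ARGUMENTS)):
        rows = report(text)
        print(f"== {label} ==")
        if rows is None:
            print("no cwd= lines: add 'log_selector = +arguments +subject' and wait for new mail")
            continue
        for n, d in rows:
            print(f"{n:7d} {d}")
        for account, n in count_by_account(count_by_directory(text)).most_common():
            print(f"account {account}: {n} injection(s)")
```

On a live server the two sample strings would be replaced by the contents of /var/log/exim_mainlog; the directory with the highest count is the one to inspect and, as steinar says, suspend or clean up.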