
Malicious Emails sent from account

Discussion in 'E-mail Discussions' started by codegirl42, May 14, 2007.

  1. codegirl42

    Hello,

    I'm sure that at least one person has gone through this...so here goes:

    One of the accounts on our server is being used by spammers *not by the account holder* to send "Replica Watch" emails. We receive all of the bounced emails from those who have blocked it. Is there any way to stop the malicious emails from being sent?

    Thanks for your help!

    HEADERS:

    Received: from 64.253.12.206.dyn-cm-pool82.pool.pool.hargray.net (unknown [64.253.12.206])
    by fwmail.space-cargo.com (Spam Firewall) with SMTP
    id DFC002C078; Mon, 14 May 2007 17:24:47 +0200 (CEST)
    X-Originating-IP: 96.219.163.8 by smtp.64.253.12.206; Mon, 14 May 2007 08:24:38 -0800
    Message-ID: <yahluCJEOUKeusroad@space-cargo.com>
    From: "Herschel Steiner" <eusroad@space-cargo.com>
    Reply-To: "Herschel Steiner" <eusroad@space-cargo.com>
    To: eusroad@space-cargo.com
    Subject: Order Royal repl1ca w4tches Online
    Date: Mon, 14 May 2007 08:24:38 -0800
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7Bit
     
  2. AlexV.

  3. codegirl42

    Hi!

    Thank you for that...

    We've done all of these:

    ● Enable suExec
    ● Enable phpSuExec
    ● Prevent the user “nobody” from being able to send out email
    ● Adding X-source headers
    ● Include a list of POP before SMTP headers when relaying email

    But the issue is that someone is using an account as a "REPLY TO" "SENT FROM" address, so we just receive the bounces.
     
  4. cPanelDavidG

  5. codegirl42

  6. steinar

    How to find the account...

    To locate the account and directory the malicious emails are being sent from on your server, try:

    grep 'cwd=/home/' /var/log/exim_mainlog | cut -d' ' -f3 | sort | uniq -c | sort -rn

    The output of the above command will give you a sort where you'll see from which user account, and even from which directory in that account, the malicious emails were sent, and also a count of how many emails came from each account/directory.

    When you find the account, suspend it or delete the directory that is abused.
     
    #6 steinar, Jul 17, 2007
    Last edited: Jul 17, 2007
  7. kernow

    Cool ! Thanks for that.
     
  8. chirpy

    That will only work if you enabled extended exim logging with the +arguments switch.
     
  9. codegirl42

    What if it isn't enabled? Is there a version of that command that WILL work?
     
  10. chirpy

    No, you need to enable it in the exim configuration editor, in the first box add:

    log_selector = +arguments +subject
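The pipeline from post #6 and the +arguments requirement from post #10, combined into a small script as an added example (not code from the thread or from cPanel). The exim_mainlog lines, account names and paths below are constructed to mimic the format Exim writes when log_selector includes +arguments; the function names are my own.

```shell
#!/bin/sh
# Added example: count local mail submissions per cwd in exim_mainlog.
# Only works when log_selector = +arguments is set, otherwise no cwd= lines exist.
# The sample log is constructed; the accounts, paths and message ids are made up.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2007-07-17 10:01:02 cwd=/home/acct1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2007-07-17 10:01:03 1IAabc-0001Ab-2C <= user@example.com U=acct1 P=local S=512
2007-07-17 10:01:05 cwd=/home/acct1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2007-07-17 10:02:10 cwd=/home/acct2/public_html 3 args: /usr/sbin/sendmail -t -i
2007-07-17 10:02:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IAabd-0001Ac-3D
2007-07-17 10:03:00 cwd=/home/acct1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
EOF

# Submissions per directory under /home, most frequent first.
# Only cwd=/home/... lines count; queue runs from /var/spool/exim are ignored.
count_by_cwd() {
    grep -o 'cwd=/home/[^ ]*' "$1" | sort | uniq -c | sort -rn
}

# Roll the same data up to the cPanel account (the path component after /home/).
count_by_account() {
    grep -o 'cwd=/home/[^ ]*' "$1" | cut -d/ -f3 | sort | uniq -c | sort -rn
}

# The single busiest directory: the field after uniq's count on the top line.
top_cwd() {
    count_by_cwd "$1" | head -n 1 | awk '{print $2}'
}

count_by_cwd "$SAMPLE_LOG"
count_by_account "$SAMPLE_LOG"
top_cwd "$SAMPLE_LOG"
```

Run it against the real file by replacing "$SAMPLE_LOG" with /var/log/exim_mainlog; the busiest directory is the one to inspect and suspend first.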
     