The Community Forums

Match local SMTP connection to proper log file/entry?

Discussion in 'E-mail Discussions' started by postcd, Jan 3, 2017.

  1. postcd

    postcd Well-Known Member
    Hello,

    I wanted to ask if the following log entry in exim_mainlog is the result of someone accessing a .php file,

    or is it that someone knows my mail account password and is using SMTP? Or does it mean something else?

    because I am unable to find any suspicious entries in the Apache access logs around that date and time: cat /home/example/access-logs/*|grep "03/Jan/2017:17:20"

    is not helpful this time.

    My aim is to stop these connections and find the bad script or hole that is being abused to initiate these connections.
     
  2. postcd

    postcd Well-Known Member
    Hello,

    Someone is sending spam out of one of the cPanel accounts, and the sender e-mail is set to an e-mail address of a domain that is hosted on a different cPanel account (same server).

    I would like to prevent the mail server from processing e-mails where the claimed sender e-mail address has a domain not hosted on the cPanel account from which the mail is sent. How can I achieve this?

    Thank You
     
    #2 postcd, Jan 5, 2017
    Last edited by a moderator: Jan 5, 2017
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    Hello,

    This means the email originates on the cPanel server, however it doesn't have to be from a PHP script. Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication.

    To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM's Exim Configuration Manager interface (Home >> Exim Service Configuration >> Exim Configuration Manager).

    This is documented at:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

    Thank you.
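    The correlation this thread is asking for, as an added example that is not from the thread, from postcd or from cPanel: it picks out exim_mainlog entries accepted over SMTP from 127.0.0.1 (the unauthenticated local path cPanelMichael describes) and lists the Apache access-log requests in the minute before each one, instead of grepping for an exact minute. All log lines below are constructed samples; the regexes assume Exim's standard main-log line format and Apache's combined log format, both stamped in server-local time.

```python
import re
from datetime import datetime

# Constructed sample exim_mainlog lines (not from the thread). The first was accepted
# from 127.0.0.1 without authentication; the second is a normal authenticated submission.
EXIM_LOG = """\
2017-01-03 17:20:11 1cOabc-0001Ab-Cd <= bob@example.org H=localhost (srv.example.net) [127.0.0.1] P=esmtp S=2480 for victim@example.com
2017-01-03 17:25:40 1cOabd-0001Ac-De <= alice@example.com H=mail.example.org [203.0.113.5] P=esmtpsa A=dovecot_login:alice@example.com S=900
"""
# Constructed Apache access-log lines (combined format) for the suspected account's domain.
ACCESS_LOG = """\
198.51.100.7 - - [03/Jan/2017:17:19:58 +0100] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jan/2017:17:31:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# "<=" marks message arrival; H=... [127.0.0.1] marks an SMTP connection from the local host.
EXIM_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+) .*?H=\S+ (?:\(\S+\) )?\[127\.0\.0\.1\]")
APACHE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\] "(\S+) (\S+)')


def local_smtp_submissions(exim_text):
    """Yield (time, message id, envelope sender) for messages accepted from 127.0.0.1."""
    for line in exim_text.splitlines():
        m = EXIM_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def web_hits(access_text):
    """Yield (time, client ip, method, path) for each access-log request."""
    for line in access_text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1), m.group(3), m.group(4)


def correlate(exim_text, access_text, window_seconds=60):
    """Map each local-SMTP message id to the web requests made up to window_seconds before it."""
    hits = list(web_hits(access_text))
    result = {}
    for when, msg_id, sender in local_smtp_submissions(exim_text):
        near = [(ip, method, path) for t, ip, method, path in hits
                if 0 <= (when - t).total_seconds() <= window_seconds]
        result[msg_id] = {"time": when, "sender": sender, "web_hits": near}
    return result


if __name__ == "__main__":
    for msg_id, info in correlate(EXIM_LOG, ACCESS_LOG).items():
        print(msg_id, info["time"], info["sender"], info["web_hits"])
```

    On a real server, run it over /var/log/exim_mainlog and every account's access-logs directory, not just one domain. Note that a script sending through the sendmail binary rather than SMTP is logged by Exim with `U=<user> P=local` instead of `H=localhost [127.0.0.1]`, so such entries need a second pattern keyed on the account username.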
     
  4. postcd

    postcd Well-Known Member
    Even if that user does not know the cPanel password? Because I reset that cPanel password several times and used a quite long, random (alphanumeric) password, and this SPAM issue still happens. So I assume it is because of a PHP script? But as I mentioned in my initial post, I do not see any accesses around that time in the access logs.

    I already have this option enabled and set to "remote":

    EXPERIMENTAL: Rewrite From: header to match actual sender
    If you enable this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    Hello,

    Feel free to open a support ticket using the link in my signature if you'd like us to access the affected system to take a closer look. You can post the ticket number here and we will update this thread with the outcome.

    Thank you.
     