Match local SMTP connection to proper log file/entry?

postcd

Well-Known Member
Hello,

I wanted to ask if the following log entry in exim_mainlog is the result of someone accessing a .php file

2017-01-03 17:20:40 SMTP connection from [::1]:48527 (TCP/IP connection count = 1)
2017-01-03 17:20:41 SMTP connection identification H=localhost A=::1 P=48527 U=example ID=553 S=example B=identify_local_connection
or is it that someone knows my mail account password and is using SMTP? Or does it mean something else?

because I am unable to find any suspicious entries in the Apache access logs around that date and time: cat /home/example/access-logs/*|grep "03/Jan/2017:17:20"

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n|grep example
is not helpful this time.

My aim is to stop these connections and find the bad script or hole that is being abused to initiate them.
 

postcd

Well-Known Member
Hello,

someone is sending spam out of one of the cPanel accounts, and the sender e-mail is set to the e-mail address of a domain that is hosted on a different cPanel account (same server).

I would like to prevent the mail server from processing e-mails where the claimed sender e-mail address has a domain that is not hosted on the cPanel account from which the mail is sent. How can I achieve this?

Thank You
 
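The two questions in the posts above (does a local SMTP connection line up with a web request, and is an account sending mail with a From domain it does not host) can both be checked offline against copies of the logs. The script below is an added example, not code from the thread or from cPanel: it parses the "SMTP connection identification" and "<=" message lines of an exim_mainlog, correlates each local (H=localhost) connection with Apache access-log requests inside a small time window, and flags messages whose envelope sender domain is not among the domains of the sending account. The log lines and the ACCOUNT_DOMAINS map are constructed for the example (on a real cPanel server the map would be built from the server's user-to-domain listing), and it assumes both logs are written in the same timezone.

```python
import re
from datetime import datetime, timedelta

# Constructed exim_mainlog excerpt, modelled on the lines quoted in the thread.
EXIM_MAINLOG = """\
2017-01-03 17:20:40 SMTP connection from [::1]:48527 (TCP/IP connection count = 1)
2017-01-03 17:20:41 SMTP connection identification H=localhost A=::1 P=48527 U=example ID=553 S=example B=identify_local_connection
2017-01-03 17:20:41 1cOaBc-0001Ab-3k <= info@otherdomain.tld U=example P=local S=2048
2017-01-03 18:05:02 1cOaBd-0001Ac-7q <= user@example.tld U=example P=local S=512
"""

# Constructed Apache access-log excerpt for the account's domain.
ACCESS_LOG = """\
203.0.113.9 - - [03/Jan/2017:17:20:39 +0000] "POST /contact.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Jan/2017:16:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Hypothetical account -> hosted domains map (constructed for the example).
ACCOUNT_DOMAINS = {"example": {"example.tld"}}

EXIM_TS = "%Y-%m-%d %H:%M:%S"
APACHE_TS = "%d/%b/%Y:%H:%M:%S"
STAMP = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
IDENT_RE = re.compile(STAMP + r" SMTP connection identification (?P<fields>.*)$")
MSG_RE = re.compile(STAMP + r" (?P<id>\S+) <= (?P<sender>\S+) (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")          # key=value pairs such as H=localhost U=example
APACHE_RE = re.compile(r"\[(?P<ts>\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\]")


def parse_exim(text):
    """Return connection-identification and message-arrival entries from exim_mainlog text."""
    entries = []
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            f = dict(FIELD_RE.findall(m.group("fields")))
            entries.append({"kind": "ident", "ts": datetime.strptime(m.group("ts"), EXIM_TS),
                            "host": f.get("H"), "user": f.get("U"), "raw": line})
            continue
        m = MSG_RE.match(line)
        if m:
            f = dict(FIELD_RE.findall(m.group("fields")))
            entries.append({"kind": "message", "ts": datetime.strptime(m.group("ts"), EXIM_TS),
                            "id": m.group("id"), "sender": m.group("sender"),
                            "user": f.get("U"), "raw": line})
    return entries


def parse_access(text):
    """Return (timestamp, line) pairs for Apache combined-format access log lines."""
    out = []
    for line in text.splitlines():
        m = APACHE_RE.search(line)
        if m:
            out.append((datetime.strptime(m.group("ts"), APACHE_TS), line))
    return out


def correlate(exim_entries, access_entries, window=5):
    """For every local SMTP connection, list web requests within +/- window seconds.

    An empty request list is itself a finding: the mail was submitted by a local
    process that left no trace in the web logs (cron job, shell, another daemon).
    """
    delta = timedelta(seconds=window)
    hits = []
    for e in exim_entries:
        if e["kind"] != "ident" or e["host"] != "localhost":
            continue
        requests = [line for ts, line in access_entries if abs(ts - e["ts"]) <= delta]
        hits.append({"ts": e["ts"], "user": e["user"], "requests": requests})
    return hits


def foreign_sender_messages(exim_entries, account_domains):
    """Flag messages whose envelope sender domain is not hosted by the submitting account."""
    flagged = []
    for e in exim_entries:
        if e["kind"] != "message" or e["user"] is None or "@" not in e["sender"]:
            continue                      # skip bounces (<>) and entries without a U= field
        domain = e["sender"].rsplit("@", 1)[1].lower()
        if domain not in account_domains.get(e["user"], set()):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    entries = parse_exim(EXIM_MAINLOG)
    for hit in correlate(entries, parse_access(ACCESS_LOG)):
        print(f"{hit['ts']} local connection by U={hit['user']}: {len(hit['requests'])} request(s) nearby")
        for req in hit["requests"]:
            print("   ", req)
    for msg in foreign_sender_messages(entries, ACCOUNT_DOMAINS):
        print(f"{msg['id']}: U={msg['user']} sent as {msg['sender']} (domain not hosted by account)")
```

Run it against real copies of the logs by reading them into the two text variables; a run whose correlation shows no request near a local connection points away from a web script and towards a cron job or another local process on that account, which narrows where to look next.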

cPanelMichael

Administrator
Staff member
I wanted to ask if the following log entry in exim_mainlog is the result of someone accessing a .php file
H=localhost
Hello,

This means the email originates on the cPanel server, however it doesn't have to be from a PHP script. Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication.

To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM's Exim Configuration Manager interface (Home >> Exim Service Configuration >> Exim Configuration Manager).

This is documented at:

How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

Thank you.
 

postcd

Well-Known Member
Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication.
Even if that user does not know the cPanel password? Because I reset that cPanel password several times and used quite long, random-character (alphanumeric) passwords, and this spam issue still happens. So I assume it is because of a PHP script? But as I mentioned in my initial post, I do not see any accesses around that time in the access logs.

To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM's Exim Configuration Manager interface (Home >> Exim Service Configuration >> Exim Configuration Manager).
I already have this option enabled and set to "remote".

EXPERIMENTAL: Rewrite From: header to match actual sender
If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.
 

cPanelMichael

Administrator
Staff member
Hello,

Feel free to open a support ticket using the link in my signature if you'd like us to access the affected system to take a closer look. You can post the ticket number here and we will update this thread with the outcome.

Thank you.