psytanium (Well-Known Member, Lebanon, cPanel Access Level: Root Administrator)
Hi,

My VPS server sends spam, which causes emails to get stuck in the Mail Queue, and recently I exceeded the SMTP relay limit of 5000 set by GoDaddy, and they refused to temporarily increase it.

Anyway, how can I find the source of the spam? It seems to come from my server (server.my-server.com).
From Mail Queue Manager the message info:

Code:
Date: Mon, 29 Apr 2019 14:17:15 +0300
From: Mail Delivery System <[email protected]>
To: [email protected]
Subject: Mail delivery failed: returning message to sender
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary=1556536635-eximdsn-1383029932
Message-Id: <[email protected]>
MIME-Version: 1.0
Received: from mailnull by server.my-server.com with local (Exim 4.91)
   id 1hL4Hb-0006Zi-I1
   for [email protected]; Mon, 29 Apr 2019 14:17:15 +0300
X-Failed-Recipients: [email protected]

In this header info, we can find 2 emails: [email protected] and [email protected]; neither belongs to any user on my server.

How can I stop it?
 

keat63 (Well-Known Member, cPanel Access Level: Root Administrator)
How many accounts do you have on the VPS?

In WHM, navigate to mail delivery reports, run a report and see if you can identify the user account which is sending these.
 

keat63 (Well-Known Member, cPanel Access Level: Root Administrator)
I don't know the answer, but I'd still suggest taking a look in Mail Delivery Reports, clicking on the magnifying glass and seeing if these are linked to a user account on the server.
 


psytanium (Well-Known Member, Lebanon, cPanel Access Level: Root Administrator)
Alright, may I have some more information please? I have to learn how to spot the spam source and the solution.

For example, this account on my server, k**a.com.lb, has sent 12000 emails today. From the Mail Delivery Report, I can find these details:

[removed due to use of real domains]

What should I look for, and what should I do with this information? Is the source of the spam my server, the user's computer, or a stolen password? Or some other possibility?

Regards,
 

psytanium (Well-Known Member, Lebanon, cPanel Access Level: Root Administrator)
Hello,

The most used subjects

[removed due to use of real SPAM terms]

The most logged in user

Code:
126 __cpanel__service__auth__icontact__
1542 [email protected]****removed.com
12986 [email protected]**removed.lb
The most used mailing script

Code:
9167 /usr/local/cpanel/whostmgr/docroot
The user [email protected]**a.com.lb has sent 12986 emails with the subjects "removed" and "removed".

But what does it mean if the most used mail script is "/usr/local/cpanel/whostmgr/docroot"? Is the spam sent from my server, from the user's computer, or from Jupiter?
 

cPanelMichael (Technical Support Community Manager, Staff member, cPanel Access Level: DataCenter Provider)
> The user [email protected]**a.com.lb has sent 12986 emails with the subjects "removed" and "removed".

Hello @psytanium,

This means that the email account is authenticating with the email account's username and password to send out the SPAM email. You'll want to change the password for that email account and let the cPanel account holder associated with that domain name know about the outgoing SPAM. Then, browse to WHM >> Mail Queue Manager, search for the offending email account or the SPAM term, and remove the queued messages from your server's email queue.

Thank you.
 

psytanium (Well-Known Member, Lebanon, cPanel Access Level: Root Administrator)
What if there is malware on my server sending spam from inside? How can I find the source?

In 10 days, I found 3 different domains sending spam, and I got blocked by GoDaddy's relays 3 times, 24h each.
 

psytanium (Well-Known Member, Lebanon, cPanel Access Level: Root Administrator)
When I run the command

Code:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

the output is

Code:
....
24 /home/user/public_html
29 /home/user1/public_html
35 /home/user2/public_html/automatic
35 /home/user3/public_html/insight
53 /home/user4/public_html
9174 /usr/local/cpanel/whostmgr/docroot

Why are all the regular emails sent from the home directories, but the 9174 spam messages are sent from /usr/local/cpanel/whostmgr/docroot? What is it?
 

psytanium (Well-Known Member, Lebanon, cPanel Access Level: Root Administrator)
Emails by user:

Code:
6761 : mailnull
106 : user1
56 : user2

Email accounts sending out mail:

Code:
12986 : [email protected]**a.com.lb
1542 : [email protected]*******hotel.com
128 : __cpanel__service__auth__icontact__g9f89smfbc2ue90x
56 : [email protected]*******er.me

Directories mail is originating from:

Code:
56 : /home/user/public_html
35 : /home/user1/public_html/insight
35 : /home/user1/public_html/automatic

Top 20 Email Titles:

Code:
9889 : Industrial Control & Supply Inc.
6761 : Mail delivery failed: returning message to sender
3080 : Azzam Purchase Order #107608 --107609
1502 : Response

Thank you
 

cPanelMichael (Technical Support Community Manager, Staff member, cPanel Access Level: DataCenter Provider)
Hello @psytanium,

> 6761 : mailnull
> 6761 : Mail delivery failed: returning message to sender

The "mailnull" user you see in the report is showing you the number of emails that were returned to the sender.

This is the account to focus on. I recommend following the advice from my earlier post to this thread:

> You'll want to change the password for that email account and let the cPanel account holder associated with that domain name know about the outgoing SPAM. Then, browse to WHM >> Mail Queue Manager, search for the offending email account or the SPAM term, and remove the queued messages from your server's email queue.

If you're concerned that you're missing something, feel free to open a support ticket so we can take a closer look.

Thank you.
 

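As an added example (not code from the thread, from cPanel or from Exim), the following Python reads the same /var/log/exim_mainlog signals that psytanium's grep and WHM's Mail Delivery Reports draw on and keeps them apart: cwd= for scripts calling sendmail, A= for the mailbox credential used over SMTP AUTH (the case cPanelMichael describes), and U=mailnull with an empty envelope sender for the bounces. It assumes cPanel's Exim log format, in which cwd and A=dovecot_login:... are recorded, and runs on constructed sample lines.

```python
import re
from collections import Counter

# Constructed lines in the shape of /var/log/exim_mainlog on a cPanel host
# (ids, hosts and addresses invented): two local sendmail calls from web
# directories, two SMTP-authenticated sends, and the bounce one produced.
SAMPLE_LOG = """\
2019-04-29 14:01:02 cwd=/home/user1/public_html 4 args: /usr/sbin/sendmail -t -i
2019-04-29 14:01:02 1hL4Hb-0006Zi-I1 <= user1@site-one.example U=user1 P=local S=2048 T="Order confirmation" for buyer@example.net
2019-04-29 14:01:05 1hL4Hc-0006Zj-J2 <= shop@site-two.example H=(laptop) [203.0.113.7] P=esmtpsa A=dovecot_login:shop@site-two.example S=5123 T="Industrial Control & Supply Inc." for a@example.org
2019-04-29 14:01:06 1hL4Hd-0006Zk-K3 <= shop@site-two.example H=(laptop) [203.0.113.7] P=esmtpsa A=dovecot_login:shop@site-two.example S=5123 T="Industrial Control & Supply Inc." for b@example.org
2019-04-29 14:01:07 1hL4He-0006Zl-L4 <= <> R=1hL4Hd-0006Zk-K3 U=mailnull P=local S=3310 T="Mail delivery failed: returning message to sender" for shop@site-two.example
2019-04-29 14:02:00 cwd=/home/user2/public_html/insight 4 args: /usr/sbin/sendmail -t -i
2019-04-29 14:02:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1hL4He-0006Zl-L4
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")
AUTH_RE = re.compile(r"\bA=(\S+)")   # SMTP AUTH credential, e.g. dovecot_login:user@domain
USER_RE = re.compile(r"\bU=(\S+)")   # local Unix user for sendmail/pipe submissions
SUBJ_RE = re.compile(r'\bT="((?:[^"\\]|\\.)*)"')

def summarize(log_text):
    """Count outbound mail by origin, the same signals WHM's Mail Delivery
    Reports show: script directory (cwd=), authenticated mailbox (A=),
    local user (U=) and subject (T=). Bounces arrive as <= <> from mailnull."""
    out = {"cwd": Counter(), "auth": Counter(), "user": Counter(), "subject": Counter(), "bounces": 0}
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m:
            if not m.group(1).startswith("/var/spool"):  # skip Exim's own queue runs
                out["cwd"][m.group(1)] += 1
            continue
        if " <= " not in line:
            continue                                     # only message arrivals
        if " <= <> " in line:
            out["bounces"] += 1                          # empty envelope sender = DSN
        for rx, key in ((AUTH_RE, "auth"), (USER_RE, "user"), (SUBJ_RE, "subject")):
            m = rx.search(line)
            if m:
                out[key][m.group(1)] += 1
    return out

if __name__ == "__main__":
    for key, ctr in summarize(SAMPLE_LOG).items():
        print(key, ctr if isinstance(ctr, int) else ctr.most_common(3))
```

A mailbox that dominates the "auth" counter while the "cwd" counter stays quiet is a leaked or guessed password, not a compromised script; the reverse points at a web directory.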
psytanium (Well-Known Member, Lebanon, cPanel Access Level: Root Administrator)
Thank you for the explanation, the missing point is clear now.

What is more important is how to make sure I receive a notification email before my server gets blocked by GoDaddy or blacklisted. This discussion is open in another topic in this forum.

Thanks again :)
 

rafhelp (Registered, United Kingdom, cPanel Access Level: Root Administrator)
I have a shared hosting with GoDaddy.

It hosts numerous WP installations/websites.

Yesterday in cPanel I noticed file usage had maxed out, going past the limit of 250K.

I contacted GoDaddy who tried to sell me upgrades to the hosting. I declined then started deleting loads of files and old plugins. Got it down to 50% usage.

Today I noticed the file usage had gone up again. So I checked the FTP folders, and in a folder located here:
"home/mysite/mail/new/"

There are like 1500 new files with names similar to this:
15.4P421231.example.prod.ams1.secureserver.net,S=4411,W=4490

This is the content of one of those files:
Code:
Return-Path: <>
Delivered-To: [email protected]
Received: from example.prod.ams1.secureserver.net
   by examle.prod.ams1.secureserver.net with LMTP
   id YHdzMlGmLV1vbQYAqVQW0Q
   (envelope-from <>)
   for <[email protected]>; Tue, 16 Jul 2019 03:26:25 -0700
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Tue, 16 Jul 2019 03:26:25 -0700
Received: from mailnull by example.prod.ams1.secureserver.net with local (Exim 4.92)
   id 1hnKfB-001mvT-Oo
   for [email protected]; Tue, 16 Jul 2019 03:26:25 -0700
X-Failed-Recipients: [email protected]
Auto-Submitted: auto-replied
From: Mail Delivery System <[email protected]>
To: [email protected]
Content-Type: multipart/report; report-type=delivery-status; boundary=1563272785-eximdsn-224566932
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: <E[email protected]>
Date: Tue, 16 Jul 2019 03:26:25 -0700

--1563272785-eximdsn-224566932
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    host n1nlshrout-v02.shr.prod.ams1.secureserver.net [188.121.43.247]
    SMTP error from remote mail server after end of data:
    552 5.2.0 nKfBhoqrWtepr :: CPANEL :: Message rejected for spam or virus content ::
    Please include this entire message when contacting support ::
    v=2.3 cv=MOUeZ/Rl c=1 sm=1 tr=0 p=KJD1t2hDAAAA:8 a=r9Bl8V4KkuNHnxc9opHAaQ==:117 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=8leYwG_D0f8A:10 a=IkcTkHD0fZMA:10 a=x7bEGLp0ZPQA:10 a=HKoSam3bM6MA:10 a=bktHx2K8ArkA:10 a=0o9FgrsRnhwA:10 a=rspIfaWkwMkA:10 a=CjxXgO3LAAAA:8 a=OGcbRibh8eA8wha6igoA:9 a=QEXdDO2ut3YA:10 a=QvZW9KSDK1oA:10 a=wPMxKhUWycEA:10 a=pTznbiGrbv8A:10 a=ob5DfPJ9V6cA:10 a=4cSDUiFOmQsdoIEnurUK:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=jd6J4Gguk5HxikPWLKER:22 ::
    100.00

--1563272785-eximdsn-224566932
Content-type: message/delivery-status

Reporting-MTA: dns; example.prod.ams1.secureserver.net

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; n1nlshrout-example.prod.ams1.secureserver.net
Diagnostic-Code: smtp; 552 5.2.0 nKfBhoqrWtepr :: CPANEL :: Message rejected for spam or virus content :: Please include this entire message when contacting support :: v=2.3 cv=MOUeZ/Rl c=1 sm=1 tr=0 p=KJD1t2hDAAAA:8 a=r9Bl8V4KkuNHnxc9opHAaQ==:117 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=8leYwG_D0f8A:10 a=IkcTkHD0fZMA:10 a=x7bEGLp0ZPQA:10 a=HKoSam3bM6MA:10 a=bktHx2K8ArkA:10 a=0o9FgrsRnhwA:10 a=rspIfaWkwMkA:10 a=CjxXgO3LAAAA:8 a=OGcbRibh8eA8wha6igoA:9 a=QEXdDO2ut3YA:10 a=QvZW9KSDK1oA:10 a=wPMxKhUWycEA:10 a=pTznbiGrbv8A:10 a=ob5DfPJ9V6cA:10 a=4cSDUiFOmQsdoIEnurUK:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=jd6J4Gguk5HxikPWLKER:22 :: 100.00

--1563272785-eximdsn-224566932
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from mysite by example.prod.ams1.secureserver.net with local (Exim 4.92)
   (envelope-from <[email protected]>)
   id 1hnKfB-001muY-GU
   for [email protected]; Tue, 16 Jul 2019 03:26:25 -0700
To: [email protected]
Subject: =?UTF-8?Q?Sample_Site_1_"some test here_=D0=93?=  =?UTF-8?Q?=C2=some test here"?=
X-PHP-Script: www.example.com/index.php for 134.90.xxx.xxx
X-PHP-Filename: /home/mysite/public_html/example.com/index.php REMOTE_ADDR: 134.90.xxx.xxx
Date: Tue, 16 Jul 2019 10:26:25 +0000
From: WordPress <[email protected]>
Reply-To: [email protected]
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Kei***ix <terr**[email protected]>
Subject: some test here

Message Body:
some more text here: - Removed-


--1563272785-eximdsn-224566932--
I need to know how I can find out whether these emails are being sent from my server by, say, a script/hacker/virus or malware, or whether they are being sent to me from outside. I don't know. I need to find the PHP mail sent log file, but I can't see one.

Thanks
 

Ovidiu Sopa (Member, Sibiu, Romania, cPanel Access Level: Root Administrator)
If you have that file in your hosting account, at that path, then for sure that file is used to send emails. I'm an old school web developer, never been a fan of WordPress, but on my server the only websites that got malicious scripts, the only websites that were hacked, are either Joomla or WordPress not updated to the latest version by their owner.

> X-PHP-Script: www.example.com/index.php for 134.90.xxx.xxx
> X-PHP-Filename: /home/mysite/public_html/example.com/index.php REMOTE_ADDR: 134.90.xxx.xxx
 

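The X-PHP-Script and X-PHP-Filename headers Ovidiu Sopa points at are the quickest way to attribute a bounce like rafhelp's to a script. The following Python is an added example, not code from the thread or from cPanel: it parses one DSN from the Maildir, pulls the originating script, file, client address and the remote server's rejection reason out of the embedded original message, and tallies many such files by script. The sample bounce is constructed for the example; a real run would feed it each file under mail/new.

```python
import email
from email import policy
from collections import Counter
# Constructed sample in the shape of the bounce rafhelp found under mail/new: a
# DSN whose last part is the rejected message, still carrying the X-PHP-Script
# and X-PHP-Filename headers that were added when PHP's mail() ran on the host.
SAMPLE_DSN = """\
Subject: Mail delivery failed: returning message to sender
Content-Type: multipart/report; report-type=delivery-status; boundary=dsn1

--dsn1
Content-type: message/delivery-status

Final-Recipient: rfc822;victim@example.net
Diagnostic-Code: smtp; 552 5.2.0 Message rejected for spam or virus content

--dsn1
Content-type: message/rfc822

From: WordPress <wordpress@example.com>
X-PHP-Script: www.example.com/index.php for 203.0.113.9
X-PHP-Filename: /home/mysite/public_html/example.com/index.php REMOTE_ADDR: 203.0.113.9

--dsn1--
"""

def analyze_dsn(raw):
    """Script, file, client address and rejection reason from one bounce; None if not a DSN."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return None
    info = dict.fromkeys(("script", "filename", "remote_addr", "diagnostic"))
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():  # one header block per recipient
                if block.get("Diagnostic-Code"):
                    info["diagnostic"] = str(block["Diagnostic-Code"]).strip()
        elif part.get_content_type() == "message/rfc822":
            orig = part.get_payload(0)  # the message that was rejected
            info["script"] = str(orig.get("X-PHP-Script", "")).split(" for ")[0].strip() or None
            path, _, addr = str(orig.get("X-PHP-Filename", "")).partition("REMOTE_ADDR:")
            info["filename"], info["remote_addr"] = path.strip() or None, addr.strip() or None
    return info

def tally_scripts(raw_messages):
    """Count bounces per (script file, client address) over a Maildir's worth of files."""
    infos = [i for i in map(analyze_dsn, raw_messages) if i and i["filename"]]
    return Counter((i["filename"], i["remote_addr"]) for i in infos)
```

A tally dominated by one file and a handful of client addresses identifies the form or script being driven from outside, which is what to inspect and rate-limit or remove.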
rafhelp (Registered, United Kingdom, cPanel Access Level: Root Administrator)
> If you have that file in your hosting account, at that path, then for sure that file is used to send emails. I'm an old school web developer, never been a fan of WordPress, but on my server the only websites that got malicious scripts, the only websites that were hacked, are either Joomla or WordPress not updated to the latest version by their owner.
>
> X-PHP-Script: www.example.com/index.php for 134.90.xxx.xxx
> X-PHP-Filename: /home/mysite/public_html/example.com/index.php REMOTE_ADDR: 134.90.xxx.xxx

But on mine the file is index.php and it has no additional code in it, just the original WP code.

Are you saying this file has a virus on it or something?

Code:
X-PHP-Script: www.example.com/index.php for 77.243.xxx.xx
X-PHP-Filename: /home/maindomain/public_html/example.com/index.php REMOTE_ADDR: 77.243.xxx.xx
 