
SOLVED My server is sending spam

Discussion in 'E-mail Discussion' started by psytanium, Apr 30, 2019.

  1. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    158
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    Hi,

    My VPS server sends spam, which causes emails to get stuck in the Mail Queue, and recently I exceeded the SMTP Relays set to 5000 by GoDaddy, and they refused to temporarily increase it.

    Anyway, how can I find the source of the spam? It seems to be from my server (server.my-server.com).
    From Mail Queue Manager, the message info:

    Code:
    Date: Mon, 29 Apr 2019 14:17:15 +0300
    From: Mail Delivery System <Mailer-Daemon@server.my-server.com>
    To: nbocoze@example.com
    Subject: Mail delivery failed: returning message to sender
    Auto-Submitted: auto-replied
    Content-Type: multipart/report; report-type=delivery-status; boundary=1556536635-eximdsn-1383029932
    Message-Id: <E1hL4Hb-0006Zi-I1@server.my-server.com>
    MIME-Version: 1.0
    Received: from mailnull by server.my-server.com with local (Exim 4.91)
    id 1hL4Hb-0006Zi-I1
    for nbocoze@example.com; Mon, 29 Apr 2019 14:17:15 +0300
    X-Failed-Recipients:purchase@example.net
    

    In this header info, we can find 2 emails: nbocoze@example.com and purchase@example.net; neither belongs to any user on my server.

    How can I stop it?
     
    #1 psytanium, Apr 30, 2019
    Last edited by a moderator: Apr 30, 2019
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,266
    Likes Received:
    86
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    How many accounts do you have on the VPS?

    In WHM, navigate to mail delivery reports, run a report and see if you can identify the user account which is sending these.
     
  3. psytanium

    psytanium Well-Known Member

    I have 65 accounts; the header indicates the message is sent from my server
    Mailer-Daemon@server.my-server.com
     
  4. keat63

    keat63 Well-Known Member

    I don't know the answer, but I'd still suggest taking a look in mail delivery reports, click on the magnifying glass and see if these are linked to a user account on the server.
     
  5. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    951
    Likes Received:
    20
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,335
    Likes Received:
    2,162
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  7. psytanium

    psytanium Well-Known Member

    Alright, may I know some more information please? I have to learn how to spot the spam source and the solution.

    For example, this account on my server, k**a.com.lb, has sent 12000 emails today. From Mail Delivery Report, I can find these details:

    [removed due to use of real domains]

    What should I look for, and what should I do with this information? Is the source of the spam my server, the user's computer, or a stolen password? Or some other possibility?

    Regards,
     
    #7 psytanium, May 2, 2019
    Last edited by a moderator: May 2, 2019
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @psytanium,

    Can you try running the commands on the post below and let us know if that helps you identify the source of the SPAM?

    Locate spam activity

    Thank you.
     
  9. psytanium

    psytanium Well-Known Member

    Hello,

    The most used subjects

    [removed due to use of real SPAM terms]

    The most logged in user

    Code:
    126 __cpanel__service__auth__icontact__
    1542 info@the****removed.com
    12986 ism@k**removed.lb
    
    The most used mailing script

    Code:
    9167 /usr/local/cpanel/whostmgr/docroot
    
    The user ism@k**a.com.lb has sent 12986 emails with the subjects "removed" and "removed".

    But what does it mean if the most used mail script is "/usr/local/cpanel/whostmgr/docroot"? Is the spam sent from my server? Or from the user's computer, or from Jupiter?
     
    #9 psytanium, May 2, 2019
    Last edited by a moderator: May 2, 2019
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @psytanium,

    This means that email account is authenticating with the email account's username and password to send out the SPAM email. You'll want to change the password for that email account and let the cPanel account holder associated with that domain name know about the outgoing SPAM. Then, browse to WHM >> Mail Queue Manager, search for the offending email account or the SPAM term, and remove the queued messages from your server's email queue.

    Thank you.
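
Added example, not part of the original posts and not cPanel's own tooling: a shell triage over constructed Exim main-log lines that separates mail submitted with an email account's login (the `A=` field, with message count and distinct client IPs per login) from mail handed to Exim by a local process (`cwd=` lines), the two cases asked about in this thread. The authenticator names `dovecot_login`/`dovecot_plain`, the addresses and the sample lines are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample lines in Exim main-log layout (not taken from the thread).
sample_log() {
cat <<'EOF'
2019-05-02 10:00:01 1hM0aa-0001Aa-01 <= sales@example.com H=(pc) [203.0.113.7]:50100 P=esmtpsa A=dovecot_login:sales@example.com S=2100 T="constructed subject A" for a@example.net
2019-05-02 10:00:02 1hM0aa-0001Ab-02 <= sales@example.com H=(pc) [203.0.113.7]:50101 P=esmtpsa A=dovecot_login:sales@example.com S=2100 T="constructed subject A" for b@example.net
2019-05-02 10:00:03 1hM0aa-0001Ac-03 <= sales@example.com H=(vm) [198.51.100.9]:40000 P=esmtpsa A=dovecot_plain:sales@example.com S=2100 T="constructed subject A" for c@example.net
2019-05-02 10:01:00 1hM0bb-0001Ad-04 <= info@example.org H=(laptop) [192.0.2.4]:51000 P=esmtpsa A=dovecot_login:info@example.org S=900 T="hello" for d@example.net
2019-05-02 10:02:00 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2019-05-02 10:02:05 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2019-05-02 10:03:00 1hM0cc-0001Ae-05 <= <> R=1hM0aa-0001Aa-01 U=mailnull P=local S=3000 T="Mail delivery failed: returning message to sender" for sales@example.com
EOF
}

# Messages and distinct client IPs per authenticated login (A=<authenticator>:<login>).
# Output columns: messages, distinct IPs, login.
auth_senders() {
  awk '$4 == "<=" {
         ip = ""; user = ""
         for (i = 5; i <= NF; i++) {
           if ($i ~ /^T=/) break        # stop before the free-text subject
           if ($i ~ /^\[[0-9a-fA-F.:]+\]/) { ip = $i; sub(/^\[/, "", ip); sub(/\].*/, "", ip) }
           if ($i ~ /^A=dovecot_(login|plain):/) { user = $i; sub(/^A=[^:]*:/, "", user) }
         }
         if (user != "") {
           msgs[user]++
           if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
         }
       }
       END { for (u in msgs) print msgs[u], ips[u], u }' "$1" | sort -k1,1nr -k3,3
}

# Local (script or command-line) submissions per working directory,
# ignoring Exim's own spool directory. Output columns: count, directory.
script_dirs() {
  awk '$3 ~ /^cwd=/ && $3 !~ /^cwd=\/var\/spool/ { sub(/^cwd=/, "", $3); n[$3]++ }
       END { for (d in n) print n[d], d }' "$1" | sort -k1,1nr -k2,2
}

log=$(mktemp); sample_log > "$log"
echo "msgs ips login"; auth_senders "$log"
echo "count cwd";      script_dirs "$log"
rm -f "$log"
```

On a cPanel server the same functions can be pointed at the Exim main log, typically `/var/log/exim_mainlog`. The bounce line logged for `mailnull` carries no `A=` field, so it is not counted as an authenticated sender.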
     
  11. psytanium

    psytanium Well-Known Member

    What if there is malware on my server sending spam from inside? How can I know the source?

    In 10 days, I found 3 different domains sending spam and I got blocked by GoDaddy relays 3 times, 24h each.
     
  12. psytanium

    psytanium Well-Known Member

    When I run the command
    The output is
    Why are all regular emails sent from the home account, but the 9174 spams are sent from /usr/local/cpanel/whostmgr/docroot? What is it?
     
  13. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @psytanium,

    Can you run the following command instead and let us know the output?

    Code:
    perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    Thank you.
     
  14. psytanium

    psytanium Well-Known Member

    Emails by user:

    Email accounts sending out mail:

    Directories mail is originating from:

    Top 20 Email Titles:

    Thank you
     
  15. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @psytanium,

    The "mailnull" user you see in the report is showing you the number of emails that were returned to the sender.

    This is the account to focus on. I recommend following the advice from my earlier post to this thread:

    If you're concerned that you're missing something, feel free to open a support ticket so we can take a closer look.

    Thank you.
     
    psytanium likes this.
  16. psytanium

    psytanium Well-Known Member

    Thank you for the explanation, the missing point is clear now.

    What is more important is how to make sure I receive a notification email before my server gets blocked by GoDaddy or blacklisted. This discussion is open in another topic in these forums.

    Thanks again :)
     
    cPanelMichael likes this.