My server is sending spam

[psytanium]

Hi,

My VPS server send spams what causes emails to stuck in Mail Queued, and recently I exceeded the SMTP Relays set to 5000 by godaddy, and they refused to temporary increase it.

Anyway, how can I find the source of spam, it seems from my server (server.my-server.com).
From Mail Queue Manager the message info:

Date: Mon, 29 Apr 2019 14:17:15 +0300
From: Mail Delivery System <[email protected]>
To: [email protected]
Subject: Mail delivery failed: returning message to sender
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary=1556536635-eximdsn-1383029932
Message-Id: <[email protected]>
MIME-Version: 1.0
Received: from mailnull by server.my-server.com with local (Exim 4.91)
id 1hL4Hb-0006Zi-I1
for [email protected]; Mon, 29 Apr 2019 14:17:15 +0300
X-Failed-Recipients:[email protected]

In this header info, we can found 2 emails: [email protected] and [email protected], both do not belong to any user on my server.

How can I stop it ?

 

[keat63]

How many accounts do you have on the VPS ?

In WHM, navigate to mail delivery reports, run a report and see if you can identify the user account which is sending these.

 

[psytanium]

How many accounts do you have on the VPS ?

In WHM, navigate to mail delivery reports, run a report and see if you can identify the user account which is sending these.

I have 65 accounts, the header indicate the message is sent from my server
[email protected]-server.com

 

[keat63]

I don't know the answer, but i'd still suggest taking a look in mail delivery reports, click on the magnifying glass and see if these are linked to a user account on the server.

 

[kernow]

Checkout this website and scroll down to the "Outbound spam from compromised scripts"
ConfigServer Services - Searching for Spammers

 

[cPanelMichael]

Hello @psytanium,

The following document is a good place to start in terms of preventing users from sending out SPAM and enabling the options to better detect when it happens:

How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

Additionally, the following thread offer some useful tips for investigating the source of SPAM messages:

Need to catch the Spamming Source

Let me know if this helps.

Thank you.

 

[psytanium]

Alright, may I know some more information please ? I have to learn how to spot the spam source and the solution.

For e.g. this account is on my server k**a.com.lb, have sent 12000 email today, from Mail Delivery Report, I can find those details:

[removed due to use of real domains]

What should I look for and what to do with those information ? is the source of spam my server or user computer or stolen password ? or some other possibilities ?

Regards,

 

[psytanium]

Hello,

The most used subjects

[removed due to use of real SPAM terms]

The most logged in user

126 __cpanel__service__auth__icontact__
1542 [email protected]****removed.com
12986 [email protected]**removed.lb

The most used mailing script

9167 /usr/local/cpanel/whostmgr/docroot

The user [email protected]**a.com.lb have sent 12986 email with the subject "removed" and "removed"

But what does it mean if the most used mail script is "/usr/local/cpanel/whostmgr/docroot" ? the spam is sent from my server ? or from the user computer or from Jupiter ?

 

[cPanelMichael]

The user [email protected]**a.com.lb have sent 12986 email with the subject "removed" and "removed"

Hello @psytanium,

This means that email account is authentication with the email account's username and password to send out the SPAM email. You'll want to change the password for that email account and let the cPanel account holder associated with that domain name know about the outgoing SPAM. Then, browse to WHM >> Mail Queue Manager , search for the offending email account or the SPAM term, and remove the queued messages from your server's email queue.

Thank you.

 

[psytanium]

What if there is a malware on my server sending spams from inside. How can I know the source ?

In 10 days, I found 3 different domains sending spams and I got blocked by Godaddy relays 3 times, 24h each.

 

[psytanium]

When I run the command

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

The out put is

....
24 /home/user/public_html
29 /home/user1/public_html
35 /home/user2/public_html/automatic
35 /home/user3/public_html/insight
53 /home/user4/public_html
9174 /usr/local/cpanel/whostmgr/docroot

Why all regular emails are sent from the home account, but the 9174 spams are sent from /usr/local/cpanel/whostmgr/docroot , what is it ?

 

[cPanelMichael]

Hello @psytanium,

Can you run the following command instead and let us know the output?

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

Thank you.

 

[psytanium]

Emails by user:

6761 : mailnull
106 : user1
56 : user2

Email accounts sending out mail:

12986 : [email protected]**a.com.lb
1542 : [email protected]*******hotel.com
128 : __cpanel__service__auth__icontact__g9f89smfbc2ue90x
56 : [email protected]*******er.me

Directories mail is originating from:

56 : /home/user/public_html
35 : /home/user1/public_html/insight
35 : /home/user1/public_html/automatic

Top 20 Email Titles:

9889 : Industrial Control & Supply Inc.
6761 : Mail delivery failed: returning message to sender
3080 : Azzam Purchase Order #107608 --107609
1502 : Response

Thank you

 

[cPanelMichael]

Hello @psytanium,

6761 : mailnull

6761 : Mail delivery failed: returning message to sender

The "mailnull" user you see in the report is showing you the number of emails that were returned to the sender.

12986 : [email protected]**a.com.lb

This it the account to focus on. I recommend following the advice from my earlier post to this thread:

You'll want to change the password for that email account and let the cPanel account holder associated with that domain name know about the outgoing SPAM. Then, browse to WHM >> Mail Queue Manager , search for the offending email account or the SPAM term, and remove the queued messages from your server's email queue.

If you're concerned that you're missing something, feel free to open a support ticket so we can take a closer look.

Thank you.

 

[psytanium]

Thank you for the explanation, the missing point is clear now.

What is more important is how to make sure I receive a notification email before my server get blocked by Godaddy or blacklisted. This discussion is opened in another topic in this forums.

Thanks again

 

[rafhelp]

I have a shared hosting with GoDaddy.

It hosts numerous WP installations/websites.

Yesterday on the cpanel i noticed file usage had maxed out, gone past limit of 250K

I contacted GoDaddy who tried to sell me upgrades to the hosting. I declined then started deleting loads of files and old plugins. Got it down to 50% usage.

Today i noticed the file usage had gone up again. So I checked ftp folders and in a folder located here:
"home/mysite/mail/new/"

There are like 1500 new files with names similar to this:
15.4P421231.example.prod.ams1.secureserver.net,S=4411,W=4490

This is the content of one of those files:

Return-Path: <>
Delivered-To: [email protected]
Received: from example.prod.ams1.secureserver.net
   by examle.prod.ams1.secureserver.net with LMTP
   id YHdzMlGmLV1vbQYAqVQW0Q
   (envelope-from <>)
   for <[email protected]>; Tue, 16 Jul 2019 03:26:25 -0700
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Tue, 16 Jul 2019 03:26:25 -0700
Received: from mailnull by example.prod.ams1.secureserver.net with local (Exim 4.92)
   id 1hnKfB-001mvT-Oo
   for [email protected]; Tue, 16 Jul 2019 03:26:25 -0700
X-Failed-Recipients: [email protected]
Auto-Submitted: auto-replied
From: Mail Delivery System <[email protected]>
To: [email protected]
Content-Type: multipart/report; report-type=delivery-status; boundary=1563272785-eximdsn-224566932
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: <[email protected]>
Date: Tue, 16 Jul 2019 03:26:25 -0700

--1563272785-eximdsn-224566932
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    host n1nlshrout-v02.shr.prod.ams1.secureserver.net [188.121.43.247]
    SMTP error from remote mail server after end of data:
    552 5.2.0 nKfBhoqrWtepr :: CPANEL :: Message rejected for spam or virus content ::
    Please include this entire message when contacting support ::
    v=2.3 cv=MOUeZ/Rl c=1 sm=1 tr=0 p=KJD1t2hDAAAA:8 a=r9Bl8V4KkuNHnxc9opHAaQ==:117 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=8leYwG_D0f8A:10 a=IkcTkHD0fZMA:10 a=x7bEGLp0ZPQA:10 a=HKoSam3bM6MA:10 a=bktHx2K8ArkA:10 a=0o9FgrsRnhwA:10 a=rspIfaWkwMkA:10 a=CjxXgO3LAAAA:8 a=OGcbRibh8eA8wha6igoA:9 a=QEXdDO2ut3YA:10 a=QvZW9KSDK1oA:10 a=wPMxKhUWycEA:10 a=pTznbiGrbv8A:10 a=ob5DfPJ9V6cA:10 a=4cSDUiFOmQsdoIEnurUK:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=jd6J4Gguk5HxikPWLKER:22 ::
    100.00

--1563272785-eximdsn-224566932
Content-type: message/delivery-status

Reporting-MTA: dns; example.prod.ams1.secureserver.net

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; n1nlshrout-example.prod.ams1.secureserver.net
Diagnostic-Code: smtp; 552 5.2.0 nKfBhoqrWtepr :: CPANEL :: Message rejected for spam or virus content :: Please include this entire message when contacting support :: v=2.3 cv=MOUeZ/Rl c=1 sm=1 tr=0 p=KJD1t2hDAAAA:8 a=r9Bl8V4KkuNHnxc9opHAaQ==:117 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=8leYwG_D0f8A:10 a=IkcTkHD0fZMA:10 a=x7bEGLp0ZPQA:10 a=HKoSam3bM6MA:10 a=bktHx2K8ArkA:10 a=0o9FgrsRnhwA:10 a=rspIfaWkwMkA:10 a=CjxXgO3LAAAA:8 a=OGcbRibh8eA8wha6igoA:9 a=QEXdDO2ut3YA:10 a=QvZW9KSDK1oA:10 a=wPMxKhUWycEA:10 a=pTznbiGrbv8A:10 a=ob5DfPJ9V6cA:10 a=4cSDUiFOmQsdoIEnurUK:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=jd6J4Gguk5HxikPWLKER:22 :: 100.00

--1563272785-eximdsn-224566932
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from mysite by example.prod.ams1.secureserver.net with local (Exim 4.92)
   (envelope-from <[email protected]>)
   id 1hnKfB-001muY-GU
   for [email protected]; Tue, 16 Jul 2019 03:26:25 -0700
To: [email protected]
Subject: =?UTF-8?Q?Sample_Site_1_"some test here_=D0=93?=  =?UTF-8?Q?=C2=some test here"?=
X-PHP-Script: [URL='http://www.example.com/index.php' for 134.90.xxx.xxx
X-PHP-Filename: /home/mysite/public_html/example.com/index.php REMOTE_ADDR: 134.90.xxx.xxx
Date: Tue, 16 Jul 2019 10:26:25 +0000
From: WordPress <[email protected]>
Reply-To: [email protected]
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.22 ([URL='https://github.com/PHPMailer/PHPMailer']PHPMailer/PHPMailer[/URL])
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Kei***ix <terr**[email protected]>
Subject: some test here

Message Body:
some more text here: - Removed-


--1563272785-eximdsn-224566932--

I Need To Know How Do I Find Out If These Emails Are Being Sent From My Server By Say A Script/hacker/virus Or Malware? Or Are They Being Sent To Me From Outside I Dont Know, I Need To Find The Php Mail Sent Log File But I Cant See One.

Thanks

 

[Ovidiu Sopa]

If you have that file in your hosting account, at that path, than for sure that file is used to send emails, I'm an old school web developer, never been a fan of wordpress, but on my server, the only websites that got malicious scripts, the only websites that are hacked are either joomla, or wordpress, not updated to the latest version by their owner.

X-PHP-Script: [URL='http://www.example.com/index.php' for 134.90.xxx.xxx
X-PHP-Filename: /home/mysite/public_html/example.com/index.php REMOTE_ADDR: 134.90.xxx.xxx

 

[cPanelMichael]

Hello @rafhelp,

I moved your thread into this one so you can see the advice offered in the past to someone facing a similar issue.

Thank you.

 

[edwardjuntak]

already set the conf per Something is sending spam emails from random generated emails @mydomain


but still my company domain do get received from customer using from to ( forwarder list email account [email protected] ) whom cant be directly accessed by / using like pop account , but still theyre using it

how come theyre still able using it

 

[rafhelp]

If you have that file in your hosting account, at that path, than for sure that file is used to send emails, I'm an old school web developer, never been a fan of wordpress, but on my server, the only websites that got malicious scripts, the only websites that are hacked are either joomla, or wordpress, not updated to the latest version by their owner.

X-PHP-Script: [URL='http://www.example.com/index.php' for 134.90.xxx.xxx
X-PHP-Filename: /home/mysite/public_html/example.com/index.php REMOTE_ADDR: 134.90.xxx.xxx

but on mine the file is index.php and it has no additional code in it just the original wp code.

are you saying this file has a virus on it or something?

X-PHP-Script: www.example.com/index.php for 77.243.xxx.xx
X-PHP-Filename: /home/maindomain/public_html/example.com/index.php REMOTE_ADDR: 77.243.xxx.xx