Need help to stop outgoing email SPAM!

bhavikr

Member
Apr 19, 2012
10
0
51
cPanel Access Level
Root Administrator
Hello guys

I've been facing this outgoing email problem for the past 3-4 days, and all my efforts to solve it have been to no avail. My hosting company is less than co-operative in helping me out here. Here's the exact problem:

It appears that outgoing spam in the thousands is being sent from the default email address of one of my client's accounts. This appears to be a case of email spoofing, and to prevent it I did the following things:

1) Prevented nobody from sending an email in WHM
2) Installed CLAM AV anti-virus and scanned (no virus found)
3) Went through my suPHP & suExec logs, as well as my server access logs (couldn't find anything)
4) Changed all my passwords
5) Went through the Exim log - couldn't find anything
6) Limited outgoing emails to 150 per day (couldn't get the account-wise limiting to work - an error would crop up on cPanel)
7) Implemented SPF (v=spf1 +a +mx +ip4:#myip -all) & DKIM

None of the above has worked. Spam emails are being sent at the rate of 6000 per hour and there's nothing I can do about it. I would really appreciate any help!

Thanks,
 

Infopro

Well-Known Member
May 20, 2003
17,075
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
Just to add here, in WHM:

WHM > Server Configuration > Tweak Settings, Mail tab, you can set this globally for future newly created accounts.

Initial default/catch-all forwarder destination

Forwarding destination for a new account’s catch-all/default address. (Users may modify this value via the Default Address interface in cPanel.) “Fail” rejects the message and notifies the remote SMTP server. This is usually the best choice if you are getting mail attacks. “Blackhole” accepts and processes the message but then silently discards it. This avoids notifying the remote SMTP server but violates SMTP RFC 5321 and generally should not be used.
 

bhavikr

Member
Apr 19, 2012
10
0
51
cPanel Access Level
Root Administrator
Hey Infopro

Thanks for the quick help! I had actually enabled that option before, when that email account was receiving thousands of mail delivery failure notifications, thus consuming all our bandwidth and disk space. The receiving problem was solved; the sending problem still remains. Some spammer still uses our email addresses (somehow!) to send spam to thousands, and that's something I'm finding hard to detect. Is it through a malicious script he has installed on the server (trying to find that out through the Mail-X headers tweak), or is he just spoofing (which should not happen since SPF is enabled)? What else do you think I can do to solve this?

Thanks again.

Bhavik
 

bhavikr

Member
Apr 19, 2012
10
0
51
cPanel Access Level
Root Administrator
Tried sending this from the default email address through webmail; sending failed with the following error, maybe because nobody is prevented from sending an email in WHM.

Code:
Message not sent. Server replied:
Requested action not taken: mailbox unavailable
550 Verification failed for <###@###.com>
No such person at this address
Sender verify failed
Sent it through SMTP, here's the response I got on the default address:


Code:
This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com.  The service allows email senders to perform
a simple check of various sender authentication mechanisms.  It is provided
free of charge, in the hope that it is useful to the email community.  While
it is not officially supported, we welcome any feedback you may have at
<[email protected]>.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          neutral
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    neutral
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  ######.privatedns.com
Source IP:      64.1#.###.###
mail-from:      ea####@######.privatedns.com

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         neutral (SPF-Result: None)
ID(s) verified: smtp.mailfrom=ea####@######.privatedns.com
DNS record(s):
    ######.privatedns.com. SPF (no records)
    ######.privatedns.com. TXT (no records)

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=ea####@######.privatedns.com
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: 

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         neutral (SPF-Result: None)
ID(s) verified: header.From=ea####@######.privatedns.com
DNS record(s):
    ######.privatedns.com. SPF (no records)
    ######.privatedns.com. TXT (no records)

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.3.1 (2010-03-16)

Result:         ham  (3.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                            [64.1#.###.### listed in bb.barracudacentral.org]
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5463]
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts

==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================

SPF and Sender-ID Results
=========================

"none"
      No policy records were published at the sender's DNS domain.

"neutral"
      The sender's ADMD has asserted that it cannot or does not
      want to assert whether or not the sending IP address is authorized
      to send mail using the sender's DNS domain.

"pass"
      The client is authorized by the sender's ADMD to inject or
      relay mail on behalf of the sender's DNS domain.

"policy"
     The client is authorized to inject or relay mail on behalf
      of the sender's DNS domain according to the authentication
      method's algorithm, but local policy dictates that the result is
      unacceptable.

"fail"
      This client is explicitly not authorized to inject or
      relay mail using the sender's DNS domain.

"softfail"
      The sender's ADMD believes the client was not authorized
      to inject or relay mail using the sender's DNS domain, but is
      unwilling to make a strong assertion to that effect.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability to
      retrieve a policy record from DNS.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being absent or
      a syntax error in a retrieved DNS TXT record.  A later attempt is
      unlikely to produce a final result.


DKIM and DomainKeys Results
===========================

"none"
      The message was not signed.

"pass"
      The message was signed, the signature or signatures were
      acceptable to the verifier, and the signature(s) passed
      verification tests.

"fail"
      The message was signed and the signature or signatures were
      acceptable to the verifier, but they failed the verification
      test(s).

"policy"
      The message was signed but the signature or signatures were
      not acceptable to the verifier.

"neutral"
      The message was signed but the signature or signatures
      contained syntax errors or were not otherwise able to be
      processed.  This result SHOULD also be used for other
      failures not covered elsewhere in this list.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability
      to retrieve a public key.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being
      absent. A later attempt is unlikely to produce a final result.


==========================================================
Original Email
==========================================================

Return-Path: <ea####@######.privatedns.com>
Received: from ######.privatedns.com (64.1#.###.###) by verifier.port25.com
id hi19ee11u9cg for <[email protected]>; Thu, 19 Apr 2012 14:00:48
-0400 (envelope-from <ea####@######.privatedns.com>)
Authentication-Results: verifier.port25.com; spf=neutral (SPF-Result: None)
smtp.mailfrom=ea####@######.privatedns.com
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed)
header.From=ea####@######.privatedns.com
Authentication-Results: verifier.port25.com; dkim=neutral (message not signed)
Authentication-Results: verifier.port25.com; sender-id=neutral (SPF-Result: None)
header.From=ea####@######.privatedns.com
Received: from ea#### by ######.privatedns.com with local (Exim 4.77)
        (envelope-from <ea####@######.privatedns.com>)
        id 1SKves-0000ix-78; Thu, 19 Apr 2012 23:30:42 +0530
To: [email protected]
Subject: Test Subject 4
X-PHP-Originating-Script: 519:testm.php
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
To: TEST <[email protected]>
Message-Id: <[email protected]######.privatedns.com>
From: ea####@######.privatedns.com
Date: Thu, 19 Apr 2012 23:30:42 +0530
X-AntiAbuse: This header was added to track abuse, please include it with any abuse
report
X-AntiAbuse: Primary Hostname - ######.privatedns.com
X-AntiAbuse: Original Domain - verifier.port25.com
X-AntiAbuse: Originator/Caller UID/GID - [519 521] / [47 12]
X-AntiAbuse: Sender Address Domain - ######.privatedns.com


<html>
<head>
 <title>Test Message 4</title>
</head>
<body>
<p><b>This is the test message 4!</b></p>
</body>
</html>
 

bhavikr

Member
Apr 19, 2012
10
0
51
cPanel Access Level
Root Administrator
There's another thing I also noticed. I just enabled the PHP.INI mail header function. On testing with a plain SMTP function, I do get the script name in the headers. I then waited for the spam to start again (it happens every hour), and there's no "X-PHP-Originating-Script:" tag in the headers. So I think that there's no script running on the server that's sending the emails, as previously suspected. Here's the header of the spam emails. Infopro, it would be great if you could help me out here.

Code:
1SKw6I-0001os-FZ-H
eakbar 519 521
<ea###@####.privatedns.com>
1334860142 0
-ident ea###
-received_protocol local
-body_linecount 3
-max_received_linelength 30
-auth_id ea###
-auth_sender ea####@###########.privatedns.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]

218P Received: from ea### by ######.privatedns.com with local (Exim 4.77)
	(envelope-from <ea##@####.privatedns.com>)
	id 1SKw6I-0001os-FZ
	for [email protected]; Thu, 19 Apr 2012 23:59:02 +0530
021F From: [email protected]
031T To: [email protected]
030  Subject: Test mail 1578253403
061I Message-Id: <[email protected]####.privatedns.com>
038  Date: Thu, 19 Apr 2012 23:59:02 +0530
thanks man!
 

mtindor

Well-Known Member
Sep 14, 2004
1,463
114
193
inside a catfish
cPanel Access Level
Root Administrator
There might not be a PHP script on the server, but there might be a CGI (.cgi / .pl for example) in a cgi-bin, or somewhere else. I've also heard tales recently [via these forums] that if you allow SSH and you have TCP forwarding allowed in your SSH config, then somebody can connect via SSH and forward spam out that way.

The next time the spam run starts, see if anybody is logged in via SSH besides you. If so, boot them off and see if the spam stops.

It looks to me like somebody just might be SMTP-authenticating as a valid user on your server and then sending mail out. All it takes is for one user's POP3 credentials to be guessed / stolen, and then anyone can connect to your server, authenticate as that user, and relay mail. Actually, no, it doesn't look like anyone is SMTP authenticating to send that.

grep '1SKw6I-0001os-FZ' /var/log/exim_mainlog and see what all Exim is showing. You might not want to post it here unless you obfuscate everything.

I'd ask you to PM me the results and I'd try to help you out, but you don't know me and thus you cannot trust me :)

Mike
 
Last edited:

theitjerk

Member
Apr 19, 2012
14
0
51
Los Angeles
cPanel Access Level
Reseller Owner
Check to see if your root host is on Spamhaus's PBL list. If it is, your SMTP is more or less open to exploitation, something that can be done relatively silently. As far as where the logs of such actions would be? Because of the volume, if there is an attacker, they may be just flooding your logs with extra traffic to make them harder to analyze.

Just a theory, don't put too much weight behind it.
 

bhavikr

Member
Apr 19, 2012
10
0
51
cPanel Access Level
Root Administrator
Mike :)

I'm pasting the result here anyways, after censoring some of the important information.

Code:
2012-04-19 23:59:02 1SKw6I-0001os-FZ <= ea###[email protected]#####l.privatedns.com U=ea### P=local S=442 T="Test mail 1578253403" for [email protected]
2012-04-19 23:59:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1SKw6I-0001os-FZ
2012-04-19 23:59:02 1SKw6I-0001os-FZ SMTP connection outbound 1334860142 1SKw6I-0001os-FZ emperorakbar.com [email protected]
2012-04-19 23:59:02 1SKw6I-0001os-FZ SMTP error from remote mail server after RCPT TO:<[email protected]>: host gmail-smtp-in.l.google.com [173.194.76.27]: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that\n450-4.2.1 prevents additional messages from being delivered. Please resend your\n450-4.2.1 message at a later time. If the user is able to receive mail at that\n450-4.2.1 time, your message will be delivered. For more information, please\n450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 1si3157130qaf.56
2012-04-19 23:59:03 1SKw6I-0001os-FZ SMTP error from remote mail server after RCPT TO:<[email protected]>: host alt1.gmail-smtp-in.l.google.com [173.194.67.27]: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that\n450-4.2.1 prevents additional messages from being delivered. Please resend your\n450-4.2.1 message at a later time. If the user is able to receive mail at that\n450-4.2.1 time, your message will be delivered. For more information, please\n450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 gf10si3787221wib.19
2012-04-19 23:59:04 1SKw6I-0001os-FZ SMTP error from remote mail server after RCPT TO:<[email protected]>: host alt2.gmail-smtp-in.l.google.com [173.194.65.27]: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that\n450-4.2.1 prevents additional messages from being delivered. Please resend your\n450-4.2.1 message at a later time. If the user is able to receive mail at that\n450-4.2.1 time, your message will be delivered. For more information, please\n450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 d51si913578eea.159
2012-04-19 23:59:05 1SKw6I-0001os-FZ SMTP error from remote mail server after RCPT TO:<[email protected]>: host alt3.gmail-smtp-in.l.google.com [173.194.70.26]: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that\n450-4.2.1 prevents additional messages from being delivered. Please resend your\n450-4.2.1 message at a later time. If the user is able to receive mail at that\n450-4.2.1 time, your message will be delivered. For more information, please\n450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 y43si3353910weq.132
2012-04-19 23:59:06 1SKw6I-0001os-FZ == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host alt4.gmail-smtp-in.l.google.com [173.194.69.26]: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that\n450-4.2.1 prevents additional messages from being delivered. Please resend your\n450-4.2.1 message at a later time. If the user is able to receive mail at that\n450-4.2.1 time, your message will be delivered. For more information, please\n450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 tj4si1216257bkb.89
2012-04-20 00:08:03 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvh 1SKw6I-0001os-FZ
2012-04-20 00:08:03 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvb 1SKw6I-0001os-FZ
2012-04-20 00:11:13 1SKw6I-0001os-FZ ** [email protected] R=enforce_mail_permissions: Domain emperorakbar.com has exceeded the max emails per hour (55/50 (110%)) allowed.  Message discarded.
2012-04-20 00:11:13 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1SKw6I-0001os-FZ
2012-04-20 00:11:13 1SKwI5-0004i0-Gn <= <> R=1SKw6I-0001os-FZ U=mailnull P=local S=1437 T="Mail delivery failed: returning message to sender" for ea###[email protected]#####l.privatedns.com
2012-04-20 00:11:13 1SKw6I-0001os-FZ Completed

There might not be a PHP script on the server, but there might be a CGI (.cgi / .pl for example) in a cgi-bin, or somewhere else. I've also heard tales recently [via these forums] that if you allow SSH and you have TCP forwarding allowed in your SSH config, then somebody can connect via SSH and forward spam out that way.

The next time the spam run starts, see if anybody is logged in via SSH besides you. If so, boot them off and see if the spam stops.

It looks to me like somebody just might be SMTP-authenticating as a valid user on your server and then sending mail out. All it takes is for one user's POP3 credentials to be guessed / stolen, and then anyone can connect to your server, authenticate as that user, and relay mail. Actually, no, it doesn't look like anyone is SMTP authenticating to send that.

grep '1SKw6I-0001os-FZ' /var/log/exim_mainlog and see what all Exim is showing. You might not want to post it here unless you obfuscate everything.

I'd ask you to PM me the results and I'd try to help you out, but you don't know me and thus you cannot trust me :)

Mike
Thanks again for your help! =)
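A small parser for Exim mainlog arrival lines like the ones quoted above, added here as an example; it is not code from the thread, from cPanel or from Exim, and the log lines, hostnames, users and message ids in it are constructed. It automates what grepping a message id does by hand: it reads the `<=` arrival records, keeps the `U=` local user, `P=` protocol and `A=` authenticator, counts recipients per user and hour (the quantity cPanel's `enforce_mail_permissions` limit is applied to), and lists users injecting with `P=local` at volume, which is the signature of a script run under a compromised account (a Perl or CGI sender adds no `X-PHP-Originating-Script` header) rather than of SMTP-auth abuse. The threshold values are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the Exim mainlog lines quoted in this thread.
# Hostnames, users, addresses and message ids are made up.
SAMPLE_MAINLOG = """\
2012-04-19 23:59:02 1AAAAA-000001-AA <= user1@srv.example U=user1 P=local S=442 T="Test mail 1" for victim1@example.net
2012-04-19 23:59:02 1AAAAA-000002-AB <= user1@srv.example U=user1 P=local S=440 T="Test mail 2" for victim2@example.net
2012-04-19 23:59:03 1AAAAA-000003-AC <= user1@srv.example U=user1 P=local S=441 T="Test mail 3" for victim3@example.net victim4@example.net
2012-04-19 23:59:10 1AAAAA-000004-AD <= alice@shop.example H=(client-pc) [203.0.113.5] P=esmtpa A=dovecot_login:alice@shop.example S=1200 T="Invoice" for client@example.org
2012-04-19 23:59:12 1AAAAA-000005-AE <= nobody@srv.example U=nobody P=local S=900 T="Contact form" for owner@shop.example
2012-04-19 23:59:13 1AAAAA-000001-AA => victim1@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.20]
2012-04-20 00:11:13 1AAAAA-000006-AF ** victim5@example.net R=enforce_mail_permissions: Domain shop.example has exceeded the max emails per hour (55/50 (110%)) allowed.  Message discarded.
"""

ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
FIELD_RE = re.compile(r'(?:^|\s)(?P<k>[A-Z])=(?P<v>\S+)')   # U=, P=, A=, S=, H= ...
LIMIT_RE = re.compile(r'Domain (\S+) has exceeded the max emails per hour \((\d+)/(\d+)')


def parse_arrivals(log_text):
    """Return one record per '<=' (message arrival) line.

    U= is the local Unix user that handed the message to Exim, P= the
    protocol (local = sendmail/pipe injection, esmtpa = SMTP with auth),
    A= the authenticator used, and the recipients follow the last ' for '.
    """
    records = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue                      # deliveries, defers, routers: not arrivals
        rest = m.group('rest')
        fields = dict(FIELD_RE.findall(rest))
        head, sep, tail = rest.rpartition(' for ')
        rcpts = tail.split() if sep else []   # a subject containing ' for ' would need a stricter split
        records.append({
            'time': datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S'),
            'id': m.group('id'),
            'sender': m.group('sender'),
            'user': fields.get('U', '-'),        # absent for remote SMTP arrivals
            'protocol': fields.get('P', '-'),
            'auth': fields.get('A'),
            'recipients': rcpts,
        })
    return records


def messages_per_hour(records):
    """Recipient count per (user, protocol, hour): the unit cPanel's
    max-emails-per-hour limit (enforce_mail_permissions) is applied to."""
    counts = Counter()
    for r in records:
        hour = r['time'].strftime('%Y-%m-%d %H')
        counts[(r['user'], r['protocol'], hour)] += max(1, len(r['recipients']))
    return counts


def local_injectors(records, min_messages=3):
    """Local users injecting with P=local (no SMTP authentication) at volume.
    The threshold is an assumed value; tune it to the server's normal traffic."""
    by_user = Counter()
    for r in records:
        if r['protocol'] == 'local':
            by_user[r['user']] += max(1, len(r['recipients']))
    return sorted(u for u, n in by_user.items() if n >= min_messages)


def rate_limit_hits(log_text):
    """(domain, sent, limit) for every enforce_mail_permissions rejection."""
    return [(d, int(s), int(l)) for d, s, l in LIMIT_RE.findall(log_text)]


if __name__ == '__main__':
    recs = parse_arrivals(SAMPLE_MAINLOG)
    for key, n in sorted(messages_per_hour(recs).items()):
        print(key, n)
    print('local injectors:', local_injectors(recs))
    print('rate-limit hits:', rate_limit_hits(SAMPLE_MAINLOG))
```

Run it against a real `/var/log/exim_mainlog` by reading the file into `parse_arrivals`; the `U=` value of the busiest `P=local` injector is the account to inspect, and `A=` on `P=esmtpa` arrivals is where a stolen mailbox password would show up instead.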
 

bhavikr

Member
Apr 19, 2012
10
0
51
cPanel Access Level
Root Administrator
Check to see if your root host is on Spamhaus's PBL list. If it is, your SMTP is more or less open to exploitation, something that can be done relatively silently. As far as where the logs of such actions would be? Because of the volume, if there is an attacker, they may be just flooding your logs with extra traffic to make them harder to analyze.

Just a theory, don't put too much weight behind it :)
Just checked it; it's not on the PBL list. But almost all mail providers have blocked my IP, so I need to do some damage control fast now.
 

Infopro

Well-Known Member
May 20, 2003
17,075
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
Code:
==========================================================
Summary of Results
==========================================================
SPF check:          neutral
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    neutral
SpamAssassin check: ham
What you want to see is this though:

Code:
==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham
This is the command you might want to run to enable DKIM:
Enable Dkim for my existing account WHM 11.32
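To make the verifier's SPF results concrete, here is a small SPF evaluator, added as an example (it is not the thread's, cPanel's or Port25's code) over a constructed DNS table: `shop.example` publishes a record of the shape the first post used (`+a +mx +ip4:... -all`), and `srv.privatedns.example` stands in for a server hostname that has no TXT record. Evaluating the server's own IP against the client domain gives pass, an outside IP gives fail, and the hostname domain gives none, which is the `SPF-Result: None` the verifier reported above when the test mail used the hostname as its envelope sender. It also shows why SPF alone cannot stop mail injected on the server itself: that mail leaves from the server's own authorized IP and passes. Names, addresses and records are all made up.

```python
import ipaddress

# Constructed DNS data standing in for live lookups; all names and IPs are made up.
DNS = {
    'shop.example': {'TXT': ['v=spf1 +a +mx +ip4:192.0.2.10 -all'],
                     'A': ['192.0.2.10'], 'MX': ['mail.shop.example']},
    'mail.shop.example': {'A': ['192.0.2.11']},
    'srv.privatedns.example': {'A': ['192.0.2.10']},   # hostname with no SPF record
}

QUALIFIER = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def lookup(name, rtype, dns=DNS):
    return dns.get(name, {}).get(rtype, [])


def spf_record(domain, dns=DNS):
    """The domain's single v=spf1 TXT record, or None if it publishes none."""
    recs = [t for t in lookup(domain, 'TXT', dns) if t.lower().startswith('v=spf1')]
    if not recs:
        return None
    if len(recs) > 1:
        raise ValueError('multiple SPF records')   # RFC 7208: permerror
    return recs[0]


def check_spf(ip, domain, dns=DNS, depth=0):
    """Evaluate the sending IP against <domain>'s SPF record.

    Subset of RFC 7208: ip4, a, mx, include and all, with +/-/~/? qualifiers.
    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:
        return 'permerror'            # include: recursion limit
    try:
        record = spf_record(domain, dns)
    except ValueError:
        return 'permerror'
    if record is None:
        return 'none'                 # the result the thread's hostname domain produced
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:   # skip the 'v=spf1' version tag
        qual = term[0] if term[0] in QUALIFIER else '+'
        mech = term.lstrip('+-~?')
        name, _, arg = mech.partition(':')
        name = name.lower()
        if name == 'all':
            matched = True
        elif name == 'ip4':
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == 'a':
            matched = str(addr) in lookup(arg or domain, 'A', dns)
        elif name == 'mx':
            hosts = lookup(arg or domain, 'MX', dns)
            matched = any(str(addr) in lookup(h, 'A', dns) for h in hosts)
        elif name == 'include':
            matched = check_spf(ip, arg, dns, depth + 1) == 'pass'
        else:
            return 'permerror'        # ip6, exists, redirect= etc. are outside this example
        if matched:
            return QUALIFIER[qual]
    return 'neutral'                  # record exhausted without a match


if __name__ == '__main__':
    for ip, dom in [('192.0.2.10', 'shop.example'), ('192.0.2.11', 'shop.example'),
                    ('198.51.100.7', 'shop.example'), ('192.0.2.10', 'srv.privatedns.example')]:
        print(ip, dom, '->', check_spf(ip, dom))
```

The practical reading: a receiver checking the client domain will reject an outside host that spoofs it, but the record cannot distinguish legitimate mail from spam that a compromised account injects on the server, so SPF and DKIM protect the domain's reputation rather than stop the abuse at its source.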
 

bhavikr

Member
Apr 19, 2012
10
0
51
cPanel Access Level
Root Administrator
Hey Infopro

Thanks for the help, but it appears it wasn't a spoof after all. The spammer had gained access to SSH somehow and was able to install a malicious Perl script that sent all the emails. The tricky part was that they deleted the script immediately after executing it, thus making it difficult for us to detect. They had a process running all the time that re-executed and deleted it every hour, making life hell for us.

Many thanks to Mike (mtindor) for all his help in this. It would have been practically impossible to solve without his help. It's great to see such good Samaritans on this forum.

For people looking at this thread who have tried almost everything to solve this problem, run this command:

grep ssh /var/log/secure|grep Accepted

If you see someone besides yourself in that list, there's the problem.
 

ruzbehraja

Well-Known Member
May 19, 2011
392
11
68
cPanel Access Level
Root Administrator
There's another thing I also noticed. I just enabled the PHP.INI mail header function. On testing with a plain SMTP function, I do get the script name in the headers. I then waited for the spam to start again (it happens every hour), and there's no "X-PHP-Originating-Script:" tag in the headers. So I think that there's no script running on the server that's sending the emails, as previously suspected. Here's the header of the spam emails. Infopro, it would be great if you could help me out here.

Code:
1SKw6I-0001os-FZ-H
eakbar 519 521
<ea###@####.privatedns.com>
1334860142 0
-ident ea###
-received_protocol local
-body_linecount 3
-max_received_linelength 30
-auth_id ea###
-auth_sender ea####@###########.privatedns.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]

218P Received: from ea### by ######.privatedns.com with local (Exim 4.77)
	(envelope-from <ea##@####.privatedns.com>)
	id 1SKw6I-0001os-FZ
	for [email protected]; Thu, 19 Apr 2012 23:59:02 +0530
021F From: [email protected]
031T To: [email protected]
030  Subject: Test mail 1578253403
061I Message-Id: <[email protected]####.privatedns.com>
038  Date: Thu, 19 Apr 2012 23:59:02 +0530
thanks man!
hope your problem is solved.

This line made it very clear as to which user account had been compromised:

-auth_id ea###
-auth_sender ea####@###########.privatedns.com
You may also want to clear out your mail queue for any leftover mails.

Also, if as you are saying that they have "a process running every hour" I think you should identify that process and get to the root of the problem.

You can also check the last few logins by:

last -n 20
If you have a firewall you may want to block out that IP.

CSF also alerts you when a user logs into SSH. This could have been crucial in your case.
 
Last edited:
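The `grep ssh /var/log/secure|grep Accepted` and `last -n 20` checks from the two posts above, as a script: this is an added example, not code from the thread, from cPanel or from CSF, and the log excerpt, hostnames, IP addresses and the admin allow-list in it are constructed. It lists accepted SSH logins and flags the ones a bare grep leaves for you to notice by eye: a source address outside the trusted allow-list, a password success that follows repeated failures from the same address (the guessed-credentials case Mike described), or a direct root password login. The failure threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed /var/log/secure excerpt (CentOS-style sshd lines); host and IPs are made up.
SAMPLE_SECURE = """\
Apr 19 22:10:01 srv sshd[4011]: Accepted publickey for admin from 203.0.113.10 port 50122 ssh2
Apr 19 23:41:17 srv sshd[4120]: Failed password for root from 198.51.100.7 port 51001 ssh2
Apr 19 23:41:19 srv sshd[4120]: Failed password for root from 198.51.100.7 port 51001 ssh2
Apr 19 23:41:22 srv sshd[4120]: Failed password for root from 198.51.100.7 port 51001 ssh2
Apr 19 23:41:25 srv sshd[4121]: Accepted password for root from 198.51.100.7 port 51002 ssh2
Apr 19 23:41:26 srv sshd[4121]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 20 00:02:40 srv sshd[4300]: Failed password for invalid user oracle from 192.0.2.77 port 40000 ssh2
"""

ACCEPTED_RE = re.compile(
    r'sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)')
FAILED_RE = re.compile(
    r'sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port')


def accepted_logins(text):
    """Every successful sshd authentication: who, how, from where."""
    out = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            out.append({'when': line[:15], **m.groupdict()})   # syslog timestamp is the first 15 chars
    return out


def failed_attempts(text):
    """Failed authentications per source IP (brute-force indicator)."""
    return Counter(m.group('ip') for m in (FAILED_RE.search(l) for l in text.splitlines()) if m)


def review_logins(text, trusted_ips, max_failures=2):
    """Accepted logins worth a second look, each with the reasons.

    Lines are walked in order, so the failure count compared against a
    success is the count seen from that IP *before* the success.
    """
    fails = Counter()
    findings = []
    for line in text.splitlines():
        f = FAILED_RE.search(line)
        if f:
            fails[f.group('ip')] += 1
            continue
        a = ACCEPTED_RE.search(line)
        if not a:
            continue
        user, ip, method = a.group('user'), a.group('ip'), a.group('method')
        reasons = []
        if ip not in trusted_ips:
            reasons.append('source IP not in admin allow-list')
        if method == 'password' and fails[ip] > max_failures:
            reasons.append('password success after %d failures from this IP' % fails[ip])
        if user == 'root' and method == 'password':
            reasons.append('direct root password login')
        if reasons:
            findings.append({'when': line[:15], 'user': user, 'ip': ip, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    TRUSTED = {'203.0.113.10'}          # assumed admin addresses
    for login in accepted_logins(SAMPLE_SECURE):
        print('%(when)s %(user)s via %(method)s from %(ip)s' % login)
    for hit in review_logins(SAMPLE_SECURE, TRUSTED):
        print('REVIEW', hit['when'], hit['user'], hit['ip'], '; '.join(hit['reasons']))
```

Feed it the real `/var/log/secure` (and rotated copies) with your own addresses in `TRUSTED`; every flagged entry is a session to terminate, a key or password to rotate, and an address to block at the firewall, which is the same chain of actions the thread ended on.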

bhavikr

Member
Apr 19, 2012
10
0
51
cPanel Access Level
Root Administrator
Yes, the problem is now solved. We have installed CSF now and hope this doesn't happen again. It was clear which account was compromised, but we couldn't find out how. I had put a limit on their emails and that did work up to some extent, but it also prevented legitimate communication. It turns out that ultimately they had actually installed the script on the root account.

We've killed the process and now that all passwords have been changed, it should be good now.

 
Apr 30, 2012
7
0
51
cPanel Access Level
Root Administrator
Hi Mike

I think I have the same problem.

What do you do in php.ini?

I noticed that someone logged in on my server. How did you find the script?

At this moment nobody logs in to my server except me, but I still have the problem.