The Community Forums


Need help to stop outgoing email SPAM!

Discussion in 'E-mail Discussions' started by bhavikr, Apr 19, 2012.

  1. bhavikr

    bhavikr Member

    Joined:
    Apr 19, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello guys

    I've been facing this outgoing email problem for the past 3-4 days, and all my efforts to solve it have been to no avail. My hosting company is less than co-operative in helping me out here. Here's the exact problem:

    It appears that outgoing spam in the thousands is being sent from the default email address of one of my client's accounts. This appears to be a case of email spoofing, and to prevent it I did the following things:

    1) Prevented "nobody" from sending email in WHM
    2) Installed ClamAV anti-virus and scanned (no virus found)
    3) Went through my suPHP & suExec logs, as well as my server access logs (couldn't find anything)
    4) Changed all my passwords
    5) Went through the Exim log - couldn't find anything
    6) Limited outgoing emails to 150 per day (couldn't get the account-wise limiting to work - an error would crop up in cPanel)
    7) Implemented SPF (v=spf1 +a +mx +ip4:#myip -all) & DKIM

    None of the above has worked. Spam emails are being sent at a rate of 6000 per hour and there's nothing I can do about it. I would really appreciate any help!

    Thanks,
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    In this account's cPanel, find the Default Address icon in the Mail section. On the Default Address page, be sure that the unrouted mail setting is set to Discard. Type in a message: No Such User Here

    and save.

    That should help, I think.
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Just to add here, in WHM:

    WHM > Server Configuration > Tweak Settings, Mail tab, you can set this globally for future newly created accounts.

     
  4. bhavikr

    bhavikr Member

    Joined:
    Apr 19, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hey Infopro

    Thanks for the quick help! I had actually enabled that option before, when that email account was receiving thousands of mail delivery failure notifications, thus consuming all our bandwidth and disk space. The receiving problem was solved; the sending problem still remains. Some spammer still uses our email addresses (somehow!) to send spam to thousands, and that's something I'm finding hard to detect. Is it through a malicious script he has installed on the server (I'm trying to find that out through the Mail-X headers tweak), or is he just spoofing (which should not happen since SPF is enabled)? What else do you think I can do to solve this?

    Thanks again.

    Bhavik
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Send a blank email from that account to this address:
    check-auth@verifier.port25.com

    An email will be sent back, post the summary of results to peek at.
     
  6. bhavikr

    bhavikr Member

    Joined:
    Apr 19, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Tried sending this from the default email address through webmail; mail sending failed with the following error, maybe because nobody is prevented from sending email in WHM.

    Code:
    Message not sent. Server replied:
    Requested action not taken: mailbox unavailable
    550 Verification failed for <###@###.com>
    No such person at this address
    Sender verify failed
    Sent it through SMTP; here's the response I got on the default address:


    Code:
    This message is an automatic response from Port25's authentication verifier
    service at verifier.port25.com.  The service allows email senders to perform
    a simple check of various sender authentication mechanisms.  It is provided
    free of charge, in the hope that it is useful to the email community.  While
    it is not officially supported, we welcome any feedback you may have at
    <verifier-feedback@port25.com>.
    
    Thank you for using the verifier,
    
    The Port25 Solutions, Inc. team
    
    ==========================================================
    Summary of Results
    ==========================================================
    SPF check:          neutral
    DomainKeys check:   neutral
    DKIM check:         neutral
    Sender-ID check:    neutral
    SpamAssassin check: ham
    
    ==========================================================
    Details:
    ==========================================================
    
    HELO hostname:  ######.privatedns.com
    Source IP:      64.1#.###.###
    mail-from:      ea####@######.privatedns.com
    
    ----------------------------------------------------------
    SPF check details:
    ----------------------------------------------------------
    Result:         neutral (SPF-Result: None)
    ID(s) verified: smtp.mailfrom=ea####@######.privatedns.com
    DNS record(s):
        ######.privatedns.com. SPF (no records)
        ######.privatedns.com. TXT (no records)
    
    ----------------------------------------------------------
    DomainKeys check details:
    ----------------------------------------------------------
    Result:         neutral (message not signed)
    ID(s) verified: header.From=ea####@######.privatedns.com
    DNS record(s):
    
    ----------------------------------------------------------
    DKIM check details:
    ----------------------------------------------------------
    Result:         neutral (message not signed)
    ID(s) verified: 
    
    NOTE: DKIM checking has been performed based on the latest DKIM specs
    (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
    older versions.  If you are using Port25's PowerMTA, you need to use
    version 3.2r11 or later to get a compatible version of DKIM.
    
    ----------------------------------------------------------
    Sender-ID check details:
    ----------------------------------------------------------
    Result:         neutral (SPF-Result: None)
    ID(s) verified: header.From=ea####@######.privatedns.com
    DNS record(s):
        ######.privatedns.com. SPF (no records)
        ######.privatedns.com. TXT (no records)
    
    ----------------------------------------------------------
    SpamAssassin check details:
    ----------------------------------------------------------
    SpamAssassin v3.3.1 (2010-03-16)
    
    Result:         ham  (3.0 points, 5.0 required)
    
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                                [64.1#.###.### listed in bb.barracudacentral.org]
    -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                                domain
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                                [score: 0.5463]
     0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
    
    ==========================================================
    Explanation of the possible results (from RFC 5451)
    ==========================================================
    
    SPF and Sender-ID Results
    =========================
    
    "none"
          No policy records were published at the sender's DNS domain.
    
    "neutral"
          The sender's ADMD has asserted that it cannot or does not
          want to assert whether or not the sending IP address is authorized
          to send mail using the sender's DNS domain.
    
    "pass"
          The client is authorized by the sender's ADMD to inject or
          relay mail on behalf of the sender's DNS domain.
    
    "policy"
         The client is authorized to inject or relay mail on behalf
          of the sender's DNS domain according to the authentication
          method's algorithm, but local policy dictates that the result is
          unacceptable.
    
    "fail"
          This client is explicitly not authorized to inject or
          relay mail using the sender's DNS domain.
    
    "softfail"
          The sender's ADMD believes the client was not authorized
          to inject or relay mail using the sender's DNS domain, but is
          unwilling to make a strong assertion to that effect.
    
    "temperror"
          The message could not be verified due to some error that
          is likely transient in nature, such as a temporary inability to
          retrieve a policy record from DNS.  A later attempt may produce a
          final result.
    
    "permerror"
          The message could not be verified due to some error that
          is unrecoverable, such as a required header field being absent or
          a syntax error in a retrieved DNS TXT record.  A later attempt is
          unlikely to produce a final result.
    
    
    DKIM and DomainKeys Results
    ===========================
    
    "none"
          The message was not signed.
    
    "pass"
          The message was signed, the signature or signatures were
          acceptable to the verifier, and the signature(s) passed
          verification tests.
    
    "fail"
          The message was signed and the signature or signatures were
          acceptable to the verifier, but they failed the verification
          test(s).
    
    "policy"
          The message was signed but the signature or signatures were
          not acceptable to the verifier.
    
    "neutral"
          The message was signed but the signature or signatures
          contained syntax errors or were not otherwise able to be
          processed.  This result SHOULD also be used for other
          failures not covered elsewhere in this list.
    
    "temperror"
          The message could not be verified due to some error that
          is likely transient in nature, such as a temporary inability
          to retrieve a public key.  A later attempt may produce a
          final result.
    
    "permerror"
          The message could not be verified due to some error that
          is unrecoverable, such as a required header field being
          absent. A later attempt is unlikely to produce a final result.
    
    
    ==========================================================
    Original Email
    ==========================================================
    
    Return-Path: <ea####@######.privatedns.com>
    Received: from ######.privatedns.com (64.1#.###.###) by verifier.port25.com
    id hi19ee11u9cg for <check-auth@verifier.port25.com>; Thu, 19 Apr 2012 14:00:48
    -0400 (envelope-from <ea####@######.privatedns.com>)
    Authentication-Results: verifier.port25.com; spf=neutral (SPF-Result: None)
    smtp.mailfrom=ea####@######.privatedns.com
    Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed)
    header.From=ea####@######.privatedns.com
    Authentication-Results: verifier.port25.com; dkim=neutral (message not signed)
    Authentication-Results: verifier.port25.com; sender-id=neutral (SPF-Result: None)
    header.From=ea####@######.privatedns.com
    Received: from ea#### by ######.privatedns.com with local (Exim 4.77)
            (envelope-from <ea####@######.privatedns.com>)
            id 1SKves-0000ix-78; Thu, 19 Apr 2012 23:30:42 +0530
    To: check-auth@verifier.port25.com
    Subject: Test Subject 4
    X-PHP-Originating-Script: 519:testm.php
    MIME-Version: 1.0
    Content-type: text/html; charset=iso-8859-1
    To: TEST <check-auth@verifier.port25.com>
    Message-Id: <E1SKves-0000ix-78@######.privatedns.com>
    From: ea####@######.privatedns.com
    Date: Thu, 19 Apr 2012 23:30:42 +0530
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse
    report
    X-AntiAbuse: Primary Hostname - ######.privatedns.com
    X-AntiAbuse: Original Domain - verifier.port25.com
    X-AntiAbuse: Originator/Caller UID/GID - [519 521] / [47 12]
    X-AntiAbuse: Sender Address Domain - ######.privatedns.com
    
    
    <html>
    <head>
     <title>Test Message 4</title>
    </head>
    <body>
    <p><b>This is the test message 4!</b></p>
    </body>
    </html>
     
  7. bhavikr

    bhavikr Member

    Joined:
    Apr 19, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    There's another thing I also noticed. I just enabled the php.ini mail header function. On testing with a plain SMTP function, I do get the script name in the headers. I then waited for the spam to start again (it happens every hour), and there's no "X-PHP-Originating-Script:" tag in the headers. So I think that there's no script running on the server that's sending the emails, as previously suspected. Here's the header of the spam emails. Infopro, it would be great if you could help me out here.

    Code:
    1SKw6I-0001os-FZ-H
    eakbar 519 521
    <ea###@####.privatedns.com>
    1334860142 0
    -ident ea###
    -received_protocol local
    -body_linecount 3
    -max_received_linelength 30
    -auth_id ea###
    -auth_sender ea####@###########.privatedns.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    XX
    1
    alla.y.bazhenova@gmail.com
    
    218P Received: from ea### by ######.privatedns.com with local (Exim 4.77)
    	(envelope-from <ea##@####.privatedns.com>)
    	id 1SKw6I-0001os-FZ
    	for alla.y.bazhenova@gmail.com; Thu, 19 Apr 2012 23:59:02 +0530
    021F From: root@localhost
    031T To: alla.y.bazhenova@gmail.com
    030  Subject: Test mail 1578253403
    061I Message-Id: <E1SKw6I-0001os-FZ@####.privatedns.com>
    038  Date: Thu, 19 Apr 2012 23:59:02 +0530
    thanks man!
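
The spool file pasted above is the `-H` file Exim keeps for every queued message, and it already answers the "script or spoofing?" question: `-received_protocol local` with no `-host_address` means a process running as the account's uid handed the message to the local sendmail interface, while an SMTP client (authenticated or not) would leave a protocol such as `esmtpa` plus the client address. The parser below is an added example, not code from this thread or from cPanel/Exim. The spool text embedded in it is a constructed copy of the posted file with hypothetical user, host and recipient names in place of the obfuscated ones. It classifies the submission from those option lines, reports the originating uid, compares the `From:` header domain with the envelope sender, and looks for the `X-PHP-Originating-Script` header the poster was watching for.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Exim spool "-H" file posted in the thread.
# The user name, host name and recipient are hypothetical stand-ins for the
# obfuscated values; the layout follows the Exim 4.x spool format.
SAMPLE_SPOOL_H = """\
1SKw6I-0001os-FZ-H
eakbar 519 521
<eakbar@server.privatedns.com>
1334860142 0
-ident eakbar
-received_protocol local
-body_linecount 3
-max_received_linelength 30
-auth_id eakbar
-auth_sender eakbar@server.privatedns.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
victim@example.com

218P Received: from eakbar by server.privatedns.com with local (Exim 4.77)
\t(envelope-from <eakbar@server.privatedns.com>)
\tid 1SKw6I-0001os-FZ
\tfor victim@example.com; Thu, 19 Apr 2012 23:59:02 +0530
021F From: root@localhost
031T To: victim@example.com
030  Subject: Test mail 1578253403
061I Message-Id: <E1SKw6I-0001os-FZ@server.privatedns.com>
038  Date: Thu, 19 Apr 2012 23:59:02 +0530
"""

# Header lines carry a byte count and a one-letter flag (P=Received, F=From,
# T=To, I=Message-Id, space=other) before the header text itself.
HEADER_RE = re.compile(r"^(\d+)([A-Z ]) (.*)$")

# Protocol names Exim records for SMTP sessions that authenticated.
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa", "asmtp"}


@dataclass
class SpoolMessage:
    message_id: str
    login: str            # Unix account that handed the message to Exim
    uid: int
    gid: int
    envelope_from: str
    options: dict = field(default_factory=dict)
    recipients: list = field(default_factory=list)
    headers: list = field(default_factory=list)   # [name, value] pairs in spool order

    def header(self, name):
        for hdr_name, value in self.headers:
            if hdr_name.lower() == name.lower():
                return value
        return None


def parse_spool_header(text):
    lines = text.splitlines()
    login, uid, gid = lines[1].split()
    message_id = lines[0][:-2] if lines[0].endswith("-H") else lines[0]
    msg = SpoolMessage(message_id, login, int(uid), int(gid), lines[2].strip("<>"))
    i = 4                                   # line 3 is "<received time> <warning count>"
    while lines[i].startswith("-"):         # "-option [value]" lines
        key, _, value = lines[i][1:].partition(" ")
        msg.options[key] = value or True
        i += 1
    i += 1                                  # "XX": the (empty) non-recipients tree
    count = int(lines[i]); i += 1
    msg.recipients = lines[i:i + count]; i += count
    while i < len(lines) and lines[i] == "":
        i += 1
    for line in lines[i:]:
        m = HEADER_RE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            msg.headers.append([name.strip(), value.strip()])
        elif msg.headers and line[:1] in (" ", "\t"):   # folded continuation line
            msg.headers[-1][1] += " " + line.strip()
    return msg


def domain_of(addr):
    """Domain part of a bare address or of a 'Name <addr>' header value."""
    addr = addr.rsplit("<", 1)[-1].strip("<> ")
    return addr.rpartition("@")[2].lower()


def triage(text):
    msg = parse_spool_header(text)
    proto = msg.options.get("received_protocol", "")
    if proto == "local" and "host_address" not in msg.options:
        # Injected through the local sendmail interface by a process running
        # as this uid: a script or cron job on the box, not any SMTP client.
        origin = "local-process"
    elif proto in AUTH_PROTOCOLS:
        origin = "smtp-auth"      # a network client that knew a mailbox password
    else:
        origin = "smtp-unauth"    # plain SMTP from the network (relay / spoofing)
    from_hdr = msg.header("From") or ""
    return {
        "message_id": msg.message_id,
        "origin": origin,
        "uid": msg.uid,
        "login": msg.login,
        "host_address": msg.options.get("host_address"),
        "envelope_from": msg.envelope_from,
        "from_header": from_hdr,
        "from_mismatch": domain_of(from_hdr) != domain_of(msg.envelope_from),
        "php_script": msg.header("X-PHP-Originating-Script"),
        "recipients": msg.recipients,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SPOOL_H).items():
        print(f"{key:>14}: {value}")
```

Run against the real file (`/var/spool/exim/input/<id>-H`, or `exim -Mvh <id>` as the cPanel log line shows WHM doing) the "local-process" result with uid 519 points at that account's processes and cron jobs rather than at its mailbox password, which is exactly the distinction the rest of the thread turns on.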
     
  8. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    There might not be a PHP script on the server, but there might be a CGI (.cgi / .pl for example) in a cgi-bin, or somewhere else. I've also heard tales recently [via these forums] that if you allow SSH and you have TCP forwarding allowed in your SSH config, then somebody can connect via SSH and forward spam out that way.

    The next time the spam run starts, see if anybody is logged in via SSH besides you. If so, boot them off and see if the spam stops.

    It looks to me like somebody just might be SMTP-authenticating as a valid user on your server and then sending mail out. All it takes is for one user's POP3 credentials to be guessed / stolen, and then anyone can connect to your server, authenticate as that user, and relay mail. Actually, no, it doesn't look like anyone is SMTP-authenticating to send that.

    grep '1SKw6I-0001os-FZ' /var/log/exim_mainlog and see what all Exim is showing. You might not want to post it here unless you obfuscate everything.

    I'd ask you to PM me the results and I'd try to help you out, but you don't know me and thus you cannot trust me :)

    Mike
     
    #8 mtindor, Apr 19, 2012
    Last edited: Apr 19, 2012
  9. theitjerk

    theitjerk Member

    Joined:
    Apr 19, 2012
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Los Angeles
    cPanel Access Level:
    Reseller Owner
    Check to see if your root host is on Spamhaus's PBL list. If it is, your SMTP is more or less open to exploitation, something that can be done relatively silently. As for where the logs of such actions would be: because of the volume, if there is an attacker, they may just be flooding your logs with extra traffic to make them harder to analyze.

    Just a theory, don't put too much weight behind it.
     
  11. bhavikr

    bhavikr Member

    Joined:
    Apr 19, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Mike :)

    I'm pasting the result here anyways, after censoring some of the important information.

    Code:
    2012-04-19 23:59:02 1SKw6I-0001os-FZ <= ea###r@#####l.privatedns.com U=ea### P=local S=442 T="Test mail 1578253403" for alla.y.bazhenova@gmail.com
    2012-04-19 23:59:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1SKw6I-0001os-FZ
    2012-04-19 23:59:02 1SKw6I-0001os-FZ SMTP connection outbound 1334860142 1SKw6I-0001os-FZ emperorakbar.com alla.y.bazhenova@gmail.com
    2012-04-19 23:59:02 1SKw6I-0001os-FZ SMTP error from remote mail server after RCPT TO:<alla.y.bazhenova@gmail.com>: host gmail-smtp-in.l.google.com [173.194.76.27]: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that\n450-4.2.1 prevents additional messages from being delivered. Please resend your\n450-4.2.1 message at a later time. If the user is able to receive mail at that\n450-4.2.1 time, your message will be delivered. For more information, please\n450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 1si3157130qaf.56
    2012-04-19 23:59:03 1SKw6I-0001os-FZ SMTP error from remote mail server after RCPT TO:<alla.y.bazhenova@gmail.com>: host alt1.gmail-smtp-in.l.google.com [173.194.67.27]: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that\n450-4.2.1 prevents additional messages from being delivered. Please resend your\n450-4.2.1 message at a later time. If the user is able to receive mail at that\n450-4.2.1 time, your message will be delivered. For more information, please\n450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 gf10si3787221wib.19
    2012-04-19 23:59:04 1SKw6I-0001os-FZ SMTP error from remote mail server after RCPT TO:<alla.y.bazhenova@gmail.com>: host alt2.gmail-smtp-in.l.google.com [173.194.65.27]: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that\n450-4.2.1 prevents additional messages from being delivered. Please resend your\n450-4.2.1 message at a later time. If the user is able to receive mail at that\n450-4.2.1 time, your message will be delivered. For more information, please\n450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 d51si913578eea.159
    2012-04-19 23:59:05 1SKw6I-0001os-FZ SMTP error from remote mail server after RCPT TO:<alla.y.bazhenova@gmail.com>: host alt3.gmail-smtp-in.l.google.com [173.194.70.26]: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that\n450-4.2.1 prevents additional messages from being delivered. Please resend your\n450-4.2.1 message at a later time. If the user is able to receive mail at that\n450-4.2.1 time, your message will be delivered. For more information, please\n450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 y43si3353910weq.132
    2012-04-19 23:59:06 1SKw6I-0001os-FZ == alla.y.bazhenova@gmail.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<alla.y.bazhenova@gmail.com>: host alt4.gmail-smtp-in.l.google.com [173.194.69.26]: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that\n450-4.2.1 prevents additional messages from being delivered. Please resend your\n450-4.2.1 message at a later time. If the user is able to receive mail at that\n450-4.2.1 time, your message will be delivered. For more information, please\n450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 tj4si1216257bkb.89
    2012-04-20 00:08:03 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvh 1SKw6I-0001os-FZ
    2012-04-20 00:08:03 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvb 1SKw6I-0001os-FZ
    2012-04-20 00:11:13 1SKw6I-0001os-FZ ** alla.y.bazhenova@gmail.com R=enforce_mail_permissions: Domain emperorakbar.com has exceeded the max emails per hour (55/50 (110%)) allowed.  Message discarded.
    2012-04-20 00:11:13 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1SKw6I-0001os-FZ
    2012-04-20 00:11:13 1SKwI5-0004i0-Gn <= <> R=1SKw6I-0001os-FZ U=mailnull P=local S=1437 T="Mail delivery failed: returning message to sender" for ea###r@#####l.privatedns.com
    2012-04-20 00:11:13 1SKw6I-0001os-FZ Completed
    
    

    Thanks again for your help! =)
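
The log above shows the whole lifecycle of one message: the `<=` arrival line with `U=ea### P=local` (local submission by that Unix user), the deferred delivery attempts, the `enforce_mail_permissions` discard once the domain passed its hourly limit, and `Completed`. What a practitioner wants from `/var/log/exim_mainlog` during a spam run is the same information aggregated: which local user or authenticated login the `<=` lines attribute the mail to, how many per hour, and which domains are hitting the limit. The script below is an added example, not code from this thread or from cPanel. Its log lines are constructed to resemble the excerpt above with hypothetical user, domain, recipient and IP values; the `P=esmtpa A=dovecot_login:` line is added for contrast, and its exact format is an assumption about cPanel's Exim logging. It counts arrivals per originator and per hour, collects the rate-limit hits, and traces one message id the way the `grep` suggested earlier does.

```python
import re
from collections import Counter, defaultdict

# Constructed exim_mainlog lines modelled on the excerpt posted in the thread.
# User, host, domain, recipient and IP values are hypothetical; the P=esmtpa
# A=dovecot_login line is added for contrast (format assumed from cPanel/Exim).
SAMPLE_MAINLOG = """\
2012-04-19 23:59:02 1SKw6I-0001os-FZ <= eakbar@server.privatedns.com U=eakbar P=local S=442 T="Test mail 1578253403" for victim1@example.com
2012-04-19 23:59:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1SKw6I-0001os-FZ
2012-04-19 23:59:03 1SKw6J-0001ot-AA <= eakbar@server.privatedns.com U=eakbar P=local S=440 T="Test mail 1578253404" for victim2@example.com
2012-04-19 23:59:04 1SKw6K-0001ou-BB <= eakbar@server.privatedns.com U=eakbar P=local S=441 T="Test mail 1578253405" for victim3@example.com
2012-04-19 23:59:06 1SKw6I-0001os-FZ == victim1@example.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<victim1@example.com>: host mx.example.com [192.0.2.25]: 450 4.2.1 try again later
2012-04-20 00:05:10 1SKwC1-0002aa-CC <= alice@example.org H=(client) [198.51.100.7] P=esmtpa A=dovecot_login:alice@example.org S=1820 T="Invoice" for bob@example.net
2012-04-20 00:11:13 1SKw6I-0001os-FZ ** victim1@example.com R=enforce_mail_permissions: Domain client-site.example has exceeded the max emails per hour (55/50 (110%)) allowed.  Message discarded.
2012-04-20 00:11:13 1SKw6I-0001os-FZ Completed
"""

ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
TOKEN_RE = re.compile(r'(?:^|\s)(U|P|A|S|T|H)=("[^"]*"|\S+)')
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")
RATE_RE = re.compile(
    r"R=enforce_mail_permissions: Domain (\S+) has exceeded the max emails per hour \((\d+)/(\d+)")


def parse_arrival(line):
    """Parse an Exim '<=' (message arrived) line into its fields, else None."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(rest)}
    ip = IP_RE.search(rest)
    # Recipients follow the quoted subject, so skip past T="..." before looking for "for".
    tail = rest[re.search(r'T="[^"]*"', rest).end():] if 'T="' in rest else rest
    rcpt = re.search(r"\bfor (.*)$", tail)
    return {
        "ts": m.group("ts"), "id": m.group("id"), "sender": m.group("sender"),
        "user": fields.get("U"),            # Unix account, for P=local submissions
        "proto": fields.get("P"),           # local / esmtp / esmtpa ...
        "auth": fields.get("A"),            # authenticator:login, for SMTP AUTH
        "ip": ip.group(1) if ip else None,  # only present for network submissions
        "size": int(fields.get("S", 0)),
        "subject": fields.get("T"),
        "recipients": rcpt.group(1).split() if rcpt else [],
    }


def summarize(log_text, threshold_per_hour=50):
    """Count arrivals per originator (and per hour) and collect rate-limit hits."""
    by_origin = Counter()
    per_hour = defaultdict(Counter)
    rate_limited = []
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec:
            # Whom to blame: the authenticated login for SMTP AUTH, the Unix
            # user for local submissions, otherwise the envelope sender.
            key = (rec["auth"] or rec["user"] or rec["sender"], rec["proto"], rec["ip"])
            by_origin[key] += 1
            per_hour[rec["ts"][:13]][key] += 1
            continue
        rm = RATE_RE.search(line)
        if rm:
            rate_limited.append((rm.group(1), int(rm.group(2)), int(rm.group(3))))
    over = [(hour, key, n) for hour, counts in per_hour.items()
            for key, n in counts.items() if n >= threshold_per_hour]
    return {"by_origin": by_origin, "rate_limited": rate_limited, "over_threshold": over}


def trace_message(log_text, message_id):
    """Every log line for one message id: arrival, delivery attempts, completion."""
    return [line for line in log_text.splitlines() if message_id in line]


if __name__ == "__main__":
    report = summarize(SAMPLE_MAINLOG, threshold_per_hour=3)
    for (origin, proto, ip), n in report["by_origin"].most_common():
        print(f"{n:5d}  {origin} via {proto} {ip or '(local)'}")
    print("rate limited:", report["rate_limited"])
    print("\n".join(trace_message(SAMPLE_MAINLOG, "1SKw6I-0001os-FZ")))
```

A local user with hundreds of `P=local` arrivals per hour and no `A=` login is the signature of a script or cron job running as that account; the same volume under `P=esmtpa A=...` would instead point at a stolen mailbox password, which is the other case raised in this thread.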
     
  13. bhavikr

    bhavikr Member

    Joined:
    Apr 19, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I replied to this but somehow it went to the moderation queue - I'm just sending a PM to you!
     
  14. bhavikr

    bhavikr Member

    Joined:
    Apr 19, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Just checked it - it's not on the PBL list. But almost all mail providers have blocked my IP - need to do some damage control fast now..
     
  16. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    What you want to see is this though:

    Code:
    ==========================================================
    Summary of Results
    ==========================================================
    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         pass
    Sender-ID check:    pass
    SpamAssassin check: ham
    This is the command you might want to run to enable DKIM:
    Enable Dkim for my existing account WHM 11.32
     
  17. bhavikr

    bhavikr Member

    Joined:
    Apr 19, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hey Infopro

    Thanks for the help - but it appears it wasn't a spoof after all. The spammer had gained access to SSH somehow and was able to install a malicious Perl script that sent all the emails. The tricky part was that they deleted the script immediately after executing it, thus making it difficult for us to detect it. They had a process running all the time that re-executed and deleted it every hour, making life hell for us.

    Many thanks to Mike (mtindor) for all his help in this. It would have been practically impossible to solve without his help. It's great to see such good Samaritans on this forum.

    For people looking at this thread who have tried almost everything to solve this problem, run this command:

    grep ssh /var/log/secure|grep Accepted

    If you see someone besides yourself in that list, there's the problem.
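
The `grep ssh /var/log/secure | grep Accepted` check above, generalised a little, as an added example that is not code from this thread or from cPanel/CSF: besides listing accepted logins it counts the `Failed password` lines that precede a successful login from the same address, and flags any accepted login whose source is outside an allowlist, whose user is not one you expect, or that used a password instead of a key. The log lines are constructed in the syslog format OpenSSH writes to `/var/log/secure` on RHEL/CentOS; the host, users, ports and addresses are hypothetical.

```python
import re
from collections import Counter

# Constructed /var/log/secure lines in the syslog format OpenSSH writes on
# RHEL/CentOS. Host, users, ports and addresses are hypothetical.
SAMPLE_SECURE = """\
Apr 19 22:58:01 server sshd[4101]: Failed password for root from 203.0.113.9 port 40211 ssh2
Apr 19 22:58:04 server sshd[4101]: Failed password for root from 203.0.113.9 port 40211 ssh2
Apr 19 22:58:09 server sshd[4107]: Failed password for invalid user admin from 203.0.113.9 port 40230 ssh2
Apr 19 23:00:12 server sshd[4122]: Accepted password for root from 203.0.113.9 port 40288 ssh2
Apr 19 23:00:12 server sshd[4122]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 19 23:30:40 server sshd[4310]: Accepted publickey for sysadmin from 198.51.100.20 port 51002 ssh2
Apr 19 23:58:55 server sshd[4502]: Accepted password for root from 203.0.113.9 port 41977 ssh2
"""

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")


def parse_logins(text):
    """Return (list of accepted-login dicts, Counter of failed attempts per source IP)."""
    accepted, failed = [], Counter()
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append(m.groupdict())
            continue
        f = FAILED_RE.search(line)
        if f:
            failed[f.group("ip")] += 1
    return accepted, failed


def audit_logins(text, trusted_ips, expected_users, allow_password=False):
    """Accepted logins an admin did not expect, each with the reasons it was flagged."""
    accepted, failed = parse_logins(text)
    suspicious = []
    for a in accepted:
        reasons = []
        if a["ip"] not in trusted_ips:
            reasons.append("source address not in allowlist")
        if a["user"] not in expected_users:
            reasons.append("unexpected user")
        if a["method"] == "password" and not allow_password:
            reasons.append("password authentication")
        if failed[a["ip"]]:   # Counter returns 0 for unseen addresses
            reasons.append(f"{failed[a['ip']]} failed attempts from the same address")
        if reasons:
            suspicious.append((a["ts"], a["user"], a["ip"], a["method"], reasons))
    return suspicious


if __name__ == "__main__":
    for ts, user, ip, method, reasons in audit_logins(
            SAMPLE_SECURE, trusted_ips={"198.51.100.20"}, expected_users={"sysadmin"}):
        print(f"{ts}  {user}@{ip} ({method}): " + "; ".join(reasons))
```

Fill `trusted_ips` and `expected_users` with your own addresses and accounts; a root password login preceded by a burst of failures from the same address is the pattern worth acting on, and the same address is the one to block in the firewall as suggested in the next reply.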
     
  18. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hope your problem is solved.

    This line made it very clear as to which user account had been compromised:

    You may also want to clear out your mail queue for any leftover mails.

    Also, if, as you say, they have "a process running every hour", I think you should identify that process and get to the root of the problem.

    You can also check the last few logins by:

    If you have a firewall you may want to block out that IP.

    CSF also alerts you when a user logs into SSH. This could have been crucial in your case.
     
    #18 ruzbehraja, Apr 20, 2012
    Last edited: Apr 20, 2012
  19. bhavikr

    bhavikr Member

    Joined:
    Apr 19, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Yes, the problem is now solved. We have installed CSF now & hope this doesn't happen again. It was clear which account was compromised, but I couldn't find out how. I had put a limit on their emails and that did work up to some extent, but it also prevented legitimate communication. It turns out, ultimately, that they had actually installed the script on the root account.

    We've killed the process and now that all passwords have been changed, it should be good now.



     
  20. nuno.magalhaes

    Joined:
    Apr 30, 2012
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi Mike

    I think I have the same problem.

    What did you do in php.ini?

    I noticed that someone logged in to my server. How did you find the script?

    At the moment nobody logs in to my server except me, but I still have the problem.
     