Odd spam - looks as if directly injected via IMAP

John Schmerold (Well-Known Member, joined Apr 21, 2004, St. Louis; cPanel Access Level: Root Administrator):

Lately, I have been getting odd spam, not many, a few every couple of days. What's odd is that these messages seem to be bypassing EXIM and going directly into my inbox. Any idea what could be happening? Here is a complete sample message, headers and all; I did a cat "1398108485.M798601P32163.server.example.com,S=1435,W=1470:2,S" to get this text, so it's everything:
Code:
Return-Path: <[email protected]>
Reply-To: <[email protected]>
From: "sam.jackson" <[email protected]>
To: <[email protected]>
Subject: [!! SPAM]  Good day sam.jackson
Date: Thu, 17 Apr 2014 03:53:30 -0500
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0213_01CF5D6D.E6754FE0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQIBAkL7D5ntWpPQn9OKhED6Rz1UVw==
X-OlkEid: 000000007620C495434813499EF33BE633B1F9100700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C0000D9539C2261A6BB45B9DAB62C7081B3C101009F6300000000946360344$

This is a multipart message in MIME format.

------=_NextPart_000_0213_01CF5D6D.E6754FE0
Content-Type: text/plain;
        charset="utf-8"
Content-Transfer-Encoding: 7bit

TV is a subsidiary of Reports, Inc. Boyz II Men, ABC, BBD. One year after
she returned, Miriam Lahnstein was expecting her second child which lead to
leaving the show once again.

------=_NextPart_000_0213_01CF5D6D.E6754FE0
Content-Type: text/html;
        boundary="--ALT--223d9cb261e6442998";
        charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>TV is a subsidiary of Reports, Inc. Boyz II Men, ABC, BBD. =
One year after she returned, Miriam Lahnstein was expecting her second =
child which lead to leaving the show once again.</BODY></HTML>
------=_NextPart_000_0213_01CF5D6D.E6754FE0--
John Schmerold (Well-Known Member, joined Apr 21, 2004, St. Louis; cPanel Access Level: Root Administrator):

Glad you had me double check, there were two messages, they came in on the 17th, so the log was zipped up and I didn't see it in my original search.

It did come in on the 17th, and it is spam. Now for the oddities:
1) I have received at least four copies of each of the two messages
2) When I look at the headers, there are no MailScanner or SpamAssassin headers in any of the four copies

So, the good news is that we must have something misconfigured (and/or a rights issue) on our server; there doesn't seem to be any malware doing this to me. I think I should increase the logging level of MailScanner to see what it tells me, since I am not seeing much in exim_mainlog except the delivery of the original two messages.

Any other ideas?
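The two symptoms in this post (nothing in exim_mainlog, and no MailScanner/SpamAssassin headers on the copies) can be checked mechanically against the mailbox itself. The following is an added example, not code from the thread or from cPanel: a Python audit of a Maildir that flags any message with no Received: header (so no MTA ever handled it) or none of the filter headers. The filter header names, the Exim/queue-id values and the IP in the samples are assumptions.

```python
from email import policy
from email.parser import BytesParser
from pathlib import Path

# Filter headers the local stack is assumed to add. MailScanner's header prefix
# is site-configurable, so set these to what your own filtered mail carries.
SCANNER_HEADERS = ("X-MailScanner-ID", "X-Spam-Status", "X-Spam-Score")
# Constructed samples, not real traffic. DIRECT mirrors the quoted message:
# no Received: line and no filter headers. VIA_EXIM is a normal delivery.
DIRECT = b"""Return-Path: <sam.jackson@example.invalid>
From: "sam.jackson" <sam.jackson@example.invalid>
Subject: [!! SPAM]  Good day sam.jackson
Message-ID: <0213.01CF5D6D.E6754FE0@example.invalid>
"""
VIA_EXIM = b"""Return-Path: <sam.jackson@example.invalid>
Received: from mx.example.invalid ([192.0.2.10]) by server.example.invalid with esmtp (Exim 4.82) id 1WbAaA-0003Qk-1x for sam.jackson@example.invalid; Thu, 17 Apr 2014 03:53:31 -0500
X-MailScanner-ID: 1WbAaA-0003Qk-1x
X-Spam-Status: Yes, score=9.1
From: "sam.jackson" <sam.jackson@example.invalid>
Subject: [!! SPAM]  Good day sam.jackson
Message-ID: <0213.01CF5D6D.E6754FE0@example.invalid>
"""

def audit_message(raw: bytes) -> dict:
    """Report what a message's headers say about how it reached the mailbox."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    received = msg.get_all("Received") or []
    scanner = [h for h in SCANNER_HEADERS if h in msg]
    findings = []
    if not received:
        # Every MTA hop prepends a Received: line. None at all means the file was
        # put in the Maildir without the MTA (e.g. IMAP APPEND or a spool write).
        findings.append("no Received: header, message did not pass through the MTA")
    elif not any("Exim" in r for r in received):
        findings.append("no Received: line from the local Exim")
    if not scanner:
        findings.append("no MailScanner/SpamAssassin headers, filtering was skipped")
    return {"message_id": msg.get("Message-ID"), "received": len(received),
            "scanner_headers": scanner, "findings": findings}

def audit_maildir(maildir: Path) -> list:
    """Flag files in new/ and cur/ whose headers show they bypassed the MTA or filter."""
    flagged = []
    for f in sorted(p for sub in ("new", "cur") for p in (maildir / sub).glob("*")):
        report = audit_message(f.read_bytes())
        if report["findings"]:
            flagged.append((f.name, report))
    return flagged
```

Run audit_maildir against the affected account's Maildir and compare the flagged file names' timestamps with the IMAP login log to see which client session wrote them.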
cPanelMichael (Administrator, Staff member, joined Apr 11, 2011):

Hello :)

Were you able to determine any details about the source of the message from /var/log/exim_mainlog? Note that increasing the log level through your MailScanner application might be the best way to determine the source.

Thank you.
John Schmerold (Well-Known Member, joined Apr 21, 2004, St. Louis; cPanel Access Level: Root Administrator):

exim_main tells me they came in via a traditional route - we filter all email before it hits the cPanel box, so these messages got passed by the spam filter to the mail server - no big deal, it happens.

But, once again today, the exact same messages presented themselves in my inbox. They are not logged in exim_main.

Perhaps I should open a ticket. I posted this information here thinking it was broadly applicable and that there would be a ready solution. Now I am thinking it is some isolated fluke that is best handled by cPanel technicians.

Thoughts? I won't have time to open a ticket until later today or perhaps Thursday.
cPanelMichael (Administrator, Staff member, joined Apr 11, 2011):

You are welcome to submit a support ticket so we can take a closer look. Note that you will need to disable MailScanner before we can troubleshoot the issue as it's a third-party application that will need to be ruled out as the source of the problem. Remember to post the ticket number here so we can update this thread with the outcome.

Thank you.
TraderStf (Member, joined Feb 27, 2014, Belgium; cPanel Access Level: Root Administrator):

I am wondering if it is not the "same" problem.

I have several small spams with a small zip that are passing through.
If you verify the zip on virustotal.com, it always contains an "old" known virus...

The only thing special is that the email address that receives it is just a forwarder, not a real mailbox.
That forwarder sends the incoming mail to 3 real mailboxes.

Could it be that the forwarder bypasses the scanner?

Thanks,