Odd spam - looks as if directly injected via IMAP

Discussion in 'E-mail Discussions' started by John Schmerold, Apr 21, 2014.

  1. John Schmerold

    John Schmerold Active Member

    Joined:
    Apr 21, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    st. louis
    cPanel Access Level:
    Root Administrator
    Lately, I have been getting odd spam, not many, a few every couple of days. What's odd is that these messages seem to be bypassing Exim and going directly into my inbox. Any idea what could be happening? Here is a complete sample message, headers and all. I did a cat "1398108485.M798601P32163.server.example.com,S=1435,W=1470:2,S" to get this text, so it's everything:
    Code:
    Return-Path: <sam.jackson@domain.org>
    Reply-To: <sam.jackson@domain.org>
    From: "sam.jackson" <sam.jackson@domain.org>
    To: <sam.jackson@example.net>
    Subject: [!! SPAM]  Good day sam.jackson
    Date: Thu, 17 Apr 2014 03:53:30 -0500
    Message-ID: <16743057840.7868339057@f27.domain.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
            boundary="----=_NextPart_000_0213_01CF5D6D.E6754FE0"
    X-Mailer: Microsoft Outlook 15.0
    Thread-Index: AQIBAkL7D5ntWpPQn9OKhED6Rz1UVw==
    X-OlkEid: 000000007620C495434813499EF33BE633B1F9100700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C0000D9539C2261A6BB45B9DAB62C7081B3C101009F6300000000946360344$
    
    This is a multipart message in MIME format.
    
    ------=_NextPart_000_0213_01CF5D6D.E6754FE0
    Content-Type: text/plain;
            charset="utf-8"
    Content-Transfer-Encoding: 7bit
    
    TV is a subsidiary of Reports, Inc. Boyz II Men, ABC, BBD. One year after
    she returned, Miriam Lahnstein was expecting her second child which lead to
    leaving the show once again.
    
    ------=_NextPart_000_0213_01CF5D6D.E6754FE0
    Content-Type: text/html;
            boundary="--ALT--223d9cb261e6442998";
            charset="utf-8"
    Content-Transfer-Encoding: quoted-printable
    
    <HTML><BODY>TV is a subsidiary of Reports, Inc. Boyz II Men, ABC, BBD. =
    One year after she returned, Miriam Lahnstein was expecting her second =
    child which lead to leaving the show once again.</BODY></HTML>
    ------=_NextPart_000_0213_01CF5D6D.E6754FE0--
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Check for this email in /var/log/exim_mainlog and post the relevant log contents, please. If it was sent from your server, it should exist in that log.
     
  3. John Schmerold

    John Schmerold Active Member

    Joined:
    Apr 21, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    st. louis
    cPanel Access Level:
    Root Administrator
    Glad you had me double-check: there were two messages; they came in on the 17th, so the log was zipped up and I didn't see it in my original search.

    It did come in on the 17th, and it is spam. Now for the oddities:
    1) I have received at least four copies of each of the two messages
    2) When I look at the headers, there are no Mailscanner or Spamassassin headers in any of the four copies

    So, the good news is that we must have something misconfigured (&/or a rights issue) on our server, there doesn't seem to be some malware doing this to me. I think I should increase the logging level of mailscanner to see what it tells me since I am not seeing much in exim_mainlog except the delivery of the original two messages.

    Any other ideas?
     
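    A way to run the check suggested above, as an added example that is not code from the original posts or from cPanel: parse the raw Maildir file for its Message-ID and Received: chain (a message that Exim delivered carries at least one Received: line, and the sample quoted in the first post has none), then look the Message-ID up in exim_mainlog and its rotated .gz copies, pulling in the delivery lines that share the same queue id. The log lines, queue id, remote IP, router/transport names and file names are constructed placeholders in Exim's main-log layout, not data from this thread.

```python
import gzip
import re
import tempfile
from email import message_from_bytes
from pathlib import Path

# Constructed sample: the header block of the message quoted in the first
# post, with the body trimmed. Note the absence of any Received: line.
RAW_MESSAGE = b"""Return-Path: <sam.jackson@domain.org>
Reply-To: <sam.jackson@domain.org>
From: "sam.jackson" <sam.jackson@domain.org>
To: <sam.jackson@example.net>
Subject: [!! SPAM]  Good day sam.jackson
Date: Thu, 17 Apr 2014 03:53:30 -0500
Message-ID: <16743057840.7868339057@f27.domain.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

TV is a subsidiary of Reports, Inc.
"""

# Constructed exim_mainlog lines in Exim's main-log layout. Queue id, IP,
# router and transport names are placeholders.
EXIM_LOG_LINES = [
    "2014-04-17 03:53:45 1WaJfK-0002sX-1z <= sam.jackson@domain.org "
    "H=(f27.domain.com) [203.0.113.5] P=esmtp S=1435 "
    "id=16743057840.7868339057@f27.domain.com",
    "2014-04-17 03:53:46 1WaJfK-0002sX-1z => sam.jackson "
    "<sam.jackson@example.net> R=virtual_user T=virtual_userdelivery",
    "2014-04-17 03:53:46 1WaJfK-0002sX-1z Completed",
]
UNRELATED_LOG_LINE = ("2014-04-18 09:00:01 1WaOQn-0004Fj-2a <= other@example.com "
                      "H=(mx.example.com) [198.51.100.7] P=esmtp S=900 id=abc123@mx.example.com")

SCANNER_HEADER_PREFIXES = ("X-Spam-", "X-MailScanner")
VERDICT_MTA = "delivered by Exim (see log_lines)"
VERDICT_NO_MTA = "no Received: header and no Exim record: written to the mailbox without passing through the MTA"
VERDICT_CHECK_OLDER = "Received: headers present but no Exim record in the logs checked: search older rotated logs"


def transport_evidence(raw):
    """What the headers themselves say about how the message travelled."""
    msg = message_from_bytes(raw)
    received = msg.get_all("Received") or []
    scanner = sorted(h for h in msg.keys() if h.startswith(SCANNER_HEADER_PREFIXES))
    return {
        "message_id": (msg.get("Message-ID") or "").strip(),
        "received_hops": len(received),      # 0 means no MTA stamped it
        "scanner_headers": scanner,          # MailScanner/SpamAssassin marks
    }


def exim_log_matches(message_id, log_paths):
    """All exim_mainlog lines for this message: the '<=' line carrying
    id=<Message-ID without brackets>, plus '=>' and 'Completed' lines that
    share its queue id. Rotated .gz files are read transparently."""
    needle = "id=" + message_id.strip("<>")
    lines = []
    for path in map(Path, log_paths):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(str(path), "rt", encoding="utf-8", errors="replace") as fh:
            lines.extend(line.rstrip("\n") for line in fh)
    queue_ids = set()
    for line in lines:
        if needle in line:
            m = re.match(r"\S+ \S+ (\S+) <= ", line)
            if m:
                queue_ids.add(m.group(1))
    return [line for line in lines if any(q in line for q in queue_ids)]


def triage(raw, log_paths):
    """Combine header evidence with the Exim log search into one verdict."""
    evidence = transport_evidence(raw)
    hits = exim_log_matches(evidence["message_id"], log_paths)
    if hits:
        verdict = VERDICT_MTA
    elif evidence["received_hops"] == 0:
        verdict = VERDICT_NO_MTA
    else:
        verdict = VERDICT_CHECK_OLDER
    return {**evidence, "log_lines": hits, "verdict": verdict}


def write_sample_logs(directory):
    """Create a current log and a rotated .gz log (names are illustrative)."""
    current = Path(directory) / "exim_mainlog"
    rotated = Path(directory) / "exim_mainlog-20140418.gz"
    current.write_text(UNRELATED_LOG_LINE + "\n", encoding="utf-8")
    with gzip.open(str(rotated), "wt", encoding="utf-8") as fh:
        fh.write("\n".join(EXIM_LOG_LINES) + "\n")
    return current, rotated


def demo():
    """The two situations from the thread: the original delivery, which is
    only in the rotated log, and the later reappearance, which is in none."""
    with tempfile.TemporaryDirectory() as tmp:
        current, rotated = write_sample_logs(tmp)
        return {
            "first_delivery": triage(RAW_MESSAGE, [current, rotated]),
            "reappearance": triage(RAW_MESSAGE, [current]),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result["verdict"])
```

On a real server, point `triage()` at the Maildir file and at `/var/log/exim_mainlog*`; the first situation above turns up only once the rotated copy is included, which is exactly what was missed in the original search.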
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Were you able to determine any details about the source of the message from /var/log/exim_mainlog? Note that increasing the log level through your MailScanner application might be the best way to determine the source.

    Thank you.
     
  5. John Schmerold

    John Schmerold Active Member

    Joined:
    Apr 21, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    st. louis
    cPanel Access Level:
    Root Administrator
    exim_main tells me they came in via a traditional route - we filter all email before it hits the cPanel box, so these messages got passed by the spam filter to the mail server - no big deal, it happens.

    But, once again today, the exact same messages presented themselves in my inbox. They are not logged in exim_main.

    Perhaps I should open a ticket. I posted this information here thinking it was broadly applicable and that there would be a ready solution. Now I am thinking it is some isolated fluke that is best handled by cPanel technicians.

    Thoughts? I won't have time to open a ticket until later today or perhaps Thursday.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You are welcome to submit a support ticket so we can take a closer look. Note that you will need to disable MailScanner before we can troubleshoot the issue as it's a third-party application that will need to be ruled out as the source of the problem. Remember to post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  7. John Schmerold

    John Schmerold Active Member

    Joined:
    Apr 21, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    st. louis
    cPanel Access Level:
    Root Administrator
    Outlook 2013 was the evil-doer. Odd, very odd.
     
  8. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    You realize...that headers are set by the mail client (aka whatever is sending the email) and are easily fabricated, right?

    PHP: mail - Manual
     
  9. TraderStf

    TraderStf Member

    Joined:
    Feb 27, 2014
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Belgium
    cPanel Access Level:
    Root Administrator
    I am wondering if it is not the "same" problem.

    I have several small spams with a small zip that are passing through.
    If you verify the zip on virustotal.com, it always contains an "old" known virus...

    The only thing special is that the email that receives it is just a forwarder, not a real mailbox.
    That forwarder sends the incoming mail to 3 real mailboxes.

    Could it be that the forward bypasses the scanner?

    Thanks,
     
    #9 TraderStf, May 13, 2014
    Last edited by a moderator: May 13, 2014