one account is sending spam with username @ hostname

Jaro747

Member
Jan 23, 2018
20
1
3
Polska
cPanel Access Level
Root Administrator
I have a problem

one account is sending spam with username @ hostname

The account has 20 WordPress sites.

How do I locate which page (script) is sending the spam?


example
Code:
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N <= [email protected] U=arp P=local S=1033 T="Page 2019 - 2 - Confidential details" for [email protected]
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N SMTP connection outbound 1603269199 1kV9Yd-00EdgE-8N arp.webinfocloud.pl [email protected]
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1603269200 k2si1527418wrq.533 - gsmtp"
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S <= [email protected] U=arp P=local S=1023 T="Page 2019 - Confidential details" for [email protected]
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S SMTP connection outbound 1603269219 1kV9Yx-00Edk5-8S arp.webinfocloud.pl [email protected]
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1603269220 j5si1562883wrq.31 - gsmtp"
2020-10-21 10:33:44 1kV9Z2-00Edkt-Kx <= [email protected] U=arp P=local S=1033 T="Page 2019 - 2 - Confidential details" for [email protected]
2020-10-21 10:33:44 1kV9Z2-00Edkt-Kx SMTP connection outbound 1603269224 1kV9Z2-00Edkt-Kx arp.webinfocloud.pl [email protected]
2020-10-21 10:33:45 1kV9Z2-00Edkt-Kx => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1603269225 o82si1554517wma.161 - gsmtp"
 

keat63

Well-Known Member
Nov 20, 2014
1,961
267
113
cPanel Access Level
Root Administrator
I don't know how to find your problem, but have you considered changing the password on that email account?
It might save you from landing on an RBL in the meantime.
 

Jaro747

Member
Jan 23, 2018
20
1
3
Polska
cPanel Access Level
Root Administrator
I don't know how to find your problem, but have you considered changing the password on that email account?
It might save you from landing on an RBL in the meantime.
The email was sent from [email protected] (no email account).


exigrep inixmidoo /var/log/exim_mainlog*

In the log there is no information about the script / file location.

2020-10-20 03:14:49 1kUgEj-00Aya7-C4 <= [email protected] U=arp P=local S=1060 T="Page 2019 - Confidential details" for [email protected]
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 Sender identification U=arp D=arp.domain.pl S=arp
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 SMTP connection outbound 1603156489 1kUgEj-00Aya7-C4 arp.webinfocloud.pl [email protected]
2020-10-20 03:14:50 1kUgEj-00Aya7-C4 => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [<IPREMOVED>] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1603156490 j9si204179wrn.28 - gsmtp"
2020-10-20 03:14:50 1kUgEj-00Aya7-C4 Completed
 
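Two things a practitioner checks in a case like this, shown here as an added example that is not from the thread, from cPanel or from exim: which sender, subject and working directory the local submissions cluster under, and which senders are of the user@hostname form that no mailbox exists for (so a mailbox password change cannot help). The script parses exim_mainlog lines in the format quoted above. It assumes exim's log_selector includes +arguments, so that each local sendmail call is preceded by a "cwd=<dir> N args: ..." line (cPanel's stock exim configuration does this); crediting a cwd= line to the following "<=" arrival is a heuristic based on ordering and timestamp, and the sample log, addresses, paths and the file name exim_spam_sources.py are all constructed.

```python
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample, not from the thread. Message lines copy the format of the
# exim_mainlog excerpts quoted above; the "cwd=<dir> N args:" lines are what exim
# writes for a local sendmail submission when log_selector includes +arguments
# (assumed enabled; cPanel's stock exim.conf does so). Paths/addresses are made up.
SAMPLE_LOG = """\
2020-10-20 03:14:49 cwd=/home/arp/public_html/site3/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 <= arp@server.example U=arp P=local S=1060 T="Page 2019 - Confidential details" for victim1@gmail.com
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 Sender identification U=arp D=server.example S=arp
2020-10-20 03:14:50 1kUgEj-00Aya7-C4 => victim1@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [203.0.113.5] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK"
2020-10-20 03:14:50 1kUgEj-00Aya7-C4 Completed
2020-10-20 03:15:02 cwd=/home/arp/public_html/site3/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2020-10-20 03:15:02 1kUgEw-00Ayb9-Qq <= arp@server.example U=arp P=local S=1033 T="Page 2019 - 2 - Confidential details" for victim2@gmail.com
2020-10-20 03:15:03 1kUgEw-00Ayb9-Qq => victim2@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [203.0.113.5] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK"
2020-10-20 03:20:11 cwd=/home/arp/public_html/site1 3 args: /usr/sbin/sendmail -t -i
2020-10-20 03:20:11 1kUgK1-00AyeZ-3x <= shop@site1.example U=arp P=local S=2210 T="Your order #1042" for customer@example.net
2020-10-20 03:20:12 1kUgK1-00AyeZ-3x => customer@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.9] C="250 OK"
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"   # exim message id shape
ARRIVAL = re.compile(
    rf'^({TS}) ({MSG_ID}) <= (\S+) U=(\S+) P=(\S+) S=\d+ T="((?:[^"\\]|\\.)*)"')
CWD = re.compile(rf"^({TS}) cwd=(\S+) \d+ args: (.*)$")
DELIVERY = re.compile(rf"^({TS}) ({MSG_ID}) => (\S+) ")


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def parse_exim_mainlog(text, max_gap_seconds=2):
    """Group mainlog lines by message id. A cwd= line carries no message id: exim
    writes it just before the '<=' line of the same local submission, so the next
    P=local arrival within max_gap_seconds is credited with it (heuristic)."""
    messages = {}
    pending_cwd = []                        # [(timestamp, cwd)] not yet attached
    for line in text.splitlines():
        m = CWD.match(line)
        if m:
            pending_cwd.append((m.group(1), m.group(2)))
            continue
        m = ARRIVAL.match(line)
        if m:
            stamp, mid, sender, user, proto, subject = m.groups()
            cwd = None
            if proto == "local":
                # discard stale entries: a sendmail call that produced no message
                while pending_cwd and \
                        (_t(stamp) - _t(pending_cwd[0][0])).total_seconds() > max_gap_seconds:
                    pending_cwd.pop(0)
                if pending_cwd:
                    cwd = pending_cwd.pop(0)[1]
            messages[mid] = {"ts": stamp, "sender": sender, "user": user, "proto": proto,
                             "subject": subject, "cwd": cwd, "rcpts": []}
            continue
        m = DELIVERY.match(line)
        if m and m.group(2) in messages:
            messages[m.group(2)]["rcpts"].append(m.group(3))
    return messages


def summarize(messages):
    """Counters by sender, by working directory (local submissions) and by subject."""
    by_sender = Counter(m["sender"] for m in messages.values())
    by_cwd = Counter(m["cwd"] or "(no cwd line)" for m in messages.values()
                     if m["proto"] == "local")
    by_subject = Counter(m["subject"] for m in messages.values())
    return by_sender, by_cwd, by_subject


def suspect_local_senders(messages, server_hostnames):
    """Senders of the form user@<server hostname>: no mailbox exists for these, so
    the source is a script or cron job under that account, not a stolen password."""
    return sorted({m["sender"] for m in messages.values()
                   if m["sender"].rpartition("@")[2] in server_hostnames})


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    msgs = parse_exim_mainlog(text)
    for title, counter in zip(("sender", "cwd", "subject"), summarize(msgs)):
        print(f"top {title}s:")
        for key, n in counter.most_common(10):
            print(f"  {n:6d}  {key}")
    if len(argv) > 2:                       # remaining args: server hostnames
        print("user@hostname senders:", ", ".join(suspect_local_senders(msgs, set(argv[2:]))))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 exim_spam_sources.py /var/log/exim_mainlog <server hostname>`; the directory with the highest count is where to look for the injected PHP file. When the cwd= lines are present, `grep 'cwd=' /var/log/exim_mainlog | awk '{print $3}' | sort | uniq -c | sort -rn | head` gives the directory count alone.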

andrew.n

Well-Known Member
Jun 9, 2020
951
352
63
EU
cPanel Access Level
Root Administrator
You should read the header of the email. You can do so with:

exim -Mvh 1kUgEj-00Aya7-C4
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
You should read the header of the email. You can do so with:

exim -Mvh 1kUgEj-00Aya7-C4
This will only work for messages stuck in the queue, i.e. messages that haven't been delivered yet. But you should be able to view some stats using the following:

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

This is something we use internally to quickly identify the source of spam mail.
 
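Following on from the caveat that `exim -Mvh` only helps while the message is still queued: what it prints is exim's spool header (-H) file, and when php.ini has `mail.add_x_header = On`, PHP's mail() adds an `X-PHP-Originating-Script: <uid>:<script basename>` header that names the sending file directly. The parser below is an added example, not code from the thread, from cPanel or from exim. It assumes the spool-file layout described in the Exim specification (message id line, login/uid/gid line, envelope sender, received time, dash-prefixed options, the non-recipient tree, recipient count and list, a blank line, then headers each prefixed with a byte count and a type character, with `*` marking a deleted header and indented lines being folded continuations), and that `mail.add_x_header` is enabled. The sample is constructed and its length prefixes are illustrative only; the parser does not rely on them.

```python
import re

# Constructed sample of what `exim -Mvh <id>` prints for a queued message: the
# exim spool -H file. Not taken from the thread. The X-PHP-Originating-Script
# header is what PHP's mail() adds when php.ini has mail.add_x_header = On
# (assumed here); its value is "<uid>:<script basename>". The numeric length
# prefixes are illustrative; the parser below keys on line shape, not on them.
SAMPLE_SPOOL_HEADER = """\
1kUgEj-00Aya7-C4-H
arp 1001 1001
<arp@server.example>
1603156489 0
-ident arp
-received_protocol local
-body_linecount 20
-max_received_linelength 62
-local
XX
1
victim1@gmail.com

070P Received: from arp by server.example with local (Exim 4.93)
\tid 1kUgEj-00Aya7-C4; Tue, 20 Oct 2020 03:14:49 +0200
037  X-PHP-Originating-Script: 1001:post.php
028  To: victim1@gmail.com
041  Subject: Page 2019 - Confidential details
033F From: arp@server.example
029  Content-Type: text/plain
"""

# "<length><type> <header>": type is a space for an ordinary header, a letter for
# ones exim tracks specially (F=From, T=To, P=Received, ...), '*' for a deleted one.
HEADER_START = re.compile(r"^\d{3,}([ A-Za-z*]) (.*)$")


def parse_spool_header(text):
    """Parse an exim -H spool file as printed by `exim -Mvh <message id>`."""
    lines = text.splitlines()
    info = {
        "id": lines[0][:-2] if lines[0].endswith("-H") else lines[0],
        "login_uid_gid": lines[1].split(),          # submitting user, uid, gid
        "sender": lines[2].strip("<>"),             # envelope sender
        "options": {},                              # -received_protocol etc.
        "recipients": [],
        "headers": [],                              # [type, "Name: value"] in order
    }
    i = 4
    while i < len(lines) and lines[i].startswith("-"):
        key, _, value = lines[i][1:].partition(" ")
        info["options"][key] = value
        i += 1
    while not lines[i].isdigit():                   # skip non-recipient tree ("XX")
        i += 1
    count = int(lines[i])
    info["recipients"] = [l.split()[0] for l in lines[i + 1:i + 1 + count]]
    i += 1 + count
    if lines[i] != "":
        raise ValueError("expected blank line before the header block")
    for line in lines[i + 1:]:
        m = HEADER_START.match(line)
        if m:
            info["headers"].append([m.group(1), m.group(2)])
        elif info["headers"]:
            info["headers"][-1][1] += "\n" + line   # folded continuation line
    return info


def header(info, name):
    """Value of the first live (non-deleted) header with this name, or None."""
    for typ, text in info["headers"]:
        hname, _, value = text.partition(":")
        if typ != "*" and hname.strip().lower() == name.lower():
            return value.strip()
    return None


def originating_script(info):
    """(uid, script) from X-PHP-Originating-Script, or None if PHP did not add it."""
    value = header(info, "X-PHP-Originating-Script")
    if value is None:
        return None
    uid, _, script = value.partition(":")
    return int(uid), script


def describe(info):
    """One-line verdict: which user submitted it, how, and from which script."""
    proto = info["options"].get("received_protocol", "?")
    script = originating_script(info)
    where = f"script {script[1]} (uid {script[0]})" if script else "unknown script"
    return (f"{info['id']}: {proto} submission by {info['login_uid_gid'][0]} "
            f"as <{info['sender']}> from {where} to {len(info['recipients'])} rcpt(s)")


if __name__ == "__main__":
    import sys
    print(describe(parse_spool_header(
        sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SPOOL_HEADER)))
```

Pipe a queued message into it with `exim -Mvh <id> | python3 spool_header.py` (file name assumed). The script basename alone does not give the directory, which is why the `cwd=` log lines and the X-PHP-Originating-Script header are best read together; where the header is missing, `mail.add_x_header` was not on when the message was submitted, and enabling it only helps for messages sent afterwards.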