one account is sending spam with username @ hostname

Jaro747

Member
Jan 23, 2018
Polska
cPanel Access Level
Root Administrator
I have a problem.

One account is sending spam with username @ hostname.

The account has 20 WordPress sites.

How do I locate which page (script) is sending the spam?


example
Code:
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N <= [email protected] U=arp P=local S=1033 T="Page 2019 - 2 - Confidential details" for [email protected]
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N SMTP connection outbound 1603269199 1kV9Yd-00EdgE-8N arp.webinfocloud.pl [email protected]
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1603269200 k2si1527418wrq.533 - gsmtp"
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S <= [email protected] U=arp P=local S=1023 T="Page 2019 - Confidential details" for [email protected]
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S SMTP connection outbound 1603269219 1kV9Yx-00Edk5-8S arp.webinfocloud.pl [email protected]
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1603269220 j5si1562883wrq.31 - gsmtp"
2020-10-21 10:33:44 1kV9Z2-00Edkt-Kx <= [email protected] U=arp P=local S=1033 T="Page 2019 - 2 - Confidential details" for [email protected]
2020-10-21 10:33:44 1kV9Z2-00Edkt-Kx SMTP connection outbound 1603269224 1kV9Z2-00Edkt-Kx arp.webinfocloud.pl [email protected]
2020-10-21 10:33:45 1kV9Z2-00Edkt-Kx => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1603269225 o82si1554517wma.161 - gsmtp"
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I don't know how to find your problem, but have you considered changing the password on that email account?
It might save you from landing on an RBL in the meantime.
 

Jaro747

Member
Jan 23, 2018
Polska
cPanel Access Level
Root Administrator
> I don't know how to find your problem, but have you considered changing the password on that email account.
> It might save you from landing on an RBL in the mean time.
The email was sent from [email protected] (no such email account exists).


exigrep inixmidoo /var/log/exim_mainlog*

In the log there is no information about the script / file location:

Code:
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 <= [email protected] U=arp P=local S=1060 T="Page 2019 - Confidential details" for [email protected]
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 Sender identification U=arp D=arp.domain.pl S=arp
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 SMTP connection outbound 1603156489 1kUgEj-00Aya7-C4 arp.webinfocloud.pl [email protected]
2020-10-20 03:14:50 1kUgEj-00Aya7-C4 => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [<IPREMOVED>] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1603156490 j9si204179wrn.28 - gsmtp"
2020-10-20 03:14:50 1kUgEj-00Aya7-C4 Completed
 

andrew.n

Well-Known Member
Jun 9, 2020
EU
cPanel Access Level
Root Administrator
You should read the header of the email. You can do so with:

exim -Mvh 1kUgEj-00Aya7-C4
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
> You should read the header of the email. You can do so with:
>
> exim -Mvh 1kUgEj-00Aya7-C4
This will only work for messages stuck in the queue (messages that haven't been delivered yet). But you should be able to view some stats using the following:

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

This is something we use internally to quickly identify the source of spam mail.
 
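As an added example (not code from this thread or from cPanel's SSE tool), the following Python script applies the triage discussed above to Exim mainlog lines: it keeps only locally submitted arrivals (P=local, which is what PHP mail() on the box produces), groups them by Unix user and envelope sender, collects the queue ids you can pass to `exim -Mvh`, and flags the user@hostname sender pattern from the thread title. The sample log lines, addresses, hosts and queue ids are constructed placeholders, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Exim mainlog format shown in this thread.
# Addresses, hosts and queue ids are placeholders, not values from the thread.
SAMPLE_LOG = """\
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 <= arp@arp.example.test U=arp P=local S=1060 T="Page 2019 - Confidential details" for victim1@example.com
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 Sender identification U=arp D=arp.example.test S=arp
2020-10-20 03:14:50 1kUgEj-00Aya7-C4 => victim1@example.com R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.com [192.0.2.10] C="250 2.0.0 OK"
2020-10-20 03:14:50 1kUgEj-00Aya7-C4 Completed
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N <= arp@arp.example.test U=arp P=local S=1033 T="Page 2019 - 2 - Confidential details" for victim2@example.org
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S <= alice@example.test H=(client) [198.51.100.5] P=esmtpsa A=dovecot_login:alice@example.test S=700 T="hi" for bob@example.net
2020-10-21 11:00:00 1kVA0a-00Ee00-00 <= owner@shop.example.test U=shop P=local S=900 T="Your order" for customer@example.net
"""

ARRIVAL = re.compile(r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
FIELD = re.compile(r'(?P<k>[A-Z]+)=(?:"(?P<q>[^"]*)"|(?P<v>\S+))')

def summarize_local_senders(log_text, min_count=1):
    """Group locally submitted (P=local) arrivals by Unix user and envelope sender.
    default_sender is True when the sender's local part equals the Unix user, the
    user@hostname pattern a script gets when it sets no From address."""
    groups = defaultdict(lambda: {"count": 0, "subjects": set(), "ids": [], "default_sender": False})
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # not a message-arrival ("<=") line
        fields = {f.group("k"): f.group("q") if f.group("q") is not None else f.group("v")
                  for f in FIELD.finditer(m.group("rest"))}
        if fields.get("P") != "local":
            continue  # SMTP-submitted mail (P=esmtpsa etc.) is a different investigation
        user, sender = fields.get("U", "?"), m.group("sender")
        g = groups[(user, sender)]
        g["count"] += 1
        g["ids"].append(m.group("id"))
        g["default_sender"] = sender.split("@")[0] == user
        if fields.get("T"):
            g["subjects"].add(fields["T"])
    return {k: v for k, v in groups.items() if v["count"] >= min_count}

if __name__ == "__main__":
    summary = summarize_local_senders(SAMPLE_LOG)
    for (user, sender), g in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        flag = " (user@host sender: likely script default)" if g["default_sender"] else ""
        print(f"user={user} sender={sender} messages={g['count']}{flag}")
        print("  queue ids:", ", ".join(g["ids"]))
        for s in sorted(g["subjects"]):
            print("  subject:", s)
```

The queue ids only help while a message is still queued, as noted above; if PHP's `mail.add_x_header` setting is enabled, the headers shown by `exim -Mvh` also carry an `X-PHP-Originating-Script` header naming the script and uid that called mail().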