I have a problem where other people are using my server to send spam, I checked the email queue for some emails that are not on my server but are using it to send spam. I would like to know if there is any configuration in the WHM that defines that only those on the server can send from the server.
You most likely have a compromised email account password OR a comprised site that is sending spam. You'll need to look at the logs or the view email relayers report in WHM to get a handle on where it is coming from exactly.
In general, cPanel does only allow mail to be sent from authenticated users on your system or via php.
In general, cPanel does only allow mail to be sent from authenticated users on your system or via php.
I guess there are only 3 ways this can happen.
1. Compromised email accounts where the user name and passwords have been leaked.
2. A maalicious script somewhere on the server
3. Your server is an open relay.
Ideally you need to try and determine where these are coming from.
1. Compromised email accounts where the user name and passwords have been leaked.
2. A maalicious script somewhere on the server
3. Your server is an open relay.
Ideally you need to try and determine where these are coming from.
Every day from several emails, I have 154 domains. Whenever I change the password or block the sender's ip it stops sending but not for a long time it starts shooting from another account in the domain and this occurs in several domains.
I try the Mxtoolbox and he say :
SMTP Reverse DNS Mismatch OK - xx.xxx.xxx.xx resolves to host.xxxxxxxx.com.br
SMTP Valid Hostname OK - Reverse DNS is a valid Hostname
SMTP Banner Check OK - Reverse DNS matches SMTP Banner
SMTP TLS OK - Supports TLS.
SMTP Connection Time 0.687 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 3.502 seconds - Good on Transaction Time
I try the Mxtoolbox and he say :
SMTP Reverse DNS Mismatch OK - xx.xxx.xxx.xx resolves to host.xxxxxxxx.com.br
SMTP Valid Hostname OK - Reverse DNS is a valid Hostname
SMTP Banner Check OK - Reverse DNS matches SMTP Banner
SMTP TLS OK - Supports TLS.
SMTP Connection Time 0.687 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 3.502 seconds - Good on Transaction Time
I would start with view relayers kin WHM, and you can look at your mail queue in whm using mail queue manager. lastly the mail logs are at /var/log/exim_mainlog
But the problem is that they are using my domain to send e-mails and if I block the ip they use another one and if I block the e-mail they change the domain. I was wondering if there is any option to put that only whoever is on my server can send emails.
Can you please show me the headers of the email as well as the full transaction in the exim logs for one of them. You can get this information if you know the message ID (MID) and run the following:
exigrep <MID> /var/log/exim_mainlog
Have you changed the cPanel account password? I have worked on cases where the attackers have access to cPanel. They simply loop through the email accounts sending spam. When you change a password, they move onto a new account.
As @cPanelLauren says, you need to trace an email through your logs to see how it was injected into the system. If they are using a web form to inject the email, changing passwords will not help.
As @cPanelLauren says, you need to trace an email through your logs to see how it was injected into the system. If they are using a web form to inject the email, changing passwords will not help.
cPanelLauren
[email protected] has no auto response and did not send to [email protected]
[email protected] has no auto response and did not send to [email protected]
Code:
exigrep 1j1SPv-0000ii-8S /var/log/exim_mainlog
2020-02-11 07:05:19.832 [2782] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j1SPv-0000ii-8S
+++ 1j1SPv-0000ii-8S has not completed +++
2020-02-11 07:05:19.824 [2772] 1j1SPv-0000ii-8S <= [email protected] H=(BrunaPC) [201.27.XXX.XXX]:49209 I=[my server ip]:587 P=esmtpa L- A=dovecot_login:[email protected] S=2632 M8S=0 RT=0.558s [email protected] T="Lida: Rota Rastreamento - Seu Veiculo Monitorado 24H - [email protected]" from <[email protected]> for [email protected]
2020-02-11 07:05:19.853 [2782] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 07:05:19.854 [2782] 1j1SPv-0000ii-8S SMTP connection outbound 1581415519 1j1SPv-0000ii-8S domain.com.br [email protected]
2020-02-11 07:05:27.048 [2782] 1j1SPv-0000ii-8S == [email protected] R=lookuphost defer (-1): host lookup did not complete
2020-02-11 07:33:59.710 [19733] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 07:34:01.488 [19733] 1j1SPv-0000ii-8S == [email protected] R=lookuphost defer (-1): host lookup did not complete
2020-02-11 08:28:39.953 [8716] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 08:28:47.536 [8716] 1j1SPv-0000ii-8S == [email protected] R=lookuph:...skipping...
2020-02-11 07:05:19.832 [2782] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j1SPv-0000ii-8S
+++ 1j1SPv-0000ii-8S has not completed +++
2020-02-11 07:05:19.824 [2772] 1j1SPv-0000ii-8S <= [email protected] H=(BrunaPC) [201.27.XXX.XXX]:49209 I=[my server ip]:587 P=esmtpa L- A=dovecot_login:[email protected] S=2632 M8S=0 RT=0.558s [email protected] T="Lida: Rota Rastreamento - Seu Veiculo Monitorado 24H - [email protected]" from <[email protected]> for [email protected]
2020-02-11 07:05:19.853 [2782] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 07:05:19.854 [2782] 1j1SPv-0000ii-8S SMTP connection outbound 1581415519 1j1SPv-0000ii-8S domain.com.br [email protected]
2020-02-11 07:05:27.048 [2782] 1j1SPv-0000ii-8S == [email protected] R=lookuphost defer (-1): host lookup did not complete
2020-02-11 07:33:59.710 [19733] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 07:34:01.488 [19733] 1j1SPv-0000ii-8S == [email protected] R=lookuphost defer (-1): host lookup did not complete
2020-02-11 08:28:39.953 [8716] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 08:28:47.536 [8716] 1j1SPv-0000ii-8S == [email protected] R=lookuphost defer (-1): host lookup did not complete
Last edited by a moderator:
This transaction looks like [email protected] is authenticating with your server using dovecot from the host named BrunaPC (the local PC name is used when accessing using a mail client like Outlook or Thunderbird)
and attempting to send mail to [email protected] but the host lookup isn't completing, meaning that the server isn't able to resolve the domain, this can be a result of a couple of things but in this instance its a result of the domain actually not resolving to an IP address (I performed a dig query on the domain before removing it)
This transaction does not show any behavior that based on the information you've provided thus far would lead me to believe there is some sort of issue on your server. This doesn't look like spam nor does it appear to be malicious.
Code:
2020-02-11 07:05:19.824 [2772] 1j1SPv-0000ii-8S <= [email protected] H=(BrunaPC) [201.27.XXX.XXX]:49209 I=[my server ip]:587 P=esmtpa L- A=dovecot_login:[email protected] S=2632 M8S=0 RT=0.558s [email protected] T="Lida: Rota Rastreamento - Seu Veiculo Monitorado 24H - [email protected]" from <[email protected]> for [email protected]This transaction does not show any behavior that based on the information you've provided thus far would lead me to believe there is some sort of issue on your server. This doesn't look like spam nor does it appear to be malicious.
I have another information:
***From Moderator:***
Please See In Progress - Guide To Opening An Effective Forums Thread for what kind of information is necessary - remove any actual email addresses.
***From Moderator:***
Please See In Progress - Guide To Opening An Effective Forums Thread for what kind of information is necessary - remove any actual email addresses.
Last edited by a moderator:
