Other servers using my server to send emails

Operating System & Version
CLOUDLINUX 7.7 [host]
cPanel & WHM Version
v84.0.21

hugowhs

Member
Aug 14, 2019
7
0
1
Brazil
cPanel Access Level
Root Administrator
I have a problem where other people are using my server to send spam, I checked the email queue for some emails that are not on my server but are using it to send spam. I would like to know if there is any configuration in the WHM that defines that only those on the server can send from the server.
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,754
315
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
You most likely have a compromised email account password OR a comprised site that is sending spam. You'll need to look at the logs or the view email relayers report in WHM to get a handle on where it is coming from exactly.

In general, cPanel does only allow mail to be sent from authenticated users on your system or via php.
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
I guess there are only 3 ways this can happen.

1. Compromised email accounts where the user name and passwords have been leaked.
2. A maalicious script somewhere on the server
3. Your server is an open relay.

Ideally you need to try and determine where these are coming from.
 

hugowhs

Member
Aug 14, 2019
7
0
1
Brazil
cPanel Access Level
Root Administrator
Every day from several emails, I have 154 domains. Whenever I change the password or block the sender's ip it stops sending but not for a long time it starts shooting from another account in the domain and this occurs in several domains.

I try the Mxtoolbox and he say :


SMTP Reverse DNS Mismatch OK - xx.xxx.xxx.xx resolves to host.xxxxxxxx.com.br
SMTP Valid Hostname OK - Reverse DNS is a valid Hostname
SMTP Banner Check OK - Reverse DNS matches SMTP Banner
SMTP TLS OK - Supports TLS.
SMTP Connection Time 0.687 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 3.502 seconds - Good on Transaction Time
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,754
315
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
I would start with view relayers kin WHM, and you can look at your mail queue in whm using mail queue manager. lastly the mail logs are at /var/log/exim_mainlog
 

hugowhs

Member
Aug 14, 2019
7
0
1
Brazil
cPanel Access Level
Root Administrator
But the problem is that they are using my domain to send e-mails and if I block the ip they use another one and if I block the e-mail they change the domain. I was wondering if there is any option to put that only whoever is on my server can send emails.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Can you please show me the headers of the email as well as the full transaction in the exim logs for one of them. You can get this information if you know the message ID (MID) and run the following:

exigrep <MID> /var/log/exim_mainlog
 

rackaid

Well-Known Member
Jan 18, 2003
89
28
168
Jacksonville, FL
cPanel Access Level
DataCenter Provider
Have you changed the cPanel account password? I have worked on cases where the attackers have access to cPanel. They simply loop through the email accounts sending spam. When you change a password, they move onto a new account.

As @cPanelLauren says, you need to trace an email through your logs to see how it was injected into the system. If they are using a web form to inject the email, changing passwords will not help.
 

hugowhs

Member
Aug 14, 2019
7
0
1
Brazil
cPanel Access Level
Root Administrator
cPanelLauren


[email protected] has no auto response and did not send to [email protected]

Code:
exigrep 1j1SPv-0000ii-8S /var/log/exim_mainlog

2020-02-11 07:05:19.832 [2782] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j1SPv-0000ii-8S

+++ 1j1SPv-0000ii-8S has not completed +++
2020-02-11 07:05:19.824 [2772] 1j1SPv-0000ii-8S <= [email protected] H=(BrunaPC) [201.27.XXX.XXX]:49209 I=[my server ip]:587 P=esmtpa L- A=dovecot_login:[email protected] S=2632 M8S=0 RT=0.558s [email protected] T="Lida: Rota Rastreamento - Seu Veiculo Monitorado 24H - [email protected]" from <[email protected]> for [email protected]
2020-02-11 07:05:19.853 [2782] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 07:05:19.854 [2782] 1j1SPv-0000ii-8S SMTP connection outbound 1581415519 1j1SPv-0000ii-8S domain.com.br [email protected]
2020-02-11 07:05:27.048 [2782] 1j1SPv-0000ii-8S == [email protected] R=lookuphost defer (-1): host lookup did not complete
2020-02-11 07:33:59.710 [19733] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 07:34:01.488 [19733] 1j1SPv-0000ii-8S == [email protected] R=lookuphost defer (-1): host lookup did not complete
2020-02-11 08:28:39.953 [8716] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 08:28:47.536 [8716] 1j1SPv-0000ii-8S == [email protected] R=lookuph:...skipping...
2020-02-11 07:05:19.832 [2782] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j1SPv-0000ii-8S

+++ 1j1SPv-0000ii-8S has not completed +++
2020-02-11 07:05:19.824 [2772] 1j1SPv-0000ii-8S <= [email protected] H=(BrunaPC) [201.27.XXX.XXX]:49209 I=[my server ip]:587 P=esmtpa L- A=dovecot_login:[email protected] S=2632 M8S=0 RT=0.558s [email protected] T="Lida: Rota Rastreamento - Seu Veiculo Monitorado 24H - [email protected]" from <[email protected]> for [email protected]
2020-02-11 07:05:19.853 [2782] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 07:05:19.854 [2782] 1j1SPv-0000ii-8S SMTP connection outbound 1581415519 1j1SPv-0000ii-8S domain.com.br [email protected]
2020-02-11 07:05:27.048 [2782] 1j1SPv-0000ii-8S == [email protected] R=lookuphost defer (-1): host lookup did not complete
2020-02-11 07:33:59.710 [19733] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 07:34:01.488 [19733] 1j1SPv-0000ii-8S == [email protected] R=lookuphost defer (-1): host lookup did not complete
2020-02-11 08:28:39.953 [8716] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br [email protected]
2020-02-11 08:28:47.536 [8716] 1j1SPv-0000ii-8S == [email protected] R=lookuphost defer (-1): host lookup did not complete
 
Last edited by a moderator:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
This transaction looks like [email protected] is authenticating with your server using dovecot from the host named BrunaPC (the local PC name is used when accessing using a mail client like Outlook or Thunderbird)

Code:
2020-02-11 07:05:19.824 [2772] 1j1SPv-0000ii-8S <= [email protected] H=(BrunaPC) [201.27.XXX.XXX]:49209 I=[my server ip]:587 P=esmtpa L- A=dovecot_login:[email protected] S=2632 M8S=0 RT=0.558s [email protected] T="Lida: Rota Rastreamento - Seu Veiculo Monitorado 24H - [email protected]" from <[email protected]> for [email protected]
and attempting to send mail to [email protected] but the host lookup isn't completing, meaning that the server isn't able to resolve the domain, this can be a result of a couple of things but in this instance its a result of the domain actually not resolving to an IP address (I performed a dig query on the domain before removing it)

This transaction does not show any behavior that based on the information you've provided thus far would lead me to believe there is some sort of issue on your server. This doesn't look like spam nor does it appear to be malicious.