Outgoing Email Spam Issue

[liamwestcoast]

Hi guys,

I've recently had a huge issue with a bunch of outgoing email spam. It looks like I have a new noisy neighbor, but I have absolutely unable to identify them. I've been pulling my hair out and have tried everything I can think of but nothing is working. Just to recap, some things I've done are:

- Ran a clamscan
- Bought CXS and ran that
- Enabled SpamAssassin (I don't think this does much more outgoing emails, though)
- Read & followed the official cPanel guide for "Preventing SMTP Abuse"
- Prevent sending mail as "nobody"
- Severely ratelimited the sending mails per hour for all accounts
- Disabled mail() in PHP
- Changed the exim flag to +all for more information in the email headers

The only reason I know the spam is still being sent out is because my datacenter is sending me dozens of new Spamcop reports every day.

At the bottom of this post is a copy of one of the SpamCop reports on one of my server's IP - [Removed]

The relevant lines are:
[Removed]
So this is the domain/email/whatever the spammer is using to send them.

If I search for [Removed] in my Mail Delivery Reports, there are zero results. However they're sending mail, it's not properly showing up in any of the tools WHM provides to view mail.

If I head over to the "View Sent Summary" section to see which clients have the highest send rates, most domains are around 20-30 mails (average) except for the -remote- user who has 5 successfully sent and 483 failed & deferred messages.

If I open /var/log/exim_mainlog and search for " [Removed]", there are 0 results found.

At this point, I'm looking for assistance on either how 1) I can disable mail system-wide except for a whitelist of accounts that I manually approve, or 2) how to identify this darn spammer!

Thank you so much!


[Removed]

 

[24x7server]

Hi,

There could be possibility that someone from your machine is sending mail through a script that is authenticating a mail account. Please have a look again at the /var/log/exim_mainlog file and search in public_html in it and see if you see any area from where the mails are going out from your server..

 

[liamwestcoast]

Hey, thanks so much for the reply! /var/log/exim_mainlog contains no information about the email at all - like I said in the OP if I try to search for the domain it returns no results.

 

[webhostuk]

Even check if email account or accounts are not compromised , try changing the password for the accounts that are sending emails.

 

[cPanelMichael]

Hello @liamwestcoast,

Here are some commands you can use to help determine where the SPAM is coming from:

1. This command will search for messages sent via a script, and sort from highest to lowest:

grep -hoP "(?<=cwd=)/[^ ]+" /var/log/exim_mainlog | sort | uniq -c | sort -nr

2. This command will search for messages sent via SMTP and sort from highest to lowest:

grep -ho "A=\(.*\)\(@\|+\)\(.*\) S=" /var/log/exim_mainlog-* | sed 's/ S\=//g; s/A\=\(.*\)\://g; /\(.*\)P=\(.*\)/d' | sort | uniq -c | sort -nr

3. This command will help to search for messages sent with SMTP from localhost (without authentication):

grep authenticated_local_user /var/log/exim_mainlog|grep -oP '(?<=U=)[^ ]+'|sort|uniq -c|sort -nr

Thank you.

 

[liamwestcoast]

Thanks a bunch for the reply, I really appreciate your help.

I've ran these three commands and unfortunately the results don't seem very helpful. The second command you suggested (to search for messages sent from SMTP) does not return any results.

[[email protected] ~]# grep -hoP "(?<=cwd=)/[^ ]+" /var/log/exim_mainlog | sort | uniq -c | sort -nr
    880 /etc/csf
    676 /var/spool/exim
      9 /root
      3 /usr/local/cpanel/whostmgr/docroot

[[email protected] ~]# grep authenticated_local_user /var/log/exim_mainlog|grep -oP '(?<=U=)[^ ]+'|sort|uniq -c|sort -nr
    140 root

 

[cPanelMichael]

Hello,

Could you provide some more information about one of the offending messages? The initial message was removed because it included real domain names and IP addresses. You can paste the output in CODE tags, and ensure to remove real domain names and any actual URLs.

Thank you.

 

[liamwestcoast]

Sure thing! I tried to edit the original post to clean up some information (so it's not [Removed] everywhere), but I'm unable to since it says I'm posting "spam".

Anyway, here's a redacted SpamCop report. I've added "MYSERVERSIP" where the IP matches my WHM's server.

[ SpamCop V4.8.6 ]
This message is brief for your comfort.  Please use links below for details.

Email from MYSERVERSIP / Tue, 11 Jul 2017 02:46:40 -0700

[ Offending message ]
DomainKey-Status: good
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on x
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE,T_REMOTE_IMAGE autolearn=no
autolearn_force=no version=3.4.0
X-Original-To: x
Delivered-To: x
Received: from x (unknown [MYSERVERSIP])
by x (Postfix) with ESMTP id 64FA82B755
for <x>; Tue, 11 Jul 2017 02:46:40 -0700 (PDT)
Received-SPF: none (no valid SPF record)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=x;
h=Mime-Version:Content-Type:Date:From:Reply-To:Subject:To:Message-ID; [email protected];
bh=Xz9c9NBVi7N/ZmcL4WmTbmETQAg=;
b=khA/t9BxjHZhvn/wmPkfXB+zuhTG0GR2Op65R/UXTgE5DjmWraBZ40/rPqHGlCV3w60UEOfE7BLe
  qfrD+qnj0StFHJXI0PekXqIEnvutllTFxP3dIrszU+ofjZOvWWhhTVop5PwfPbHVW6UDcEqPkThJ
  kmR2daV0IlLMaXt5RLg=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=x;
b=oV62gIlql1RSl2t0EaxzGuS97Z5HpdJ7i+Hx25Hne/16aj2bVGn1mIxxtrmpFR6JSe61qRXgw+Ks
  enf7LSf7zGugpwFyCOht6YjRXpdKKp35j9Mtm1ufU2DQ8a7joru4dJLYjamfIdRfjjphe3hWrsXS
  dj/kTAzXL4p1tUyx7rY=;
Mime-Version: 1.0
X-Content-Type: multipart/alternative; boundary="970c7196d55315bef6540a7549ed0622"
Date: Tue, 11 Jul 2017 05:31:39 -0400
From: "15 days Secret" < Balance Problems are [email protected]>
Reply-To: " Balance Problems are Gone" <Fear Of [email protected]>
Subject: Follow this simple protocol and your balance problems are gone
To: <x>
Message-ID: <[email protected]>
Content-Type: text/html
X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)

xxxxxxx

<p>&nbsp;</p>
</td>
</tr>
</tbody>
</table>
&nbsp;

<p align="center"><a href="xx" target="_blank"><img alt="xx" src="xx" /></a>
<style type="text/css">xxx
</style>
</p>
<br />
<br />
&nbsp;
<p align="center"><a href="xxx" /></a></p>
</body>
</html>

 

[cPanelMichael]

Received: from x (unknown [MYSERVERSIP])

Does this line give you any indication about the account used to send the email?

Thank you.

 

[liamwestcoast]

Hi,

This line contains a domain. The domain is different for each abuse report, so there's dozens of domains that they're sending from total. I've searched all mail logs on the WHM web interface, as well as searched the exim mainlog for any mention of the malicious domains, but there are zero occurrences at all!

 

[cPanelMichael]

Hello,

Investigating the source of SPAM is generally outside our scope of support, but feel free to open a support ticket using the link in my signature if you'd like us to take a quick look to see if there's any obvious signs of where the source of the SPAM is coming from.

Thank you.

 

[liamwestcoast]

Thank you, I'll open a ticket later and update this thread in the future if I/we find a solution!