Outgoing Email Spam Issue

Hi guys,

I've recently had a huge issue with a bunch of outgoing email spam. It looks like I have a new noisy neighbor, but I have absolutely unable to identify them. I've been pulling my hair out and have tried everything I can think of but nothing is working. Just to recap, some things I've done are:

- Ran a clamscan
- Bought CXS and ran that
- Enabled SpamAssassin (I don't think this does much more outgoing emails, though)
- Read & followed the official cPanel guide for "Preventing SMTP Abuse"
- Prevent sending mail as "nobody"
- Severely ratelimited the sending mails per hour for all accounts
- Disabled mail() in PHP
- Changed the exim flag to +all for more information in the email headers

The only reason I know the spam is still being sent out is because my datacenter is sending me dozens of new Spamcop reports every day.

At the bottom of this post is a copy of one of the SpamCop reports on one of my server's IP - [Removed]

The relevant lines are:
[Removed]
So this is the domain/email/whatever the spammer is using to send them.

If I search for [Removed] in my Mail Delivery Reports, there are zero results. However they're sending mail, it's not properly showing up in any of the tools WHM provides to view mail.

If I head over to the "View Sent Summary" section to see which clients have the highest send rates, most domains are around 20-30 mails (average) except for the -remote- user who has 5 successfully sent and 483 failed & deferred messages.

If I open /var/log/exim_mainlog and search for " [Removed]", there are 0 results found.

At this point, I'm looking for assistance on either how 1) I can disable mail system-wide except for a whitelist of accounts that I manually approve, or 2) how to identify this darn spammer!

Thank you so much!


[Removed]

 

Hey, thanks so much for the reply! /var/log/exim_mainlog contains no information about the email at all - like I said in the OP if I try to search for the domain it returns no results.

 

Thanks a bunch for the reply, I really appreciate your help.

I've ran these three commands and unfortunately the results don't seem very helpful. The second command you suggested (to search for messages sent from SMTP) does not return any results.

Code:

[[email protected] ~]# grep -hoP "(?<=cwd=)/[^ ]+" /var/log/exim_mainlog | sort | uniq -c | sort -nr
    880 /etc/csf
    676 /var/spool/exim
      9 /root
      3 /usr/local/cpanel/whostmgr/docroot

Code:

[[email protected] ~]# grep authenticated_local_user /var/log/exim_mainlog|grep -oP '(?<=U=)[^ ]+'|sort|uniq -c|sort -nr
    140 root

 

Sure thing! I tried to edit the original post to clean up some information (so it's not [Removed] everywhere), but I'm unable to since it says I'm posting "spam".

Anyway, here's a redacted SpamCop report. I've added "MYSERVERSIP" where the IP matches my WHM's server.

Code:

[ SpamCop V4.8.6 ]
This message is brief for your comfort.  Please use links below for details.

Email from MYSERVERSIP / Tue, 11 Jul 2017 02:46:40 -0700

[ Offending message ]
DomainKey-Status: good
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on x
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE,T_REMOTE_IMAGE autolearn=no
autolearn_force=no version=3.4.0
X-Original-To: x
Delivered-To: x
Received: from x (unknown [MYSERVERSIP])
by x (Postfix) with ESMTP id 64FA82B755
for <x>; Tue, 11 Jul 2017 02:46:40 -0700 (PDT)
Received-SPF: none (no valid SPF record)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=x;
h=Mime-Version:Content-Type:Date:From:Reply-To:Subject:To:Message-ID; [email protected];
bh=Xz9c9NBVi7N/ZmcL4WmTbmETQAg=;
b=khA/t9BxjHZhvn/wmPkfXB+zuhTG0GR2Op65R/UXTgE5DjmWraBZ40/rPqHGlCV3w60UEOfE7BLe
  qfrD+qnj0StFHJXI0PekXqIEnvutllTFxP3dIrszU+ofjZOvWWhhTVop5PwfPbHVW6UDcEqPkThJ
  kmR2daV0IlLMaXt5RLg=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=x;
b=oV62gIlql1RSl2t0EaxzGuS97Z5HpdJ7i+Hx25Hne/16aj2bVGn1mIxxtrmpFR6JSe61qRXgw+Ks
  enf7LSf7zGugpwFyCOht6YjRXpdKKp35j9Mtm1ufU2DQ8a7joru4dJLYjamfIdRfjjphe3hWrsXS
  dj/kTAzXL4p1tUyx7rY=;
Mime-Version: 1.0
X-Content-Type: multipart/alternative; boundary="970c7196d55315bef6540a7549ed0622"
Date: Tue, 11 Jul 2017 05:31:39 -0400
From: "15 days Secret" < Balance Problems are [email protected]>
Reply-To: " Balance Problems are Gone" <Fear Of [email protected]>
Subject: Follow this simple protocol and your balance problems are gone
To: <x>
Message-ID: <[email protected]>
Content-Type: text/html
X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)

xxxxxxx

<p>&nbsp;</p>
</td>
</tr>
</tbody>
</table>
&nbsp;

<p align="center"><a href="xx" target="_blank"><img alt="xx" src="xx" /></a>
<style type="text/css">xxx
</style>
</p>
<br />
<br />
&nbsp;
<p align="center"><a href="xxx" /></a></p>
</body>
</html>

 

Hi,

This line contains a domain. The domain is different for each abuse report, so there's dozens of domains that they're sending from total. I've searched all mail logs on the WHM web interface, as well as searched the exim mainlog for any mention of the malicious domains, but there are zero occurrences at all!

 

Thank you, I'll open a ticket later and update this thread in the future if I/we find a solution!