
Outgoing Email Spam Issue

Discussion in 'E-mail Discussions' started by liamwestcoast, Jul 11, 2017.

  1. liamwestcoast

    liamwestcoast Member

    Joined:
    Jul 11, 2017
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Los Angeles
    cPanel Access Level:
    Root Administrator
    Hi guys,

    I've recently had a huge issue with a bunch of outgoing email spam. It looks like I have a new noisy neighbor, but I have been absolutely unable to identify them. I've been pulling my hair out and have tried everything I can think of, but nothing is working. Just to recap, some things I've done are:

    - Ran a clamscan
    - Bought CXS and ran that
    - Enabled SpamAssassin (I don't think this does much for outgoing emails, though)
    - Read & followed the official cPanel guide for "Preventing SMTP Abuse"
    - Prevent sending mail as "nobody"
    - Severely ratelimited the sending mails per hour for all accounts
    - Disabled mail() in PHP
    - Changed the exim flag to +all for more information in the email headers

    The only reason I know the spam is still being sent out is because my datacenter is sending me dozens of new Spamcop reports every day.

    At the bottom of this post is a copy of one of the SpamCop reports on one of my server's IP - [Removed]

    The relevant lines are:
    [Removed]
    So this is the domain/email/whatever the spammer is using to send them.

    If I search for [Removed] in my Mail Delivery Reports, there are zero results. However they're sending mail, it's not properly showing up in any of the tools WHM provides to view mail.

    If I head over to the "View Sent Summary" section to see which clients have the highest send rates, most domains are around 20-30 mails (average) except for the -remote- user who has 5 successfully sent and 483 failed & deferred messages.

    If I open /var/log/exim_mainlog and search for " [Removed]", there are 0 results found.

    At this point, I'm looking for assistance on either how 1) I can disable mail system-wide except for a whitelist of accounts that I manually approve, or 2) how to identify this darn spammer!

    Thank you so much!


    [Removed]
     
    #1 liamwestcoast, Jul 11, 2017
    Last edited by a moderator: Jul 11, 2017
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,484
    Likes Received:
    60
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    There could be a possibility that someone on your machine is sending mail through a script that is authenticating a mail account. Please have another look at the /var/log/exim_mainlog file and search for public_html in it to see if there is any area from where the mails are going out of your server.
     
  3. liamwestcoast

    liamwestcoast Member

    Joined:
    Jul 11, 2017
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Los Angeles
    cPanel Access Level:
    Root Administrator
    Hey, thanks so much for the reply! /var/log/exim_mainlog contains no information about the email at all - like I said in the OP if I try to search for the domain it returns no results.
     
  4. webhostuk

    webhostuk Well-Known Member

    Joined:
    Sep 11, 2013
    Messages:
    112
    Likes Received:
    11
    Trophy Points:
    18
    cPanel Access Level:
    Website Owner
    Also check that the email account or accounts are not compromised; try changing the password for the accounts that are sending emails.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @liamwestcoast,

    Here are some commands you can use to help determine where the SPAM is coming from:

    1. This command will search for messages sent via a script, and sort from highest to lowest:

    Code:
    grep -hoP "(?<=cwd=)/[^ ]+" /var/log/exim_mainlog | sort | uniq -c | sort -nr
    2. This command will search for messages sent via SMTP and sort from highest to lowest:

    Code:
    grep -ho "A=\(.*\)\(@\|+\)\(.*\) S=" /var/log/exim_mainlog-* | sed 's/ S\=//g; s/A\=\(.*\)\://g; /\(.*\)P=\(.*\)/d' | sort | uniq -c | sort -nr
    3. This command will help to search for messages sent with SMTP from localhost (without authentication):

    Code:
    grep authenticated_local_user /var/log/exim_mainlog|grep -oP '(?<=U=)[^ ]+'|sort|uniq -c|sort -nr
    Thank you.
     
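    As an added example (not part of the thread and not cPanel's own tooling): a small Python script that does what the three greps above do in one pass over a mainlog, plus the public_html check suggested earlier in the thread. The log lines embedded in it are constructed to mirror Exim's mainlog format with cwd logging and cPanel-style A= authenticator tags; the paths, accounts and IPs are made up.

```python
"""Aggregate an Exim mainlog by the three sender attributions used in the thread.

Added example, not cPanel's code. The sample log below is constructed.
"""
import re
import sys
from collections import Counter

# Constructed sample log (not real data): Exim mainlog with cwd logging and
# cPanel-style A= authenticator tags. Paths, accounts and IPs are made up.
SAMPLE_LOG = """\
2017-07-11 02:46:40 cwd=/home/acct1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-07-11 02:46:40 1dUuFk-0003Qw-7m <= nobody@host.example U=nobody P=local S=1532 A=authenticated_local_user:nobody T="Follow this" from <nobody@host.example> for victim@example.net
2017-07-11 02:46:41 cwd=/home/acct1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-07-11 02:46:41 1dUuFl-0003R0-Ab <= nobody@host.example U=nobody P=local S=1540 A=authenticated_local_user:nobody T="Secret" from <nobody@host.example> for victim2@example.net
2017-07-11 02:46:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1dUuFk-0003Qw-7m
2017-07-11 02:50:00 1dUuJO-0003Rz-Qx <= user@acct2.example H=(laptop) [203.0.113.5] P=esmtpsa X=TLS1.2 A=dovecot_login:user@acct2.example S=2048 T="Invoice" from <user@acct2.example> for client@example.org
2017-07-11 02:50:10 1dUuJY-0003S4-Pq <= user@acct2.example H=(laptop) [203.0.113.5] P=esmtpsa X=TLS1.2 A=dovecot_login:user@acct2.example S=2100 T="Re: Invoice" from <user@acct2.example> for client@example.org
2017-07-11 02:51:00 1dUuKM-0003SB-Lm <= root@host.example U=root P=local S=800 A=authenticated_local_user:root T="cron" from <root@host.example> for root@host.example
"""

CWD_RE = re.compile(r"\bcwd=(/\S*)")           # command 1: (?<=cwd=)/[^ ]+
AUTH_RE = re.compile(r"\bA=([A-Za-z_]+:\S+)")   # command 2: A=authenticator:login
LOCAL_USER_RE = re.compile(r"\bU=(\S+)")        # command 3: (?<=U=)[^ ]+


def count_script_dirs(lines):
    """Command 1: working directory of every process that invoked sendmail/exim."""
    counts = Counter()
    for line in lines:
        m = CWD_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def count_smtp_senders(lines):
    """Command 2: authenticated SMTP submissions, keyed by authenticator:login."""
    counts = Counter()
    for line in lines:
        # Only message-arrival lines ("<=") that did not come in via P=local.
        if " <= " not in line or "P=local" in line:
            continue
        m = AUTH_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def count_local_users(lines):
    """Command 3: local (non-SMTP) submissions, keyed by the Unix user in U=."""
    counts = Counter()
    for line in lines:
        if "authenticated_local_user" not in line:
            continue
        m = LOCAL_USER_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def web_writable_dirs(script_dirs):
    """Flag cwd entries under a customer's web root, the public_html check from the thread."""
    return {d: n for d, n in script_dirs.items() if "/public_html" in d}


def triage(log_text, top=5):
    """Return the top-N entries for each of the three views plus the web-root flags."""
    lines = log_text.splitlines()
    dirs = count_script_dirs(lines)
    return {
        "script_dirs": dirs.most_common(top),
        "smtp_senders": count_smtp_senders(lines).most_common(top),
        "local_users": count_local_users(lines).most_common(top),
        "web_dirs": web_writable_dirs(dirs),
    }


if __name__ == "__main__":
    # Pipe the current and rotated logs in together, e.g.
    #   cat /var/log/exim_mainlog /var/log/exim_mainlog-* | python3 triage.py
    # Without piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for section, rows in triage(text).items():
        print(section)
        for key, n in (rows.items() if isinstance(rows, dict) else rows):
            print(f"  {n:6d} {key}")
```

    The script reads the log from stdin so the live file and its rotated copies can be fed together (the second grep above looks only at the rotated exim_mainlog-* files, which returns nothing until a rotation has happened). Any cwd under public_html in the first view is the place to look first for a script dropping mail.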
  6. liamwestcoast

    liamwestcoast Member

    Joined:
    Jul 11, 2017
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Los Angeles
    cPanel Access Level:
    Root Administrator
    Thanks a bunch for the reply, I really appreciate your help.

    I've run these three commands and unfortunately the results don't seem very helpful. The second command you suggested (to search for messages sent from SMTP) does not return any results.

    Code:
    [root@hostname ~]# grep -hoP "(?<=cwd=)/[^ ]+" /var/log/exim_mainlog | sort | uniq -c | sort -nr
        880 /etc/csf
        676 /var/spool/exim
          9 /root
          3 /usr/local/cpanel/whostmgr/docroot
    Code:
    [root@hostname ~]# grep authenticated_local_user /var/log/exim_mainlog|grep -oP '(?<=U=)[^ ]+'|sort|uniq -c|sort -nr
        140 root
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you provide some more information about one of the offending messages? The initial message was removed because it included real domain names and IP addresses. You can paste the output in CODE tags, and be sure to remove real domain names and any actual URLs.

    Thank you.
     
  8. liamwestcoast

    liamwestcoast Member

    Joined:
    Jul 11, 2017
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Los Angeles
    cPanel Access Level:
    Root Administrator
    Sure thing! I tried to edit the original post to clean up some information (so it's not [Removed] everywhere), but I'm unable to since it says I'm posting "spam".

    Anyway, here's a redacted SpamCop report. I've added "MYSERVERSIP" where the IP matches my WHM's server.

    Code:
    [ SpamCop V4.8.6 ]
    This message is brief for your comfort.  Please use links below for details.
    
    Email from MYSERVERSIP / Tue, 11 Jul 2017 02:46:40 -0700
    
    [ Offending message ]
    DomainKey-Status: good
    Return-Path: <7432-118-20528732-1395-jmelnick=x@x>
    X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on x
    X-Spam-Level: 
    X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE,T_REMOTE_IMAGE autolearn=no
    autolearn_force=no version=3.4.0
    X-Original-To: x
    Delivered-To: x
    Received: from x (unknown [MYSERVERSIP])
    by x (Postfix) with ESMTP id 64FA82B755
    for <x>; Tue, 11 Jul 2017 02:46:40 -0700 (PDT)
    Received-SPF: none (no valid SPF record)
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=x;
    h=Mime-Version:Content-Type:Date:From:Reply-To:Subject:To:Message-ID; i=BalanceProblemsareGone@x;
    bh=Xz9c9NBVi7N/ZmcL4WmTbmETQAg=;
    b=khA/t9BxjHZhvn/wmPkfXB+zuhTG0GR2Op65R/UXTgE5DjmWraBZ40/rPqHGlCV3w60UEOfE7BLe
      qfrD+qnj0StFHJXI0PekXqIEnvutllTFxP3dIrszU+ofjZOvWWhhTVop5PwfPbHVW6UDcEqPkThJ
      kmR2daV0IlLMaXt5RLg=
    DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=x;
    b=oV62gIlql1RSl2t0EaxzGuS97Z5HpdJ7i+Hx25Hne/16aj2bVGn1mIxxtrmpFR6JSe61qRXgw+Ks
      enf7LSf7zGugpwFyCOht6YjRXpdKKp35j9Mtm1ufU2DQ8a7joru4dJLYjamfIdRfjjphe3hWrsXS
      dj/kTAzXL4p1tUyx7rY=;
    Mime-Version: 1.0
    X-Content-Type: multipart/alternative; boundary="970c7196d55315bef6540a7549ed0622"
    Date: Tue, 11 Jul 2017 05:31:39 -0400
    From: "15 days Secret" < Balance Problems are Gone@x>
    Reply-To: " Balance Problems are Gone" <Fear Of Failing@x>
    Subject: Follow this simple protocol and your balance problems are gone
    To: <x>
    Message-ID: <iopw_________________________________3e5c@x>
    Content-Type: text/html
    X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)
    
    xxxxxxx
    
    <p>&nbsp;</p>
    </td>
    </tr>
    </tbody>
    </table>
    &nbsp;
    
    <p align="center"><a href="xx" target="_blank"><img alt="xx" src="xx" /></a>
    <style type="text/css">xxx
    </style>
    </p>
    <br />
    <br />
    &nbsp;
    <p align="center"><a href="xxx" /></a></p>
    </body>
    </html>
    
     
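    Added example, not from the thread: a Python header-triage script for a redacted report like the one above. It pulls out the values that can actually be grepped for in the Exim logs (the Message-ID, which Exim records on its "<=" line as id=... without the angle brackets; the envelope sender from Return-Path; the DKIM selector and domain) and parses the Received chain. The embedded report is a constructed copy of the redacted one above with only a few headers kept and made-up values. It also records how many Received hops the report shows: here there is a single one, added by the recipient's Postfix when it accepted the message directly from MYSERVERSIP, whereas a message relayed by the local Exim would normally carry a further Received header beneath it, so that count is worth noting alongside the empty log searches.

```python
"""Extract log-search pivots from a redacted SpamCop report's headers.

Added example, not from the thread. The report below is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed, redacted report in the shape of the one posted in the thread
# (domains replaced with x, server IP with MYSERVERSIP); values are not real.
SAMPLE_REPORT = """\
[ SpamCop V4.8.6 ]
This message is brief for your comfort.  Please use links below for details.

Email from MYSERVERSIP / Tue, 11 Jul 2017 02:46:40 -0700

[ Offending message ]
Return-Path: <7432-118-20528732-1395-jmelnick=x@x>
Received: from x (unknown [MYSERVERSIP])
    by x (Postfix) with ESMTP id 64FA82B755
    for <x>; Tue, 11 Jul 2017 02:46:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=x;
    h=Mime-Version:Content-Type:Date:From; i=BalanceProblemsareGone@x;
    bh=Xz9c9NBVi7N/ZmcL4WmTbmETQAg=;
    b=khA/t9Bx...=
From: "15 days Secret" <BalanceProblemsareGone@x>
Subject: Follow this simple protocol and your balance problems are gone
Message-ID: <iopw_3e5c@x>
Content-Type: text/html

<html>redacted body</html>
"""

MARKER = "[ Offending message ]"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[([^\]]+)\]")


def offending_message(report):
    """Return the message after the SpamCop marker as a parsed email object."""
    start = report.index(MARKER) + len(MARKER)
    return message_from_string(report[start:].lstrip("\n"))


def received_hops(msg):
    """Parse each Received header (topmost first) into from/ip/by fields."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())  # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "")
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None, "by": m.group(3)})
    return hops


def dkim_tags(msg):
    """Split the DKIM-Signature tag=value list into a dict (s= selector, d= domain, ...)."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return {}
    tags = {}
    for part in " ".join(sig.split()).split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key] = val.strip()
    return tags


def strip_brackets(value):
    return (value or "").strip().strip("<>")


def pivots(report):
    """Collect the identifiers an admin would search for in the mail logs."""
    msg = offending_message(report)
    hops = received_hops(msg)
    dkim = dkim_tags(msg)
    report_ip = re.search(r"Email from (\S+) /", report)
    return {
        "report_ip": report_ip.group(1) if report_ip else None,
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "from_address": parseaddr(msg.get("From", ""))[1],
        "message_id": strip_brackets(msg.get("Message-ID")),
        "dkim_selector": dkim.get("s"),
        "dkim_domain": dkim.get("d"),
        "hops": hops,
        # The last hop in header order is the earliest one; with a single hop the
        # recipient's MX took the message straight from that IP.
        "originating_ip": hops[-1]["ip"] if hops else None,
        "single_hop": len(hops) == 1,
    }


def log_search_terms(piv):
    """Strings worth grepping in /var/log/exim_mainlog* for this message."""
    terms = []
    if piv["message_id"]:
        terms.append("id=" + piv["message_id"])        # Exim logs the Message-ID without <>
    if piv["return_path"]:
        terms.append("<= " + piv["return_path"])       # envelope sender on the "<=" line
    if piv["from_address"]:
        terms.append(piv["from_address"])              # header From, logged when +all is on
    return terms


if __name__ == "__main__":
    p = pivots(SAMPLE_REPORT)
    for key in ("report_ip", "originating_ip", "single_hop", "dkim_selector", "dkim_domain"):
        print(f"{key}: {p[key]}")
    print("grep for:", *log_search_terms(p), sep="\n  ")
```

    Searching the mail logs for the Message-ID and the full Return-Path address, rather than only the sending domain, gives two more chances of a hit; if all of them still return nothing in the Exim logs, the message most likely never passed through Exim at all.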
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Does this line give you any indication about the account used to send the email?

    Thank you.
     
  10. liamwestcoast

    liamwestcoast Member

    Joined:
    Jul 11, 2017
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Los Angeles
    cPanel Access Level:
    Root Administrator
    Hi,

    This line contains a domain. The domain is different for each abuse report, so there are dozens of domains that they're sending from in total. I've searched all mail logs on the WHM web interface, as well as searched the exim mainlog for any mention of the malicious domains, but there are zero occurrences at all!
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Investigating the source of SPAM is generally outside our scope of support, but feel free to open a support ticket using the link in my signature if you'd like us to take a quick look to see if there are any obvious signs of where the SPAM is coming from.

    Thank you.
     
  12. liamwestcoast

    liamwestcoast Member

    Joined:
    Jul 11, 2017
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Los Angeles
    cPanel Access Level:
    Root Administrator
    Thank you, I'll open a ticket later and update this thread in the future if I/we find a solution!
     