liamwestcoast, Member, Los Angeles, joined Jul 11, 2017. cPanel Access Level: Root Administrator

Hi guys,

I've recently had a huge issue with a bunch of outgoing email spam. It looks like I have a new noisy neighbor, but I have been absolutely unable to identify them. I've been pulling my hair out and have tried everything I can think of, but nothing is working. Just to recap, some things I've done are:

- Ran a clamscan
- Bought CXS and ran that
- Enabled SpamAssassin (I don't think this does much for outgoing emails, though)
- Read & followed the official cPanel guide for "Preventing SMTP Abuse"
- Prevented sending mail as "nobody"
- Severely rate-limited the mails sent per hour for all accounts
- Disabled mail() in PHP
- Changed the exim flag to +all for more information in the email headers

The only reason I know the spam is still being sent out is because my datacenter is sending me dozens of new Spamcop reports every day.

At the bottom of this post is a copy of one of the SpamCop reports on one of my server's IP - [Removed]

The relevant lines are:
[Removed]
So this is the domain/email/whatever the spammer is using to send them.

If I search for [Removed] in my Mail Delivery Reports, there are zero results. However they're sending mail, it's not properly showing up in any of the tools WHM provides to view mail.

If I head over to the "View Sent Summary" section to see which clients have the highest send rates, most domains are around 20-30 mails (average) except for the -remote- user who has 5 successfully sent and 483 failed & deferred messages.

If I open /var/log/exim_mainlog and search for " [Removed]", there are 0 results found.

At this point, I'm looking for assistance on either how 1) I can disable mail system-wide except for a whitelist of accounts that I manually approve, or 2) how to identify this darn spammer!

Thank you so much!


[Removed]

24x7server, Well-Known Member, India, joined Apr 17, 2013. cPanel Access Level: Root Administrator

Hi,

There is a possibility that someone on your machine is sending mail through a script that authenticates as a mail account. Please have another look at the /var/log/exim_mainlog file, search for public_html in it, and see whether it shows any area from which the mails are going out of your server.

cPanelMichael, Administrator, Staff member, joined Apr 11, 2011

Hello @liamwestcoast,

Here are some commands you can use to help determine where the SPAM is coming from:

1. This command will search for messages sent via a script, and sort from highest to lowest:

Code:
grep -hoP "(?<=cwd=)/[^ ]+" /var/log/exim_mainlog | sort | uniq -c | sort -nr
2. This command will search for messages sent via SMTP and sort from highest to lowest:

Code:
grep -ho "A=\(.*\)\(@\|+\)\(.*\) S=" /var/log/exim_mainlog /var/log/exim_mainlog-* | sed 's/ S\=//g; s/A\=\(.*\)\://g; /\(.*\)P=\(.*\)/d' | sort | uniq -c | sort -nr
3. This command will help to search for messages sent with SMTP from localhost (without authentication):

Code:
grep authenticated_local_user /var/log/exim_mainlog|grep -oP '(?<=U=)[^ ]+'|sort|uniq -c|sort -nr
Thank you.
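The three greps above, as one script. This is an added example, not code from the thread or from cPanel: it assumes the standard exim_mainlog layout (cwd= lines from the sendmail wrapper, "<=" arrival lines with U=, P=, A=authenticator:identity and id= fields), takes the log path from an EXIM_LOG variable (an assumption), and falls back to a constructed excerpt with made-up hosts, accounts, paths and message IDs when /var/log/exim_mainlog is not readable.

```shell
#!/bin/sh
# Added example, not code from the original thread or from cPanel.
# Runs the same three triage views as the commands above, against a
# constructed exim_mainlog excerpt when the real log is not readable.
# Hosts, accounts, paths and message IDs below are made up.

EXIM_LOG="${EXIM_LOG:-/var/log/exim_mainlog}"   # assumed location

# Constructed sample in exim mainlog layout: "cwd=" lines are written by the
# sendmail wrapper, "<=" lines are message arrivals (U= local user,
# P= protocol, A= authenticator:identity, id= Message-ID).
sample_log() {
cat <<'EOF'
2017-07-11 02:40:01 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-07-11 02:40:01 1dUlsD-0003aa-1a <= acme@srv.example U=acme P=local S=2231 id=1@srv.example T="hello" for a@example.net
2017-07-11 02:40:02 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-07-11 02:40:02 1dUlsE-0003ab-2b <= acme@srv.example U=acme P=local S=2231 id=2@srv.example T="hello" for b@example.net
2017-07-11 02:41:00 cwd=/etc/csf 3 args: /usr/sbin/sendmail -t -i
2017-07-11 02:45:10 1dUlxA-0004cc-3c <= sales@shop.example H=(pc) [203.0.113.7]:51022 P=esmtpsa A=dovecot_login:sales@shop.example S=1980 id=3@shop.example T="invoice" for c@example.net
2017-07-11 02:45:11 1dUlxB-0004cd-4d <= sales@shop.example H=(pc) [203.0.113.7]:51023 P=esmtpsa A=dovecot_login:sales@shop.example S=1980 id=4@shop.example T="invoice" for d@example.net
2017-07-11 02:45:12 1dUlxC-0004ce-5e <= sales@shop.example H=(pc) [203.0.113.7]:51024 P=esmtpsa A=dovecot_login:sales@shop.example S=1980 id=5@shop.example T="invoice" for e@example.net
2017-07-11 02:50:00 1dUm1Z-0005ff-6f <= root@srv.example U=root P=local S=600 A=authenticated_local_user id=6@srv.example T="lfd alert" for root@srv.example
EOF
}

# Real log when readable, otherwise the constructed excerpt.
log_source() {
  if [ -r "$EXIM_LOG" ]; then cat "$EXIM_LOG"; else sample_log; fi
}

# Shared tail: one "count value" line per distinct value, most frequent first.
count_sorted() {
  sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# 1. Script senders: working directory recorded on each cwd= line.
top_script_dirs() {
  grep -o 'cwd=[^ ]*' | sed 's/^cwd=//' | count_sorted
}

# 2. SMTP-authenticated senders: the identity after "A=<authenticator>:".
top_smtp_auth() {
  grep -o ' A=[A-Za-z_]*:[^ ]*' | sed 's/^ A=[A-Za-z_]*://' | count_sorted
}

# 3. Local submissions tagged authenticated_local_user, by Unix user (U=).
top_local_users() {
  grep authenticated_local_user | grep -o ' U=[^ ]*' | sed 's/^ U=//' | count_sorted
}

triage() {
  echo "== messages by script directory (cwd=)";   log_source | top_script_dirs
  echo "== messages by SMTP-authenticated sender"; log_source | top_smtp_auth
  echo "== local authenticated_local_user by U=";  log_source | top_local_users
}

triage
```

Run it as root so the log is readable; point EXIM_LOG at a rotated file (exim_mainlog-YYYYMMDD) to cover the days the abuse reports refer to. A directory under public_html with a high count in the first view is the usual sign of a compromised web application; a single mailbox dominating the second view points at a stolen mailbox password.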

liamwestcoast, Member

Thanks a bunch for the reply, I really appreciate your help.

I've run these three commands and unfortunately the results don't seem very helpful. The second command you suggested (to search for messages sent from SMTP) does not return any results.

Code:
# grep -hoP "(?<=cwd=)/[^ ]+" /var/log/exim_mainlog | sort | uniq -c | sort -nr
    880 /etc/csf
    676 /var/spool/exim
      9 /root
      3 /usr/local/cpanel/whostmgr/docroot
Code:
# grep authenticated_local_user /var/log/exim_mainlog|grep -oP '(?<=U=)[^ ]+'|sort|uniq -c|sort -nr
    140 root

cPanelMichael, Administrator, Staff member

Hello,

Could you provide some more information about one of the offending messages? The initial message was removed because it included real domain names and IP addresses. You can paste the output in CODE tags, and ensure to remove real domain names and any actual URLs.

Thank you.

liamwestcoast, Member

Sure thing! I tried to edit the original post to clean up some information (so it's not [Removed] everywhere), but I'm unable to since it says I'm posting "spam".

Anyway, here's a redacted SpamCop report. I've added "MYSERVERSIP" where the IP matches my WHM's server.

Code:
[ SpamCop V4.8.6 ]
This message is brief for your comfort.  Please use links below for details.

Email from MYSERVERSIP / Tue, 11 Jul 2017 02:46:40 -0700

[ Offending message ]
DomainKey-Status: good
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on x
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE,T_REMOTE_IMAGE autolearn=no
autolearn_force=no version=3.4.0
X-Original-To: x
Delivered-To: x
Received: from x (unknown [MYSERVERSIP])
by x (Postfix) with ESMTP id 64FA82B755
for <x>; Tue, 11 Jul 2017 02:46:40 -0700 (PDT)
Received-SPF: none (no valid SPF record)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=x;
h=Mime-Version:Content-Type:Date:From:Reply-To:Subject:To:Message-ID; [email protected];
bh=Xz9c9NBVi7N/ZmcL4WmTbmETQAg=;
b=khA/t9BxjHZhvn/wmPkfXB+zuhTG0GR2Op65R/UXTgE5DjmWraBZ40/rPqHGlCV3w60UEOfE7BLe
  qfrD+qnj0StFHJXI0PekXqIEnvutllTFxP3dIrszU+ofjZOvWWhhTVop5PwfPbHVW6UDcEqPkThJ
  kmR2daV0IlLMaXt5RLg=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=x;
b=oV62gIlql1RSl2t0EaxzGuS97Z5HpdJ7i+Hx25Hne/16aj2bVGn1mIxxtrmpFR6JSe61qRXgw+Ks
  enf7LSf7zGugpwFyCOht6YjRXpdKKp35j9Mtm1ufU2DQ8a7joru4dJLYjamfIdRfjjphe3hWrsXS
  dj/kTAzXL4p1tUyx7rY=;
Mime-Version: 1.0
X-Content-Type: multipart/alternative; boundary="970c7196d55315bef6540a7549ed0622"
Date: Tue, 11 Jul 2017 05:31:39 -0400
From: "15 days Secret" < Balance Problems are [email protected]>
Reply-To: " Balance Problems are Gone" <Fear Of [email protected]>
Subject: Follow this simple protocol and your balance problems are gone
To: <x>
Message-ID: <[email protected]>
Content-Type: text/html
X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)

xxxxxxx

<p>&nbsp;</p>
</td>
</tr>
</tbody>
</table>
&nbsp;

<p align="center"><a href="xx" target="_blank"><img alt="xx" src="xx" /></a>
<style type="text/css">xxx
</style>
</p>
<br />
<br />
&nbsp;
<p align="center"><a href="xxx" /></a></p>
</body>
</html>

liamwestcoast, Member

Hi,

This line contains a domain. The domain is different for each abuse report, so there are dozens of domains that they're sending from in total. I've searched all mail logs on the WHM web interface, as well as searched the exim mainlog for any mention of the malicious domains, but there are zero occurrences at all!
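The report's Received header shows the recipient's Postfix taking the message straight from MYSERVERSIP, and a search for the rotating sender domain finds nothing in exim_mainlog. The script below is an added example, not from the thread, cPanel or SpamCop: it correlates on the Message-ID instead, because exim writes the Message-ID as id= on every "<=" arrival line, so a message exim accepted can be found regardless of which domain it claimed. When there is no hit, it lists established connections to remote port 25/587 that are not owned by exim, which is how a script speaking SMTP directly to the recipient MX (bypassing the local MTA and its logs) would show up. The headers, addresses and log lines are constructed, and the EXIM_LOG variable is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread or from cPanel/SpamCop.
# Exim logs each accepted message's Message-ID as "id=" on its "<=" line,
# so match the abuse report on that rather than on a per-message sender
# domain. A zero count means exim never accepted the message, so also list
# outbound SMTP sockets held by processes other than exim.
# The report excerpt and log lines below are constructed.

EXIM_LOG="${EXIM_LOG:-/var/log/exim_mainlog}"   # assumed location

# Constructed headers in the shape of the SpamCop report (addresses made up).
report_headers() {
cat <<'EOF'
Received: from x (unknown [198.51.100.10])
    by mx.example.net (Postfix) with ESMTP id 64FA82B755
    for <victim@example.net>; Tue, 11 Jul 2017 02:46:40 -0700 (PDT)
From: "15 days Secret" <news@rotating-domain.example>
Subject: Follow this simple protocol and your balance problems are gone
Message-ID: <20170711093139.4a7f1c@rotating-domain.example>
EOF
}

# Constructed exim_mainlog excerpt that does NOT contain the report's id.
sample_exim_log() {
cat <<'EOF'
2017-07-11 02:40:01 1dUlsD-0003aa-1a <= acme@srv.example U=acme P=local S=2231 id=c0ffee@srv.example T="hello" for a@example.net
2017-07-11 02:46:40 1dUlyS-0001Xn-7f <= sales@shop.example H=(pc) [203.0.113.7]:51022 P=esmtpsa A=dovecot_login:sales@shop.example S=1980 id=8f2c@shop.example T="invoice" for c@example.net
EOF
}

# Bare Message-ID (angle brackets stripped) from a header block on stdin.
message_id() {
  sed -n 's/^Message-ID:[[:space:]]*<\{0,1\}\([^>[:space:]]*\)>\{0,1\}.*/\1/p' | head -n 1
}

# Number of "<=" lines on stdin whose id= field equals $1 exactly
# (whole-field comparison, so no regex metacharacter surprises).
exim_hits_for_id() {
  awk -v id="$1" '$0 ~ / <= / { for (i = 1; i <= NF; i++) if ($i == ("id=" id)) c++ } END { print c + 0 }'
}

# Live check (needs root for -p): established connections to a remote port
# 25 or 587 whose owning process is not exim. Empty output means nothing
# else on this host is currently speaking SMTP outbound.
non_exim_smtp_senders() {
  ss -tnp state established '( dport = :25 or dport = :587 )' 2>/dev/null \
    | grep -v '^Recv-Q' | grep -v 'users:(("exim"' || true
}

MSGID=$(report_headers | message_id)
if [ -r "$EXIM_LOG" ]; then
  HITS=$(exim_hits_for_id "$MSGID" < "$EXIM_LOG")
else
  HITS=$(sample_exim_log | exim_hits_for_id "$MSGID")
fi
echo "Message-ID: $MSGID  exim arrival lines carrying it: $HITS"
if [ "$HITS" -eq 0 ] && command -v ss >/dev/null 2>&1; then
  echo "not accepted by exim; non-exim outbound SMTP sockets:"
  non_exim_smtp_senders
fi
```

Paste the real report's headers into report_headers and run the rotated exim_mainlog-* files through exim_hits_for_id as well, since the report may predate the current log. Repeat the socket listing a few times while reports are arriving; a PHP or Perl process holding a port-25 connection names the account and script to look at. If the public IP is shared (NAT or a neighbouring container, as the original post suspects), an empty listing here means the origin is another host behind the same address, which only the datacenter can confirm.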

cPanelMichael, Administrator, Staff member

Hello,

Investigating the source of SPAM is generally outside our scope of support, but feel free to open a support ticket using the link in my signature if you'd like us to take a quick look to see if there's any obvious signs of where the source of the SPAM is coming from.

Thank you.