The Community Forums


Overloaded with outgoing spams, ip blacklisted.

Discussion in 'E-mail Discussions' started by psytanium, Jan 28, 2015.

  1. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    My IP is blacklisted. I requested a delist, and now I'm investigating the spam sources. Please, I need your help here. I did read a lot of documentation, but I'm a beginner with all this spam mess.

    Using the "Mail Delivery Reports" I found out that almost all my accounts are sending spam. Some of them are not CMSs, or do not even have mailing scripts, just HTML and CSS.

    I attached these images:
    spams.jpg
    spams1.jpg

    Where do they come from?
    How can I treat it?
    Is this status (Sender verify failed) the cause of my IP being blacklisted?

    I appreciate your help.
     
    #1 psytanium, Jan 28, 2015
    Last edited by a moderator: Jan 13, 2016
  2. psytanium
    Here is the current situation.

    All my clients are complaining about the email stoppage: hundreds of emails have been waiting in the queue for 3 days, the server is still sending tons of spam, the Lashback blacklist doesn't answer my phone calls or reply to my emails, and cPanel moderators are not responding.

    What should I do now?
     
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    While you're waiting for someone to come along with a definitive answer:
    PYXSOFT offer a 7-day trial of their WHM AntiMalware software.
    Maybe this might help.
    Be careful though: don't just delete everything it detects, as some detections may be false positives.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Try checking your mail queue to see if additional SPAM messages still exist in the queue:

    "WHM Home » Email » Mail Queue Manager"

    You can look at the message header and body to see if you can find out if an actual username authenticated, or if it was sent from a script.

    The following document is useful if you want to prevent email abuse:

    cPanel - Prevent Email Abuse

    Thank you.
     
  5. psytanium

    I found the source: 1 of my accounts was (automatically) sending ~3000 emails daily, all of them to Yahoo.
    The emails are generated randomly like this:

    - Removed -
    etc...


    I changed all emails@mydomain.com passwords. Now there is nothing queued; I think it has stopped.

    My current situation: my IP is delisted from Lashback, Barracuda and Trend Micro. Still waiting for Yahoo.

    Question 1:

    How can I prevent similar situations in the future?
    I mean, many users don't know what a phishing email or spam is; they click, open and download anything, then my IP gets blacklisted with many ISPs, and my accounts (hotels, online stores, etc.) are unable to send emails for several days.

    All this without me knowing what happened.

    I don't want to hear about this problem from my users calling me; I should know about it from the ISPs or server notifications.

    Also, I cannot sit 24 hours a day, 365 days a year monitoring the delivery reports.

    Question 2:

    How can someuser @ example.com send emails from my server? Is this a spoofing problem? If yes, the sender's IP should be banned, not mine. Right?

    Thank you, I appreciate your assistance.

    Note: I'm new and learning all this stuff; I only need your help when I'm facing a serious problem. Hope you understand.
     
    #5 psytanium, Jan 29, 2015
    Last edited by a moderator: Jan 13, 2016
  6. cPanelMichael
    Hello :)

    Did you review the document referenced in my previous post for information on how to prevent outgoing SPAM on your system?

    Thank you.
     
  7. psytanium
    Yes, I applied what is advised in the documentation you sent me. Many of them before my IP was blacklisted.

    Before the spam happened:
    DKIM and SPF on all accounts by default (enabled)
    SMTP restriction (enabled)
    Minimum password strength (100)
    Restrict the nobody user (enabled)
    Initial default/catch-all forwarder destination (Fail)

    After the spam:
    Max hourly emails set to 100
    Enable SpamAssassin on all accounts - Incoming emails - (Enabled)
    Enable SpamAssassin on all accounts - Outgoing emails - (Enabled)

    Still not configured:
    EXPERIMENTAL: Rewrite From: header to match actual sender (What should I choose? Disable, All, Remote)
    Maximum percentage of failed or deferred messages a domain may send per hour (I didn't understand it; I'd appreciate an example if you can)
    Enable suPHP (currently it's FCGI)

    =======================================

    Please let me know what else I should do.


    Scenario
    If a user on my system is a 70-year-old archaeologist, he opens and digs deep into any spam attachment he receives => his email starts sending bulk emails => ISPs blacklist my IP => my server is handicapped for 4 days.

    My question to you
    How can I receive a notification whenever an account starts sending bulk emails?

    Thank you, I'd appreciate it if you could follow this case to the end, so I won't bother you with another thread.
     
  8. psytanium
    I tested my relays on rbl.jp, mxtoolbox.com and mailradar.com
    All tested completed! No relays accepted by remote host!

    But as you can see in the 1st attachment (opening post), my server is sending spoofed emails?
     
  9. cPanelMichael
    It's really a matter of detecting the source of SPAM and suspending the account or removing the offending script. The following command may help you better determine where the email is coming from:

    Code:
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    This will list the source and the number of messages from each source.

    Thank you.
     
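An added example, not code from the thread or from cPanel: it does in Python what the awk one-liner in the post above does (count cwd= sources in exim_mainlog) and additionally counts authenticated SMTP senders from the A= field, so both a compromised script and a compromised mailbox password, the two cases discussed in this thread, show up; it assumes Exim's standard log lines and uses a constructed log sample, with count_sources, bulk_senders and scan_file being names chosen here.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines (not from the thread). The cwd=
# lines are local sendmail submissions from a script; the A= lines are
# SMTP-authenticated submissions from a mailbox login.
SAMPLE_LOG = """\
2015-01-28 10:15:02 cwd=/home/archaeo/public_html 3 args: /usr/sbin/sendmail -t -i
2015-01-28 10:15:03 cwd=/home/archaeo/public_html 3 args: /usr/sbin/sendmail -t -i
2015-01-28 10:15:04 cwd=/home/archaeo/public_html 3 args: /usr/sbin/sendmail -t -i
2015-01-28 10:15:05 cwd=/home/hotel/public_html 3 args: /usr/sbin/sendmail -t -i
2015-01-28 10:16:00 1YGabc-0001Aa-Bc <= info@hotel.example H=(localhost) [203.0.113.5] P=esmtpa A=dovecot_login:info@hotel.example S=2048
2015-01-28 10:16:01 1YGabd-0001Ab-Cd <= archaeo@example.org H=(localhost) [203.0.113.9] P=esmtpa A=dovecot_login:archaeo@example.org S=1024
2015-01-28 10:16:02 1YGabe-0001Ac-De <= archaeo@example.org H=(localhost) [203.0.113.9] P=esmtpa A=dovecot_login:archaeo@example.org S=1024
"""

CWD_RE = re.compile(r"\scwd=(\S+)")        # working directory of a local submission
AUTH_RE = re.compile(r"\sA=\w+:(\S+)")     # authenticator:username of an SMTP-auth submission


def count_sources(log_text):
    """Return (cwd_counts, auth_counts): messages per script directory and per authenticated user."""
    cwd, auth = Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m:
            cwd[m.group(1)] += 1
        m = AUTH_RE.search(line)
        if m:
            auth[m.group(1)] += 1
    return cwd, auth


def bulk_senders(log_text, threshold):
    """Sources (directories or logins) that sent at least `threshold` messages in the log slice."""
    cwd, auth = count_sources(log_text)
    flagged = {src: n for src, n in cwd.items() if n >= threshold}
    flagged.update({user: n for user, n in auth.items() if n >= threshold})
    return flagged


def scan_file(path="/var/log/exim_mainlog", threshold=100):
    """Same check over a real log file; run it from cron and mail the result to get the notification asked for above."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return bulk_senders(fh.read(), threshold)


if __name__ == "__main__":
    for src, n in sorted(bulk_senders(SAMPLE_LOG, 2).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} {src}")
```

Rotate or slice the log per hour before calling scan_file so the threshold matches WHM's hourly limit rather than the lifetime of the log.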