Overloaded with outgoing spam, IP blacklisted.

psytanium (Well-Known Member, cPanel Access Level: Root Administrator)
My IP is blacklisted. I requested a delist, and now I'm investigating the spam sources. Please, I need your help here. I did read a lot of documentation, but I'm a beginner with all this spam mess.

Using the "Mail Delivery Reports" I found out that almost all my accounts are sending spam. Some of them are not CMS sites, or do not even have mailing scripts, just HTML and CSS.

I attached these images: spams.jpg, spams1.jpg

Where do they come from?
How can I treat it?
Is this status (Sender verify failed) the cause of my IP being blacklisted?

I appreciate your help.

psytanium (Well-Known Member, cPanel Access Level: Root Administrator)
Here is the current situation.

All my clients are complaining about the email stoppage: hundreds of emails have been waiting in the queue for 3 days, the server is still sending tons of spam, the LashBack blacklist doesn't answer my phone calls or reply to my emails, and the cPanel moderators are not responding.

What should I do now?
 

keat63 (Well-Known Member, cPanel Access Level: Root Administrator)
While you're waiting for someone to come along with a definitive answer:
PYXSOFT offer a 7-day trial of their WHM AntiMalware software.
Maybe this might help.
Be careful though; don't just delete everything that it detects, as some detections may be false positives.
 

cPanelMichael (Administrator, Staff member)
Hello :)

Try checking your mail queue to see if additional SPAM messages still exist in the queue:

"WHM Home » Email » Mail Queue Manager"

You can look at the message header and body to see if you can find out if an actual username authenticated, or if it was sent from a script.

The following document is useful if you want to prevent email abuse:

cPanel - Prevent Email Abuse

Thank you.
 

psytanium (Well-Known Member, cPanel Access Level: Root Administrator)
cPanelMichael said:
> Hello :)
>
> Try checking your mail queue to see if additional SPAM messages still exist in the queue:
>
> "WHM Home » Email » Mail Queue Manager"
>
> You can look at the message header and body to see if you can find out if an actual username authenticated, or if it was sent from a script.
>
> The following document is useful if you want to prevent email abuse:
>
> cPanel - Prevent Email Abuse
>
> Thank you.

I found the source: one of my accounts was (automatically) sending ~3000 emails daily, all of them to Yahoo.
The emails are generated randomly, like this:

- Removed -
etc...


I changed all [email protected] passwords. Now there is nothing queued; I think it has stopped.

My current situation: my IP is delisted from LashBack, Barracuda and Trend Micro. Still waiting for Yahoo.

Question 1:

How can I prevent similar situations in the future?
I mean, many users don't know what a phishing email or spam is; they click, open and download anything, then my IP gets blacklisted by many ISPs, and my accounts (hotels, online stores, etc.) are unable to send emails for several days.

All this without me knowing what happened.

I don't want to learn about this problem from my users calling me; I should learn about it from the ISPs or from server notifications.

Also, I cannot sit 24 hours a day, 365 days a year monitoring the delivery reports.

Question 2:

How can someuser @ example.com send emails from my server? Is this a spoofing problem? If yes, the sender's IP should be banned, not mine. Right?

Thank you, I appreciate your assistance.

Note: I'm new and learning all this stuff; I only ask for your help when I'm facing a serious problem. Hope you understand.

cPanelMichael (Administrator, Staff member)
Hello :)

Did you review the document referenced in my previous post for information on how to prevent outgoing SPAM on your system?

Thank you.
 

psytanium (Well-Known Member, cPanel Access Level: Root Administrator)
cPanelMichael said:
> Hello :)
>
> Did you review the document referenced in my previous post for information on how to prevent outgoing SPAM on your system?
>
> Thank you.

Yes, I applied what is advised in the documentation you sent me, much of it before my IP was blacklisted.

Before the spam happened:
DKIM and SPF on all account by default (enabled)
SMTP restriction (enabled)
Minimum password strength (100)
Restrict the nobody (enabled)
Initial default/catch-all forwarder destination (Fail)

After the spam:
Max hourly emails setting set to 100
Enable SpamAssassin on all accounts - Incoming emails - (Enabled)
Enable SpamAssassin on all accounts - Outgoing emails - (Enabled)

Still not configured:
EXPERIMENTAL: Rewrite From: header to match actual sender (What should I choose? Disable, All, Remote)
Maximum percentage of failed or deferred messages a domain may send per hour (I didn't understand it; I would appreciate an example if you can)
Enable suPHP (currently it's fcgi)

=======================================

Please let me know what else I should do.


Scenario:
If a user on my system is a 70-year-old archaeologist who opens and digs deep into any spam attachment he receives => his email starts sending bulk emails => ISPs blacklist my IP => my server is crippled for 4 days.

My question to you:
How can I receive a notification whenever an account starts sending bulk emails?

Thank you, I would appreciate it if you could follow this case to the end, so I won't bother you with another thread.
 

psytanium (Well-Known Member, cPanel Access Level: Root Administrator)
I tested my relays on rbl.jp, mxtoolbox.com and mailradar.com:
All tested completed! No relays accepted by remote host!

But as you can see in the 1st attachment (opening post), my server is sending spoofed emails?
 

cPanelMichael (Administrator, Staff member)
It's really a matter of detecting the source of SPAM and suspending the account or removing the offending script. The following command may help you better determine where the email is coming from:

Code:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
This will list the source and the number of messages from each source.

Thank you.
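As an added example (not code from this thread or from cPanel), here is a small POSIX shell script that extends the awk command above and addresses the earlier question about being notified when an account starts sending bulk mail: it counts messages per script directory (exim's cwd= lines) and per SMTP-authenticated login (exim's A=...:user field) and flags any source over a threshold, so it can run from cron and mail its output to the admin. It runs on constructed sample log lines; the sample path and the threshold value are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or cPanel. Counts outgoing mail per source in an
# exim_mainlog and flags sources above a per-hour limit. On a real server call
# sources_over_limit /var/log/exim_mainlog 100 (e.g. from an hourly cron job).
SAMPLE="${TMPDIR:-/tmp}/exim_mainlog.sample"   # assumed path for the constructed sample
THRESHOLD=2                                     # assumed limit, low so the sample trips it

# Constructed sample: two script-originated messages (cwd=...) from one account and
# three SMTP-authenticated messages (A=dovecot_login:...) from another.
cat > "$SAMPLE" <<'EOF'
2015-06-01 10:00:01 cwd=/home/shopsite/public_html 4 args: /usr/sbin/sendmail -t -i
2015-06-01 10:00:01 1Z0aaa-0001aa-AA <= www-data@example.com U=shopsite P=local S=2345 for buyer@example.net
2015-06-01 10:00:02 cwd=/home/shopsite/public_html 4 args: /usr/sbin/sendmail -t -i
2015-06-01 10:00:03 1Z0aaa-0001ab-AB <= info@hotelsite.example H=(host) [203.0.113.5] P=esmtpsa A=dovecot_login:info@hotelsite.example S=1200 for a@example.net
2015-06-01 10:00:04 1Z0aaa-0001ac-AC <= info@hotelsite.example H=(host) [203.0.113.5] P=esmtpsa A=dovecot_login:info@hotelsite.example S=1200 for b@example.net
2015-06-01 10:00:05 1Z0aaa-0001ad-AD <= info@hotelsite.example H=(host) [203.0.113.5] P=esmtpsa A=dovecot_login:info@hotelsite.example S=1200 for c@example.net
EOF

# Messages injected by a local script: exim logs the script's working directory as
# field 3 (cwd=/home/...). Output is "count cwd=dir", highest count first.
count_script_sources() {
    awk '$3 ~ /^cwd=/ { print $3 }' "$1" | sort | uniq -c | sed 's/^ *//' | sort -nr
}

# Messages sent through SMTP AUTH: exim logs the authenticator and login as
# A=dovecot_login:user@domain. Output is "count user@domain", highest first.
count_auth_senders() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^A=[a-z_]+:/) { sub(/^A=[a-z_]+:/, "", $i); print $i } }' "$1" |
        sort | uniq -c | sed 's/^ *//' | sort -nr
}

# Print every source whose count exceeds the limit; exit status 0 if any was found,
# 1 if none (so `sources_over_limit log 100 | mail -s "bulk sender" root` only
# mails when there is something to report).
sources_over_limit() {
    { count_script_sources "$1"; count_auth_senders "$1"; } |
        awk -v limit="$2" '$1 > limit { print; found = 1 } END { exit !found }'
}

sources_over_limit "$SAMPLE" "$THRESHOLD" || echo "no source above $THRESHOLD messages"
```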