Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Preventing spam, and tracing /usr/bin/sendmail -t

Discussion in 'E-mail Discussion' started by fcastro86, May 17, 2013.

  1. fcastro86

    fcastro86 Member

    Joined:
    Mar 20, 2012
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hello, I usually try to check logs quite often, also I have several options to trace email abuse, however today I got some kind of attack to an account, I tried to change the password of this account (motoco21) however it keep sending spam. Also it didn't have ant x-trace flag in order to look for any script.

    exim_main_log have entries like this

    2013-05-17 12:55:05 1UdPo1-0005gA-0k <= motoco21@titan.***.com U=motoco21 P=local S=453 T="Test mail 1771488919" for hcoommontest@***.com
    2013-05-17 12:55:05 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t


    The content of the mail is this:



    Mail Control Data:
    motoco21 596 32007
    <motoco21@titan.***.com>
    1368817023 0
    -ident motoco21
    -received_protocol local
    -body_linecount 3916
    -max_received_linelength 382
    -auth_id motoco21
    -auth_sender motoco21@titan.***.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    NN >bonus_chips@bonus-chip.biz:b2is0t@yahoo.com
    1
    b2is0t@yahoo.com






    Date:
    Fri, 17 May 2013 12:57:03 -0600
    From:
    Bonus Chips <bonus_chips@bonus-chip.biz>
    To:
    b2is0t@yahoo.com
    Subject:
    Open an account at Platinum Play Casino and we'll give you 1,500 free bets!
    Content-Type:
    multipart/mixed; boundary="PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da"
    Message-Id:
    <E1UdPpv-0005xm-Ci@titan.***.com>




    --PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: multipart/alternative; boundary="PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da"

    --PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: text/plain; charset="utf-8""
    Content-Transfer-Encoding: 7bit

    EUROPALACE

    --PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: 7bit


    ....
    ....
    .....




    Most time I have found a site sending spam is usually a php script or something like that that got uploaded, but never something like this, I haven't been able to trace or prevent. Any help on this will be appreciated it.

    Thanks in advance.
     
    #1 fcastro86, May 17, 2013
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,817
    Likes Received:
    84
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Can you please try to enable "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the mail tab. This could help investigate finding the malicious script.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 24x7server, May 20, 2013
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,969
    Likes Received:
    1,824
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    It looks like the account is still able to authenticate to send mail. Have you tried suspending the account and restarting Exim? Also, have you checked your mail queue and removed any mail associated with this account that has yet to deliver?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelMichael, May 20, 2013
  4. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    Wordpress, Joomla and other third party applications or scripts are one of the reason for spamming. If offended domain is using outdated version of third party software or scripts then update them asap and check the permission and ownership if files and folders just to ensure of they are having insecure permission and nobody ownership.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 storminternet, May 20, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - Preventing spam tracing
  1. bugetarul

    Htaccess preventing file uploads?

    bugetarul, May 19, 2018, in forum: Security
    Replies:
    3
    Views:
    125
    cPanelMichael
    May 21, 2018
  2. toplisek

    Preventing reply for an email account

    toplisek, Jan 13, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    156
    cPanelMichael
    Jan 18, 2018
  3. Chris H

    Preventing users viewing system information

    Chris H, May 5, 2017, in forum: Security
    Replies:
    2
    Views:
    466
    Chris H
    May 5, 2017
  4. Arkaic

    Preventing xlmrpc.php server-side?

    Arkaic, Aug 29, 2016, in forum: Security
    Replies:
    8
    Views:
    1,747
    cPanelMichael
    Sep 1, 2016
  5. mondhost

    New Thread CPanel Email going to spam

    mondhost, Jul 22, 2018 at 12:34 PM, in forum: E-mail Discussion
    Replies:
    0
    Views:
    12
    mondhost
    Jul 22, 2018 at 12:34 PM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice