The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Preventing spam, and tracing /usr/bin/sendmail -t

Discussion in 'E-mail Discussions' started by fcastro86, May 17, 2013.

  1. fcastro86

    fcastro86 Member

    Joined:
    Mar 20, 2012
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hello, I usually try to check logs quite often, also I have several options to trace email abuse, however today I got some kind of attack to an account, I tried to change the password of this account (motoco21) however it keep sending spam. Also it didn't have ant x-trace flag in order to look for any script.

    exim_main_log have entries like this

    2013-05-17 12:55:05 1UdPo1-0005gA-0k <= motoco21@titan.***.com U=motoco21 P=local S=453 T="Test mail 1771488919" for hcoommontest@***.com
    2013-05-17 12:55:05 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t


    The content of the mail is this:



    Mail Control Data:
    motoco21 596 32007
    <motoco21@titan.***.com>
    1368817023 0
    -ident motoco21
    -received_protocol local
    -body_linecount 3916
    -max_received_linelength 382
    -auth_id motoco21
    -auth_sender motoco21@titan.***.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    NN >bonus_chips@bonus-chip.biz:b2is0t@yahoo.com
    1
    b2is0t@yahoo.com






    Date:
    Fri, 17 May 2013 12:57:03 -0600
    From:
    Bonus Chips <bonus_chips@bonus-chip.biz>
    To:
    b2is0t@yahoo.com
    Subject:
    Open an account at Platinum Play Casino and we'll give you 1,500 free bets!
    Content-Type:
    multipart/mixed; boundary="PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da"
    Message-Id:
    <E1UdPpv-0005xm-Ci@titan.***.com>




    --PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: multipart/alternative; boundary="PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da"

    --PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: text/plain; charset="utf-8""
    Content-Transfer-Encoding: 7bit

    EUROPALACE

    --PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: 7bit


    ....
    ....
    .....




    Most time I have found a site sending spam is usually a php script or something like that that got uploaded, but never something like this, I haven't been able to trace or prevent. Any help on this will be appreciated it.

    Thanks in advance.
     
    #1 fcastro86, May 17, 2013
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,320
    Likes Received:
    46
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Can you please try to enable "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the mail tab. This could help investigate finding the malicious script.
     
    #2 24x7server, May 20, 2013
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    35,768
    Likes Received:
    1,144
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    It looks like the account is still able to authenticate to send mail. Have you tried suspending the account and restarting Exim? Also, have you checked your mail queue and removed any mail associated with this account that has yet to deliver?

    Thank you.
     
    #3 cPanelMichael, May 20, 2013
  4. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    Wordpress, Joomla and other third party applications or scripts are one of the reason for spamming. If offended domain is using outdated version of third party software or scripts then update them asap and check the permission and ownership if files and folders just to ensure of they are having insecure permission and nobody ownership.
     
    #4 storminternet, May 20, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - Preventing spam tracing
  1. Bashed

    need help preventing malicious spam .php scripts

    Bashed, Jan 7, 2016, in forum: Security
    Replies:
    11
    Views:
    1,413
    quizknows
    Jan 11, 2016
  2. Chris H

    Preventing users viewing system information

    Chris H, May 5, 2017, in forum: Security
    Replies:
    2
    Views:
    97
    Chris H
    May 5, 2017
  3. Arkaic

    Preventing xlmrpc.php server-side?

    Arkaic, Aug 29, 2016, in forum: Security
    Replies:
    8
    Views:
    652
    cPanelMichael
    Sep 1, 2016
  4. davez0rz

    Preventing WHM From altering IPTables

    davez0rz, May 27, 2016, in forum: Security
    Replies:
    1
    Views:
    414
    cPanelMichael
    Jun 2, 2016
  5. webmasteryoda

    Preventing changes of mailhelo

    webmasteryoda, Feb 3, 2016, in forum: E-mail Discussions
    Replies:
    3
    Views:
    393
    cPanelMichael
    Feb 4, 2016

Share This Page