Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Preventing spam, and tracing /usr/bin/sendmail -t

Discussion in 'E-mail Discussion' started by fcastro86, May 17, 2013.

  1. fcastro86

    fcastro86 Member

    Joined:
    Mar 20, 2012
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hello, I usually try to check logs quite often, also I have several options to trace email abuse, however today I got some kind of attack to an account, I tried to change the password of this account (motoco21) however it keep sending spam. Also it didn't have ant x-trace flag in order to look for any script.

    exim_main_log have entries like this

    2013-05-17 12:55:05 1UdPo1-0005gA-0k <= [email protected]***.com U=motoco21 P=local S=453 T="Test mail 1771488919" for [email protected]***.com
    2013-05-17 12:55:05 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t


    The content of the mail is this:



    Mail Control Data:
    motoco21 596 32007
    <[email protected]***.com>
    1368817023 0
    -ident motoco21
    -received_protocol local
    -body_linecount 3916
    -max_received_linelength 382
    -auth_id motoco21
    -auth_sender [email protected]***.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    NN >[email protected]:[email protected]
    1
    [email protected]






    Date:
    Fri, 17 May 2013 12:57:03 -0600
    From:
    Bonus Chips <[email protected]>
    To:
    [email protected]
    Subject:
    Open an account at Platinum Play Casino and we'll give you 1,500 free bets!
    Content-Type:
    multipart/mixed; boundary="PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da"
    Message-Id:
    <[email protected]***.com>




    --PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: multipart/alternative; boundary="PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da"

    --PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: text/plain; charset="utf-8""
    Content-Transfer-Encoding: 7bit

    EUROPALACE

    --PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: 7bit


    ....
    ....
    .....




    Most time I have found a site sending spam is usually a php script or something like that that got uploaded, but never something like this, I haven't been able to trace or prevent. Any help on this will be appreciated it.

    Thanks in advance.
     
    #1 fcastro86, May 17, 2013
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,890
    Likes Received:
    91
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Can you please try to enable "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the mail tab. This could help investigate finding the malicious script.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 24x7server, May 20, 2013
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,594
    Likes Received:
    2,185
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    It looks like the account is still able to authenticate to send mail. Have you tried suspending the account and restarting Exim? Also, have you checked your mail queue and removed any mail associated with this account that has yet to deliver?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelMichael, May 20, 2013
  4. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    Wordpress, Joomla and other third party applications or scripts are one of the reason for spamming. If offended domain is using outdated version of third party software or scripts then update them asap and check the permission and ownership if files and folders just to ensure of they are having insecure permission and nobody ownership.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 storminternet, May 20, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - Preventing spam tracing
  1. toplisek

    A method of preventing spam

    toplisek, Jun 22, 2019, in forum: E-mail Discussion
    Replies:
    4
    Views:
    405
    nixuser
    Jun 27, 2019
  2. Gastón

    SOLVED [CPANEL-27859] TLS failure preventing access to /cpanel , /whm , and /webmail

    Gastón, Jun 10, 2019, in forum: Security
    Replies:
    18
    Views:
    1,076
    cPanelMichael
    Jul 12, 2019
  3. spacereaper82

    Preventing the server from compromise

    spacereaper82, Oct 1, 2018, in forum: Security
    Replies:
    3
    Views:
    387
    keat63
    Oct 9, 2018
  4. PeteS

    Preventing user password change in webmail

    PeteS, Sep 7, 2018, in forum: E-mail Discussion
    Replies:
    2
    Views:
    473
    PeteS
    Dec 11, 2018
  5. bugetarul

    Htaccess preventing file uploads?

    bugetarul, May 19, 2018, in forum: Security
    Replies:
    3
    Views:
    664
    cPanelMichael
    May 21, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice