Preventing spam, and tracing /usr/bin/sendmail -t

[fcastro86]

Hello, I usually try to check logs quite often, also I have several options to trace email abuse, however today I got some kind of attack to an account, I tried to change the password of this account (motoco21) however it keep sending spam. Also it didn't have ant x-trace flag in order to look for any script.

exim_main_log have entries like this

2013-05-17 12:55:05 1UdPo1-0005gA-0k <= [email protected]***.com U=motoco21 P=local S=453 T="Test mail 1771488919" for [email protected]***.com
2013-05-17 12:55:05 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t


The content of the mail is this:



Mail Control Data:
motoco21 596 32007
<[email protected]***.com>
1368817023 0
-ident motoco21
-received_protocol local
-body_linecount 3916
-max_received_linelength 382
-auth_id motoco21
-auth_sender [email protected]***.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
NN >[email protected]:[email protected]
1
[email protected]






Date:
Fri, 17 May 2013 12:57:03 -0600
From:
Bonus Chips <[email protected]>
To:
[email protected]
Subject:
Open an account at Platinum Play Casino and we'll give you 1,500 free bets!
Content-Type:
multipart/mixed; boundary="PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da"
Message-Id:
<[email protected]***.com>




--PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da
Content-Type: multipart/alternative; boundary="PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da"

--PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
Content-Type: text/plain; charset="utf-8""
Content-Transfer-Encoding: 7bit

EUROPALACE

--PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit


....
....
.....




Most time I have found a site sending spam is usually a php script or something like that that got uploaded, but never something like this, I haven't been able to trace or prevent. Any help on this will be appreciated it.

Thanks in advance.

 

[24x7server]

Can you please try to enable "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the mail tab. This could help investigate finding the malicious script.

 

[cPanelMichael]

Hello

It looks like the account is still able to authenticate to send mail. Have you tried suspending the account and restarting Exim? Also, have you checked your mail queue and removed any mail associated with this account that has yet to deliver?

Thank you.

 

[storminternet]

Wordpress, Joomla and other third party applications or scripts are one of the reason for spamming. If offended domain is using outdated version of third party software or scripts then update them asap and check the permission and ownership if files and folders just to ensure of they are having insecure permission and nobody ownership.