The Community Forums

Interact with an entire community of cPanel & WHM users!

Preventing spam, and tracing /usr/bin/sendmail -t

Discussion in 'E-mail Discussions' started by fcastro86, May 17, 2013.

  1. fcastro86 (Member; cPanel Access Level: Root Administrator)

    Hello, I usually try to check logs quite often, and I also have several options to trace email abuse. However, today I got some kind of attack on an account; I tried to change the password of this account (motoco21), but it keeps sending spam. Also, it didn't have any x-trace flag in order to look for any script.

    exim_main_log has entries like this:

    2013-05-17 12:55:05 1UdPo1-0005gA-0k <= motoco21@titan.***.com U=motoco21 P=local S=453 T="Test mail 1771488919" for hcoommontest@***.com
    2013-05-17 12:55:05 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t


    The content of the mail is this:



    Mail Control Data:
    motoco21 596 32007
    <motoco21@titan.***.com>
    1368817023 0
    -ident motoco21
    -received_protocol local
    -body_linecount 3916
    -max_received_linelength 382
    -auth_id motoco21
    -auth_sender motoco21@titan.***.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    NN >bonus_chips@bonus-chip.biz:b2is0t@yahoo.com
    1
    b2is0t@yahoo.com






    Date:
    Fri, 17 May 2013 12:57:03 -0600
    From:
    Bonus Chips <bonus_chips@bonus-chip.biz>
    To:
    b2is0t@yahoo.com
    Subject:
    Open an account at Platinum Play Casino and we'll give you 1,500 free bets!
    Content-Type:
    multipart/mixed; boundary="PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da"
    Message-Id:
    <E1UdPpv-0005xm-Ci@titan.***.com>




    --PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: multipart/alternative; boundary="PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da"

    --PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: text/plain; charset="utf-8"
    Content-Transfer-Encoding: 7bit

    EUROPALACE

    --PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: 7bit


    ....
    ....
    .....




    Most of the time when I have found a site sending spam it is usually a PHP script or something like that that got uploaded, but never something like this, which I haven't been able to trace or prevent. Any help on this will be appreciated.

    Thanks in advance.
     
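The excerpt above already contains the clue a practitioner would follow: when Exim's log_selector includes +arguments (as it evidently does here), every local sendmail call is logged with its working directory and argv, and the matching message arrival line carries U=<user> and P=local. The script below is an added example, not code from the thread or from cPanel: it pairs the two kinds of lines and counts injections per (user, cwd, argv), which points at the directory holding the script or cron job. The pairing rule (nearest unused arguments line within a few lines, preferring the one logged before the arrival) is an assumption of this script, and SAMPLE_LOG is constructed data in the format shown above; hosts, message IDs and addresses are made up.

```python
"""
Added example (not the thread's or cPanel's code): trace P=local injections in
exim_mainlog back to the Unix user and the directory of the sendmail call.
SAMPLE_LOG is constructed; the pairing rule in trace_local_messages is assumed.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
2013-05-17 12:55:04 cwd=/home/motoco21/public_html/wp-content/uploads 2 args: /usr/sbin/sendmail -t
2013-05-17 12:55:05 1UdPo1-0005gA-0k <= motoco21@titan.example.com U=motoco21 P=local S=453 T="Test mail 1771488919" for hcoommontest@example.com
2013-05-17 12:55:05 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t
2013-05-17 12:55:05 1UdPo2-0005gB-1x <= motoco21@titan.example.com U=motoco21 P=local S=4120 T="Open an account at Platinum Play Casino" for b2is0t@yahoo.com
2013-05-17 12:56:01 1UdPo9-0005gZ-Qq <= alice@titan.example.com H=(mail.example.net) [192.0.2.10] P=esmtpsa A=dovecot_login:alice S=812 T="hi" for bob@example.org
2013-05-17 12:57:00 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t
2013-05-17 12:57:00 1UdPqQ-0005hK-9z <= motoco21@titan.example.com U=motoco21 P=local S=4118 T="Open an account at Platinum Play Casino" for c3jt1u@yahoo.com
2013-05-17 12:58:12 1UdPrW-0005hR-2a <= root@titan.example.com U=root P=local S=240 T="Cron <root@titan> run-parts /etc/cron.hourly" for root@titan.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
CWD_RE = re.compile(r"^cwd=(?P<cwd>\S+) (?P<argc>\d+) args: (?P<args>.*)$")
MSG_RE = re.compile(r"^(?P<id>\S+) <= (?P<sender>\S+) (?P<attrs>.*)$")
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_mainlog(text):
    """Split the log into message-arrival records and sendmail-argument records,
    keeping each line's position so the two can be paired afterwards."""
    msgs, cwds = [], []
    for idx, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, rest = m["ts"], m["rest"]
        c = CWD_RE.match(rest)
        if c:
            cwds.append({"idx": idx, "ts": ts, "cwd": c["cwd"], "args": c["args"]})
            continue
        a = MSG_RE.match(rest)
        if a:
            attrs = dict(ATTR_RE.findall(a["attrs"]))
            msgs.append({"idx": idx, "ts": ts, "id": a["id"], "sender": a["sender"],
                         "user": attrs.get("U"), "proto": attrs.get("P"),
                         "auth": attrs.get("A"),
                         "subject": attrs.get("T", "").strip('"')})
    return msgs, cwds


def trace_local_messages(text, window=3):
    """Return the P=local arrivals (pipe/sendmail injections) together with the cwd
    and argv of the sendmail call that produced them. SMTP submissions (P=esmtp*,
    carrying H= and A= fields) are left out: those are traced by IP and auth id."""
    msgs, cwds = parse_mainlog(text)
    used, traced = set(), []
    for msg in msgs:
        if msg["proto"] != "local":
            continue
        candidates = [c for c in cwds
                      if c["idx"] not in used and abs(c["idx"] - msg["idx"]) <= window]
        # Nearest line wins; on a tie prefer the arguments line logged before the
        # arrival, the order Exim normally writes them (assumption of this example).
        best = min(candidates,
                   key=lambda c: (abs(c["idx"] - msg["idx"]), c["idx"] > msg["idx"]),
                   default=None)
        if best:
            used.add(best["idx"])
        traced.append({**msg,
                       "cwd": best["cwd"] if best else None,
                       "args": best["args"] if best else None})
    return traced


def summarize(traced):
    """Count injections per (user, cwd, argv). The directory with the highest count
    is where to look for the script or cron job; a None cwd means no arguments line
    was found near the arrival (e.g. +arguments not logged, or window too small)."""
    return Counter((t["user"], t["cwd"], t["args"]) for t in traced)


if __name__ == "__main__":
    for key, n in summarize(trace_local_messages(SAMPLE_LOG)).most_common():
        print(n, key)
```

Run it against a real exim_mainlog (or the output of `grep -F motoco21 /var/log/exim_mainlog`) and the cwd with the highest count is where to start: list recently modified PHP files there and check the user's crontab (`crontab -l -u motoco21`). Two caveats follow from the log format itself: with `sendmail -t` the From, To and Subject seen in the message are whatever the calling process wrote into the headers, so they say nothing about the real origin, and a process already running as the Unix user does not need the mailbox password, which is why changing it has no effect on this kind of spam.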
  2. 24x7server (Well-Known Member, India; cPanel Access Level: Root Administrator)

    Can you please try to enable "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the Mail tab. This could help in finding the malicious script.
     
  3. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)

    Hello :)

    It looks like the account is still able to authenticate to send mail. Have you tried suspending the account and restarting Exim? Also, have you checked your mail queue and removed any mail associated with this account that has yet to deliver?

    Thank you.
     
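Checking and clearing the queue for one account, as an added example that is not the thread's own procedure: the script parses the listing that `exim -bp` prints, selects the queued messages whose envelope sender belongs to the account, and builds the `exim -Mrm` command that removes them. SAMPLE_QUEUE is constructed data in the `exim -bp` format (age, size, message ID, `<sender>`, an optional `*** frozen ***` marker, then one indented recipient per line, with `D` marking a recipient already delivered); the IDs and addresses are made up. On a live server `exiqgrep -i -f '<pattern>'` yields the same ID list; the point of writing it out is to see what is and is not matched.

```python
"""
Added example (not the thread's code): select an account's queued messages from
'exim -bp' output and build the removal command. SAMPLE_QUEUE is constructed.
"""
import re

SAMPLE_QUEUE = """\
25m  1.2K 1UdPo1-0005gA-0k <motoco21@titan.example.com>
          b2is0t@yahoo.com

 3h   11K 1UdPpv-0005xm-Ci <motoco21@titan.example.com> *** frozen ***
          hcoommontest@example.com
        D other@example.net

 2m   820 1UdPsA-0005iC-7f <alice@titan.example.com>
          bob@example.org

 1m   300 1UdPtB-0005jD-3b <>
          motoco21@titan.example.com
"""

# Header line: age, size, Exim message ID, <envelope sender>, optional frozen marker.
HEADER_RE = re.compile(
    r"^\s*(?P<age>\S+)\s+(?P<size>\S+)\s+"
    r"(?P<id>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2})\s+"
    r"<(?P<sender>[^>]*)>(?P<frozen>\s+\*\*\* frozen \*\*\*)?\s*$")
# Recipient line: indented address, optionally prefixed with D (already delivered).
RCPT_RE = re.compile(r"^\s+(?:D\s+)?(?P<rcpt>\S+@\S+)\s*$")


def parse_queue(text):
    """Turn 'exim -bp' output into a list of {id, sender, frozen, rcpts} records."""
    entries, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {"id": h["id"], "sender": h["sender"],
                       "frozen": h["frozen"] is not None, "rcpts": []}
            entries.append(current)
            continue
        r = RCPT_RE.match(line)
        if r and current is not None:
            current["rcpts"].append(r["rcpt"])
    return entries


def ids_for_account(entries, account):
    """IDs of queued messages whose envelope sender's local part is `account`.
    Bounces (sender <>) and mail merely addressed to the account do not match,
    so an inbound bounce to the victim is kept while the outbound spam is listed."""
    return [e["id"] for e in entries if e["sender"].split("@")[0] == account]


def removal_command(ids):
    """The command to run as root once the ID list has been reviewed; None if empty."""
    return "exim -Mrm " + " ".join(ids) if ids else None


if __name__ == "__main__":
    queue = parse_queue(SAMPLE_QUEUE)
    for e in queue:
        print(e["id"], e["sender"] or "<>", "frozen" if e["frozen"] else "", e["rcpts"])
    print(removal_command(ids_for_account(queue, "motoco21")))
```

Matching on the envelope sender is deliberate: with `sendmail -t` and no `-f`, Exim sets the envelope sender to the calling Unix user, which is exactly the field shown in the thread's `<=` line (and in the spool header's `-auth_sender`). Matching on the From: header instead would miss nothing here but would also be trivially forgeable by the script.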
  4. storminternet (Well-Known Member; cPanel Access Level: Root Administrator)

    WordPress, Joomla and other third-party applications or scripts are one of the reasons for spamming. If the offending domain is using an outdated version of third-party software or scripts, then update them ASAP, and check the permissions and ownership of files and folders just to ensure they do not have insecure permissions or "nobody" ownership.
     