Preventing spam, and tracing /usr/bin/sendmail -t

fcastro86 · May 17, 2013

Hello, I usually try to check logs quite often, also I have several options to trace email abuse, however today I got some kind of attack to an account, I tried to change the password of this account (motoco21) however it keep sending spam. Also it didn't have ant x-trace flag in order to look for any script.

exim_main_log have entries like this

2013-05-17 12:55:05 1UdPo1-0005gA-0k <= [email protected]***.com U=motoco21 P=local S=453 T="Test mail 1771488919" for [email protected]***.com
2013-05-17 12:55:05 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t

The content of the mail is this:

Mail Control Data:
motoco21 596 32007
<[email protected]***.com>
1368817023 0
-ident motoco21
-received_protocol local
-body_linecount 3916
-max_received_linelength 382
-auth_id motoco21
-auth_sender [email protected]***.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
NN >[email protected]:[email protected]
1
[email protected]

Date:
Fri, 17 May 2013 12:57:03 -0600
From:
Bonus Chips <[email protected]>
To:
[email protected]
Subject:
Open an account at Platinum Play Casino and we'll give you 1,500 free bets!
Content-Type:
multipart/mixed; boundary="PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da"
Message-Id:
<[email protected]***.com>

--PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da
Content-Type: multipart/alternative; boundary="PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da"

--PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
Content-Type: text/plain; charset="utf-8""
Content-Transfer-Encoding: 7bit

EUROPALACE

--PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

....
....
.....

Most time I have found a site sending spam is usually a php script or something like that that got uploaded, but never something like this, I haven't been able to trace or prevent. Any help on this will be appreciated it.

Thanks in advance.

24x7server · May 20, 2013

Can you please try to enable "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the mail tab. This could help investigate finding the malicious script.

cPanelMichael · May 20, 2013

Hello

It looks like the account is still able to authenticate to send mail. Have you tried suspending the account and restarting Exim? Also, have you checked your mail queue and removed any mail associated with this account that has yet to deliver?

Thank you.

storminternet · May 20, 2013

Wordpress, Joomla and other third party applications or scripts are one of the reason for spamming. If offended domain is using outdated version of third party software or scripts then update them asap and check the permission and ownership if files and folders just to ensure of they are having insecure permission and nobody ownership.

Thread starter	Similar threads	Forum	Replies	Date
T	A method of preventing spam	E-mail Discussion	4	Jun 22, 2019
	Preventing user password change in webmail	E-mail Discussion	2	Sep 7, 2018
T	Preventing reply for an email account	E-mail Discussion	1	Jan 13, 2018
B	Preventing Boxtrapper backscatter - one weird little trick that spammers HATE!	E-mail Discussion	3	Feb 17, 2015
	Preventing the fowarding of spam to remote hosts with forwards.	E-mail Discussion	0	Dec 3, 2007

Search

Search

Preventing spam, and tracing /usr/bin/sendmail -t

fcastro86

Member

24x7server

Well-Known Member

cPanelMichael

Technical Support Community Manager

storminternet

Well-Known Member