Relay Problem / Spam

Discussion in 'E-mail Discussions' started by teknom, Nov 24, 2016.

  1. teknom

    teknom Member

    Joined:
    May 20, 2016
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Turkey
    cPanel Access Level:
    Root Administrator
Hello, I am having trouble with one of my domains. Exim is getting connections from different IP addresses and one domain sends lots of spam mail.
    Here are the track delivery logs from this domain.

    Code:
    Event:failure 
    User: domainuser
    Domain: mydomain.com
    Sender: play@example.org   //spammer address
    Sent Time: Nov 24, 2016 3:32:15 PM
    Sender Host: ip70-170-53-xxx.lv.lv.cox.net
    Sender IP: 70.170.53.xxx  //spammer ip (there is lots of different ip addresses)
    Authentication: dovecot_login
    Spam Score: 0
    Recipient: someusr@domain.com
    Delivery User:
    Delivery Domain:
    Delivered To:
    Router: enforce_mail_permissions
    Transport: remote_smtp
    Out Time: Nov 24, 2016 3:32:15 PM
    ID: 1c9tCD-00064r-KH
    Delivery Host:
    Delivery IP:
    Size: 30.77 KB
    Result: Domain mydomain.com has exceeded the max emails per hour (125/100 (125%)) allowed. Message discarded.
    
I do not understand how this is possible. Exim does not accept open relay connections, and this guy sends lots of mail from my domain with different mail addresses.
    I changed the password for this user 3 times but the spam is still coming.
    I scanned the web folders for any harmful script but found nothing.
    Any solution?
     
    #1 teknom, Nov 24, 2016
    Last edited by a moderator: Nov 24, 2016
  2. teknom

    teknom Member

Here is another track delivery log with success:
    Code:
    Event:success
    User: domainuser
    Domain: mydomain.com
    Sender: play@domain.org
    Sent Time: Nov 24, 2016 3:09:15 PM
    Sender Host: 170-231-226-19.static.example.com.br
    Sender IP: 170.231.xxx.x
    Authentication: dovecot_login
    Spam Score: 0
    Recipient: someusr@domain.pl
    Delivery User: -system-
    Delivery Domain:
    Delivered To: >play24@example.org
    Router: check_mail_permissions
    Transport: address_reply
    Out Time: Nov 24, 2016 3:09:15 PM
    ID: 1c9sqS-0005ku-9f
    Delivery Host: localhost
    Delivery IP: 127.0.0.1
    Size: 30.92 KB
    Result: Accepted
    
How is this possible, that the guy sends mail with a different domain's mail address from my mail server?
     
    #2 teknom, Nov 24, 2016
    Last edited by a moderator: Nov 24, 2016
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Have you changed both the email account password, and the password to the cPanel account username?

    Thank you.
     
  4. teknom

    teknom Member

Yes, I changed the domain's main user and mail users' passwords. In the end I found the problem: one of the mail users' computers was infected with a kind of crypto virus, and after entering the password in the Outlook client the spam started again.

    Here is part of exim_mainlog:
    Code:
    2016-11-28 15:16:11 1cBKqw-0006To-UL <= noreply@example.it H=(8.27.123.27) [8.27.123.27]:53040 P=esmtpa A=dovecot_login:user@mydomain.com S=5311 id=0FF5B4AD86527CCF13165FEBEFC267FD@sda.it T="si dispone di una spedizione" for stefano@domain.com
    2016-11-28 15:16:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cBKqw-0006To-UL
    2016-11-28 15:16:11 1cBKqw-0006To-UL ** stefano@domain.com R=enforce_mail_permissions: Domain mydomain.com has exceeded the max defers and failures per hour (25/25 (27%)) allowed. Message discarded.
    
In this situation, the attacker obtained my mail user's password, authenticated with those credentials to the mail server, and then started spamming with a different mail address as sender.
    How can I block this? Sending mail as a different sender while authenticated as user@mydomain.com.
     
    #4 teknom, Nov 30, 2016
    Last edited by a moderator: Nov 30, 2016
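The exim_mainlog entry in post #4 contains everything needed to spot this abuse pattern without waiting for the hourly limit to trip: the `A=dovecot_login:user@mydomain.com` field names the authenticated account, the `<=` sender address is what the attacker chose, and the `[ip]` is where the session came from. The script below, added here as an illustration and not code from the thread or from cPanel, parses such lines and flags accounts that authenticate from many distinct IPs, send with an envelope sender outside their own domain, or have messages discarded by `enforce_mail_permissions`. The log lines it runs on are constructed samples shaped like the one above (documentation-range IPs, made-up message ids); only the line format is taken from the post.

```python
"""Spot compromised-mailbox abuse in exim_mainlog.

Signals per authenticated account (the A=mech:user field):
  * number of distinct source IPs used to authenticate
  * messages whose envelope sender domain differs from the account's domain
  * rate-limit discards ("** ... Message discarded.") attributed back to the
    account via the Exim message id
"""
import re
from collections import defaultdict

# Constructed sample log (hypothetical; shaped like the entry in post #4).
SAMPLE_LOG = """\
2016-11-28 15:16:11 1cBKqw-0006To-UL <= noreply@example.it H=(8.27.123.27) [192.0.2.10]:53040 P=esmtpa A=dovecot_login:user@mydomain.com S=5311 id=abc@sda.it T="si dispone di una spedizione" for stefano@domain.com
2016-11-28 15:16:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cBKqw-0006To-UL
2016-11-28 15:16:11 1cBKqw-0006To-UL ** stefano@domain.com R=enforce_mail_permissions: Domain mydomain.com has exceeded the max defers and failures per hour (25/25 (27%)) allowed. Message discarded.
2016-11-28 15:16:40 1cBKrP-0006Tz-1a <= play@example.org H=host.example.net [192.0.2.77]:41012 P=esmtpa A=dovecot_login:user@mydomain.com S=31000 for someusr@domain.pl
2016-11-28 15:17:02 1cBKrl-0006U4-7c <= play@example.org H=(WIN-PC) [192.0.2.123]:51200 P=esmtpa A=dovecot_login:user@mydomain.com S=31000 for someusr@domain.com
2016-11-28 15:17:02 1cBKrl-0006U4-7c ** someusr@domain.com R=enforce_mail_permissions: Domain mydomain.com has exceeded the max emails per hour (125/100 (125%)) allowed. Message discarded.
2016-11-28 15:18:10 1cBKsq-0006Ub-Qa <= user@mydomain.com H=(laptop) [192.0.2.200]:50011 P=esmtpa A=dovecot_login:user@mydomain.com S=2048 for friend@example.net
2016-11-28 15:20:00 1cBKud-0006Uk-3b <= alice@mydomain.com H=(office) [198.51.100.7]:50012 P=esmtpsa A=dovecot_login:alice@mydomain.com S=1200 for bob@example.com
2016-11-28 15:21:00 1cBKvZ-0006Up-9d <= alice@mydomain.com H=(office) [198.51.100.7]:50013 P=esmtpsa A=dovecot_login:alice@mydomain.com S=1300 for carol@example.com
"""

# "<=" = message received. H= may be "(helo) [ip]", "rdns (helo) [ip]" or
# "rdns [ip]"; the lazy ".*?" stops at the first bracketed address either way.
RECEIVED_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) '
    r'H=.*?\[(?P<ip>[^\]]+)\](?::\d+)? P=(?P<proto>\S+) A=(?P<mech>[^:\s]+):(?P<user>\S+)'
)
# "**" = delivery failed; we only care about the hourly-limit discards.
DISCARD_RE = re.compile(r'^\S+ \S+ (?P<id>\S+) \*\* .*Message discarded\.$')


def parse_mainlog(text):
    """Return (received records keyed by message id, discard counts keyed by id)."""
    received = {}
    discards = defaultdict(int)
    for line in text.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec['sender'] = rec['sender'].lower()
            rec['user'] = rec['user'].lower()
            received[rec['id']] = rec
            continue
        m = DISCARD_RE.match(line)
        if m:
            discards[m.group('id')] += 1
    return received, discards


def domain_of(addr):
    return addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''


def summarize(received, discards, ip_threshold=3):
    """Aggregate per authenticated account and decide whether it looks abused."""
    per_user = defaultdict(lambda: {'messages': 0, 'ips': set(),
                                    'mismatched': set(), 'mismatch_count': 0,
                                    'discards': 0})
    for msg_id, rec in received.items():
        s = per_user[rec['user']]
        s['messages'] += 1
        s['ips'].add(rec['ip'])
        # Attacker sends as play@example.org while logged in as user@mydomain.com.
        if domain_of(rec['sender']) != domain_of(rec['user']):
            s['mismatched'].add(rec['sender'])
            s['mismatch_count'] += 1
        s['discards'] += discards.get(msg_id, 0)

    report = {}
    for user, s in per_user.items():
        reasons = []
        if len(s['ips']) >= ip_threshold:
            reasons.append(f"{len(s['ips'])} distinct source IPs")
        if s['mismatch_count']:
            reasons.append(f"{s['mismatch_count']} messages with foreign sender domain")
        if s['discards']:
            reasons.append(f"{s['discards']} messages discarded by hourly limit")
        report[user] = {
            'messages': s['messages'],
            'distinct_ips': len(s['ips']),
            'mismatch_count': s['mismatch_count'],
            'mismatched_senders': sorted(s['mismatched']),
            'discards': s['discards'],
            'suspicious': bool(reasons),
            'reasons': reasons,
        }
    return report


def analyze(text, ip_threshold=3):
    received, discards = parse_mainlog(text)
    return summarize(received, discards, ip_threshold)


if __name__ == '__main__':
    for user, r in analyze(SAMPLE_LOG).items():
        state = 'SUSPICIOUS' if r['suspicious'] else 'ok'
        print(f"{user}: {state}; " + ('; '.join(r['reasons']) or 'nothing unusual'))
```

Run against a real file with `analyze(open('/var/log/exim_mainlog').read())`; the `ip_threshold` of 3 is a starting point for a mailbox used from one or two devices, not a universal value. Note that the first signal (many source IPs per account) fires before any hourly limit does, so a cron job running this every few minutes catches the leaked credential earlier than the limits in post #5 alone, which only discard the overflow.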
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    In cases where authentication is obtained from an end-user through a virus/trojan, you'd want to rely on the settings on the system to prevent email abuse. You can find them documented at:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation
    How to Prevent Spam with Mail Limiting Features - cPanel Knowledge Base - cPanel Documentation

    You may also want to use a firewall management application such as CSF, which includes an email relay tracking feature that you can configure to notify you when accounts send a set number of emails:

    ConfigServer Security & Firewall (csf)

    Thank you.
     