Relay Problem / Spam

Discussion in 'E-mail Discussion' started by teknom, Nov 24, 2016.

  1. teknom

    teknom Member

    Joined:
    May 20, 2016
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Turkey
    cPanel Access Level:
    Root Administrator
    Hello, I am having trouble with one of my domains. Exim is getting connections from different IP addresses and one domain sends lots of spam mail.
    Here are the track delivery logs from this domain.

    Code:
    Event:failure 
    User: domainuser
    Domain: mydomain.com
    Sender: play@example.org   //spammer address
    Sent Time: Nov 24, 2016 3:32:15 PM
    Sender Host: ip70-170-53-xxx.lv.lv.cox.net
    Sender IP: 70.170.53.xxx  //spammer ip (there is lots of different ip addresses)
    Authentication: dovecot_login
    Spam Score: 0
    Recipient: someusr@domain.com
    Delivery User:
    Delivery Domain:
    Delivered To:
    Router: enforce_mail_permissions
    Transport: remote_smtp
    Out Time: Nov 24, 2016 3:32:15 PM
    ID: 1c9tCD-00064r-KH
    Delivery Host:
    Delivery IP:
    Size: 30.77 KB
    Result: Domain mydomain.com has exceeded the max emails per hour (125/100 (125%)) allowed. Message discarded.
    
    I do not understand how this is possible. Exim does not accept open relay connections, and this guy sends lots of mails from my domain with different mail addresses.
    I changed this user's password 3 times but the spam is still coming.
    I scanned the web folders for any harmful script but nothing was found.
    Any solution?
     
    #1 teknom, Nov 24, 2016
    Last edited by a moderator: Nov 24, 2016
  2. teknom

    Here is another track delivery log, this time with success:
    Code:
    Event:success
    User: domainuser
    Domain: mydomain.com
    Sender: play@domain.org
    Sent Time: Nov 24, 2016 3:09:15 PM
    Sender Host: 170-231-226-19.static.example.com.br
    Sender IP: 170.231.xxx.x
    Authentication: dovecot_login
    Spam Score: 0
    Recipient: someusr@domain.pl
    Delivery User: -system-
    Delivery Domain:
    Delivered To: >play24@example.org
    Router: check_mail_permissions
    Transport: address_reply
    Out Time: Nov 24, 2016 3:09:15 PM
    ID: 1c9sqS-0005ku-9f
    Delivery Host: localhost
    Delivery IP: 127.0.0.1
    Size: 30.92 KB
    Result: Accepted
    
    How is this possible? The guy sends mail with a different domain's mail address from my mail server.
     
    #2 teknom, Nov 24, 2016
    Last edited by a moderator: Nov 24, 2016
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,344
    Likes Received:
    1,852
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Have you changed both the email account password, and the password to the cPanel account username?

    Thank you.
     
  4. teknom

    Yeah, I changed the domain's main user password and the mail users' passwords. In the end I found the problem: one of the mail users' computers was infected with a kind of crypto virus, and after entering the password in the Outlook client the spam started again.

    Here is part of exim_mainlog:
    Code:
    2016-11-28 15:16:11 1cBKqw-0006To-UL <= noreply@example.it H=(8.27.123.27) [8.27.123.27]:53040 P=esmtpa A=dovecot_login:user@mydomain.com S=5311 id=0FF5B4AD86527CCF13165FEBEFC267FD@sda.it T="si dispone di una spedizione" for stefano@domain.com
    2016-11-28 15:16:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cBKqw-0006To-UL
    2016-11-28 15:16:11 1cBKqw-0006To-UL ** stefano@domain.com R=enforce_mail_permissions: Domain mydomain.com has exceeded the max defers and failures per hour (25/25 (27%)) allowed. Message discarded.
    
    In this situation the attacker obtained my mail user's password, authenticated to the mail server with those credentials, and then started spamming with a different mail address as the sender.
    How can I block this? Sending mail as a different sender while logged in as user@mydomain.com.
     
    #4 teknom, Nov 30, 2016
    Last edited by a moderator: Nov 30, 2016
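An added example (not from the forum thread or from cPanel) that runs the check the post above asks about over exim_mainlog: it parses the `<=` arrival lines, flags messages whose envelope-sender domain differs from the domain of the authenticated account (the `A=dovecot_login:user@mydomain.com` field), and lists how many client IPs each account has logged in from. The sample log is constructed here apart from the one line quoted in the post; the other domains, IPs and message IDs are made up.

```python
import re
from collections import defaultdict

# Exim "<=" arrival lines carry the client as H=(helo) [ip]:port and the SMTP-auth
# account as A=<method>:<account>, exactly as in the exim_mainlog excerpt above.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) "
    r".*?\[(?P<ip>[^\]]+)\].*? A=(?P<method>[^:\s]+):(?P<account>\S+)"
)

def parse_arrivals(log_text):
    """One dict per authenticated '<=' line; local/bounce lines without A= are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.search(line)
        if m and m.group("sender") != "<>":
            rows.append(m.groupdict())
    return rows

def sender_mismatches(rows):
    """Messages whose envelope-sender domain is not the authenticated account's domain."""
    out = []
    for r in rows:
        acct_dom = r["account"].rpartition("@")[2].lower()
        from_dom = r["sender"].rpartition("@")[2].lower()
        if from_dom != acct_dom:
            out.append((r["id"], r["account"], r["sender"], r["ip"]))
    return out

def client_ips_per_account(rows):
    """Distinct client IPs per authenticated account; many IPs suggests a stolen password."""
    ips = defaultdict(set)
    for r in rows:
        ips[r["account"]].add(r["ip"])
    return {acct: sorted(v) for acct, v in ips.items()}

# Constructed sample log: line 1 is the line quoted in the post, the rest are made up.
SAMPLE_LOG = """\
2016-11-28 15:16:11 1cBKqw-0006To-UL <= noreply@example.it H=(8.27.123.27) [8.27.123.27]:53040 P=esmtpa A=dovecot_login:user@mydomain.com S=5311 id=0FF5B4AD86527CCF13165FEBEFC267FD@sda.it T="si dispone di una spedizione" for stefano@domain.com
2016-11-28 15:17:02 1cBKrl-0006Tq-AA <= user@mydomain.com H=(office-pc) [203.0.113.10]:49152 P=esmtpa A=dovecot_login:user@mydomain.com S=2200 T="weekly report" for boss@mydomain.com
2016-11-28 15:17:40 1cBKsN-0006Tx-BB <= promo@example.net H=(198.51.100.7) [198.51.100.7]:60001 P=esmtpa A=dovecot_login:user@mydomain.com S=5300 T="offer" for a@example.org
2016-11-28 15:18:00 1cBKt0-0006U0-CC <= <> R=1cBKqw-0006To-UL U=mailnull P=local S=3000 for noreply@example.it
2016-11-28 15:18:30 1cBKtU-0006U3-DD <= other@mydomain.com H=(laptop) [203.0.113.10]:49200 P=esmtpa A=dovecot_login:other@mydomain.com S=1000 T="hi" for x@example.org
"""
if __name__ == "__main__":
    rows = parse_arrivals(SAMPLE_LOG)
    for hit in sender_mismatches(rows):
        print("sender/account mismatch:", hit)
    for acct, ips in client_ips_per_account(rows).items():
        print(acct, "seen from", len(ips), "client IPs")
```

Run it against a real copy of /var/log/exim_mainlog to see which accounts are sending under foreign sender domains and from how many addresses; the same two signals are what the hourly limits in the next post act on.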
  5. cPanelMichael

    Hello,

    In cases where authentication is obtained from an end-user through a virus/trojan, you'd want to rely on the settings on the system to prevent email abuse. You can find them documented at:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation
    How to Prevent Spam with Mail Limiting Features - cPanel Knowledge Base - cPanel Documentation

    You may also want to use a firewall management application such as CSF, which includes an email relay tracking feature that you can configure to notify you when accounts send a set number of emails:

    ConfigServer Security & Firewall (csf)

    Thank you.
     