The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Remote Sending Spam

Discussion in 'E-mail Discussions' started by wilson18, Apr 1, 2014.

  1. wilson18

    wilson18 Member

    Joined:
    Mar 4, 2014
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    I have a fairly new server set up with only a handful of users on it. I have just checked our sent emails and i have seen some coming from a domain which isnt hosted with us. After checking the sent summary i can see the following:

    Domain User Successful Deferrals Failures Failed and Deferred Total Messages Data Sent
    -remote- 221 0 113 113 328 6.77 MB

    All pail is sent through the Web Mail so it shouldnt be the case of some been sent from elseware.

    Is there any way to find out how they are sending the emails and stop it?
    I have used mysql -e "SELECT * FROM eximstats.sends WHERE user = '-remote-'\G" > /root/mysqlremotesends and here are just a couple entries from the file

    Code:
    *************************** 4199. row ***************************
mailtime: 2014-04-01 11:47:49
msgid: 1WUwEO-0005fX-6i
email: cardsupport@domain.co.uk
processed: 0
user: -remote-
size: 48053
ip: 85.158.xxx.xxx
auth: localdelivery
host: mail1.bemta4.domaintoo.com
domain:
localsender: 1
spamscore: 4.3
*************************** 4200. row ***************************
mailtime: 2014-04-01 11:54:58
msgid: 1WUwLI-0006Ek-85
email: <>
processed: 0
user: -remote-
size: 3525
ip: 87.238.xx.xx
auth: localdelivery
host: hostname.domain.de
domain:
localsender: 1
spamscore: 0
*************************** 4201. row ***************************
mailtime: 2014-04-01 11:55:53
msgid: 1WUwM8-0006PP-5Y
email: bounce-zwdsprsbwsblkrrwzrdzkwmdrlwzw...domainthree.com
processed: 0
user: -remote-
size: 31849
ip: 208.123.xx.xx
auth: localdelivery
host: mail6.domaintoo.com
domain:
localsender: 1
spamscore: -4.6

    Any help would be much appreciated.
     
    #1 wilson18, Apr 1, 2014
    Last edited by a moderator: Apr 1, 2014
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,301
    Likes Received:
    42
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Does this produce anything:

    grep 1WUwM8-0006PP-5Y /var/log/exim_mainlog|grep courier_login

    If so, is there a local email account listed right after courier_login: that is the same in all of those messages? That would be an indicator of a breached email account being used to send spam.

    Mike
     
    #2 mtindor, Apr 1, 2014
  3. wilson18

    wilson18 Member

    Joined:
    Mar 4, 2014
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi Mike,

    Thanks for getting back to me. I have just tried that and nothing comes back from it

    Chris
     
    #3 wilson18, Apr 1, 2014
  4. wilson18

    wilson18 Member

    Joined:
    Mar 4, 2014
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    When just doing
    grep 1WUwM8-0006PP-5Y /var/log/exim_mainlog
    I get the following

    Code:
    2014-04-01 11:55:53 1WUwM8-0006PP-5Y H=mail6.domain.com [208.123.xx.xx]:41733 Warning: "SpamAssassin as localuser detected message as NOT spam (-4.6)"
2014-04-01 11:55:53 1WUwM8-0006PP-5Y H=mail6.domaintoo.com [208.123.68.16]:41733 Warning: Message has been scanned: no virus or other harmful content was found
2014-04-01 11:55:53 1WUwM8-0006PP-5Y <= bounce-zwdsprsbwsblkrrwzrdzkwmdrlwzw...sswalkmail.com H=mail6.domaintoo.com [208.123.xx.xx]:41733 P=esmtp S=31849 id=312557203.5176246.1396348555039.JavaMail.root@domaintoo.com T="How to Prepare Your Kids for Meaningful and Worthy Lives" for user@domain.com
2014-04-01 11:55:53 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WUwM8-0006PP-5Y
2014-04-01 11:55:53 1WUwM8-0006PP-5Y => localuser <user@domain.com> R=localuser T=local_delivery
2014-04-01 11:55:53 1WUwM8-0006PP-5Y Completed
     
    #4 wilson18, Apr 1, 2014
    Last edited by a moderator: Apr 1, 2014
  5. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,301
    Likes Received:
    42
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    That [and the info from your first post] seem to indicate that those are just normal emails coming in from external mailservers to your mailsystem for your users. I dont particularly see anything wrong at this point. What is it that is making you believe that your server is sending out unwanted mails to remote mailservers?

    Mike
     
    #5 mtindor, Apr 1, 2014
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,204
    Likes Received:
    1,297
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    The "-remote-" user is used for incoming and outgoing mails that are not local. Effectively, it's used for when an email is sent out of the server or when an email is sent to the server and the sender or recipient are remote. Is there any other evidence that leads you to believe that this is SPAM email?

    Thank you.
     
    #6 cPanelMichael, Apr 2, 2014
  7. wilson18

    wilson18 Member

    Joined:
    Mar 4, 2014
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Im thinking they are spam due to the domains they are coming from not actually been hosted on the server on anyones accounts and yet they are still going out.
     
    #7 wilson18, Apr 2, 2014
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,204
    Likes Received:
    1,297
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    The following document is a good place to start if you want to prevent email abuse:

    cPanel - Prevent Email Abuse

    You may also want to enable SpamAssassin for outgoing email to help reduce the potential of SPAM being sent from your server.

    Thank you.
     
    #8 cPanelMichael, Apr 4, 2014
(You must log in or sign up to post here.)
Loading...
Similar Threads - Remote Sending Spam
  1. KrisG

    Large Exim Queue - How to speed up local delivery / remote sending

    KrisG, Jan 31, 2017, in forum: E-mail Discussions
    Replies:
    2
    Views:
    485
    cPanelMichael
    Feb 1, 2017
  2. awaraleo

    Sending email from a remote script

    awaraleo, Sep 2, 2015, in forum: E-mail Discussions
    Replies:
    6
    Views:
    524
    Infopro
    Sep 2, 2015
  3. ruiz

    Spamassassin detecting local e-mail as remote

    ruiz, Aug 23, 2017 at 7:22 AM, in forum: E-mail Discussions
    Replies:
    1
    Views:
    28
    cPanelMichael
    Aug 23, 2017 at 10:30 AM
  4. Nirjonadda

    Remote Root Account Transfer

    Nirjonadda, Aug 21, 2017 at 8:35 AM, in forum: General Discussion
    Replies:
    3
    Views:
    41
    cPanelMichael
    Aug 22, 2017 at 11:11 AM
  5. Dhaupin

    Comments in /etc/ips.remotedns (Remote Service IP's)

    Dhaupin, Aug 9, 2017, in forum: Bind / DNS / Nameserver Issues
    Replies:
    3
    Views:
    75
    cPanelMichael
    Aug 10, 2017

Share This Page