Root/system sends e-mail from @gmail.com

Operating System & Version
CentOS v7.9.2009 STANDARD standard
cPanel & WHM Version
106.0.11

Evesion

Registered
Dec 16, 2022
Abu Dahbi
cPanel Access Level
Root Administrator
Hi.

I was checking my mail logs and saw 21k messages sent in the last month by root/-system-; all messages are sent from ****@gmail.com to ****@gmail.com.
What I did so far is:
- Suspend my websites to see if the msg stop.
- Change my contact e-mail in WHM to see if the msg now would go to a different e-mail.

The messages didn't stop or go to the different e-mail.

Event:failure
error
Sender User:root
Sender Domain:-system-
From Address:*****@gmail.com
Sender:root
Sent Time:Dec 16, 2022, 11:39:11 AM
Sender Host:localhost
Sender IP:127.0.0.1
Authentication:localuser
Spam Score:
Recipient:****@gmail.com
Delivered To:
Delivery User:-system-
Delivery Domain:
Router:lookuphost
Transport:remote_smtp
Out Time:Dec 16, 2022, 11:39:11 AM
ID:1p65JM-0006YJ-NU
Delivery Host:gmail-smtp-in.l.google.com
Delivery IP:108.177.14.27
Size:726 bytes
Result:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after end of data: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both\n550-5.7.26 do not pass). SPF check for [gmail.com] does not pass with ip:\n550-5.7.26 [95.216.96.53].To best protect our users from spam, the message has\n550-5.7.26 been blocked. Please visit\n550-5.7.26 Prevent mail to Gmail users from being blocked or sent to spam - Gmail Help for more\n550 5.7.26 information. p18-20020a056512139200b0049492f3f14fsi815366lfa.445 - gsmtp

Evesion

Registered
Dec 16, 2022
Abu Dahbi
cPanel Access Level
Root Administrator
I was able to intercept one of these e-mails in the mail queue before it was sent:


Mail Control Data:

mailnull 47 12
<>
1671178158 0
-received_time_usec .133773
-received_time_complete 1671178158.143364
-ident mailnull
-received_protocol local
-body_linecount 59
-max_received_linelength 101
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-localerror
-tls_resumption A
XX
1
****@gmail.com


Date: Fri, 16 Dec 2022 09:09:18 +0100
From: Mail Delivery System <[email protected]****.rs>
To: ****@gmail.com
Subject: Mail delivery failed: returning message to sender
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary=1671178158-eximdsn-1849465294
Message-Id: <[email protected]*****.rs>
MIME-Version: 1.0
Received: from mailnull by cpanel.****.rs with local (Exim 4.95)
	id 1p65mQ-0007n4-4J
	for ****@gmail.com;
	Fri, 16 Dec 2022 09:09:18 +0100
References: <[email protected]*****.rs>
X-Failed-Recipients: ****@gmail.com


--1671178158-eximdsn-1849465294
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

****@gmail.com
host gmail-smtp-in.l.google.com [64.233.164.27]
SMTP error from remote mail server after end of data:
550-5.7.26 This message does not pass authentication checks (SPF and DKIM both
550-5.7.26 do not pass). SPF check for [gmail.com] does not pass with ip:
550-5.7.26 [95.216.96.53].To best protect our users from spam, the message has
550-5.7.26 been blocked. Please visit
550-5.7.26 Prevent mail to Gmail users from being blocked or sent to spam - Gmail Help for more
550 5.7.26 information. 200-20020a2e05d1000000b0026de05c7ed4si852162ljf.280 - gsmtp

--1671178158-eximdsn-1849465294
Content-type: message/delivery-status

Reporting-MTA: dns; cpanel.*****.rs

Action: failed
Final-Recipient: rfc822;****@gmail.com
Status: 5.0.0
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both
550-5.7.26 do not pass). SPF check for [gmail.com] does not pass with ip:
550-5.7.26 [95.216.96.53].To best protect our users from spam, the message has
550-5.7.26 been blocked. Please visit
550-5.7.26 Prevent mail to Gmail users from being blocked or sent to spam - Gmail Help for more
550 5.7.26 information. 200-20020a2e05d1000000b0026de05c7ed4si852162ljf.280 - gsmtp

--1671178158-eximdsn-1849465294
Content-type: message/rfc822

Return-path: <****@gmail.com>
Received: from root by cpanel.****.rs with local (Exim 4.95)
(envelope-from <****@gmail.com>)
id 1p65mP-0007mt-Lj
for ****@gmail.com;
Fri, 16 Dec 2022 09:09:17 +0100
From: ****@gmail.com
To: ****@gmail.com
Subject: lfd on cpanel.*****.rs: Excessive resource usage: hellohireme (29831 (Parent PID:20129))
Message-Id: <[email protected]*****.rs>
Date: Fri, 16 Dec 2022 09:09:17 +0100

Time: Fri Dec 16 09:09:17 2022 +0100
Account: hellohireme
Resource: Virtual Memory Size
Exceeded: 651 > 512 (MB)
Executable: /opt/cpanel/ea-php74/root/usr/sbin/php-fpm
Command Line: php-fpm: pool hellohireme_today
PID: 29831 (Parent PID:20129)
Killed: No

--1671178158-eximdsn-1849465294--

ServerHealers

Well-Known Member
Sep 21, 2015
India
cPanel Access Level
Root Administrator
These look to be server notifications, especially from CSF/LFD. CSF/LFD turns on its notifications by default; they are generated from the root system user, and the From/To fields are taken from the WHM contact email address. From the notification you've attached, it looks to be a false positive alert, and it is fine to ignore it or to disable LFD notifications on the server to prevent this amount of email being generated from the server. If you wish to disable all LFD alerts, run the one-liner script below on your server as the root user; we built it and use it regularly on our client servers.

curl -s scripts.serverhealers.com/scripts/csf/csf_noalert | bash
 

ServerHealers

Well-Known Member
Sep 21, 2015
India
cPanel Access Level
Root Administrator
If you run that one-liner from my previous response, those notifications should stop coming in anyway. I'd also suggest checking whether you've entered the email address in the CSF configuration notification section by any chance, since that may override the WHM contact email setting for LFD notifications.
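The thread's diagnosis, turned into a check an administrator can run over the cPanel delivery-report records and the CSF alert settings (an added example, not code from either poster): it parses the "Key:value" report layout quoted above, flags root/-system- mail whose From domain the server does not host (and so cannot pass SPF for), and reads LF_ALERT_FROM / LF_ALERT_TO from a csf.conf fragment. The sample records, the csf.conf lines and the local-domain list are constructed placeholders.

```python
import re

# Constructed sample in the cPanel delivery-report "Key:value" layout quoted in the thread.
SAMPLE_REPORT = """Event:failure
Sender User:root
Sender Domain:-system-
From Address:alerts@gmail.com
Recipient:alerts@gmail.com
Result:SMTP error from remote mail server after end of data: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both do not pass).

Event:success
Sender User:hellohireme
Sender Domain:example.rs
From Address:info@example.rs
Recipient:customer@gmail.com
Result:Accepted
"""
# Constructed csf.conf fragment (KEY = "value" syntax) for the second reply's point.
CSF_CONF_SAMPLE = 'LF_ALERT_TO = "alerts@gmail.com"\nLF_ALERT_FROM = "alerts@gmail.com"\n'
LOCAL_DOMAINS = {"example.rs", "cpanel.example.rs"}  # constructed; your hosted domains

def parse_reports(text):
    """One dict per blank-line-separated record of 'Key:value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def system_alerts_with_foreign_from(records, local_domains):
    """root/-system- mail whose From domain this server cannot pass SPF for."""
    flagged = []
    for rec in records:
        if rec.get("Sender User") != "root" or rec.get("Sender Domain") != "-system-":
            continue
        domain = rec.get("From Address", "").rpartition("@")[2].lower()
        if domain and domain not in local_domains:
            spf_reject = "5.7.26" in rec.get("Result", "")  # Gmail's auth-failure code
            flagged.append((rec["From Address"], rec.get("Recipient"), spf_reject))
    return flagged

def csf_alert_addresses(conf_text):
    """LF_ALERT_FROM / LF_ALERT_TO values from a csf.conf fragment."""
    pat = r'^(LF_ALERT_(?:FROM|TO))\s*=\s*"([^"]*)"'
    return {m.group(1): m.group(2) for m in re.finditer(pat, conf_text, re.M)}
```

A flagged record whose From address matches the LF_ALERT_FROM value points straight at the CSF setting rather than at a compromised account.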