See email was sent

Discussion in 'E-mail Discussions' started by Rhuan, Dec 16, 2014.

  1. Rhuan

    Rhuan Active Member

    Joined:
    Nov 10, 2010
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Hi, I was looking for spammers on the server and saw this:

    Command: exigrep domain exim_mainlog

    Code:
    2014-12-16 23:57:51 1Y13s6-003DYF-Pa U=user Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as NOT spam (2.7)"
    2014-12-16 23:57:51 1Y13s6-003DYF-Pa <= user@hostname U=user P=local S=563 T="update" for php_info@ymail.com
    2014-12-16 23:57:51 1Y13s6-003DYF-Pa From: header (rewritten was: [Pages@hostname], actual sender is not the same system user) original=[Pages@hostname] actual_sender=[user@hostname]
    2014-12-16 23:57:51 1Y13s6-003DYF-Pa SMTP connection outbound 1418781471 1Y13s6-003DYF-Pa domain php_info@ymail.com
    2014-12-16 23:57:53 1Y13s6-003DYF-Pa => php_info@ymail.com R=lookuphost T=remote_smtp H=mta5.am0.yahoodns.net [66.196.118.33] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 ok dirdel"
    2014-12-16 23:57:53 1Y13s6-003DYF-Pa Completed
    
    2014-12-17 00:09:10 1Y1433-003Gd5-PC U=user Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as NOT spam (2.7)"
    2014-12-17 00:09:11 1Y1433-003Gd5-PC <= user@hostname U=user P=local S=561 T="update" for php_info@ymail.com
    2014-12-17 00:09:11 1Y1433-003Gd5-PC From: header (rewritten was: [Pages@hostname], actual sender is not the same system user) original=[Pages@hostname] actual_sender=[user@hostname]
    2014-12-17 00:09:11 1Y1433-003Gd5-PC SMTP connection outbound 1418782151 1Y1433-003Gd5-PC domain php_info@ymail.com
    2014-12-17 00:09:13 1Y1433-003Gd5-PC => php_info@ymail.com R=lookuphost T=remote_smtp H=mta7.am0.yahoodns.net [98.138.112.34] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 ok dirdel"
    2014-12-17 00:09:13 1Y1433-003Gd5-PC Completed
    
    Something like 30 emails were sent to php_info@ymail.com, but is it possible to see if these emails were sent by a PHP script, or to look at the content of these emails (control data or headers)?

    Thank you!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You won't be able to view the message contents if it's no longer stored on the server; however, you could review the mail queue to see if any additional messages are still in the queue:

    "WHM Home » Email » Mail Queue Manager"

    Thank you.
     
  3. Rhuan

    There isn't any email in the queue :(
    Is it possible to block emails to this recipient so they stay in the queue?
     
  4. cPanelMichael

    What method is the user using to send the message? Have you simply tried contacting the user to verify if the email is legitimate? You may find the "Email Archiving" feature helpful:

    Email Archiving

    Thank you.
     
  5. Rhuan

    Works perfectly, thank you so much!
    It's spam!

    Code:
    Return-path: <user@hostname>
    Envelope-to: php_info@ymail.com
    Delivery-date: Thu, 18 Dec 2014 18:40:31 -0200
    Received: from user by hostname with local (Exim 4.84)
    	(envelope-from <user@hostname>)
    	id 1Y1hs6-003G0V-LJ
    	for php_info@ymail.com; Thu, 18 Dec 2014 18:40:31 -0200
    To: php_info@ymail.com
    Subject: update
    X-PHP-Script: domain/documents/Mysecurefile/auth.php for 64.74.215.59, 64.74.215.59
    From: user@hostname
    Message-Id: <E1Y1hs6-003G0V-LJ@hostname>
    Date: Thu, 18 Dec 2014 18:40:30 -0200
    X-OutGoing-Spam-Status: No, score=2.7
    X-Archive-Type: outgoing
    X-Archive-Sender: user
    X-From-Rewrite: rewritten was: [Pages@hostname], actual sender is not the same system user
    
    domain/documents/Mysecurefile/auth.php
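
The two checks used in this thread, as an added example that is not part of the original posts or of cPanel's tooling: counting locally injected messages (`P=local`) per system user and recipient from `exim_mainlog` lines, and reading the `X-PHP-Script` header of an archived copy to find the sending script. The function names and the sample data are assumptions, constructed from the log lines and headers quoted above.

```python
import re
from collections import Counter
from email.parser import HeaderParser

# Constructed sample, modelled on the exim_mainlog lines quoted in the thread.
SAMPLE_LOG = """\
2014-12-16 23:57:51 1Y13s6-003DYF-Pa <= user@hostname U=user P=local S=563 T="update" for php_info@ymail.com
2014-12-16 23:57:51 1Y13s6-003DYF-Pa From: header (rewritten was: [Pages@hostname], actual sender is not the same system user) original=[Pages@hostname] actual_sender=[user@hostname]
2014-12-17 00:09:11 1Y1433-003Gd5-PC <= user@hostname U=user P=local S=561 T="update" for php_info@ymail.com
2014-12-17 00:10:02 1Y1444-003Gd9-AB <= alice@example.test H=(client) [192.0.2.10] P=esmtpsa S=1200 T="hello" for bob@example.test
"""
# Constructed archived message, modelled on the headers quoted in the thread.
SAMPLE_MESSAGE = """\
To: php_info@ymail.com
Subject: update
X-PHP-Script: domain/documents/Mysecurefile/auth.php for 64.74.215.59, 64.74.215.59
From: user@hostname

body
"""

# An arrival line is: date, time, message id, "<=", envelope sender, then fields.
ARRIVAL = re.compile(r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')

def local_submissions(log_text):
    """Count (system user, recipient) pairs for messages injected locally (P=local)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m or "P=local" not in m["rest"].split():
            continue  # not an arrival line, or it arrived over SMTP
        user = re.search(r'\bU=(\S+)', m["rest"])
        head, sep, rcpts = m["rest"].rpartition(" for ")
        if user and sep:
            for rcpt in rcpts.split():
                counts[(user.group(1), rcpt)] += 1
    return counts

def php_script_origin(raw_message):
    """Return (script path, client IPs) from an X-PHP-Script header, or None."""
    value = HeaderParser().parsestr(raw_message, headersonly=True).get("X-PHP-Script")
    if not value:
        return None
    script, _, clients = value.partition(" for ")
    return script.strip(), [ip.strip() for ip in clients.split(",") if ip.strip()]

if __name__ == "__main__":
    print(local_submissions(SAMPLE_LOG).most_common())
    print(php_script_origin(SAMPLE_MESSAGE))
```

A high count for one system user and a single external recipient is the pattern Rhuan spotted by hand; the script path then shows which file to inspect in that account.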
    
     