Send spam email with rdns server domain

Nadermoradi

cPanel Access Level: Website Owner
Hello everyone,
I have a strange problem.
Spam email is being sent from my server. I closed all email ports in CSF, but email was still being sent.
The more I checked, the more I noticed that the emails were sent from users with the server's rDNS domain.
All emails are sent from the local IP (127.0.0.1).
I put the IP in the block list and the emails are now rejected, but I want to know how the email is being sent. Is the server hacked?
The processes are created by mailnull. No email is sent when I stop these processes.
Code:
ps aux | grep mailnull
mailnull 1791867  1.2  0.0  84012  6312 ?        Ss   12:59   0:11 /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
mailnull 2053018  0.0  0.0  86800  9764 ?        S    13:13   0:00 /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
mailnull 2060185  0.0  0.0  84484  5984 ?        S    13:13   0:00 /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
mailnull 2066604  0.0  0.0  87356  5984 ?        S    13:13   0:00 /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
mailnull 2067195  0.0  0.0  87356  5984 ?        S    13:14   0:00 /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
cPRex

Jurassic Moderator
Staff member
cPanel Access Level: Root Administrator
Hey there! The best thing to do would be to scan the mail logs to see where the messages were being sent from. The following command will search the logs and let you know which directories mail has been sent from. Just be sure to ignore system notification directories like /etc/csf when checking this output:

Code:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Can you try that and see if that gets you more useful details?
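The pipeline in the reply above, run against a constructed exim_mainlog excerpt so it can be tried offline. This is an added example, not code from the thread or from cPanel; the log lines, directory names and host name are made up, and the extra filter for system senders is a hypothetical starting list, not a cPanel default.

```shell
#!/bin/sh
# Added example (not from the original thread): tally the cwd= values in
# an exim_mainlog the way the reply's one-liner does, on a constructed
# sample so it runs offline. Directory and host names are hypothetical.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed exim_mainlog excerpt. A cwd= line is written when a local
# process (e.g. a PHP script calling sendmail) hands a message to Exim;
# the "<=" receipt line carries no cwd= and is skipped by the grep, and
# the queue runner's own entry under /var/spool is dropped explicitly.
cat > "$SAMPLE_LOG" <<'EOF'
2022-02-14 12:59:01 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2022-02-14 12:59:02 1nJabc-000123-4X <= site1@server.example U=site1 P=local S=1234
2022-02-14 12:59:05 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2022-02-14 13:00:12 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1nJabc-000123-4X
2022-02-14 13:01:00 cwd=/etc/csf 3 args: /usr/sbin/sendmail -t
2022-02-14 13:02:00 cwd=/home/site2/public_html 3 args: /usr/sbin/sendmail -t -i
2022-02-14 13:03:00 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
EOF

# Same pipeline as the reply: directories mail was submitted from,
# least frequent first, with /var/spool (the queue runner) removed.
cwd_tally() {
  grep cwd "$1" | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
}

# The same tally with known system senders removed as well, so only
# user-controlled directories remain. /etc/csf is the example given in
# the reply; the list is hypothetical and should be extended per server.
cwd_tally_users() {
  cwd_tally "$1" | grep -v -e ' /etc/csf$'
}

# Directory with the most submissions: the last line of the tally.
top_cwd() {
  cwd_tally_users "$1" | tail -n 1 | awk '{print $2}'
}

echo "Submissions per directory:"
cwd_tally "$SAMPLE_LOG"
echo "Most active user directory: $(top_cwd "$SAMPLE_LOG")"
```

The cwd= entries only appear when Exim's log selector includes `+arguments`, which cPanel's Exim configuration enables; on a server without it the pipeline prints nothing and the log selector has to be turned on first. Once a directory such as a writable uploads folder tops the list, that is where to look for the script doing the sending.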