The Community Forums


Sending SPAM e-mails

Discussion in 'E-mail Discussions' started by wbxservicos, Sep 18, 2014.

  1. wbxservicos

    wbxservicos Registered

    Hi,

    I have a server running Linux/cPanel, which hosts about 55 clients (sites, e-mails, etc.). Because of vulnerabilities of these clients, some people are sending spam without using any e-mail account from the mail server. By the way, our mail server is Exim. I would like to know how I could block this type of e-mail sending on the server.
     
  2. triantech

    triantech Well-Known Member

    Hey,

    It would probably have to do with invalid scripts in one of your domains, which are causing this.
    You might want to check which domain the script is coming from.

    A one-liner which would help you:

    (Try this command via SSH and see if you can locate the scripts.)

    Code:
    awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

    Thank you
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  4. wbxservicos

    wbxservicos Registered

    That was the answer:

    Code:
    [13:13:09 root@default ~]# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
          1 cwd=/home/postonb
          1 cwd=/home/servidores/public_html/wp-admin
          1 cwd=/home/shopping/public_html
          1 cwd=/home/wbxservicos/public_html
          1 cwd=/home/zzagcom/public_html
          2 cwd=/home/andreiab/public_html
          2 cwd=/home/andreiab/public_html/wp-admin
          4 cwd=/home/auditiva/public_html
          4 cwd=/home/revended
          4 cwd=/home/tagboxco
          4 cwd=/home/zzagcom
          5 cwd=/home/servidores/public_html
          6 cwd=/home/i9buscom/public_html
          6 cwd=/home/marmocom/public_html
          7 cwd=/home/balisunc/public_html/wp-admin
         13 cwd=/home/panorami
         20 cwd=/home/bwwlogcom/public_html
         33 cwd=/home/agencia110/public_html/projeto/preambulo
         44 cwd=/home/agencia110/public_html/projeto/idealsoft/ws
         70 cwd=/home/balisunc/public_html
        317 cwd=/home/webeerap
        364 cwd=/home/jujordao/public_html/wp-content/plugins/types/embedded/onthego-resources/onthegosystems-icons/css
    I would like to know what this result means?
     
    #4 wbxservicos, Sep 18, 2014
    Last edited by a moderator: Sep 18, 2014
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The number on the left is the number of entries for that directory in /var/log/exim_mainlog, indicating the script in that directory is sending email. Check the directories with high sending numbers to ensure legitimate mail is coming from them.

    Thank you.
     
  6. triantech

    triantech Well-Known Member

    Hey,

    You might check that the scripts in '/home/jujordao/public_html/wp-content/plugins/types/embedded/onthego-resources/onthegosystems-icons/css' are safe ones. Vulnerable WP plugins have been causing these sorta issues for a loooong time!
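
Added example, not part of any post in this thread: the one-liner above assumes the cwd= token is always the third field. This sketch finds it in any field (for example when a [pid] field is also logged) and totals mail-sending directories per account as well. The log lines, account names and function names are constructed for illustration, and the line layout is an assumption.

```shell
#!/bin/sh
# Constructed sample lines (not from the thread's server). Assumed layout:
# "DATE TIME [optional pid] cwd=/path N args: ...".
sample_log() {
cat <<'EOF'
2014-09-18 13:00:01 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2014-09-18 13:00:02 [4321] cwd=/home/bob/public_html/wp-content/plugins/x/css 3 args: /usr/sbin/sendmail -t -i
2014-09-18 13:00:03 cwd=/home/bob/public_html/wp-content/plugins/x/css 3 args: /usr/sbin/sendmail -t -i
2014-09-18 13:00:04 cwd=/home/bob/public_html/wp-content/plugins/x/css 3 args: /usr/sbin/sendmail -t -i
2014-09-18 13:00:05 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2014-09-18 13:00:06 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2014-09-18 13:00:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XUabc-0001-AA
2014-09-18 13:00:08 1XUabc-0001-AA <= bob@example.com U=bob P=local S=1234
EOF
}

# cwd_report LOGFILE [MIN]: print "COUNT ACCOUNT DIRECTORY" for every /home
# directory seen at least MIN times, busiest first.
cwd_report() {
    awk -v min="${2:-1}" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^cwd=\/home\//) {     # skips /var/spool/exim etc.
                    dir = substr($i, 5)         # drop the "cwd=" prefix
                    split(dir, parts, "/")      # parts[3] is the account name
                    count[dir]++
                    owner[dir] = parts[3]
                    break
                }
            }
        }
        END {
            for (d in count)
                if (count[d] >= min) print count[d], owner[d], d
        }
    ' "$1" | sort -k1,1nr -k3,3
}

# cwd_by_account LOGFILE: sum the per-directory counts for each account.
cwd_by_account() {
    cwd_report "$1" | awk '{ t[$2] += $1 } END { for (a in t) print t[a], a }' |
        sort -k1,1nr -k2,2
}

# Demo: directories seen at least twice, then totals per account.
demo_log=$(mktemp)
sample_log > "$demo_log"
cwd_report "$demo_log" 2
cwd_by_account "$demo_log"
rm -f "$demo_log"
```

On a real server, pass /var/log/exim_mainlog as LOGFILE; a high count only marks a directory to review, as the replies above say.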
     