luca.sartori (Member, joined Jul 18, 2014, Udine, Italy; cPanel Access Level: Root Administrator)
I have tons of mails sent from users: "-remote-"
I think my server could be compromised, but I'm unsure what to do or what is causing the issue.
It seems to me that mails are sent from a local user authenticating to my local exim.
My server is not relaying, could it be a php script? :confused:
Can anybody help me?
 

luca.sartori (Member, joined Jul 18, 2014, Udine, Italy; cPanel Access Level: Root Administrator)
Additional detail:
Here is the header of a spam email:

Code:
Date: Fri, 18 Jul 2014 23:13:37 +0800
From: "Daily Health eAlert" <[email protected]>
To: ukmaajmbgf@MYDOMAIN
Subject: What happened to me within a season is a miracle!
Content-Type: multipart/alternative;
 boundary="----=_Part_68016_1213225342.3282929346909"
Delivery-date: Fri, 18 Jul 2014 17:13:40 +0200
Envelope-to: ukmaajmbgf@MYDOMAIN
Errors-To: [email protected]
List-Unsubscribe: <https://domain.com.sg/app/optOut/noConfirm/195947953/164239934093b4c8>
Message-ID: <2146976893.3546171873374412090.JavaMail.root@103-11-51-210.domain.com.sg>
MIME-Version: 1.0
Received: from [10.0.0.147] ([10.0.0.147:7153] helo=103-11-51-210.domain.com.sg)
 by 715FAF88 (envelope-from <[email protected]>)
 (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
 id D5/DC-5BBC6-DCE97352; Fri, 18 Jul 2014 23:13:42 +0800
Received: from [103.11.51.210] (port=39215 helo=103-11-51-210.domain.com.sg)
 by MYSERVER with esmtp (Exim 4.82)
 (envelope-from <[email protected]>)
 id 1X89qu-0007G4-7r
 for ukmaajmbgf@MYDOMAIN; Fri, 18 Jul 2014 17:13:40 +0200
Return-path: <ukmaaj[email protected]>
Sender: [email protected]
 

kdean (Well-Known Member, joined Oct 19, 2012, Orlando, FL; cPanel Access Level: Root Administrator)
-remote- generally indicates mails being sent to users on your server... all your incoming emails. This is normal unless you're seeing something else suspicious.
 

luca.sartori (Member, joined Jul 18, 2014, Udine, Italy; cPanel Access Level: Root Administrator)
Here is an example of a header I have from one of the spammy mails:
MYDOMAIN is one of my domains on MYSERVER, but the user e2c418134 obviously does not exist.
[email protected] is a very suspicious sender, and domain.net is NOT one of my domains!

And I think this Message-ID is suspect:
<2037766881.693507[email protected]>

I've disabled relaying. My settings:
Discard FormMail-clone message with bcc: ON
Mail authentication via domain owner password: OFF
Track email origin via X-Source email headers: ON
Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak): ON
Prevent “nobody” from sending mail: ON
Add X-PopBeforeSMTP header for mail sent via POP-before-SMTP: OFF

Code:
Date: Thu, 17 Jul 2014 19:28:59 +0300
From: "About Today" <[email protected]>
To: e2c418134@MYDOMAIN
Subject: This product will become a sensation within month
Content-Type: multipart/alternative;
 boundary="----=_Part_85034_6015826504.4066855935910"
Delivery-date: Thu, 17 Jul 2014 18:29:00 +0200
Envelope-to: e2c418134@MYDOMAIN
Errors-To: [email protected]
List-Unsubscribe: <https://domain.net/app/optOut/noConfirm/33997946/1c07569b776ad7ecc47d>
Message-ID: <2037766881.69350758227170785605.JavaMail.root@maia-80fe7c2fd8.ddns.domain.net>
MIME-Version: 1.0
Received: from [10.0.0.78] ([10.0.0.78:1815] helo=maia-80fe7c2fd8.ddns.domain.net)
 by 2E193A31C (envelope-from <[email protected]>)
 (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
 id 39/7B-8D483-C58BCD29; Thu, 17 Jul 2014 19:29:08 +0300
Received: from 130-204-140-40.2073348467.ddns.domain.net ([130.204.140.40]:2058 helo=maia-80fe7c2fd8.ddns.domain.net)
 by MYSERVER with esmtp (Exim 4.82)
 (envelope-from <[email protected]>)
 id 1X7oYG-0003OB-6k
 for [email protected]; Thu, 17 Jul 2014 18:29:00 +0200
Return-path: <[email protected]>
Sender: [email protected]
 

kdean (Well-Known Member, joined Oct 19, 2012, Orlando, FL; cPanel Access Level: Root Administrator)
Looks like an incoming spam email to me. Spammers often send to addresses that don't exist. If there was a problem the To: field would not be going to your MYDOMAIN.


Also, if you're actually receiving the email even though it's sent to an email that doesn't exist you may want to log into your cPanel account and go to "Set Default Address" and set "Send all unrouted email" to "Discard with error to sender (at SMTP time)".
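As an added illustration of kdean's reading of the headers (example code written for this thread, not from cPanel or any of the posters): the script below parses the Received: chain of a constructed copy of the second header quoted above, finds the hop at which MYSERVER accepted the message, and reports whether it arrived from the internet, from a host on the private network, or through SMTP AUTH, and whether the recipient mailbox exists. MYSERVER, MYDOMAIN, the sender address and the local mailbox set are assumed placeholders.

```python
import email
import ipaddress
import re

# Placeholders from the thread; the mailbox set is constructed for this example.
LOCAL_HOST, LOCAL_DOMAINS, LOCAL_MAILBOXES = "MYSERVER", {"MYDOMAIN"}, {"info@MYDOMAIN"}

# Constructed sample modelled on the second header quoted in the thread
# (sender address is a placeholder; the original was obfuscated on the page).
SAMPLE = (
    "Received: from 130-204-140-40.2073348467.ddns.domain.net "
    "([130.204.140.40]:2058 helo=maia-80fe7c2fd8.ddns.domain.net)\n"
    "\tby MYSERVER with esmtp (Exim 4.82)\n"
    "\t(envelope-from <sender@domain.net>)\n"
    "\tfor e2c418134@MYDOMAIN; Thu, 17 Jul 2014 18:29:00 +0200\n"
    "To: e2c418134@MYDOMAIN\n\nbody\n"
)

HOP = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+) with (\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(value):
    """Unfold one Received: header and extract the fields we triage on."""
    value = re.sub(r"\s+", " ", value).strip()
    m = HOP.search(value)
    if not m:
        return None
    ip = IPV4.search(value[: m.start(3)])    # first [a.b.c.d] before "by": the peer
    rcpt = re.search(r" for (\S+?);", value)  # Exim's "for <rcpt>;" (single recipient)
    return {"by": m[3], "with": m[4].lower(), "ip": ip and ip[1], "rcpt": rcpt and rcpt[1]}

def triage(raw):
    """Classify the hop at which our own MTA (LOCAL_HOST) accepted the message."""
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    hop = next((h for h in hops if h["by"] == LOCAL_HOST), None)
    if hop is None or not hop["ip"]:
        return {"origin": "unknown"}
    addr = ipaddress.ip_address(hop["ip"])
    if hop["with"] in {"esmtpa", "esmtpsa"}:     # Exim records SMTP AUTH with an "a"
        origin = "local-authenticated"           # a mailbox password is in play
    elif addr.is_private or addr.is_loopback:   # handed in by a host/script on our side
        origin = "local-host"
    else:
        origin = "incoming"                      # plain ESMTP from the internet
    rcpt = hop["rcpt"] or ""
    return {"origin": origin, "peer_ip": hop["ip"], "rcpt": rcpt,
            "rcpt_domain_local": rcpt.rsplit("@", 1)[-1] in LOCAL_DOMAINS,
            "rcpt_exists": rcpt in LOCAL_MAILBOXES}
```

For the sample this reports an incoming message from 130.204.140.40 to a local domain whose mailbox does not exist, which is exactly the pattern that is rejected at SMTP time once the default address is set to discard with error.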
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Hello :)

Ensure the "Default Address" in cPanel for this account is set to "Discard with error to sender (at SMTP time)" as mentioned in a previous post. This will ensure email sent to non-existent email accounts is automatically discarded.

Thank you.
 

luca.sartori (Member, joined Jul 18, 2014, Udine, Italy; cPanel Access Level: Root Administrator)
Thanks, I'll follow your advice.
I'm only worried about one thing:
If my server discards with error to sender, might it become a backscatterer? I had this problem in the past and I'm not sure how to avoid it.
Thank you again!
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
> Thanks, I'll follow your advice.
> I'm only worried about one thing:
> If my server discards with error to sender, might it become a backscatterer? I had this problem in the past and I'm not sure how to avoid it.
> Thank you again!
You can search for the term "backscatter" on our forums and there are a few threads where users discuss potential solutions.

Thank you.
 