The Community Forums


Serious Spam problem

Discussion in 'E-mail Discussions' started by luca.sartori, Jul 18, 2014.

  1. luca.sartori

    luca.sartori Member

    Location:
    Udine, Italy, Italy
    cPanel Access Level:
    Root Administrator
    I have tons of mails sent from users: "-remote-"
    I think my server could be compromised, but I'm unsure what to do or what is causing the issue.
    It seems to me that mails are sent from a local user authenticating to my local exim.
    My server is not relaying, could it be a php script?
    Can anybody help me?
     
  2. luca.sartori

    luca.sartori Member

    Location:
    Udine, Italy, Italy
    cPanel Access Level:
    Root Administrator
    Additional detail:
    Here is the header of a spam email:

    Code:
    Date: Fri, 18 Jul 2014 23:13:37 +0800
    From: "Daily Health eAlert" <ukmaajmbgffbe0@domain.com.sg>
    To: ukmaajmbgf@MYDOMAIN
    Subject: What happened to me within a season is a miracle!
    Content-Type: multipart/alternative;
     boundary="----=_Part_68016_1213225342.3282929346909"
    Delivery-date: Fri, 18 Jul 2014 17:13:40 +0200
    Envelope-to: ukmaajmbgf@MYDOMAIN
    Errors-To: ukmaajmbgffbe0@domain.com.sg
    List-Unsubscribe: <https://domain.com.sg/app/optOut/noConfirm/195947953/164239934093b4c8>
    Message-ID: <2146976893.3546171873374412090.JavaMail.root@103-11-51-210.domain.com.sg>
    MIME-Version: 1.0
    Received: from [10.0.0.147] ([10.0.0.147:7153] helo=103-11-51-210.domain.com.sg)
     by 715FAF88 (envelope-from <ukmaajmbgffbe0@domain.com.sg>)
     (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
     id D5/DC-5BBC6-DCE97352; Fri, 18 Jul 2014 23:13:42 +0800
    Received: from [103.11.51.210] (port=39215 helo=103-11-51-210.domain.com.sg)
     by MYSERVER with esmtp (Exim 4.82)
     (envelope-from <ukmaajmbgffbe0@domain.com.sg>)
     id 1X89qu-0007G4-7r
     for ukmaajmbgf@MYDOMAIN; Fri, 18 Jul 2014 17:13:40 +0200
    Return-path: <ukmaajmbgffbe0@domain.com.sg>
    Sender: ukmaajmbgffbe0@domain.com.sg
     
    #2 luca.sartori, Jul 18, 2014
    Last edited by a moderator: Jul 18, 2014
  3. kdean

    kdean Well-Known Member

    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    -remote- generally indicates mails being sent to users on your server... all your incoming emails. This is normal unless you're seeing something else suspicious.
     
  4. luca.sartori

    luca.sartori Member

    Location:
    Udine, Italy, Italy
    cPanel Access Level:
    Root Administrator
    Here is an example of a header I have from one of the spammy mails:
    MYDOMAIN is one of my domains on MYSERVER, but the user e2c418134 obviously does not exist.
    e2c418134c8@domain.net is a very suspicious sender, and domain.net is NOT one of my domains!

    And I think this Message-ID is suspect:
    <2037766881.69350758227170785605.JavaMail.root@maia-80fe7c2fd8.ddns.domain.net>

    I've disabled relaying. My current settings:
    Discard FormMail-clone message with bcc: ON
    Mail authentication via domain owner password: OFF
    Track email origin via X-Source email headers: ON
    Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak): ON
    Prevent "nobody" from sending mail: ON
    Add X-PopBeforeSMTP header for mail sent via POP-before-SMTP: OFF

    Code:
    Date: Thu, 17 Jul 2014 19:28:59 +0300
    From: "About Today" <e2c418134c8@domain.net>
    To: e2c418134@MYDOMAIN
    Subject: This product will become a sensation within month
    Content-Type: multipart/alternative;
     boundary="----=_Part_85034_6015826504.4066855935910"
    Delivery-date: Thu, 17 Jul 2014 18:29:00 +0200
    Envelope-to: e2c418134@MYDOMAIN
    Errors-To: e2c418134c8@cablebg.net
    List-Unsubscribe: <https://domain.net/app/optOut/noConfirm/33997946/1c07569b776ad7ecc47d>
    Message-ID: <2037766881.69350758227170785605.JavaMail.root@maia-80fe7c2fd8.ddns.domain.net>
    MIME-Version: 1.0
    Received: from [10.0.0.78] ([10.0.0.78:1815] helo=maia-80fe7c2fd8.ddns.domain.net)
     by 2E193A31C (envelope-from <e2c418134c8@domain.net>)
     (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
     id 39/7B-8D483-C58BCD29; Thu, 17 Jul 2014 19:29:08 +0300
    Received: from 130-204-140-40.2073348467.ddns.domain.net ([130.204.140.40]:2058 helo=maia-80fe7c2fd8.ddns.domain.net)
     by MYSERVER with esmtp (Exim 4.82)
     (envelope-from <e2c418134c8@domain.net>)
     id 1X7oYG-0003OB-6k
     for e2c418134@domain.it; Thu, 17 Jul 2014 18:29:00 +0200
    Return-path: <e2c418134c8@domain.net>
    Sender: e2c418134c8@domain.net
     
    #4 luca.sartori, Jul 18, 2014
    Last edited by a moderator: Jul 18, 2014
  5. kdean

    kdean Well-Known Member

    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    Looks like an incoming spam email to me. Spammers often send to addresses that don't exist. If there were a problem, the To: field would not be going to your MYDOMAIN.

    - - - Updated - - -

    Also, if you're actually receiving the email even though it's sent to an email that doesn't exist you may want to log into your cPanel account and go to "Set Default Address" and set "Send all unrouted email" to "Discard with error to sender (at SMTP time)".
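    The quickest way to settle the "incoming or outgoing?" question kdean raises is to look only at the Received: hop that your own Exim added and see which direction it records. The triage script below is an added example, not code from this thread or from cPanel. It assumes the server name MYSERVER and the local domain MYDOMAIN as written in the posts; the first sample is built from the Received: lines quoted above, and the two counter-examples (an authenticated submission, a locally submitted message) are constructed. The protocol words it keys on are Exim's own: "esmtpa"/"esmtpsa" for a session that authenticated, "local" for a message handed in on the command line (the path a script calling mail() takes).

```python
import ipaddress
import re

# Constructed sample: the inbound path from the second header dump in this thread,
# with the poster's MYSERVER / MYDOMAIN placeholders left in place.
SAMPLE_INBOUND = """\
Received: from [10.0.0.147] ([10.0.0.147:7153] helo=103-11-51-210.domain.com.sg)
 by 715FAF88 (envelope-from <ukmaajmbgffbe0@domain.com.sg>)
 (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
 id D5/DC-5BBC6-DCE97352; Fri, 18 Jul 2014 23:13:42 +0800
Received: from [103.11.51.210] (port=39215 helo=103-11-51-210.domain.com.sg)
 by MYSERVER with esmtp (Exim 4.82)
 (envelope-from <ukmaajmbgffbe0@domain.com.sg>)
 id 1X89qu-0007G4-7r
 for ukmaajmbgf@MYDOMAIN; Fri, 18 Jul 2014 17:13:40 +0200
Return-path: <ukmaajmbgffbe0@domain.com.sg>
"""

# Constructed counter-example (not from the thread): a local account authenticated
# to Exim and sent outwards. Exim marks such a hop "with esmtpa" (or "esmtpsa" over TLS).
SAMPLE_AUTH_SUBMISSION = """\
Received: from [127.0.0.1] (port=4321 helo=localhost)
 by MYSERVER with esmtpa (Exim 4.82)
 (envelope-from <someone@MYDOMAIN>)
 id 1X00000-000000-00
 for recipient@example.net; Fri, 18 Jul 2014 10:00:00 +0200
"""

# Constructed counter-example (not from the thread): a message handed to Exim on the
# command line, which is how a PHP mail() call arrives. Exim marks it "with local".
SAMPLE_LOCAL_SCRIPT = """\
Received: from nobody by MYSERVER with local (Exim 4.82)
 (envelope-from <nobody@MYSERVER>)
 id 1X00001-000001-00
 for recipient@example.net; Fri, 18 Jul 2014 10:05:00 +0200
"""

INBOUND = "inbound from the Internet to a local mailbox (normal incoming spam)"
AUTH_SUBMISSION = "authenticated submission through our server: check which account logged in"
LOCAL_SUBMISSION = "submitted locally on this host (sendmail/pipe path, e.g. a script): check local scripts"
INTERNAL_SOURCE = "unauthenticated SMTP from a private or loopback address: check local services"
RELAY = "relayed through our server to an external recipient"
NOT_OURS = "no Received: hop recorded by our server"

RECEIVED_RE = re.compile(r"^Received:\s*from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)(?P<rest>.*)$", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FOR_RE = re.compile(r"\bfor\s+<?([^\s>;]+)>?", re.I)
WITH_RE = re.compile(r"\bwith\s+(\S+)", re.I)


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return one dict per Received: header: source IP, receiving host, protocol and recipient."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        ips = IP_RE.findall(m.group("from"))
        rest = m.group("rest")
        f = FOR_RE.search(rest)
        w = WITH_RE.search(rest)
        hops.append({
            "from_ip": ips[0] if ips else None,
            "by": m.group("by"),
            "for": f.group(1) if f else None,
            "with": w.group(1).lower() if w else None,
        })
    return hops


def classify(raw, our_host, our_domains):
    """Classify a message by the hop our own MTA stamped on it (our_host is an assumption)."""
    ours = [h for h in parse_received(raw) if h["by"].lower() == our_host.lower()]
    if not ours:
        return NOT_OURS
    hop = ours[0]
    proto = hop["with"] or ""
    if proto == "local":
        return LOCAL_SUBMISSION
    if proto in ("esmtpa", "esmtpsa"):
        return AUTH_SUBMISSION
    rcpt_domain = (hop["for"] or "").rpartition("@")[2].lower()
    src = ipaddress.ip_address(hop["from_ip"]) if hop["from_ip"] else None
    src_is_local = src is not None and (src.is_private or src.is_loopback)
    if rcpt_domain in {d.lower() for d in our_domains} and not src_is_local:
        return INBOUND
    if src_is_local:
        return INTERNAL_SOURCE
    return RELAY


if __name__ == "__main__":
    for sample in (SAMPLE_INBOUND, SAMPLE_AUTH_SUBMISSION, SAMPLE_LOCAL_SCRIPT):
        print(classify(sample, "MYSERVER", ["MYDOMAIN"]))
```

    Run against the thread's own header the script lands on the inbound case, which is kdean's reading: the hop your Exim added came from a public address (103.11.51.210) and was addressed to a mailbox on MYDOMAIN. A compromised account or script would instead show up as the "esmtpa" or "local" hop, and those are the ones worth pulling out of /var/log/exim_mainlog in bulk.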
     
  6. triantech

    triantech Well-Known Member

    Location:
    Kochi, India, India
    cPanel Access Level:
    Root Administrator
    Yea, it seems like incoming spam mails. Make sure SpamAssassin is enabled and configured.
    Also, you can configure the RBLs checker from WHM.

    (Home >> Service Configuration >> Exim Configuration Editor >> RBLs)
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    Ensure the "Default Address" in cPanel for this account is set to "Discard with error to sender (at SMTP time)" as mentioned in a previous post. This will ensure email sent to non-existent email accounts is automatically discarded.

    Thank you.
     
  8. luca.sartori

    luca.sartori Member

    Location:
    Udine, Italy, Italy
    cPanel Access Level:
    Root Administrator
    Thanks, I'll follow your advice.
    I'm only worried about one thing:
    If my server discards with error to sender, might it become a backscatterer? I had this problem in the past and I'm not sure how to avoid it.
    Thank you again!
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    You can search for the term "backscatter" on our forums and there are a few threads where users discuss potential solutions.

    Thank you.
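    The backscatter worry in post 8 comes down to when the server says no. The "Discard with error to sender (at SMTP time)" option recommended in posts 5 and 7 refuses the unknown recipient in the 550 reply to RCPT TO, while the sending MTA is still on the line, so your server never takes responsibility for the message and never has to send a bounce to the (forged) Return-path. Backscatter only arises when a server accepts first and fails later. The simulation below is an added example, not code from this thread or from cPanel; the mailbox list, the sample recipients and the "accept then bounce" policy name are constructed for contrast.

```python
# Constructed list of the mailboxes that really exist on this server (domain -> local parts).
LOCAL_MAILBOXES = {"mydomain": {"info", "luca"}}

# The thread's "Discard with error to sender (at SMTP time)" option: refuse the
# recipient in the RCPT TO reply while the remote MTA is still connected.
REJECT_AT_SMTP_TIME = "reject_at_smtp_time"
# Generic accept-everything-then-fail behaviour, included only for contrast
# (constructed policy name, not a cPanel setting).
ACCEPT_THEN_BOUNCE = "accept_then_bounce"


def rcpt_to_reply(recipient, policy):
    """The SMTP reply our MTA returns to one RCPT TO:<recipient> command."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain not in LOCAL_MAILBOXES:
        return "550 5.7.1 Relaying denied"        # not one of our domains: we are not an open relay
    if local in LOCAL_MAILBOXES[domain]:
        return "250 Accepted"
    if policy == REJECT_AT_SMTP_TIME:
        return "550 5.1.1 No such user here"      # the connecting MTA owns the failure, not us
    return "250 Accepted"                         # taken on blindly; will fail at delivery time


def simulate_session(envelope_from, recipients, policy):
    """Run the RCPT phase, then local delivery, and report every DSN our server would emit."""
    transcript, queued = [], []
    for rcpt in recipients:
        reply = rcpt_to_reply(rcpt, policy)
        transcript.append(f"RCPT TO:<{rcpt}> -> {reply}")
        if reply.startswith("250"):
            queued.append(rcpt)
    bounces = []
    for rcpt in queued:
        local, _, domain = rcpt.lower().rpartition("@")
        if local not in LOCAL_MAILBOXES[domain]:
            # We accepted responsibility and then could not deliver, so RFC 5321 obliges
            # us to notify the envelope sender. With a forged sender that DSN is backscatter.
            bounces.append(f"DSN to <{envelope_from}> for <{rcpt}>")
    return {"transcript": transcript, "bounces": bounces}


# Constructed recipient list in the shape of the thread's spam: one real user, one
# made-up local part on our domain, and one address we do not host at all.
SPAM_RCPTS = ["luca@MYDOMAIN", "e2c418134@MYDOMAIN", "someone@example.org"]

if __name__ == "__main__":
    for policy in (REJECT_AT_SMTP_TIME, ACCEPT_THEN_BOUNCE):
        result = simulate_session("e2c418134c8@domain.net", SPAM_RCPTS, policy)
        print(policy)
        for line in result["transcript"] + result["bounces"]:
            print("  " + line)
```

    With the SMTP-time policy the session produces two 550 replies and no DSN at all; with accept-then-bounce the made-up local part is accepted and a DSN is generated to the forged sender, which is exactly the backscatter a receiving site would blacklist you for.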
     