The Community Forums


Server Sending Spam

Discussion in 'E-mail Discussions' started by coffear, May 4, 2014.

  1. coffear

    coffear Registered

    Joined:
    May 2, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hey Guys

    I posted a thread in the security section however now when I go into the thread the post shows empty for me. I posted the thread and also responded to the thread with more info.

    Can anyone advise if this shows blank for them also

    Original Post

    Hi All

    I have been having serious issues with my server being used to send out spam. I appear to be getting targeted quite badly.

    I receive quite a few emails showing that someone is trying to brute force passwords however I have set the server to ban these after 7 attempts.

    I have also severely restricted how many emails an account can send an hour, and I have ensured that SMTP authentication is required. I have also set up outgoing scanning and have a very tight restriction on how many rejection emails are acceptable; however, none of this helped at all.

    Today it appears that around 40,000 emails have been sent and as can be shown below these are directly through exim.

    My queue is so big I cannot open the page in WHM to view them. From previous times that have allowed me to see, I know that each time an account is compromised we change the password, but another email on another account entirely is later compromised and used instead. A person I personally use was one of those to be compromised and was used to send spam; I know the password on this was stupidly secure. I am at a complete loss on how to rectify this issue.


    Code:
    67528 cwd=/var/spool/exim
    2325 cwd=/
    2140 cwd=/etc/csf
    45 cwd=/home/flexiweb
    30 cwd=/home/flexiweb/public_html/tools
    24 cwd=/usr/local/cpanel/whostmgr/docroot
    20 cwd=/home/petermcd/public_html/blog
    18 cwd=/root
    1 cwd=/home/munin
    1 cwd=/home/karkii/public_html/sve

    Can anyone direct me to what I can do to see if it helps.

    I have now given up even unblocking my IP from blacklist sites, as every time I think it has cleared up and stopped, I end up being compromised again.

    - - - Updated - - -

    Ok I am now not convinced that the emails I thought were compromised were actually compromised.

    I have now managed to get into my email queue and here is an example of an email being sent:

    Code:
    Date: Sat, 3 May 2014 17:06:26 -0700
    From: zyzu@domain.com
    To: someuser@yahoo.fr
    Subject: muscular for boy
    Content-Type: text/plain; charset="utf-8"
    Mime-Version: 1.0
    Received: from [178.150.xx.xx] (port=58177 helo=vqfpnxafjnv)
     by vps.domain.com with esmtpa (Exim 4.82)
     (envelope-from <zyzu@domain.com>)
     id 1WgaYo-0000uD-PI
     for someuser@yahoo.fr; Sat, 03 May 2014 15:05:03 +0100

    The from email address does not exist; however, the domain is on the server (it is the first time I have seen this domain used; a different email address for this domain does exist). Looking through the queue, they have been alternating using loads of variations.

    Does the way cPanel is configured allow people to send as a different email?
     
    #1 coffear, May 4, 2014
    Last edited by a moderator: May 4, 2014
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,448
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    As a new user, your post was in moderation. I've merged your posts here.
     
  3. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    The 'from' user in an email is set by the client sending it - it can technically be anything. It's just how email works (read: Email Spoofing), and is not specific to cPanel, nor is it directly preventable.

    What you need to look at is this:

    Code:
     (envelope-from <zyzu@domain.com>)
    
    This is the true sender of the email. Either you have spammers, or the email passwords to the accounts doing this are compromised. You can probably confirm by checking the message ID in /var/log/exim_mainlog and for the sender in /var/log/maillog.

    You may want to consider enabling the outgoing spam scanning in WHM -> Exim Configuration Manager.
     
  4. coffear

    coffear Registered

    Joined:
    May 2, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Ahh, cheers Vanessa, I missed the outgoing scanning options; I had enabled similar options elsewhere.

    With regards to the sender: they are definitely being sent from the server and appear to be using SMTP authentication. I will double check those logs to narrow it down.

    I found a function someone posted that ensures the sender is sending from the email address they are logged in with which should also help. Just very concerning how they are compromising the machine so easily.
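    One way to do the log check vanessa describes above, and the sender-versus-login comparison coffear mentions, in code. This is an added example, not part of the thread and not cPanel's own tooling: it parses the `<=` (message accepted) lines of /var/log/exim_mainlog, flags authenticated submissions whose envelope sender is not the login that authenticated, and counts messages and distinct senders per login so a hijacked mailbox stands out. The log lines below are constructed for the example; the logins, hostnames and IPs are made up, the message id and From address are the ones quoted in the thread, and the authenticator name `dovecot_login` in the `A=` field is assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample extract in Exim mainlog format. Logins, hostnames and IPs
# are made up; the first message id and From address are the ones quoted in
# the thread. Lines with "=>" are deliveries and are skipped by the parser.
SAMPLE_MAINLOG = """\
2014-05-03 17:06:26 1WgaYo-0000uD-PI <= zyzu@domain.com H=(vqfpnxafjnv) [178.150.xx.xx]:58177 P=esmtpa A=dovecot_login:alice@domain.com S=1190 for someuser@yahoo.fr
2014-05-03 17:06:27 1WgaYo-0000uD-PI => someuser@yahoo.fr R=lookuphost T=remote_smtp H=mx1.yahoo.fr [203.0.113.50]
2014-05-03 17:06:31 1WgaYt-0000uK-Q2 <= qwpo@domain.com H=(kfjdhgjkd) [178.150.xx.xx]:58190 P=esmtpa A=dovecot_login:alice@domain.com S=1201 for other@yahoo.fr
2014-05-03 17:06:40 1WgaZ2-0000uP-Hc <= mlkj@domain.com H=(rtyuio) [178.150.xx.xx]:58203 P=esmtpa A=dovecot_login:alice@domain.com S=1188 for third@yahoo.fr
2014-05-03 17:07:02 1WgaZO-0000v1-Lx <= bob@example.org H=(mail.example.org) [203.0.113.9]:49153 P=esmtpa A=dovecot_login:bob@example.org S=842 for friend@example.net
2014-05-03 17:07:10 1WgaZW-0000vA-3h <= newsletter@example.org H=(mail.example.org) [203.0.113.9]:49160 P=esmtpa A=dovecot_login:bob@example.org S=2048 for list@example.net
2014-05-03 17:08:00 1WgaaI-0000vQ-9k <= sender@remote.example H=mx.remote.example [198.51.100.7]:40021 P=esmtp S=3000 for alice@domain.com
"""

# One "<=" line: timestamp, message id, envelope sender, remote address,
# protocol, and the optional "A=driver:login" field written for authenticated
# (SMTP AUTH) submissions. Unauthenticated inbound mail has no A= field.
RECEIVED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r".*?\[(?P<ip>[^\]]+)\]"
    r".*? P=(?P<proto>\S+)"
    r"(?: A=(?P<authdriver>[^:\s]+):(?P<login>\S+))?"
)


def parse_mainlog(text):
    """Parse the '<=' (message accepted) lines of an exim_mainlog extract."""
    records = []
    for line in text.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue  # deliveries, completions and other lines are not needed here
        rec = m.groupdict()
        rec["sender"] = rec["sender"].strip("<>").lower()
        if rec["login"]:
            rec["login"] = rec["login"].lower()
        records.append(rec)
    return records


def sender_mismatches(records):
    """Authenticated submissions whose envelope sender is not the login that
    authenticated. Each hit also records whether at least the domain matches,
    because a spam run typically rotates made-up local parts on a real domain."""
    hits = []
    for rec in records:
        login = rec.get("login")
        if not login or login == rec["sender"]:
            continue
        login_domain = login.rpartition("@")[2]
        sender_domain = rec["sender"].rpartition("@")[2]
        hits.append({
            "msgid": rec["msgid"],
            "login": login,
            "sender": rec["sender"],
            "ip": rec["ip"],
            "same_domain": login_domain == sender_domain,
        })
    return hits


def messages_per_login(records):
    """Accepted messages per authenticated login; a mailbox that suddenly tops
    this list is the usual sign of a stolen password."""
    return Counter(r["login"] for r in records if r["login"])


def distinct_senders_per_login(records):
    """Number of different envelope senders each login used; a real user
    sends as one or two addresses, a spam run as many."""
    seen = defaultdict(set)
    for r in records:
        if r["login"]:
            seen[r["login"]].add(r["sender"])
    return {login: len(s) for login, s in seen.items()}


if __name__ == "__main__":
    recs = parse_mainlog(SAMPLE_MAINLOG)
    for hit in sender_mismatches(recs):
        print(f"{hit['msgid']}: login {hit['login']} sent as {hit['sender']} "
              f"from {hit['ip']} (same domain: {hit['same_domain']})")
    print("messages per login:", messages_per_login(recs).most_common())
    print("distinct senders per login:", distinct_senders_per_login(recs))
```

    Run it against a real extract with `grep ' <= ' /var/log/exim_mainlog` piped in instead of the sample text. The per-login counters are what to look at first: a mailbox with a few hundred accepted messages and dozens of different senders in an hour is the account whose password needs changing, and the `ip` field on its hits is the address to look for in the authentication logs.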
     
  5. coffear

    coffear Registered

    Joined:
    May 2, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Ok, so much for stopping the emails getting sent that do not match the user. While I was typing the reply, further emails went into the queue for dummy emails that don't exist.
     