SMTP Auth log on success auth attempts?

Discussion in 'E-mail Discussion' started by SupraMario, Aug 12, 2018.

  1. SupraMario

    SupraMario Member

    Joined:
    Mar 28, 2006
    Messages:
    24
    Likes Received:
    3
    Trophy Points:
    153
    Hi everyone,

    Seems one of the hosting accounts on our box may have been compromised, most likely via a WordPress plugin, despite everything being jailed / CloudLinux security on top / etc.

    However, at this stage I'm not sure if it's system-wide or localised to a few accounts (localised makes more sense).

    One issue is, with one of the accounts, exim_mainlog is telling us that emails are coming from overseas source/origin IPs, which means they must have the account's password to authenticate and send.

    Code:
    2018-08-12 04:29:48 1foYdz-004khY-3H H=([95.180.194.202]) [95.180.194.202]:16119 Warning: "SpamAssassin as ACCOUNTNAME detected message as spam (33.3)"
    2018-08-12 04:29:48 1foYdz-004khY-3H H=([95.180.194.202]) [95.180.194.202]:16119 Warning: Message has been scanned: no virus or other harmful content was found
    2018-08-12 04:29:48 1foYdz-004khY-3H <= email@domain.com H=([95.180.194.202]) [95.180.194.202]:16119 P=esmtp S=3187 id=35A7EABD6278F035A7EABD6278F035A7@COFHCM8COF T="Enjoy?" for email@domain.com
    2018-08-12 04:29:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1foYdz-004khY-3H
    2018-08-12 04:29:48 1foYdz-004khY-3H => abbey <email@domain.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <email@domain.com> ULoyLBwrb1v+SREAlCdKhg Saved"
    2018-08-12 04:29:48 1foYdz-004khY-3H Completed

    My first thought was immediately "let's change the password" and these emails should stop in their tracks.

    Wrong. I changed the password and they did not stop; they're still coming through on the account, apparently.

    Next I thought, OK, well the server only requires access from a few incoming countries, so let's use cPHulk's country whitelist/blacklist to assist and start blocking a series of countries. This seemed to help; the above block I included was from one country I didn't have blacklisted.

    Which brings me to the question.

    Where or how does cPanel log SMTP authentication attempts? I basically want to track whether these users are sending mail via SMTP with SMTP auth, or help identify if it's another method.

    I'm really quite perplexed by this and interested to work out how emails are coming through on this account even with the password changed.
     
  2. SupraMario

    I should also mention, after noticing this, that the one domain in question (in the block above) did not previously have DKIM + SPF enabled.

    That has been enabled now, and then the next day the above record in the mail log showed its face.
     
  3. SupraMario

    Some more information to help. Shouldn't the spam/spoof email fail, as there is no 'sender identification' like in the legitimate email that was sent below?


    Spam/Spoof Email

    2018-08-14 18:56:08 1fpV7U-00Ar73-NO H=([77.247.88.130]) [77.247.88.130]:10223 Warning: "SpamAssassin as dlicious detected message as spam (29.9)"
    2018-08-14 18:56:08 1fpV7U-00Ar73-NO H=([77.247.88.130]) [77.247.88.130]:10223 Warning: Message has been scanned: no virus or other harmful content was found
    2018-08-14 18:56:08 1fpV7U-00Ar73-NO <= abbey@DOMAIN.COM H=([77.247.88.130]) [77.247.88.130]:10223 P=esmtp S=2847 id=F7CC69794D52DC5D66C3D3E7F876F7CC@WVFR45JE24 T="Hello!" for abbey@DOMAIN.COM
    2018-08-14 18:56:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fpV7U-00Ar73-NO
    2018-08-14 18:56:08 1fpV7U-00Ar73-NO => abbey <abbey@DOMAIN.COM> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <abbey@DOMAIN.COM> 4LIxCSiZclsvdycAlCdKhg Saved"
    2018-08-14 18:56:08 1fpV7U-00Ar73-NO Completed

    User Sending from Mail Client (LEGIT EMAIL)

    2018-08-14 20:14:05 1fpWKP-00Azfp-VH <= abbey@DOMAIN.COM H=hostname.com (Abbeys-iMac.local) [xxx.xxx.xxx.xxx]:50005 P=esmtpa A=dovecot_plain:abbey@DOMAIN.COM S=3955106 id=8fd96336-fa1d-048a-4bee-c4c38f35025f@DOMAIN.COM T="Interior Design - Deb" for recipient@recipientdomain.com
    2018-08-14 20:14:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fpWKP-00Azfp-VH
    2018-08-14 20:14:05 1fpWKP-00Azfp-VH Sender identification U=dlicious D=DOMAIN.COM S=abbey@DOMAIN.COM
    2018-08-14 20:14:05 1fpWKP-00Azfp-VH SMTP connection outbound 1534241645 1fpWKP-00Azfp-VH DOMAIN.COM recipient@recipientdomain.com
    2018-08-14 20:14:24 1fpWKP-00Azfp-VH => recipient@recipientdomain.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [74.125.203.27] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1534241664 p9-v6si18391159pff.30 - gsmtp"
     
  4. SupraMario

    Noticed that I didn't have any RBLs enabled on the system, so I've enabled the 2 defaults in cPanel Exim and also added dnsbl.sorbs.net and b.barracuda.org to see if that helps with this issue, as I noticed a lot of the IPs that seem to be spoofing are blacklisted.

    Still doesn't answer the initial query of this ticket though.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @SupraMario,

    The information is logged to /var/log/exim_mainlog, however you may need to enable additional logging options. We have a guide on this at:

    Reading and Understanding the exim main_log

    Let me know if this helps.

    Thank you.
     
  6. SupraMario

    I can't see anywhere in that which mentions the issue I'm having.

    I want to be able to view the smtp authentication process, so I can see where the users are logging in from to verify if an account has been compromised or not.

    We can see incoming attempts via Dovecot, but it seems Exim only logs 'failed SMTP authentication' attempts, with no reference/mention of a successful login.

    Based on the scenario above in this ticket, how am I supposed to identify the origin of the email, and whether SMTP authentication or another method was used to send it?
     
  7. SupraMario

    Actually, I'll take that back: changing the log_selector to "+all" now includes an authentication / login name in the Exim log file.

    P=esmtpa A=dovecot_plain:user@domain.com

    So I'll keep an eye on that and see if that assists with this issue.
     
    cPanelMichael likes this.