
SMTP Relay usage

Discussion in 'E-mail Discussion' started by Lillike, May 31, 2018.

  1. Lillike

    Lillike Active Member

    Joined:
    May 29, 2018
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    I have a problem with my SMTP.
    We have not got a campaign etc... Generally we use 0.5-2% of the limit, but some days ago this changed. Here is the history.

    SMTP Relay History
    DATE USED LIMIT PERCENT
    2018-05-30 5000 5000 100.0%
    2018-05-29 0 5000 0.0%
    2018-05-28 0 5000 0.0%
    2018-05-27 0 5000 0.0%
    2018-05-26 0 5000 0.0%
    2018-05-25 5000 5000 100.0%
    2018-05-24 5000 5000 100.0%
    2018-05-23 5000 5000 100.0%
    2018-05-22 5000 5000 100.0%
    2018-05-21 5000 5000 100.0%
    2018-05-20 0 5000 0.0%
    2018-05-19 2 5000 0.04%
    2018-05-18 2053 5000 41.06%
    2018-05-17 44 5000 0.88%
    2018-05-16 21 5000 0.42%
    2018-05-15 45 5000 0.9%
    2018-05-14 42 5000 0.84%
    2018-05-13 26 5000 0.52%
    2018-05-12 20 5000 0.4%
    2018-05-11 7 5000 0.14%
    2018-05-10 24 5000 0.48%
    2018-05-09 40 5000 0.8%
    2018-05-08 111 5000 2.22%
    2018-05-07 44 5000 0.88%
    2018-05-06 30 5000 0.6%
    2018-05-05 94 5000 1.88%
    2018-05-04 118 5000 2.36%
    2018-05-03 51 5000 1.02%
    2018-05-02 67 5000 1.34%
    2018-05-01 57 5000 1.14%
    2018-04-30 54 5000 1.08%
    2018-04-29 36 5000 0.72%
    2018-04-28 27 5000 0.54%
    2018-04-27 12 5000 0.24%
    2018-04-26 8 5000 0.16%
    2018-04-25 15 5000 0.3%
    2018-04-24 7 5000 0.14%
    2018-04-23 0 5000 0.0%
    2018-04-22 0 5000 0.0%
    2018-04-21 0 5000 0.0%
    2018-04-20 21 5000 0.42%
    2018-04-19 11 5000 0.22%
    2018-04-18 13 5000 0.26%
    2018-04-17 30 5000 0.6%
    2018-04-16 18 5000 0.36%
    2018-04-15 2 5000 0.04%
    2018-04-14 11 5000 0.22%
    2018-04-13 14 5000 0.28%
    2018-04-12 49 5000 0.98%
    2018-04-11 25 5000 0.5%
    2018-04-10 34 5000 0.68%
    2018-04-09 44 5000 0.88%
    2018-04-08 6 5000 0.12%
    2018-04-07 8 5000 0.16%
    2018-04-06 26 5000 0.52%
    2018-04-05 15 5000 0.3%
    2018-04-04 37 5000 0.74%
    2018-04-03 20 5000 0.4%
    2018-04-02 21 5000 0.42%
    2018-04-01 10 5000 0.2%

    Exim stopped and I had to restart it on May 30th, but now SMTP relay usage is full.
    Now Exim does send emails but does NOT receive any...

    Please, advice.
     
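The relay history above is the kind of table a practitioner would want to scan automatically rather than by eye: the first abnormal day (2018-05-18, 41% of the limit) is visible well before the quota is exhausted on 2018-05-21. The following script is an added example, not code from the thread or from cPanel; it parses the table exactly as the WHM tool prints it (rows copied from the first post) and flags both days that consume the whole limit and days whose usage is a large multiple of the median of the preceding two weeks. The window, minimum history and burst factor are assumed thresholds, not WHM settings.

```python
"""Flag anomalous days in a WHM 'SMTP Relay History' table.

Two signals are checked: a day that uses the whole relay limit, and a day
whose usage is a large multiple of the recent baseline (the median of the
preceding `window` days), which catches the ramp-up before the quota is hit.
"""
from statistics import median

# The most recent rows of the table quoted in the first post, newest first,
# in the format the tool prints: DATE USED LIMIT PERCENT.
RELAY_HISTORY = """\
DATE USED LIMIT PERCENT
2018-05-30 5000 5000 100.0%
2018-05-29 0 5000 0.0%
2018-05-28 0 5000 0.0%
2018-05-27 0 5000 0.0%
2018-05-26 0 5000 0.0%
2018-05-25 5000 5000 100.0%
2018-05-24 5000 5000 100.0%
2018-05-23 5000 5000 100.0%
2018-05-22 5000 5000 100.0%
2018-05-21 5000 5000 100.0%
2018-05-20 0 5000 0.0%
2018-05-19 2 5000 0.04%
2018-05-18 2053 5000 41.06%
2018-05-17 44 5000 0.88%
2018-05-16 21 5000 0.42%
2018-05-15 45 5000 0.9%
2018-05-14 42 5000 0.84%
2018-05-13 26 5000 0.52%
2018-05-12 20 5000 0.4%
2018-05-11 7 5000 0.14%
2018-05-10 24 5000 0.48%
2018-05-09 40 5000 0.8%
2018-05-08 111 5000 2.22%
2018-05-07 44 5000 0.88%
2018-05-06 30 5000 0.6%
2018-05-05 94 5000 1.88%
2018-05-04 118 5000 2.36%
"""


def parse_relay_history(text):
    """Return (date, used, limit) tuples in chronological order."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0][:4].isdigit():
            continue  # header line or anything that is not a data row
        rows.append((parts[0], int(parts[1]), int(parts[2])))
    return sorted(rows)  # ISO dates sort chronologically as strings


def detect_relay_anomalies(rows, window=14, min_history=7, burst_factor=10):
    """Return (date, used, reason) for every day worth a second look.

    The thresholds are assumptions chosen for this example: a day is a
    'burst' when it sends at least burst_factor times the median of the
    previous `window` days, judged only once `min_history` days are known.
    """
    findings = []
    for i, (date, used, limit) in enumerate(rows):
        if used >= limit:
            findings.append((date, used, "quota exhausted"))
            continue
        history = [u for _, u, _ in rows[max(0, i - window):i]]
        if len(history) < min_history:
            continue
        baseline = median(history)
        if baseline > 0 and used >= burst_factor * baseline:
            findings.append((date, used,
                             f"burst: {used / baseline:.0f}x the "
                             f"{len(history)}-day median of {baseline:g}"))
    return findings


if __name__ == "__main__":
    for date, used, reason in detect_relay_anomalies(parse_relay_history(RELAY_HISTORY)):
        print(f"{date}  used={used:<5} {reason}")
```

On the thread's data this reports 2018-05-18 as a burst (about 50 times the 14-day median of 41) three days before the first 100% day, which is the point at which an operator would want an alert rather than waiting for outbound mail to stop.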
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    906
    Likes Received:
    347
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
  3. Lillike

    As I wrote, Exim was dead but is now running.
    Naturally the sending of emails is limited.

    The root (Cron Daemon) sends me many emails.

    Here it is:

    Code:
    Date:
    Thu, 31 May 2018 05:42:01 -0700
    From:
    root@ip-192xxxx.secureserver.net (Cron Daemon)
    To:
    gc@ip-192xxxx.secureserver.net
    
    
    
    --2018-05-31 05:41:01-- http://example.com/zz1.php?reboot=yes
    Resolving example.com... 192.xxxxx
    Connecting to example.com|192.xxxx|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: “zz1.php?reboot=yes.5868”
    
    0K 2.21K=0.4s
    
    2018-05-31 05:42:01 (2.21 KB/s) - “zz1.php?reboot=yes.5868” saved [943]
    
    
     
    #3 Lillike, May 31, 2018
    Last edited by a moderator: May 31, 2018
  4. rpvw

    A quick Google search for zz1.php turned up lots of sites (most seemed to be WordPress) and indexes, with a fair number marked with the This site may be hacked tag.

    You should probably investigate to see if that file exists on any of your users' file-sets, and take appropriate action if you find it.

    I did find one site that still had the zz1.php file available, and when run it produced the following output:
    Code:
    crontab: installing new crontab 28454 good...
    pero53 28454 2445 0.0 294608 89080 ? Sl 01:59 21945:45 ./cnrig -o 5.61.46.146:80 --donate-level=1
    Things like that would make me very nervous.
     
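The cron mail quoted earlier in the thread shows the pattern to look for on the server itself: a scheduled job that fetches a remote PHP script with wget and leaves copies such as `zz1.php?reboot=yes.5868` in the account's home directory. The following crontab auditor is an added example, not code from the thread or from cPanel. It parses standard crontab lines and reports jobs that download from a URL, jobs whose remote target is a PHP script, and jobs that execute from temp directories. The sample crontab is constructed for the example and modelled on the quoted cron mail; the backup and temp-directory entries are invented for contrast.

```python
"""Audit a crontab for the pattern in the cron mail quoted above: a
scheduled job that fetches a remote PHP script over HTTP. Jobs executing
out of temp directories are also flagged, since dropped tools often live there."""
import re
import shlex

DOWNLOADERS = {"wget", "curl"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Five schedule fields (or an @hourly-style keyword) followed by the command.
CRON_LINE_RE = re.compile(r'^(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$')

# Constructed sample, modelled on the cron mail quoted in the thread.
SAMPLE_CRONTAB = """\
MAILTO=gc
# nightly backup (benign, invented for contrast)
0 3 * * * /usr/local/bin/backup.sh --quiet
*/1 * * * * wget http://example.com/zz1.php?reboot=yes
@hourly /tmp/.cache/update
"""


def audit_crontab(text):
    """Return a list of {'line', 'command', 'reasons'} for suspicious entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or '=' in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_LINE_RE.match(line)
        if not m:
            continue  # not a schedule line we understand; leave for manual review
        cmd = m.group('cmd')
        try:
            tokens = shlex.split(cmd)
        except ValueError:  # unbalanced quotes; fall back to a plain split
            tokens = cmd.split()
        names = {t.rsplit('/', 1)[-1] for t in tokens}  # basename of each token
        urls = [t for t in tokens if re.match(r'https?://', t, re.I)]
        reasons = []
        if names & DOWNLOADERS and urls:
            reasons.append(f"fetches remote content from {urls[0]}")
        if any(u.split('?', 1)[0].lower().endswith('.php') for u in urls):
            reasons.append("remote target is a PHP script")
        if any(t.startswith(TEMP_DIRS) for t in tokens):
            reasons.append("executes from a temp directory")
        if reasons:
            findings.append({'line': lineno, 'command': cmd, 'reasons': reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['command']}")
        for r in f['reasons']:
            print(f"    - {r}")
```

To run it against a real account, feed it the output of `crontab -l -u <user>` for each account (and the system crontabs under /etc/cron.d); a hit on a downloader plus a `.php` target is the entry to remove before cleaning the files it has been fetching.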
  5. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,467
    Likes Received:
    248
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    I would also suggest running a malware scan - cPanel offers ClamAV but there are others, if you're not sure what to use.


    Thanks!
     
  6. Lillike

    Thanks. The problem is solved.
     
  7. cPanelLauren

    Hi @Lillike


    I'm happy to hear that! Thank you for letting us know.
     
  8. Lillike

    Today server's over quota... :(
    ClamAv installed and working...
    zz1.php... over.


    Mail delivery reports checked. A lot of files were found with the following messages:
    SMTP error from remote mail server after initial connection: 554 p3plsmtpout00xxx.prod.phx3.secxx.net : HOSTING RELAY : Pn5Jf0EURyedJ : DED : You've reached your daily relay quota - 192.xxxx


    Before above messages:
    Event: defer warning
    Sender User: gc
    Sender Domain: gc.com
    From Address: gc@ip-192-xxxxx.secureserver.net
    Sender: gc
    Sent Time: Jun 4, 2018, 12:51:12 PM
    Sender Host: localhost
    Sender IP: 127.0.0.1
    Authentication: localuser
    Spam Score:
    Recipient: zv393@mail.ru
    Delivered To:
    Delivery User: -system-
    Delivery Domain:
    Router: send_to_smart_host
    Transport: remote_smtp
    Out Time: Jun 4, 2018, 5:07:17 PM
    ID: 1fPn4s-0005Zl-Cg
    Delivery Host:
    Delivery IP:
    Size: 11.96 KB
    Result: retry time not reached for any host for 'mail.ru'

    (all notices are from the same domain and recipients from RU.)

    Sent Summary Report
    from 6/1 to 6/5.
    Domain  User  Successful  Deferrals  Failures  Failed and Deferred  Total Messages  Data Sent
    gc.com  gc    211         1,095,507  35,783    1,131,290            10,738          542.97 KB
            root  30          236        6         242                  18              774.79 KB


    Please, advice.
     
  9. cPanelLauren

    Hi @Lillike

    It sounds like you still have a compromised PHP script on the account. What is the output of the following:

    Code:
    exigrep 1fPn4s-0005Zl-Cg /var/log/exim_mainlog
     
  10. Lillike

    A long list received with the following (it's not all):


    stem196@gmail.com sin.antihrista666@mail.ru nikolay.kamenskiy
    @list.ru artem-ushenin@mail.ru dazzingdemon@mail.ru
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == pavkov1969@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == nadegdam@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == www.promodj@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 03:51:06 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fPn4s-0005Zl-Cg

    +++ 1fPn4s-0005Zl-Cg has not completed +++
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg <= gc@ip-192-xxxxx.secxxxxx.net U=gc P=local S=12242 id=595CEAB9B26648EB37327BC0E46C5BB6@spartascie
    nce.ru T="\320\237\321\200\320\276\321\205\320\276\320\264\320\270 \320\276\320\277\321\200\320\276\321\201\321\213, \320\277\320\276\320\273\321\203\321\207\320\260\32
    0\271 \320\264\320\265\320\275\321\214\320\263\320\270" for pavkov1969@gmail.com nadegdam@list.ru www.promodj@mail.ru badashov50@mail.ru aleninaalena1989@gmail.com sant
    alovanm@mail.ru vladimir.bandin@yandex.ru zv393@mail.ru nikkuningas@rambler.ru esina.irina1549@gmail.com rustem196@gmail.com sin.antihrista666@mail.ru nikolay.kamenskiy
    @list.ru artem-ushenin@mail.ru dazzingdemon@mail.ru
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == pavkov1969@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == nadegdam@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == www.promodj@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == zv393@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == nikkuningas@rambler.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'rambler.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == esina.irina1549@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == rustem196@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == sin.antihrista666@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == nikolay.kamenskiy@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == artem-ushenin@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == dazzingdemon@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == pavkov1969@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == nadegdam@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == www.promodj@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == badashov50@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == aleninaalena1989@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == santalovanm@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == vladimir.bandin@yandex.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'yandex.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == zv393@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == nikkuningas@rambler.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'rambler.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == esina.irina1549@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == rustem196@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == sin.antihrista666@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == nikolay.kamenskiy@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == artem-ushenin@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == dazzingdemon@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == pavkov1969@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == nadegdam@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == www.promodj@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == badashov50@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == aleninaalena1989@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == santalovanm@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == vladimir.bandin@yandex.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'yandex.ru'
    /bin/bash: -c: line 0: syntax error near unexpected token `('
    /bin/bash: -c: line 0: `lessecho -p0x22 -d0x22 -e\\ -n0x3b -n0x20 -n0x2a -n0x3f -n0x9 -n0xa -n0x27 -n0x22 -n0x28 -n0x29 -n0x3c -n0x3e -n0x5b -n0x5d -n0x7c -n0x26 -n0x5e -n0x60 -n0x23 -n0x5c -n0x24 -n0x25 -n0x3d -n0x7e -- -0005Zl-Cg == pavkov1969@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not

    2018-06-04 08:07:49 1fPn4s-0005Zl-Cg == dazzingdemon@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
     
  11. cPanelLauren

    Hi @Lillike

    Can you run the command again but omit these lines?

    Code:
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == www.promodj@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
     
  12. rpvw

  13. Lillike

    rpvw: ClamAV, ModSecurity, firewall etc. are working...

    Lauren:

    I ran the command exigrep 1fPn4s-0005Zl-Cg /var/log/exim_mainlog:

    +++ 1fPn4s-0005Zl-Cg has not completed +++
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg <= gc@ip-192-xxxx.secureserver.net U=gc P=local S=12242 id=595CEAB9B26648EB37327BC0E46C5BB6@spartascience.ru T="\320\237\321\200\320\276\321\205\320\276\320\264\320\270 \320\276\320\277\321\200\320\276\321\201\321\213, \320\277\320\276\320\273\321\203\321\207\320\260\320\271 \320\264\320\265\320\275\321\214\320\263\320\270" for pavkov1969@gmail.com nadegdam@list.ru www.promodj@mail.ru badashov50@mail.ru aleninaalena1989@gmail.com santalovanm@mail.ru vladimir.bandin@yandex.ru zv393@mail.ru nikkuningas@rambler.ru esina.irina1549@gmail.com rustem196@gmail.com sin.antihrista666@mail.ru nikolay.kamenskiy@list.ru artem-ushenin@mail.ru dazzingdemon@mail.ru .....
     
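The exigrep output quoted in the two posts above carries everything needed to confirm the diagnosis without reading hundreds of lines by hand: the `<=` arrival line says the message was submitted locally (`P=local`) by the account user (`U=gc`) to a long list of recipients, the `T="..."` field is the subject with Exim's octal escapes for non-ASCII bytes, and each `==` line is one deferred recipient. The following parser is an added example, not code from the thread or from cPanel. It groups mainlog lines by message id, decodes the escaped subject, and flags locally submitted messages with a wide fan-out. The sample log lines are constructed with placeholder addresses and a placeholder `id=`, but the subject bytes are those from the quoted log line; the recipient threshold is an assumption for this example.

```python
"""Triage Exim mainlog lines such as the exigrep output quoted above:
group lines by message id, decode the \\ooo escapes Exim uses for non-ASCII
subjects, and flag locally submitted messages that fan out to many recipients,
the signature of a script sending from a hosting account."""
import re
from dataclasses import dataclass, field

# Arrival line as Exim writes it: "<ts> <id> <= <sender> K=V K=V ... for <rcpt> <rcpt> ..."
# Attribute values are bare words or a double-quoted string (the T= subject).
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+)'
    r'(?P<attrs>(?: [A-Za-z]+=(?:"(?:[^"\\]|\\.)*"|\S+))*) for (?P<rcpts>.+)$')
ATTR_RE = re.compile(r'([A-Za-z]+)=("(?:[^"\\]|\\.)*"|\S+)')
# Per-recipient attempt lines: "==" deferred, "=>" delivered, "**" failed.
ATTEMPT_RE = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<id>\S+) (?P<status>==|=>|\*\*) (?P<rcpt>\S+)')

# Constructed sample modelled on the quoted exigrep output (placeholder
# addresses and message id; the subject bytes are from the quoted line).
SAMPLE_LOG = r'''
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg <= gc@ip-192-0-2-10.example.net U=gc P=local S=12242 id=CONSTRUCTED-MSGID@example.invalid T="\320\237\321\200\320\276\321\205\320\276\320\264\320\270 \320\276\320\277\321\200\320\276\321\201\321\213, \320\277\320\276\320\273\321\203\321\207\320\260\320\271 \320\264\320\265\320\275\321\214\320\263\320\270" for r01@mail.example r02@list.example r03@gmail.example r04@mail.example r05@yandex.example r06@rambler.example r07@mail.example r08@list.example r09@gmail.example r10@mail.example r11@mail.example r12@mail.example
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == r01@mail.example R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.example'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == r02@list.example R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.example'
2018-06-04 03:55:10 1fPn8r-0001Ab-Zz <= alice@example.com U=alice P=local S=1880 T="Invoice for May" for bob@example.org
2018-06-04 03:55:11 1fPn8r-0001Ab-Zz => bob@example.org R=send_to_smart_host T=remote_smtp H=smtp.example.net [198.51.100.5]
'''.strip().splitlines()


@dataclass
class Message:
    id: str
    ts: str
    sender: str
    user: str = ""
    protocol: str = ""
    size: int = 0
    subject: str = ""
    recipients: list = field(default_factory=list)
    deferrals: int = 0
    deliveries: int = 0
    failures: int = 0


def decode_exim_escapes(s):
    """Exim logs non-printable bytes as \\ooo octal escapes; rebuild the raw
    bytes and decode them as UTF-8 (e.g. \\320\\237 -> 'П')."""
    raw = re.sub(r'\\([0-7]{3})', lambda m: chr(int(m.group(1), 8)), s)
    return raw.encode('latin-1', 'replace').decode('utf-8', 'replace')


def parse_mainlog(lines):
    """Return {message_id: Message} built from arrival and attempt lines."""
    msgs = {}
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if m:
            msg = Message(m['id'], m['ts'], m['sender'], recipients=m['rcpts'].split())
            for key, val in ATTR_RE.findall(m['attrs']):
                if key == 'U':
                    msg.user = val
                elif key == 'P':
                    msg.protocol = val
                elif key == 'S':
                    msg.size = int(val)
                elif key == 'T':
                    msg.subject = decode_exim_escapes(val.strip('"'))
            msgs[msg.id] = msg
            continue
        a = ATTEMPT_RE.match(line)
        if a and a['id'] in msgs:
            msg = msgs[a['id']]
            if a['status'] == '==':
                msg.deferrals += 1
            elif a['status'] == '=>':
                msg.deliveries += 1
            else:
                msg.failures += 1
    return msgs


def flag_bulk_local_senders(msgs, min_rcpts=10):
    """Messages submitted by a local process (P=local, not an authenticated
    SMTP client) with at least min_rcpts recipients; threshold is an assumption."""
    return [{'id': m.id, 'user': m.user, 'recipients': len(m.recipients),
             'deferred': m.deferrals, 'subject': m.subject}
            for m in msgs.values()
            if m.protocol == 'local' and len(m.recipients) >= min_rcpts]


if __name__ == "__main__":
    for hit in flag_bulk_local_senders(parse_mainlog(SAMPLE_LOG)):
        print(hit)
```

On the constructed sample the gc message is the only hit, and its decoded subject reads "Проходи опросы, получай деньги" (a survey/earn-money pitch), which is the kind of content that turns "Exim is queueing a lot" into "this account is running a spam script". Fed the real mainlog, grouping by `user` would also produce the per-account totals that the Sent Summary Report above shows.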
  14. cPanelLauren

    Hi @Lillike

    This shows us that the user gc is sending mail, but that is most likely because a script is responsible for it. Since the message hasn't been sent yet, you can view the headers:

    Code:
    exim -Mvh 1fPn4s-0005Zl-Cg
    But ultimately what you need to find is where the message originated from within the user's account.

    Something we use to quickly identify the source of spam mail:
    Code:
    perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    It should point out where that mail is coming from though I think the entire gc user directory needs to be audited at this point.
     