Spam being sent directly through server - can't enable SMTP Tweak

monkey64
Well-Known Member, cPanel Access Level: Root Administrator
I keep receiving email alerts from LFD about LOCALRELAY and a particular account.

When I viewed details for the email in Mail > Mail Delivery Reports, it showed that the Transport was "remote_smtp".
So does that indicate that a connection was made directly to the server or was it sent via the user's email account? I have attached the output.

I read the excellent cPanel docs on preventing email abuse but can't enable the "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" setting. I understand that this may not be possible with all VPS machines because they don't all have the required iptables support.

Aggh. What should I do?
quietFinn
Well-Known Member (Finland), cPanel Access Level: Root Administrator
"Sender IP: 127.0.0.1" and "Authentication: localuser" tell you that the email was sent by a user on your server.
In this case the "SMTP tweak" will not help.

If you get alerts from CSF/LFD, it is usually even able to tell you which script was used to send the mail.
 

cPanelMichael
Administrator, Staff member
Hello :)

You can try searching for the recipient address in /var/log/exim_mainlog to see if any more information is available, e.g.:

Code:
exigrep user@domain /var/log/exim_mainlog
Thank you.
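The two replies above describe how to read the log evidence: "Sender IP: 127.0.0.1" with "Authentication: localuser" in the delivery report means a local process (typically a web script) handed the mail to Exim's sendmail pipe, while an authenticated SMTP login points at a mail account whose password is in use; exigrep then pulls the full history of one message out of exim_mainlog. The script below is an added example, not part of this thread and not cPanel or Exim code. It walks an Exim main-log excerpt and groups message arrivals by how they entered the server (local pipe, SMTP AUTH, or inbound), attaching the "cwd=" line that Exim writes for local pipe submissions so the owning account and directory stand out. The sample log lines, hostnames, account names and message IDs are constructed for the example, and the assumption that a "cwd=" line immediately precedes the matching "<=" line (true when Exim is configured to log process arguments, as cPanel does) is a heuristic, not a guarantee.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of Exim's main log (exim_mainlog on a cPanel
# server). All hosts, users, IDs, addresses and timestamps are made up.
SAMPLE_LOG = """\
2011-11-06 10:00:01 cwd=/home/shop/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i -fshop@box.example.net
2011-11-06 10:00:01 1RNaaa-0001aa-Aa <= shop@box.example.net U=shop P=local S=2048 T="Cheap watches" for victim1@example.org
2011-11-06 10:00:02 1RNaaa-0001aa-Aa => victim1@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.10]
2011-11-06 10:00:02 1RNaaa-0001aa-Aa Completed
2011-11-06 10:01:00 1RNbbb-0001bb-Bb <= alice@example.com H=(laptop) [198.51.100.7] P=esmtpsa A=dovecot_login:alice@example.com S=900 T="Meeting notes" for bob@example.net
2011-11-06 10:01:01 1RNbbb-0001bb-Bb => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.20]
2011-11-06 10:02:00 cwd=/home/shop/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i -fshop@box.example.net
2011-11-06 10:02:00 1RNccc-0001cc-Cc <= shop@box.example.net U=shop P=local S=2100 T="Cheap watches" for victim2@example.org
2011-11-06 10:02:01 1RNccc-0001cc-Cc => victim2@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.10]
2011-11-06 10:03:00 1RNddd-0001dd-Dd <= news@example.net H=mail.example.net [203.0.113.5] P=esmtp S=3000 T="Newsletter" for alice@example.com
"""

# "<=" marks a message arriving in Exim; "=>" lines are deliveries and are skipped.
ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# Process-argument line Exim logs for local pipe submissions (when argument logging is on).
CWD_RE = re.compile(r"^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) \d+ args: ")


def classify(rest):
    """Decide how a message entered Exim from the fields on its '<=' line.

    Returns (kind, identity) where kind is 'local', 'auth' or 'other'.
    """
    auth = re.search(r"\bA=(\S+)", rest)
    proto = re.search(r"\bP=(\S+)", rest)
    user = re.search(r"\bU=(\S+)", rest)
    if proto and proto.group(1) == "local":
        # Handed to the local sendmail pipe by a process on this box (a web script,
        # cron job, etc.). cPanel's delivery report shows this as Sender IP
        # 127.0.0.1 / Authentication: localuser. U= is the system account that ran it.
        return "local", user.group(1) if user else "?"
    if auth:
        # SMTP AUTH: a mail account's credentials were presented. The account name
        # follows the authenticator name, e.g. "dovecot_login:alice@example.com".
        return "auth", auth.group(1).split(":", 1)[-1]
    # Anything else is inbound or relayed mail without a local origin.
    return "other", "?"


def summarize(log_text):
    """Count arrivals per (kind, identity) and collect cwd paths for local senders."""
    senders = Counter()
    cwds = defaultdict(set)
    last_cwd = None  # assumption: the cwd line directly precedes its '<=' line
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.group("cwd")
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        kind, ident = classify(m.group("rest"))
        senders[(kind, ident)] += 1
        if kind == "local" and last_cwd:
            cwds[ident].add(last_cwd)
        last_cwd = None
    return senders, cwds


def top_local_senders(log_text, n=5):
    """Local (pipe-submitted) senders ordered by message count, busiest first."""
    senders, _ = summarize(log_text)
    local = [(ident, count) for (kind, ident), count in senders.items() if kind == "local"]
    return sorted(local, key=lambda pair: (-pair[1], pair[0]))[:n]


if __name__ == "__main__":
    senders, cwds = summarize(SAMPLE_LOG)
    for (kind, ident), count in sorted(senders.items()):
        print(f"{kind:5} {ident:25} {count} message(s)")
    for ident, paths in cwds.items():
        print(f"local sender {ident} submitted from: {', '.join(sorted(paths))}")
```

Run against a real excerpt with something like `python3 script.py < /var/log/exim_mainlog` after replacing SAMPLE_LOG with `sys.stdin.read()`; a local sender whose cwd sits under a site's uploads or plugin directory, as in the constructed sample, is the usual sign of a compromised or abused web script rather than a stolen mailbox password, which would show up under "auth" instead.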
 

monkey64
Well-Known Member, cPanel Access Level: Root Administrator
The email was being sent through the user's default mail account; there were no email addresses set up.

It looks as though the user had installed a WordPress mailing script, or the WordPress install itself was compromised.
Since the user does not use an email address related to their domain, I have set the Monthly Bandwidth Limit (MB) to 1 MB in an attempt to prevent emails being sent. Is there an easier way to disable the user's default mail account?
 

cPanelMichael
Administrator, Staff member
Typically, if you have confirmed the account that SPAM is coming from, the next step is to suspend the account and advise the user to secure their scripts or stop sending out the SPAM email. One option that may be helpful is "Scan outgoing messages for spam and reject based on SpamAssassin® internal spam_score setting" found under the "SpamAssassin Options" tab in "WHM Home » Service Configuration » Exim Configuration Manager".

Thank you.