The Community Forums


Spam being sent directly through server - can't enable SMTP Tweak

Discussion in 'E-mail Discussions' started by monkey64, Oct 23, 2013.

  1. monkey64

    monkey64 Well-Known Member

    Joined:
    Nov 6, 2011
    Messages:
    86
    cPanel Access Level:
    Root Administrator
    I keep receiving email alerts from LFD about LOCALRELAY and a particular account.

    When I viewed details for the email in Mail > Mail Delivery Reports, it showed that the Transport was "remote_smtp".
    So does that indicate that a connection was made directly to the server, or was it sent via the user's email account? I have attached the output.

    I read the excellent cPanel docs on preventing email abuse but can't enable the "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" setting. I understand that this may not be possible with all VPS machines because they don't all have the required iptables support.

    Aggh. What should I do?
     

    Attached Files:

  2. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    "Sender IP: 127.0.0.1" and "Authentication: localuser" tell you that the email was sent by a user on your server.
    In this case the "SMTP tweak" will not help.

    If you get alerts from CSF/LFD it's usually even able to tell what script is used to send.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can try searching for the recipient address in /var/log/exim_mainlog to see if any more information is available, e.g.:

    Code:
    exigrep user@domain /var/log/exim_mainlog
    Thank you.
     
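The two replies above describe the same evidence from two angles: the Mail Delivery Reports view showing "Sender IP: 127.0.0.1" / "Authentication: localuser", and the exigrep search of /var/log/exim_mainlog. The following script is an added example, not code from the thread or from cPanel, that does the equivalent triage over the raw log offline: it pairs each local "cwd=" submission line with the "<=" arrival line that follows it, classifies every message as a local script/shell submission (P=local, the case in this thread, which the SMTP Tweak cannot block because no outbound SMTP connection is involved), an authenticated SMTP submission (A=... present, i.e. a mailbox password in use), or an unauthenticated SMTP arrival, and counts them per sending user and working directory. The log lines are constructed; the "cwd=... N args:" prefix and the "<=" field layout are assumed to match cPanel's Exim logging format and should be checked against your own exim_mainlog.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines (not taken from the thread).
# Assumed cPanel Exim format: a "cwd=" line for each local sendmail invocation,
# followed by the "<=" arrival line for that message.
SAMPLE_LOG = """\
2013-10-23 09:12:01 cwd=/home/monkey/public_html/wp-content/plugins/mailer 4 args: /usr/sbin/sendmail -t -i -fmonkey@example.com
2013-10-23 09:12:01 1VYabc-0003kX-4q <= monkey@example.com U=monkey P=local S=1873 id=abc@example.com T="Cheap offers" for victim1@example.net
2013-10-23 09:12:02 cwd=/home/monkey/public_html/wp-content/plugins/mailer 4 args: /usr/sbin/sendmail -t -i -fmonkey@example.com
2013-10-23 09:12:02 1VYabd-0003kZ-7t <= monkey@example.com U=monkey P=local S=1874 id=abd@example.com T="Cheap offers" for victim2@example.net
2013-10-23 09:15:40 1VYabe-0003ka-Aa <= alice@example.org H=(client) [203.0.113.5] P=esmtpsa A=dovecot_login:alice@example.org S=2210 id=xyz@example.org T="Invoice" for bob@example.com
2013-10-23 09:16:05 1VYabf-0003kb-Bb <= spammer@example.info H=(mx) [198.51.100.7] P=esmtp S=980 id=q@example.info T="Hello" for monkey@example.com
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: ")
ARRIVAL_RE = re.compile(r"^\S+ \S+ (\S+) <= (\S+) (.*) for (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_arrival(line):
    """Return a dict of the Exim '<=' arrival fields, or None for other lines."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    msg_id, sender, rest, rcpts = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields.update({"id": msg_id, "sender": sender, "rcpts": rcpts.split()})
    return fields


def classify(fields):
    """Map an arrival record to how the message entered Exim."""
    if fields.get("P") == "local":
        # Piped into /usr/sbin/sendmail by a script or shell on the box itself;
        # this is what Mail Delivery Reports shows as 127.0.0.1 / localuser.
        return "local-submission"
    if fields.get("A"):
        # SMTP AUTH succeeded: a mailbox credential was used (possibly stolen).
        return "authenticated-smtp"
    return "unauthenticated-smtp"


def summarize(log_text):
    """Count messages per (origin, actor, cwd) tuple across the log."""
    counts = Counter()
    pending_cwd = ""          # cwd from the most recent sendmail invocation line
    for line in log_text.splitlines():
        cwd_match = CWD_RE.match(line)
        if cwd_match:
            pending_cwd = cwd_match.group(1)
            continue
        fields = parse_arrival(line)
        if fields is None:
            continue
        origin = classify(fields)
        if origin == "local-submission":
            actor, cwd = fields.get("U", "?"), pending_cwd
            pending_cwd = ""  # consumed by this message
        elif origin == "authenticated-smtp":
            actor, cwd = fields["A"], ""
        else:
            actor, cwd = fields.get("H", "?"), ""
        counts[(origin, actor, cwd)] += 1
    return counts


def suspicious_local_senders(log_text, threshold=2):
    """Local (script) senders at or above `threshold` messages, most active first."""
    rows = [(k, n) for k, n in summarize(log_text).items()
            if k[0] == "local-submission" and n >= threshold]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for (origin, actor, cwd), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {origin:<22} {actor:<35} {cwd}")
```

On a real server, feed it the live log with `python3 triage.py < /var/log/exim_mainlog` after replacing SAMPLE_LOG with `sys.stdin.read()`; a cwd under a user's public_html (a WordPress plugin directory, say) with a high count points at the script to suspend, which is the step the thread ends on.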
  4. monkey64

    monkey64 Well-Known Member

    Joined:
    Nov 6, 2011
    Messages:
    86
    cPanel Access Level:
    Root Administrator
    The email was being sent through the user's default mail account; there were no email addresses set up.

    It looks as though the user had installed a WordPress mailing script, or the WordPress install itself was compromised.
    Since the user does not use an email address related to their domain, I have set the Monthly Bandwidth Limit (MB) to 1MB in an attempt to prevent emails being sent. Is there an easier way to disable the user's default mail account?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    cPanel Access Level:
    Root Administrator
    Typically, if you have confirmed the account that SPAM is coming from, the next step is to suspend the account and advise the user to secure their scripts or stop sending out the SPAM email. One option that may be helpful is "Scan outgoing messages for spam and reject based on SpamAssassin® internal spam_score setting" found under the "SpamAssassin Options" tab in "WHM Home » Service Configuration » Exim Configuration Manager".

    Thank you.
     