Spam being sent from server. Can't trace route

samjsharples

Registered
Apr 10, 2015
UK
cPanel Access Level
Root Administrator
Hi

I have spam being sent from an email on one of my accounts to a specific email address roughly every 10 minutes. I have changed the passwords etc. and now have an Exim log, but I am unsure what's going on. It doesn't specify that a PHP script is being run. Any ideas?

- Snipped -
 

noahbalboah

Registered
Apr 11, 2015
Lansing, MI
cPanel Access Level
Root Administrator
Hello. Run the command below; it'll tell you which directories, if any, are sending out spam from a script.

grep -i cwd= /var/log/exim_mainlog | grep home | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) print $i}' | sort | uniq -c | sort -n -k1 | tail -100

It'll give a number on the left side; the higher the number, the more spam coming from that directory.
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
2015-04-11 11:45:46 [24726] 1Ygssc-0006Qo-D2 <= [email protected] H=176-35-166-24.xdsl.domain.net (ACCOUNTNAME) [176.35.xxx.xx]:64985 I=[78.109.xxx.xx]:25 P=esmtpa A=dovecot_login:[email protected] S=8059216 M8S=0 [email protected] T="LAST e-mail for ACCOUNTNAME" from <[email protected]> for [email protected]
As per the provided logs, I can see your mails have been sent from your [email protected] account using the mail account password. So change this mail account's password and update your server settings with Prevent Email Abuse.
 

noahbalboah

Registered
Apr 11, 2015
Lansing, MI
cPanel Access Level
Root Administrator
I already changed the password to a secure one. Would this mean that the computer that has the email account has a virus or something?
Most likely not. Have you checked for scripts sending out mail using the command I gave you? I'd double check that first. Otherwise, if it's being sent out by a single email account it's usually a compromised password.
 

samjsharples

Registered
Apr 10, 2015
UK
cPanel Access Level
Root Administrator
I'm pretty new to this stuff. I'm using a Mac, so I have connected via SSH using Terminal, run the script you sent, and all I got was this:
[email protected] [~]# grep -i cwd /var/log/exim_mainlog | grep home | awk '{print $3}' | sort | uniq -c | sort -n -k1 | tail -100
1 [17933]
1 [17934]
1 [17937]
1 [17939]
1 [17949]
1 [19453]
1 [19460]
1 [20490]
1 [20494]
1 [20616]
1 [20621]
1 [21921]
1 [21963]
1 [21972]
1 [21982]
1 [21991]
1 [23123]
1 [23258]
1 [23263]
1 [24124]
1 [5297]
1 [5302]
1 [5734]
1 [5739]
[email protected] [~]#
 

noahbalboah

Registered
Apr 11, 2015
Lansing, MI
cPanel Access Level
Root Administrator
Basically, it didn't find a script spamming on the server, so that's good news. Other than a script or a password compromise it might be hard to troubleshoot without knowing more information. Have you opened a cPanel ticket to see if they can login to your server and assist you?
 

madmanmachines

Well-Known Member
Nov 28, 2014
cPanel Access Level
Root Administrator
Hi,

The logs clearly show this was sent via password authentication and not a script.
Code:
A=dovecot_login:[email protected]
A search for scripts sending mail is not needed. Simply update the password. The password may have been guessed or brute-forced by a hacker. I recommend using long 3-character-class passwords. As well, the password may have been obtained from a computer infected with malware. I recommend that you run a scan on all computers that are used to access this email account. As well, I recommend ensuring that all email clients are using the SSL connection details in their mail client, which are provided at cPanel > Email Accounts > More > Configure.

Thanks,
 

nisamudeen97

Well-Known Member
Jul 7, 2010
Cochin
cPanel Access Level
Root Administrator
2015-04-11 11:45:46 [24726] 1Ygssc-0006Qo-D2 <= [email protected] H=176-35-166-24.xdsl.domain.net (ACCOUNTNAME) [176.35.166.24]:64985 I=[78.109.xxx.xx]:25 P=esmtpa A=dovecot_login:[email protected] S=8059216 M8S=0 [email protected] T="LAST e-mail for ACCOUNTNAME" from <[email protected]> for [email protected]
Hi,


The log you have provided itself says all the mails were sent via Dovecot with SMTP authentication, hence there is no need to check for scripts. Let me try to explain the log you have provided.

The above log clearly shows the mail originated from the mail account "[email protected]". The variable "P=esmtpa" shows the mail account was authenticated to send this particular mail. The variable I shows the public IP from which the mail originated. In your case the mail originated from the public IP "78.109.xxx.xx", so the user at this public IP has used the authentication of "[email protected]" to send mail. T denotes the subject of the message, so as per the above log the subject is "LAST e-mail for ACCOUNTNAME".

If the mail is not supposed to be sent without your knowledge, this clearly shows a spammer has got the password of the mail account and exploited it. You have to change the password of the mail account with immediate effect. :)
 
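The two checks in this thread, noahbalboah's cwd= count for script-injected mail and the reading of the authenticated-sender fields out of the "<=" line in the posts above, combined into one added example. This is not code from any of the posters or from cPanel. Fields are matched by name rather than by position, so it still works when Exim logs with +pid and every line carries a [pid] column after the timestamp, which is what turned the earlier one-liner's output into a list of PIDs. The log lines inside sample_log are constructed for the example, with placeholder account names and RFC 5737 documentation addresses. One point to hold onto when reading a "<=" line: H= is the remote client that submitted the message (reverse-DNS name, optional HELO name in parentheses, then [ip]:port), and I= is the local interface address the server accepted the connection on, so the client's IP is the one under H=.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): triage an Exim main log for
# the two spam sources discussed above:
#   1. mail injected by a local script  -> log lines carrying cwd=/home/...
#   2. mail sent through SMTP AUTH      -> "<=" lines carrying A=dovecot_login:
# Fields are located by name, so the optional [pid] column does not break it.

# Constructed sample log (placeholder names, RFC 5737 documentation addresses).
# On a cPanel server feed /var/log/exim_mainlog instead.
sample_log() {
    cat <<'EOF'
2015-04-11 11:45:46 [24726] 1Ygssc-0006Qo-D2 <= user@example.com H=client.example.net (ACCOUNTNAME) [203.0.113.7]:64985 I=[198.51.100.25]:25 P=esmtpa A=dovecot_login:user@example.com S=8059216 T="LAST e-mail for ACCOUNTNAME" from <user@example.com> for victim@example.org
2015-04-11 11:55:47 [24810] 1Ygt2M-0006Rz-Aa <= user@example.com H=client.example.net (ACCOUNTNAME) [203.0.113.7]:64990 I=[198.51.100.25]:25 P=esmtpa A=dovecot_login:user@example.com S=8059216 T="LAST e-mail for ACCOUNTNAME" from <user@example.com> for victim@example.org
2015-04-11 12:00:01 [24901] cwd=/home/acct/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2015-04-11 12:00:02 [24902] cwd=/home/acct/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2015-04-11 12:00:03 [24903] cwd=/home/acct/public_html 3 args: /usr/sbin/sendmail -t -i
2015-04-11 12:05:00 [24950] 1Ygtaa-0006Sa-Bb <= other@example.com H=mx.example.org [192.0.2.9]:41000 I=[198.51.100.25]:25 P=esmtp S=1200 T="hello" from <other@example.com> for user@example.com
2015-04-11 12:06:00 [24960] 1Ygtbb-0006Sb-Cc <= user@example.com H=(laptop) [192.0.2.44]:50001 I=[198.51.100.25]:25 P=esmtpa A=dovecot_login:user@example.com S=900 T="real mail" from <user@example.com> for friend@example.org
EOF
}

# Count script-injected messages per working directory.
# Input: log on stdin.  Output: "count cwd=/path", busiest directory first.
script_senders() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=\/home/) print $i }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Count SMTP AUTH submissions per (account, client IP).
# Input: log on stdin.  Output: "count account [client-ip]", busiest first.
# The client IP is the first bare "[ip]:port" token, which belongs to H=;
# the I=[ip]:port token is the server's own interface and is skipped
# because it starts with "I=", and the [pid] column has no ":port".
auth_senders() {
    awk '/ <= / && / A=dovecot_login:/ {
            login = ""; client = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^A=dovecot_login:/) {
                    login = $i; sub(/^A=dovecot_login:/, "", login)
                }
                if (client == "" && $i ~ /^\[[0-9.]+\]:[0-9]+$/) {
                    client = $i; sub(/:[0-9]+$/, "", client)
                }
            }
            if (login != "") count[login " " client]++
        }
        END { for (k in count) print count[k], k }' \
        | sort -rn
}

echo "== messages injected by scripts, per directory =="
sample_log | script_senders
echo "== SMTP AUTH submissions, per account and client IP =="
sample_log | auth_senders
```

On a live server replace `sample_log |` with `cat /var/log/exim_mainlog |`. A directory with a high count is the script to look at; many submissions for one account from a client IP the owner does not recognise is the stolen-password case this thread ended up at, and the account plus client IP is also what you need when deciding whether a password change alone stopped it.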

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Feel free to update this thread with the outcome after changing the password of the email account, as advised in the previous posts.

Thank you.