Spam being sent via IMAP AUTHRELAY

Evolve

Well-Known Member
Jan 31, 2007
This is the second time I've encountered this from the same user...

One of their email addresses is sending out spam emails that have the subject line "Fwd: Photos"...
I am alerted to this because I get an LFD AUTHRELAY report:
Count: 101 emails relayed

The last time I noticed this was happening, I changed their email password and told them to run antivirus on their computer, because I assumed someone must have gotten their password... I'm not sure if they followed my instructions. The spammers were successfully being blocked trying to log into their account via LFD's SMTP blocking, and everything seemed fine for a couple of weeks. The password I changed it to wasn't the strongest, but it did include upper- and lower-case characters and digits, and LFD was successfully blocking IPs after 1 failed attempt, so someone must be hacking their system to get the password, right?? I can't imagine they guessed it in 100 or so attempts over that time.

Anyway, it all started happening again today.
My maillog says the following when the spammers log in to send spam:
Code:
Feb  5 06:29:15 cp dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__zq8gb_hztfrlrd0og37icroblnh7o7qacaztwl...etc.>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Feb  5 06:29:16 cp dovecot: IMAP(__cpanel__service__auth__imap__zq8gb_hztfrlrd0og37icroblnh7o7qacaztw....etc.): Disconnected: Logged out bytes=11/313
Normally the user is a regular email address but when the spammers log in it looks like "__cpanel__service__auth__imap__zq8gb_hztfrl". Is this normal?

The client is only using POP3 and the spammers are using IMAP.

Any suggestions on what I can do to fix this situation? I'm going to drop their relay rate down to something like 20 and give them a long complicated password and scold them into running anti-virus on their system...

If that doesn't work I'll have to get them to host their email or entire website elsewhere.

Thanks

ruzbehraja

Well-Known Member
May 19, 2011
cPanel Access Level
Root Administrator
Quite strange.

Have you reviewed the Mailserver Configuration in WHM:

Can you disable this:

Allow Plaintext Authentication (from remote clients)

This setting will allow remote email clients to authenticate using unencrypted connections. When set to 'no' only connections originating on the local server will be allowed to authenticate without encryption. Setting this to 'no' is preferable to disabling IMAP in the 'Protocols Enabled' section since it will force remote users to use encryption while still allowing webmail to function correctly.

Evolve

Hmm, I do like the sound of that setting, but I should probably alert all email users on all accounts that I will be flicking that switch before I do it.

Does the "secured" part on the end of the login mean that it was actually encrypted? Does secured = encrypted?

I've given them a much more complicated password and they've assured me that they will get the computer "looked at". I'll let you know if I have another occurrence.

In the meantime I'll have to figure out how to send an email to all of the email accounts for all of my clients on my server.

Evolve

It happened again today. I gave my client a very strong password, and they said they had their "guy" turn their antivirus on again a few days prior.

There have been daily attempts to log into the email account that are blocked by lfd after one smtpauth failure. Perhaps these are just zombies trying to use the last known password?

Is this the client's fault? Should I just kick them off my server? I'd hate to blame the client if it wasn't them, but I can't figure out how else the spammers are getting access.

quietFinn

Well-Known Member
Feb 4, 2006
Finland
cPanel Access Level
Root Administrator
In your 1st post you have the wrong line from the logs; this "cpanel__service__auth__imap__...etc..." is cPanel checking that IMAP is alive.
It also states "rip=127.0.0.1, lip=127.0.0.1"; rip = remote IP and lip = local IP, so it's a local connection.

Evolve

This is a sample from my exim_mainlog
Code:
2013-02-19 07:30:01 SMTP connection from [bad.guy.ip.here]:60103 (TCP/IP connection count = 1)
2013-02-19 07:30:02 H=s01060011953ff72a.vs.badguydomain.net (WKST-03) [bad.guy.ip.here]:60103 Warning: Sender rate 1.0 / 1h
2013-02-19 07:30:02 1U7oCo-00035A-IA <= [email protected] H=s01060011953ff72a.vs.badguydomain.net (WKST-03) [bad.guy.ip.here]:60103 P=esmtpsa X=TLSv1:RC4-MD5:128 A=dovecot_login:[email protected] S=730 T="Re: Your Photos" for [email protected]
2013-02-19 07:30:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1U7oCo-00035A-IA
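The two log excerpts in this thread are enough to do the triage by script. The following is an added example, not code from the thread or from cPanel: it parses dovecot login lines and exim arrival lines, drops cPanel's own `__cpanel__service__auth__` liveness check (the loopback login quietFinn points out) and other local connections, and then groups SMTP AUTH submissions by user and hour, using exim's `A=dovecot_login:user` field, so that a mailbox pushing many same-subject messages from an outside IP stands out. The log lines embedded below are constructed (TEST-NET addresses, made-up users) and the thresholds are assumptions, not cPanel's defaults.

```python
"""Triage of mailbox-credential abuse from dovecot and exim logs (added example)."""
import re
import sys
from collections import Counter, defaultdict

# cPanel's own IMAP/POP3 liveness check logs in under this synthetic user name.
SERVICE_USER_PREFIX = "__cpanel__service__auth__"
LOCAL_IPS = {"127.0.0.1", "::1"}

# dovecot: "imap-login: Login: user=<u>, method=PLAIN, rip=<remote ip>, lip=<local ip>, ..."
DOVECOT_LOGIN = re.compile(
    r"dovecot: (?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)(?P<flags>.*)$"
)
# exim arrival line; A=<authenticator>:<id> means the message came in over SMTP AUTH.
EXIM_ARRIVAL = re.compile(
    r'^(?P<hour>\d{4}-\d\d-\d\d \d\d):\d\d:\d\d (?P<msgid>\S+) <= (?P<sender>\S+) '
    r'H=(?P<host>.*?)\[(?P<ip>[^\]]+)\]:\d+ P=(?P<proto>\S+)(?: X=(?P<tls>\S+))? '
    r'A=(?P<authenticator>\w+):(?P<authuser>\S+) S=\d+(?: T="(?P<subject>.*?)")? '
    r'for (?P<rcpt>.+)$'
)


def parse_dovecot_login(line):
    m = DOVECOT_LOGIN.search(line)
    return m.groupdict() if m else None


def is_service_probe(login):
    """True for cPanel's self-check: synthetic user name on a loopback connection."""
    return login["user"].startswith(SERVICE_USER_PREFIX) and login["rip"] in LOCAL_IPS


def remote_logins(lines):
    """{(user, protocol): Counter(remote ip)} for logins that came from outside the box."""
    out = defaultdict(Counter)
    for line in lines:
        login = parse_dovecot_login(line)
        if login is None or is_service_probe(login) or login["rip"] in LOCAL_IPS:
            continue
        out[(login["user"], login["proto"])][login["rip"]] += 1
    return out


def parse_exim_arrival(line):
    m = EXIM_ARRIVAL.match(line)
    return m.groupdict() if m else None


def authenticated_submissions(lines):
    """{(auth user, hour): {count, ips, subjects}} for SMTP AUTH submissions."""
    stats = defaultdict(lambda: {"count": 0, "ips": Counter(), "subjects": Counter()})
    for line in lines:
        msg = parse_exim_arrival(line)
        if msg is None:
            continue
        entry = stats[(msg["authuser"], msg["hour"])]
        entry["count"] += 1
        entry["ips"][msg["ip"]] += 1
        if msg["subject"]:
            entry["subjects"][msg["subject"]] += 1
    return stats


def suspicious_users(lines, max_per_hour=20, max_ips=2):
    """Users whose hourly SMTP AUTH volume, IP spread or subject repetition looks like
    a stolen credential. Thresholds are assumptions, not cPanel defaults."""
    flagged = []
    for (user, hour), s in sorted(authenticated_submissions(lines).items()):
        reasons = []
        if s["count"] > max_per_hour:
            reasons.append(f"{s['count']} authenticated messages in hour {hour}")
        if len(s["ips"]) > max_ips:
            reasons.append(f"submitted from {len(s['ips'])} distinct IPs")
        if s["subjects"]:
            subject, n = s["subjects"].most_common(1)[0]
            if n >= 3 and n == s["count"]:
                reasons.append(f"every message has subject {subject!r}")
        if reasons:
            flagged.append((user, hour, reasons))
    return flagged


# --- constructed sample input (TEST-NET addresses, made-up users) ---
SAMPLE_DOVECOT = [
    "Feb  5 06:29:15 cp dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__zq8gb>, "
    "method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured",
    "Feb  5 07:02:41 cp dovecot: pop3-login: Login: user=<victim@example.com>, "
    "method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS",
    "Feb  5 07:30:01 cp dovecot: imap-login: Login: user=<victim@example.com>, "
    "method=PLAIN, rip=198.51.100.77, lip=192.0.2.10, TLS",
    "Feb  5 07:31:09 cp dovecot: imap-login: Login: user=<victim@example.com>, "
    "method=PLAIN, rip=198.51.100.78, lip=192.0.2.10, TLS",
]


def _exim_line(minute, ip, user, subject, rcpt):
    return (f"2013-02-19 07:{minute:02d}:02 1U7oCo-00{minute:03d}A-IA <= {user} "
            f"H=s01060011953ff72a.vs.example.net (WKST-03) [{ip}]:60103 P=esmtpsa "
            f'X=TLSv1:RC4-MD5:128 A=dovecot_login:{user} S=730 T="{subject}" for {rcpt}')


SAMPLE_EXIM = [_exim_line(m, "198.51.100.77", "victim@example.com", "Fwd: Photos",
                          f"target{m}@example.org") for m in range(25)]
SAMPLE_EXIM.append(_exim_line(45, "203.0.113.5", "owner@example.com", "Re: invoice",
                              "client@example.org"))


def main(argv):
    # Usage: script.py /var/log/maillog /var/log/exim_mainlog (falls back to the samples)
    if len(argv) == 3:
        with open(argv[1], errors="replace") as f:
            dovecot = f.read().splitlines()
        with open(argv[2], errors="replace") as f:
            exim = f.read().splitlines()
    else:
        dovecot, exim = SAMPLE_DOVECOT, SAMPLE_EXIM
    for (user, proto), ips in sorted(remote_logins(dovecot).items()):
        print(f"{proto:5} {user}: {dict(ips)}")
    for user, hour, reasons in suspicious_users(exim):
        print(f"SUSPECT {user} @ {hour}: " + "; ".join(reasons))


if __name__ == "__main__":
    main(sys.argv)
```

The point of keying on the exim `A=` field is that it settles the "how are they getting in" question: `P=esmtpsa` together with `A=dovecot_login:<address>` means the message was accepted over SMTP AUTH with that mailbox's password from the `[ip]` shown, not injected by a web script on the server. Seeing that same address log in over IMAP from outside IPs, when the owner only ever uses POP3, is the corroborating signal the dovecot side gives.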

quietFinn

Is this the client's fault? Should i just kick them off my server? I'd hate to blame the client if it wasn't them but I can't figure out how else the spammers are getting access.
If that was our customer I'd limit their SMTP use.
I don't know how to disable SMTP for one user/domain, but it's easy to set a limit in:
/var/cpanel/users/CPANELUSERNAME

set:
MAX_EMAIL_PER_HOUR=1

and run
/usr/local/cpanel/scripts/updateuserdomains

Evolve

I have set that through WHM under "Modify Account" by changing the "Maximum Hourly Email by Domain Relayed" setting for that user.

There is also a setting called "Maximum percentage of failed or deferred messages a domain may send per hour" that seems to have had a good effect by stopping the user from sending after a couple of failed messages.

Evolve

Uh... I see you have duplicated what someone else said, yet you didn't seem to read the response I gave that person.

I don't see an option to edit my first post. Please read post #6