Spam being sent via IMAP AUTHRELAY

Discussion in 'E-mail Discussions' started by Evolve, Feb 5, 2013.

  1. Evolve

    Evolve Well-Known Member

    Joined:
    Jan 31, 2007
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    This is the second time I've encountered this from the same user...

    One of their email addresses is sending out spam emails that have the subject line "Fwd: Photos"...
    I am alerted of this because I get an LFD AUTHRELAY reporting:
    Count: 101 emails relayed

    The last time I noticed this was happening I changed their email's password and told them to run antivirus on their computer because I assumed someone must have gotten their password... I'm not sure if they followed my instruction. The spammers were successfully being blocked trying to log into their account via LFD's smtp blocking and everything seemed fine for a couple of weeks. The password I changed it to wasn't the strongest but it did include upper and lower characters and digits and LFD was successfully blocking IPs after 1 failed attempt so someone must be hacking their system to get the password right?? I can't imagine they guessed it in 100 or so attempts over that time.

    Anyways it all started happening again today.
    My maillog says the following when the spammers log in to send spam:
    Code:
    Feb  5 06:29:15 cp dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__zq8gb_hztfrlrd0og37icroblnh7o7qacaztwl...etc.>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
    Feb  5 06:29:16 cp dovecot: IMAP(__cpanel__service__auth__imap__zq8gb_hztfrlrd0og37icroblnh7o7qacaztw....etc.): Disconnected: Logged out bytes=11/313
    Normally the user is a regular email address but when the spammers log in it looks like "__cpanel__service__auth__imap__zq8gb_hztfrl". Is this normal?

    The client is only using POP3 and the spammers are using IMAP.

    Any suggestions on what I can do to fix this situation? I'm going to drop their relay rate down to something like 20 and give them a long complicated password and scold them into running anti-virus on their system...

    If that doesn't work I'll have to get them to host their email or entire website elsewhere.

    Thanks
     
    #1 Evolve, Feb 5, 2013
    Last edited: Feb 5, 2013
  2. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Quite strange.

    Have you reviewed the Mailserver Configuration in WHM:

    Can you disable this:

    Allow Plaintext Authentication (from remote clients)

    This setting will allow remote email clients to authenticate using unencrypted connections. When set to 'no' only connections originating on the local server will be allowed to authenticate without encryption. Setting this to 'no' is preferable to disabling IMAP in the 'Protocols Enabled' section since it will force remote users to use encryption while still allowing webmail to function correctly.
     
  3. Evolve

    Evolve Well-Known Member

    Joined:
    Jan 31, 2007
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Hmm, I do like the sound of that setting but I should probably alert all email users on all accounts that I would be flicking that switch before I do it.

    Does the "secured" part on the end of the login mean that it was actually encrypted? Does secured = encrypted?

    I've given them a much more complicated password and they've assured me that they will get the computer "looked at". I'll let you know if I have another occurrence.

    In the meantime I'll have to figure out how to send an email to all of the email accounts for all of my clients on my server.
     
  4. Evolve

    Evolve Well-Known Member

    Joined:
    Jan 31, 2007
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    It happened again today. I gave my client a very strong password and they said they had their "guy" turn their anti virus on again a few days prior.

    There have been daily attempts to log into the email account that are blocked by lfd after one failed smtpauth failure. Perhaps these are just zombies trying to use the last known password?

    Is this the client's fault? Should I just kick them off my server? I'd hate to blame the client if it wasn't them but I can't figure out how else the spammers are getting access.
     
  5. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    In your 1st post you have a wrong line of the logs, this "cpanel__service__auth__imap__...etc..." is cPanel checking that IMAP is alive.
    It also states "rip=127.0.0.1, lip=127.0.0.1", rip = remote IP and lip = local IP, so it's a local connection.
     
  6. Evolve

    Evolve Well-Known Member

    Joined:
    Jan 31, 2007
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    This is a sample from my exim_mainlog
    Code:
    2013-02-19 07:30:01 SMTP connection from [bad.guy.ip.here]:60103 (TCP/IP connection count = 1)
    2013-02-19 07:30:02 H=s01060011953ff72a.vs.badguydomain.net (WKST-03) [bad.guy.ip.here]:60103 Warning: Sender rate 1.0 / 1h
    2013-02-19 07:30:02 1U7oCo-00035A-IA <= info@domain.com H=s01060011953ff72a.vs.badguydomain.net (WKST-03) [bad.guy.ip.here]:60103 P=esmtpsa X=TLSv1:RC4-MD5:128 A=dovecot_login:info@domain.com S=730 T="Re: Your Photos" for swgraphi@spamdestination.com
    2013-02-19 07:30:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1U7oCo-00035A-IA
     
    #6 Evolve, Feb 19, 2013
    Last edited: Feb 19, 2013
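    As an added example (not code from the thread or from cPanel), this Python script applies the two observations above: it ignores Dovecot's local `__cpanel__service__auth__` probe lines that post #5 explains, and scans exim_mainlog for the `A=dovecot_login:` submissions shown in post #6, flagging a mailbox that exceeds an hourly cap or authenticates from more than one IP in an hour. All log lines, hostnames, message ids and IPs are constructed samples.

```python
import re
from collections import defaultdict

# Exim "<=" (message accepted) line whose sender authenticated via Dovecot (A=dovecot_*).
EXIM_RE = re.compile(
    r'^(?P<hour>\d{4}-\d\d-\d\d \d\d):\d\d:\d\d \S+ <= \S+ '
    r'H=.*?\[(?P<ip>[^\]]+)\]:\d+ .*?A=dovecot_\w+:(?P<auth>\S+)')
# Dovecot login line as written by imap-login / pop3-login (rip = remote IP, lip = local IP).
DOVECOT_RE = re.compile(
    r'dovecot: (?:imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, '
    r'method=\w+, rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)')

# Constructed sample lines (not taken from the thread); hostnames and IPs are documentation values.
SAMPLE_DOVECOT = [
    'Feb  5 06:29:15 cp dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__zq8gb>, '
    'method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured',
    'Feb  5 06:29:20 cp dovecot: pop3-login: Login: user=<info@domain.com>, '
    'method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS',
]
EXIM_TMPL = ('2013-02-19 07:{m:02d}:00 1U7o{n}-00000{n}-AA <= {u} H=host.example.net (WKST-03) [{ip}]:60103 '
             'P=esmtpsa X=TLSv1:RC4-MD5:128 A=dovecot_login:{u} S=730 T="Fwd: Photos" for x@example.org')
SAMPLE_EXIM = [
    EXIM_TMPL.format(m=30, n=1, u='info@domain.com', ip='198.51.100.7'),
    EXIM_TMPL.format(m=31, n=2, u='info@domain.com', ip='203.0.113.9'),
    EXIM_TMPL.format(m=32, n=3, u='info@domain.com', ip='198.51.100.7'),
    EXIM_TMPL.format(m=40, n=4, u='sales@domain.com', ip='192.0.2.44'),
]

def is_cpanel_service_check(line):
    """cPanel's own IMAP liveness probe (post #5): __cpanel__service__auth__ user from 127.0.0.1."""
    m = DOVECOT_RE.search(line)
    return bool(m and m['user'].startswith('__cpanel__service__auth__') and m['rip'] == '127.0.0.1')

def authenticated_submissions(lines):
    """Yield (hour, authenticated mailbox, remote IP) per accepted authenticated message."""
    for line in lines:
        m = EXIM_RE.search(line)
        if m:
            yield m['hour'], m['auth'], m['ip']

def suspicious_mailboxes(lines, max_per_hour=20, max_ips=1):
    """Mailboxes exceeding max_per_hour messages or max_ips distinct IPs in any one hour."""
    buckets = defaultdict(lambda: [0, set()])  # (mailbox, hour) -> [count, ips]
    for hour, auth, ip in authenticated_submissions(lines):
        b = buckets[(auth, hour)]
        b[0] += 1
        b[1].add(ip)
    return sorted({auth for (auth, _), (n, ips) in buckets.items()
                   if n > max_per_hour or len(ips) > max_ips})
```

    A POP3-only customer submitting mail from two IPs in the same hour is the signal the thread was missing; the hourly cap mirrors the relay limit discussed later in the thread.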
  7. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    If that was our customer I'd limit their SMTP use.
    I don't know how to disable SMTP for one user/domain, but it's easy to set a limit in:
    /var/cpanel/users/CPANELUSERNAME

    set:
    MAX_EMAIL_PER_HOUR=1

    and run
    /usr/local/cpanel/scripts/updateuserdomains
     
  8. Evolve

    Evolve Well-Known Member

    Joined:
    Jan 31, 2007
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    I have set that through WHM under "Modify Account" by changing the "Maximum Hourly Email by Domain Relayed" setting for that user.

    There is also a setting called "Maximum percentage of failed or deferred messages a domain may send per hour" that seems to have had a good effect by stopping the user from sending after a couple of failed messages.
     
  9. Evolve

    Evolve Well-Known Member

    Joined:
    Jan 31, 2007
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Uh.. I see you have duplicated what someone else said yet you didn't seem to read the response I gave that person.

    I don't see an option to edit my first post. Please read post #6
     