Jr Sarath

Member
Oct 13, 2017
18
1
3
India
cPanel Access Level
Root Administrator
Hi there,
i got something strange,
I'm kinda new at this
so i got a huge spam report sending by our own server to our own email

I looked into some logs , used to
tail -f /var/log/exim_mainlog | grep "cwd"
identify mail sending script it says

cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc

is sending those all spams
so kindly help please
 

SysSachin

Well-Known Member
Aug 23, 2015
604
48
28
India
cPanel Access Level
Root Administrator
Twitter
Can you please tell me the output for this command

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
 

Jr Sarath

Member
Oct 13, 2017
18
1
3
India
cPanel Access Level
Root Administrator
Here it is the output

+++++++++++++++++++++++++++++++++++++

1 /home/allierph/public_html
1 /home/breakinw/public_html
1 /home/teamspot/public_html
1 /root
2 /home/dmydesig/public_html
2 /home/mahporta
2 /home/scottde1/public_html
4
9 /home/penjaske
15 /usr/local/cpanel/whostmgr/docroot
34 /home/psgarmen
53 /home/bozurgco
64 /home/sbytpost/public_html
108 /home/bdiltour
174 /etc/csf

++++++++++++++++++++++++++++++++++++++
 

Jr Sarath

Member
Oct 13, 2017
18
1
3
India
cPanel Access Level
Root Administrator
What does this mean exactly, can you be more specific please?
here is sample email
Code:
=======================================================

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from yellow.domain.us
by yellow.domain.us with LMTP id gCs5ORvVC1r+EgAAt+PjBg
for <[email protected]>; Wed, 15 Nov 2017 11:18:11 +0530
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 15 Nov 2017 11:18:11 +0530
Received: from [117.63.76.121] (port=58690 helo=pcloud.com)
by yellow.domain.us with smtp (Exim 4.89)
(envelope-from <[email protected]>)
id 1eEqYI-0001CQ-LC
for [email protected]; Wed, 15 Nov 2017 11:18:07 +0530
Received: from pcloud.com (unknown (251.253.138.244])
by pcloud.com with SMTP id c6186503-f821-4c97-bdf5-47bd96938f3f;
for <[email protected]>;Wed, 15 Nov 2017 13:46:46 +08:00
Message-ID: <[email protected]>
From: "=?utf-8?B?6Z+p5a2Q?=" <[email protected]>
To: <[email protected]>
Date: Wed, 15 Nov 2017 13:46:46 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="9e8abb380d27d759f03d13c200026040"
Disposition-Notification-To: [email protected]
X-Spam-Status: Yes, score=12.2
X-Spam-Score: 122
X-Spam-Bar: ++++++++++++
X-Spam-Report: Spam detection software, running on the system "yellow.intersite.us",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.

Content preview: zc≮澳門新葡京116498點com|註冊å³é€38åŠå·¥è³‡ï½œé‡¦é‡¦ï¼š778741365
|å…ç›’49å‚™? zc≮澳門新葡京116498點com|註冊å³é€38åŠå·¥è³‡ï½œé‡¦é‡¦ï¼š778741365
|å…ç›’49å‚™? [...]

Content analysis details: (12.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
digit (2871032039[at]qq.com)
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(2871032039[at]qq.com)
4.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
[SPF failed: Please see SPF: Why]
4.0 SPF_FAIL SPF: sender does not match SPF record (fail)
[SPF failed: Please see SPF: Why]
0.0 HTML_MESSAGE BODY: HTML included in message
2.0 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
X-Spam-Flag: YES
Subject: ***SPAM*** =?utf-8?B?YeW9leWPlumAmuefpeS5puOAjua+s+mWgOaWsOiRoeS6rOacnw==?=
=?utf-8?B?5b6F5oKo55qE5Yqg5YWlLemHpumHpu+8mjc3ODY4NDE2MiAt6Ki75YaK?=
=?utf-8?B?6YCBMzgt5YWt55uSNDktMTE2NDk46bueY29t44CP54+g6IGU55Kn5ZCI?=

This is a multi-part message in MIME format.

--9e8abb380d27d759f03d13c200026040
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable

zc=E2=89=AE=E6=BE=B3=E9=96=80=E6=96=B0=E8=91=A1=E4=BA=AC116498=E9=BB=9Ecom=
=EF=BD=9C=E8=A8=BB=E5=86=8A=E5=8D=B3=E9=80=8138=E5=8F=8A=E5=B7=A5=E8=B3=87=
=EF=BD=9C=E9=87=A6=E9=87=A6=EF=BC=9A778741365 =
=EF=BD=9C=E5=85=AD=E7=9B=9249=E5=82=99?

--9e8abb380d27d759f03d13c200026040
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable

zc=E2=89=AE=E6=BE=B3=E9=96=80=E6=96=B0=E8=91=A1=E4=BA=AC116498=E9=BB=9Ecom=
=EF=BD=9C=E8=A8=BB=E5=86=8A=E5=8D=B3=E9=80=8138=E5=8F=8A=E5=B7=A5=E8=B3=87=
=EF=BD=9C=E9=87=A6=E9=87=A6=EF=BC=9A778741365 =
=EF=BD=9C=E5=85=AD=E7=9B=9249=E5=82=99?

--9e8abb380d27d759f03d13c200026040--

===================================================================
We are getting tons of emails like this
 
Last edited by a moderator:

rpvw

Well-Known Member
Jul 18, 2013
1,101
458
113
UK
cPanel Access Level
Root Administrator
Looks to me that these mails are from qq.com (search for qq.com spam in your favourite search engine)

If you have any evidence that one or more of your (or your customer) email accounts is sending these mails, you should take steps to immediately change the cPanel/FTP/eMail/root/reseller....etc etc account passwords as appropriate and treat the incident as if your server has been compromised.

If you have any evidence that a script on your server is responsible for sending these emails, you will probably need to engage an experienced server security administrator to help track it down and secure the server if at all possible.

Also see these two SPF rejection reports:
SPF: Why

SPF: Why

You may also find some useful tips and advice from Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation
 
Last edited: