Jr Sarath

Hi there,
I got something strange. I'm kinda new at this.
I got a huge spam report sent by our own server to our own email.

I looked into some logs and used
tail -f /var/log/exim_mainlog | grep "cwd"
to identify the mail-sending script. It says

cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc

is sending all those spams,
so kindly help please.
 

SysSachin

Can you please tell me the output of this command:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
 

Jr Sarath

Here is the output:

+++++++++++++++++++++++++++++++++++++

1 /home/allierph/public_html
1 /home/breakinw/public_html
1 /home/teamspot/public_html
1 /root
2 /home/dmydesig/public_html
2 /home/mahporta
2 /home/scottde1/public_html
4
9 /home/penjaske
15 /usr/local/cpanel/whostmgr/docroot
34 /home/psgarmen
53 /home/bozurgco
64 /home/sbytpost/public_html
108 /home/bdiltour
174 /etc/csf

++++++++++++++++++++++++++++++++++++++
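SysSachin's one-liner counts, per working directory, how many messages were handed to Exim, and skips /var/spool because the `cwd=/var/spool/exim ... exim -Mc` lines from the first post are Exim's own queue runner delivering mail that was already queued. The Python below does the same over a few constructed exim_mainlog lines so the listing above can be read against it; it is an added example, not code from the thread, and the log lines, paths and message ids are constructed.

```python
"""Count the working directory Exim logged (cwd=) for each message handed
to it, like the grep/awk pipeline above. Constructed sample log, not the
poster's real exim_mainlog."""
import re
from collections import Counter

SAMPLE_LOG = """\
2017-11-15 11:18:07 cwd=/home/bdiltour 3 args: /usr/sbin/sendmail -t -i
2017-11-15 11:18:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eEqYI-0001CQ-LC
2017-11-15 11:18:08 cwd=/home/bdiltour 3 args: /usr/sbin/sendmail -t -i
2017-11-15 11:18:09 cwd=/etc/csf 4 args: /usr/sbin/sendmail -t -oi root
2017-11-15 11:18:10 cwd=/home/sbytpost/public_html 3 args: /usr/sbin/sendmail -t -i
2017-11-15 11:18:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eEqYJ-0001CR-AB
2017-11-15 11:18:12 cwd=/home/bdiltour 3 args: /usr/sbin/sendmail -t -i
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")

def count_cwd(log_text, skip_prefix="/var/spool"):
    """Return {cwd: count}. Lines with cwd=/var/spool/exim and 'exim -Mc'
    are Exim's own queue runner delivering already-queued mail, so they
    say nothing about which script submitted the message and are skipped
    (the pipeline's 'grep -v /var/spool')."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith(skip_prefix):
            counts[m.group(1)] += 1
    return dict(counts)

def top_senders(log_text, n=3):
    """Busiest submitting directories first (the pipeline's sort|uniq -c|sort -n
    read bottom-up). A user's home or public_html at the top is where to look
    for a mailing script; /etc/csf is typically CSF/LFD's own alert mail."""
    return sorted(count_cwd(log_text).items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    for cwd, n in top_senders(SAMPLE_LOG):
        print(f"{n:4d} {cwd}")
```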
 

Jr Sarath

What does this mean exactly? Can you be more specific, please?
Here is a sample email:
Code:
=======================================================

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from yellow.domain.us
by yellow.domain.us with LMTP id gCs5ORvVC1r+EgAAt+PjBg
for <[email protected]>; Wed, 15 Nov 2017 11:18:11 +0530
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 15 Nov 2017 11:18:11 +0530
Received: from [117.63.76.121] (port=58690 helo=pcloud.com)
by yellow.domain.us with smtp (Exim 4.89)
(envelope-from <[email protected]>)
id 1eEqYI-0001CQ-LC
for [email protected]; Wed, 15 Nov 2017 11:18:07 +0530
Received: from pcloud.com (unknown (251.253.138.244])
by pcloud.com with SMTP id c6186503-f821-4c97-bdf5-47bd96938f3f;
for <[email protected]>;Wed, 15 Nov 2017 13:46:46 +08:00
Message-ID: <[email protected]>
From: "=?utf-8?B?6Z+p5a2Q?=" <[email protected]>
To: <[email protected]>
Date: Wed, 15 Nov 2017 13:46:46 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="9e8abb380d27d759f03d13c200026040"
Disposition-Notification-To: [email protected]
X-Spam-Status: Yes, score=12.2
X-Spam-Score: 122
X-Spam-Bar: ++++++++++++
X-Spam-Report: Spam detection software, running on the system "yellow.intersite.us",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.

Content preview: zc≮澳門新葡京116498點com｜註冊即送38及工資｜釦釦：778741365
｜六盒49備? zc≮澳門新葡京116498點com｜註冊即送38及工資｜釦釦：778741365
｜六盒49備? [...]

Content analysis details: (12.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
digit (2871032039[at]qq.com)
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(2871032039[at]qq.com)
4.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
[SPF failed: Please see SPF: Why]
4.0 SPF_FAIL SPF: sender does not match SPF record (fail)
[SPF failed: Please see SPF: Why]
0.0 HTML_MESSAGE BODY: HTML included in message
2.0 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
X-Spam-Flag: YES
Subject: ***SPAM*** =?utf-8?B?YeW9leWPlumAmuefpeS5puOAjua+s+mWgOaWsOiRoeS6rOacnw==?=
=?utf-8?B?5b6F5oKo55qE5Yqg5YWlLemHpumHpu+8mjc3ODY4NDE2MiAt6Ki75YaK?=
=?utf-8?B?6YCBMzgt5YWt55uSNDktMTE2NDk46bueY29t44CP54+g6IGU55Kn5ZCI?=

This is a multi-part message in MIME format.

--9e8abb380d27d759f03d13c200026040
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable

zc=E2=89=AE=E6=BE=B3=E9=96=80=E6=96=B0=E8=91=A1=E4=BA=AC116498=E9=BB=9Ecom=
=EF=BD=9C=E8=A8=BB=E5=86=8A=E5=8D=B3=E9=80=8138=E5=8F=8A=E5=B7=A5=E8=B3=87=
=EF=BD=9C=E9=87=A6=E9=87=A6=EF=BC=9A778741365 =
=EF=BD=9C=E5=85=AD=E7=9B=9249=E5=82=99?

--9e8abb380d27d759f03d13c200026040
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable

zc=E2=89=AE=E6=BE=B3=E9=96=80=E6=96=B0=E8=91=A1=E4=BA=AC116498=E9=BB=9Ecom=
=EF=BD=9C=E8=A8=BB=E5=86=8A=E5=8D=B3=E9=80=8138=E5=8F=8A=E5=B7=A5=E8=B3=87=
=EF=BD=9C=E9=87=A6=E9=87=A6=EF=BC=9A778741365 =
=EF=BD=9C=E5=85=AD=E7=9B=9249=E5=82=99?

--9e8abb380d27d759f03d13c200026040--

===================================================================
We are getting tons of emails like this.
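The headers posted above show the message entering yellow.domain.us over SMTP from a remote address (117.63.76.121, HELO pcloud.com) and then being delivered by LMTP to a local mailbox, which is inbound spam rather than mail that a script on the server handed to Exim. The Python below walks the Received: chain to make that distinction; it is an added example, not code from the thread, built on a shortened, constructed copy of those headers with addresses replaced, and it assumes yellow.domain.us is the receiving host.

```python
"""Find the hop at which a message entered this server: a remote IP over
SMTP means inbound mail; Exim's 'with local' means a local script or user
submitted it. Headers are a constructed, shortened copy of the sample above."""
import email
import re

LOCAL_HOST = "yellow.domain.us"  # assumption: our own cPanel host name

SAMPLE_MSG = """\
Received: from yellow.domain.us
\tby yellow.domain.us with LMTP id gCs5ORvVC1r+EgAAt+PjBg
\tfor <user@yellow.domain.us>; Wed, 15 Nov 2017 11:18:11 +0530
Received: from [117.63.76.121] (port=58690 helo=pcloud.com)
\tby yellow.domain.us with smtp (Exim 4.89) id 1eEqYI-0001CQ-LC
\tfor user@yellow.domain.us; Wed, 15 Nov 2017 11:18:07 +0530
Received: from pcloud.com (unknown (251.253.138.244])
\tby pcloud.com with SMTP id c6186503-f821-4c97-bdf5-47bd96938f3f;
\tfor <user@yellow.domain.us>;Wed, 15 Nov 2017 13:46:46 +08:00

body
"""

HOP_RE = re.compile(r"from (?P<frm>\S+)(?P<rest>.*?) by (?P<by>\S+)(?: with (?P<proto>\S+))?")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """from/by/protocol and any IPv4 literal from one (folded) Received: header."""
    text = re.sub(r"\s+", " ", value).strip()
    m = HOP_RE.match(text)
    if not m:
        return None
    ip = IPV4_RE.search(m["frm"] + m["rest"])
    return {"from": m["frm"], "by": m["by"], "proto": (m["proto"] or "").lower(), "ip": ip.group(1) if ip else None}

def entry_hop(raw_message, local_host=LOCAL_HOST):
    """Oldest hop (bottom of the chain) upward, first one stamped *by* our host;
    hops stamped by other hosts were written elsewhere and cannot be trusted."""
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    return next((h for h in reversed(hops) if h["by"].lower() == local_host.lower()), None)

def classify(raw_message, local_host=LOCAL_HOST):
    """'inbound' (remote IP over SMTP), 'local-script' (Exim 'with local') or 'unknown'."""
    hop = entry_hop(raw_message, local_host)
    if hop and hop["ip"] and "smtp" in hop["proto"]:
        return "inbound"
    if hop and hop["proto"] == "local":
        return "local-script"
    return "unknown"
```

Run `classify(open("message.eml").read())` on a saved copy of one of the spam messages; a script-sent message submitted through /usr/sbin/sendmail shows `with local` in its first hop instead of a remote address.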
 

rpvw

It looks to me like these mails are from qq.com (search for "qq.com spam" in your favourite search engine).

If you have any evidence that one or more of your (or your customers') email accounts is sending these mails, you should take steps to immediately change the cPanel/FTP/email/root/reseller etc. account passwords as appropriate and treat the incident as if your server has been compromised.

If you have any evidence that a script on your server is responsible for sending these emails, you will probably need to engage an experienced server security administrator to help track it down and secure the server if at all possible.

Also see these two SPF rejection reports:
SPF: Why

SPF: Why

You may also find some useful tips and advice in "Why can't I clean a hacked machine" (cPanel Knowledge Base, cPanel Documentation).
 