The Community Forums

Spam coming from server

Discussion in 'E-mail Discussions' started by Jr Sarath, Nov 15, 2017.

  1. Jr Sarath, Member
    Hi there,
    I got something strange.
    I'm kinda new at this,
    so I got a huge spam report: spam sent by our own server to our own email.

    I looked into some logs and used
    Code:
    tail -f /var/log/exim_mainlog | grep "cwd"
    to identify the mail-sending script; it says

    Code:
    cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc

    is sending all those spams,
    so kindly help please.
     
  2. SysSachin, Well-Known Member
    Can you please tell me the output of this command:

    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
     
  3. Jr Sarath, Member
    Here is the output:

    Code:
          1 /home/allierph/public_html
          1 /home/breakinw/public_html
          1 /home/teamspot/public_html
          1 /root
          2 /home/dmydesig/public_html
          2 /home/mahporta
          2 /home/scottde1/public_html
          4
          9 /home/penjaske
         15 /usr/local/cpanel/whostmgr/docroot
         34 /home/psgarmen
         53 /home/bozurgco
         64 /home/sbytpost/public_html
        108 /home/bdiltour
        174 /etc/csf
     
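An added example, not code from the thread or from cPanel: the Python below does what the grep/awk pipeline in post #2 does over a handful of constructed exim_mainlog lines, and goes a step further. It separates Exim re-invoking itself (`/usr/sbin/exim -Mc <id>` is how the daemon starts a delivery process for an already-queued message, which is what a `cwd=/var/spool/exim` line records, and why the pipeline above filters `/var/spool` out) from genuine local submissions, and it also tallies arrivals carrying an `A=dovecot_login:...` tag, i.e. mail submitted over SMTP AUTH, which points at a mailbox password rather than a script. The log lines, hostnames and accounts are made up; the line shapes follow Exim's `+arguments` log selector and its `<=` arrival lines as cPanel configures them.

```python
import re
import sys
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines (not taken from the thread).
# cwd/args lines come from Exim's "+arguments" log selector; "<=" lines are the
# matching message arrivals. Hostnames, users and addresses are invented.
SAMPLE_LOG = """\
2017-11-15 11:18:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eEqYI-0001CQ-LC
2017-11-15 11:18:07 1eEqYI-0001CQ-LC => contact <contact@example.com> R=virtual_user T=dovecot_virtual_delivery
2017-11-15 11:18:09 cwd=/home/bdiltour 3 args: /usr/sbin/sendmail -t -i
2017-11-15 11:18:09 1eEqYJ-0001CR-AB <= bdiltour@yellow.example.net U=bdiltour P=local S=2310 T="cheap pills" for victim1@example.org
2017-11-15 11:18:10 cwd=/home/bdiltour 3 args: /usr/sbin/sendmail -t -i
2017-11-15 11:18:10 1eEqYK-0001CS-CD <= bdiltour@yellow.example.net U=bdiltour P=local S=2310 T="cheap pills" for victim2@example.org
2017-11-15 11:18:12 cwd=/etc/csf 3 args: /usr/sbin/sendmail -t
2017-11-15 11:18:12 1eEqYL-0001CT-EF <= root@yellow.example.net U=root P=local S=980 T="lfd on yellow.example.net: blocked 203.0.113.77" for root@example.org
2017-11-15 11:18:15 1eEqYM-0001CU-GH <= sales@example.com H=(WIN-PC) [198.51.100.9]:51000 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=dovecot_login:sales@example.com S=4120 T="Invoice" for victim3@example.org
2017-11-15 11:18:16 1eEqYN-0001CV-IJ <= sales@example.com H=(WIN-PC) [198.51.100.9]:51001 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=dovecot_login:sales@example.com S=4120 T="Invoice" for victim4@example.org
2017-11-15 11:18:20 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eEqYM-0001CU-GH
"""

CWD_RE = re.compile(r"\bcwd=(\S*) \d+ args: (.+)$")
ARRIVAL_RE = re.compile(r"^\S+ \S+ \S+ <= \S+(?P<rest>.*)$")
AUTH_RE = re.compile(r"\bA=(\S+)")


def exim_internal(args):
    """True when the logged command is Exim re-invoking itself (delivery process or
    queue runner). Such lines describe delivery, never the origin of a message."""
    argv = args.split()
    return argv[0].endswith("/exim") and any(a.startswith(("-Mc", "-q")) for a in argv[1:])


def triage(log_text):
    """Return (script_cwds, internal, auth_senders):
    script_cwds  - Counter of working directories of local sendmail callers
    internal     - number of exim -Mc / -q invocations that were skipped
    auth_senders - Counter of SMTP AUTH logins that submitted mail"""
    script_cwds = Counter()
    internal = 0
    auth_senders = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m:
            cwd, args = m.groups()
            if exim_internal(args):
                internal += 1
            else:
                script_cwds[cwd or "(empty cwd)"] += 1
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            a = AUTH_RE.search(m.group("rest"))
            if a:
                # A=dovecot_login:user@domain -> keep only the login name
                auth_senders[a.group(1).split(":", 1)[-1]] += 1
    return script_cwds, internal, auth_senders


def report(log_text):
    """Human-readable summary in the same 'count path' shape as uniq -c | sort -n."""
    script_cwds, internal, auth_senders = triage(log_text)
    lines = [f"Exim delivery/queue-runner invocations ignored: {internal}",
             "Local submissions by working directory (scripts calling sendmail):"]
    lines += [f"{n:7d} {cwd}" for cwd, n in sorted(script_cwds.items(), key=lambda kv: kv[1])]
    lines.append("Submissions by SMTP AUTH login (check these mailboxes for stolen passwords):")
    lines += [f"{n:7d} {user}" for user, n in sorted(auth_senders.items(), key=lambda kv: kv[1])]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 exim_triage.py /var/log/exim_mainlog   (no argument: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

On a real server the directory with the highest count is where to look next (its scripts, their modification times, and the `U=`/`P=local` arrival lines that follow each cwd line), while a high count under an authenticated login is the case rpvw describes below: change that mailbox's password first. Daemons that legitimately send a lot of mail, such as an alerting daemon running out of its own configuration directory, will also show up here, so a high count on its own is not proof of abuse.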
  4. Infopro, cPanel Sr. Product Evangelist, Staff Member
    What does this mean exactly, can you be more specific please?
     
  5. Jr Sarath, Member
    Here is a sample email:
    Code:
    
    =======================================================
    
    Return-Path: <2871032039@qq.com>
    Delivered-To: contact+Junk@example.com
    Received: from yellow.domain.us
    by yellow.domain.us with LMTP id gCs5ORvVC1r+EgAAt+PjBg
    for <contact+Junk@example.com>; Wed, 15 Nov 2017 11:18:11 +0530
    Return-path: <2871032039@qq.com>
    Envelope-to: contact@example.com
    Delivery-date: Wed, 15 Nov 2017 11:18:11 +0530
    Received: from [117.63.76.121] (port=58690 helo=pcloud.com)
    by yellow.domain.us with smtp (Exim 4.89)
    (envelope-from <2871032039@qq.com>)
    id 1eEqYI-0001CQ-LC
    for contact@example.com; Wed, 15 Nov 2017 11:18:07 +0530
    Received: from pcloud.com (unknown (251.253.138.244])
    by pcloud.com with SMTP id c6186503-f821-4c97-bdf5-47bd96938f3f;
    for <2871032039@qq.com>;Wed, 15 Nov 2017 13:46:46 +08:00
    Message-ID: <cb735d239e31012360f31c70150d0725@qq.com>
    From: "=?utf-8?B?6Z+p5a2Q?=" <2871032039@qq.com>
    To: <contact@example.com>
    Date: Wed, 15 Nov 2017 13:46:46 +0800
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="9e8abb380d27d759f03d13c200026040"
    Disposition-Notification-To: 2871032039@qq.com
    X-Spam-Status: Yes, score=12.2
    X-Spam-Score: 122
    X-Spam-Bar: ++++++++++++
    X-Spam-Report: Spam detection software, running on the system "yellow.intersite.us",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.
    
    Content preview: zc≮澳門新葡京116498點com｜註冊即送38及工資｜釦釦：778741365
    ｜六盒49備? zc≮澳門新葡京116498點com｜註冊即送38及工資｜釦釦：778741365
    ｜六盒49備? [...]
    
    Content analysis details: (12.2 points, 5.0 required)
    
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
    digit (2871032039[at]qq.com)
    0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
    (2871032039[at]qq.com)
    4.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
    [SPF failed: Please see SPF: Why]
    4.0 SPF_FAIL SPF: sender does not match SPF record (fail)
    [SPF failed: Please see SPF: Why]
    0.0 HTML_MESSAGE BODY: HTML included in message
    2.0 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
    2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
    0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
    X-Spam-Flag: YES
    Subject: ***SPAM*** =?utf-8?B?YeW9leWPlumAmuefpeS5puOAjua+s+mWgOaWsOiRoeS6rOacnw==?=
    =?utf-8?B?5b6F5oKo55qE5Yqg5YWlLemHpumHpu+8mjc3ODY4NDE2MiAt6Ki75YaK?=
    =?utf-8?B?6YCBMzgt5YWt55uSNDktMTE2NDk46bueY29t44CP54+g6IGU55Kn5ZCI?=
    
    This is a multi-part message in MIME format.
    
    --9e8abb380d27d759f03d13c200026040
    Content-Type: text/plain;
    charset="utf-8"
    Content-Transfer-Encoding: quoted-printable
    
    zc=E2=89=AE=E6=BE=B3=E9=96=80=E6=96=B0=E8=91=A1=E4=BA=AC116498=E9=BB=9Ecom=
    =EF=BD=9C=E8=A8=BB=E5=86=8A=E5=8D=B3=E9=80=8138=E5=8F=8A=E5=B7=A5=E8=B3=87=
    =EF=BD=9C=E9=87=A6=E9=87=A6=EF=BC=9A778741365 =
    =EF=BD=9C=E5=85=AD=E7=9B=9249=E5=82=99?
    
    --9e8abb380d27d759f03d13c200026040
    Content-Type: text/html;
    charset="utf-8"
    Content-Transfer-Encoding: quoted-printable
    
    zc=E2=89=AE=E6=BE=B3=E9=96=80=E6=96=B0=E8=91=A1=E4=BA=AC116498=E9=BB=9Ecom=
    =EF=BD=9C=E8=A8=BB=E5=86=8A=E5=8D=B3=E9=80=8138=E5=8F=8A=E5=B7=A5=E8=B3=87=
    =EF=BD=9C=E9=87=A6=E9=87=A6=EF=BC=9A778741365 =
    =EF=BD=9C=E5=85=AD=E7=9B=9249=E5=82=99?
    
    --9e8abb380d27d759f03d13c200026040--
    
    ===================================================================
    
    We are getting tons of emails like this.
     
    #5 Jr Sarath, Nov 15, 2017
    Last edited by a moderator: Nov 15, 2017
  6. rpvw, Well-Known Member
    It looks to me like these mails are from qq.com (search for "qq.com spam" in your favourite search engine).

    If you have any evidence that one or more of your (or your customers') email accounts is sending these mails, you should take steps to immediately change the cPanel/FTP/email/root/reseller etc. account passwords as appropriate, and treat the incident as if your server has been compromised.

    If you have any evidence that a script on your server is responsible for sending these emails, you will probably need to engage an experienced server security administrator to help track it down and secure the server if at all possible.

    Also see these two SPF rejection reports:
    SPF: Why
    SPF: Why

    You may also find some useful tips and advice from Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation
     
    #6 rpvw, Nov 15, 2017
    Last edited: Nov 15, 2017