Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Spam e-mails originating from 'cpanel' userid

Discussion in 'E-mail Discussion' started by Arvand, Nov 15, 2006.

  1. Arvand

    Arvand Well-Known Member
    PartnerNOC

    Joined:
    Jul 26, 2003
    Messages:
    128
    Likes Received:
    1
    Trophy Points:
    168
    Hello,

    Recently several of our servers have started sending spam using the 'cpanel' userid. This makes it close to impossible to track who is actually sending spam. Is this a new exploit?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 Arvand, Nov 15, 2006
  2. Arvand

    Arvand Well-Known Member
    PartnerNOC

    Joined:
    Jul 26, 2003
    Messages:
    128
    Likes Received:
    1
    Trophy Points:
    168
    Here is a header:

    Return-Path: <goodnews_mary@yahoo.com>

    Received: from rly-yc01.mail.aol.com (rly-yc01.mail.aol.com [172.18.205.144]) by air-yc01.mail.aol.com (v114.2) with ESMTP id MAILINYC13-1b6455a110157; Tue, 14 Nov 2006 13:55:25 -0500

    Received: from myserver.com (myserver.com [xx.xx.xx.xx]) by rly-yc01.mail.aol.com (v114.2) with ESMTP id MAILRELAYINYC18-1b6455a110157; Tue, 14 Nov 2006 13:55:02 -0500

    Received: from cpanel by myserver.com with local (Exim 4.52)

    id 1Gk3QG-00089R-V5; Tue, 14 Nov 2006 10:54:16 -0800

    Received: from 213.185.106.204 ([213.185.106.204]) by langdalesmith.co.uk

    (Horde MIME library) with HTTP; Tue, 14 Nov 2006 10:54:13 -0800

    Message-ID: <20061114105413.vn0j1s7whvbkcwcw@langdalesmith.co.uk>

    Date: Tue, 14 Nov 2006 10:54:13 -0800

    From: Mrs Mary Collins <goodnews_mary@yahoo.com>

    To: <Undisclosed Recipients>

    Subject: Dear beloved

    MIME-Version: 1.0

    Content-Type: text/plain;

    charset=ISO-8859-1;

    DelSp="Yes";

    format="flowed"

    Content-Disposition: inline

    Content-Transfer-Encoding: quoted-printable

    User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)

    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

    X-AntiAbuse: Primary Hostname - myserver

    X-AntiAbuse: Original Domain - aol.com

    X-AntiAbuse: Originator/Caller UID/GID - [32001 32001] / [47 12]

    X-AntiAbuse: Sender Address Domain - yahoo.com

    X-Source:

    X-Source-Args:

    X-Source-Dir:


    This was happening on another server of mine as well but I wasn't able to track down the spammer cause the e-mails in the queue manager only pointed toward 'cpanel' username.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 Arvand, Nov 15, 2006
  3. Arvand

    Arvand Well-Known Member
    PartnerNOC

    Joined:
    Jul 26, 2003
    Messages:
    128
    Likes Received:
    1
    Trophy Points:
    168
    This is actually getting quiet serious. Im watching spam go through exim but I can't stop it because its originating from cpanel.

    Is there a way to force exim to stop delivering mail for a specific user? I've looked at top logs and everything else but I can't find out how these e-mails are being originated. They are however being sent with the userid 'cpanel' though.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 Arvand, Nov 18, 2006
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,803
    Likes Received:
    134
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    It looks like someone from the IP address 213.185.106.204 is logging into webmail on your server (langdalesmith.co.uk? but doesn't necessarily mean that its someone from that domain) and sending this message.

    To find out exactly who is sending it, you would need to grep the cpanel access logs for the time period around this time and see who was logged into webmail and sending messages:

    cat /usr/local/cpanel/logs/access_log | grep 14/Nov/2006:10:54

    This will show you all the log entries made into cPanel, WHM, and Webmail on November 14th, 2006 at 10:54 (I would exclude the seconds because then you are getting too specific and the logs may not show anything).

    Since you are pretty sure this user was using Horde, you can further narrow the search by searching only for Horde accesses:

    cat /usr/local/cpanel/logs/access_log | grep 14/Nov/2006:10:54 | grep horde

    This may result in a lot of lines, and since you are only interested in the specific webmail user that was logged in at this time, use awk to only give you that information and only display uniq entries:

    cat /usr/local/cpanel/logs/access_log | grep 14/Nov/2006:10:54 | grep horde | awk '{print $3}' | sort | uniq

    This last command will show you the usernames that were logged into webmail (actually just clicked something) on November 14, 2006 at 10:54.

    Hope this helps.
     
    #4 sparek-3, Nov 18, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - Spam mails originating
  1. PAFFY

    Emails going into spam folder

    PAFFY, Jan 14, 2019 at 11:53 AM, in forum: E-mail Discussion
    Replies:
    3
    Views:
    185
    cPanelLauren
    Jan 15, 2019 at 7:12 AM
  2. Jedi82

    How do I get rid of these spam emails?

    Jedi82, Dec 21, 2018, in forum: E-mail Discussion
    Replies:
    4
    Views:
    473
    cPanelMichael
    Dec 25, 2018
  3. RobinF28

    SOLVED DKIM for 'root' user, to avoid emails going to spam

    RobinF28, Dec 8, 2018, in forum: E-mail Discussion
    Replies:
    15
    Views:
    1,011
    cPanelMichael
    Jan 14, 2019 at 9:31 AM
  4. DigitalEssence

    Emails Bypassing RBL Reject and SpamAssassin Bounce

    DigitalEssence, Dec 6, 2018, in forum: E-mail Discussion
    Replies:
    5
    Views:
    563
    cPanelLauren
    Dec 10, 2018
  5. xtianfab

    Emails to Gmail and Hotmail going to spam

    xtianfab, Nov 23, 2018, in forum: E-mail Discussion
    Replies:
    4
    Views:
    353
    cPanelLauren
    Nov 26, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice