Spam emails being sent from cPanel account

Buffcode18

Registered
Nov 8, 2005
I've looked through many threads and followed the advice on this page - How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation - but I have a hosting account that is being used to send spam. Here are the "delivery event details" for one of them (I'm assuming the "sender host" and IP are the spammer's, since I don't recognize them?) -

Code:
Event:

success
Sender User: holttwin
Sender Domain: example.com
Sender: [email protected]
Sent Time: Nov 11, 2016 12:18:12 PM
Sender Host: www.domain.com
Sender IP: 95.173.172.82
Authentication: dovecot_login
Spam Score: 0
Recipient: [email protected]
Delivered To: [email protected]
Delivery User: -remote-
Delivery Domain:
Router: dkim_lookuphost
Transport: dkim_remote_smtp
Out Time: Nov 11, 2016 12:18:12 PM
ID: 1c5GPE-00061S-2f
Delivery Host: mx3.hotmail.com
Delivery IP: 65.55.37.120
Size: 1.44 KB
Result: Accepted

Here is the result of the send in my exim_mainlog -

2016-11-11 13:18:28 1c5GPE-00061S-2f H=(www.domain.com) [95.173.172.82]:59161 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-1.0/40)"
2016-11-11 13:18:28 1c5GPE-00061S-2f <= [email protected] H=(www.domain.com) [95.173.172.82]:59161 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_login:[email protected] S=1476 [email protected] T="4 Waiting Quick F#ck Request" for [email protected]
2016-11-11 13:18:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1c5GPE-00061S-2f
2016-11-11 13:18:28 1c5GPE-00061S-2f SMTP connection outbound 1478888308 1c5GPE-00061S-2f example.com [email protected]
2016-11-11 13:18:28 SMTP connection from (www.domain.com) [95.173.172.82]:59161 closed by QUIT

I am at the end of my rope on how to prevent/solve this. Running the command

Code:
awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n

gives me this as the first line - 27698 cwd=/var/spool/exim
 

SysSachin

Well-Known Member
Aug 23, 2015
India
cPanel Access Level
Root Administrator
Change your [email protected] email account password, because that mail was sent from your [email protected] account. You can suspend this single email account through your cPanel.
 

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
New Jersey
cPanel Access Level
DataCenter Provider
Did you check if the account is infected with a malicious script? Scan the website data with clamav or maldet and see what you get.
You yourself may want to study up a bit, as the answer lies right within the logs he posted; no need to have him go on a wild goose chase.

Anytime there is spam coming from the server, there will be 1 of 2 ways, in most cases anyway.

1. Spam coming from someone using SMTP authentication with an actual email account, in most cases this is from a weak password.

2. Someone sending POST requests to a PHP script

How do you distinguish between the two?

Easy..

1. Spam being sent via SMTP authentication, we can use the OP's example.. This line says it all:

2016-11-11 13:18:28 1c5GPE-00061S-2f <= [email protected] H=(www.domain.com) [95.173.172.82]:59161 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_login:[email protected] S=1476 [email protected] T="4 Waiting Quick F#ck Request" for [email protected]
and more specifically this part "A=dovecot_login:[email protected]".

This is someone authenticating with the account: [email protected]

This is a good one liner you can use to check on the amount of authentications used per email:

Code:
head -1 /var/log/exim_mainlog | awk '{print $1}' ; egrep -o 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog | cut -f2 -d":" | sort|uniq -c|sort -nk 1 ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
Example output:

Code:
[email protected][/]# head -1 /var/log/exim_mainlog | awk '{print $1}' ; egrep -o 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog | cut -f2 -d":" | sort|uniq -c|sort -nk 1 ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
2016-11-06
      2 [email protected]
      2 [email protected]
     38 [email protected]
     68 [email protected]
    154 [email protected]
    180 [email protected]
   3383 [email protected]
2016-11-12
You can see between the dates 2016-11-06 and 2016-11-12 the account [email protected] has auth'd 3383 times and, compared to the others, it's way above the average, so it's a good possibility it's spamming. You can easily check those outgoing emails by grepping the same log file:

Code:
grep dovecot_login:[email protected] /var/log/exim_mainlog
You can easily tell by the subject if they are spamming in most cases.

2. Finding out if the spam is coming from a PHP script, example of an email from a PHP script via the exim_mainlog:

Code:
2016-11-12 19:59:25 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
2016-11-12 19:59:25 1c5k4r-003iYa-6K <= [email protected] U=user P=local S=25164 T="Some spam subject" for [email protected]
2016-11-12 19:59:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1c5k4r-003iYa-6K
2016-11-12 19:59:25 1c5k4r-003iYa-6K SMTP connection outbound 1479002365 1c5k4r-003iYa-6K poor.soul [email protected]
2016-11-12 19:59:25 SMTP connection from [x.x.x.x]:46374 (TCP/IP connection count = 3)
2016-11-12 19:59:27 1c5k4r-003iYa-6K => [email protected] R=lookuphost T=remote_smtp H=mx.domain.com [x.x.x.x] X=TLSv1.2:AES128-SHA:128 CV=yes C="250 Message received"
2016-11-12 19:59:27 1c5k4r-003iYa-6K Completed
This time around, you can see there is no "A=dovecot_login" anywhere within the log; however, you can see the first line starts off with

Code:
cwd=/home/user/public_html
Although it doesn't tell you the exact script, it's telling you the location the mail is being sent from.

A good one-liner to use to track down spam scripts; it will show you each time the PHP script is posted to and recorded in the log.

Code:
head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
Example:

Code:
[email protected] [~]# head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
2016-11-06
195674 cwd=/home/someuser99/public_html/wp-content/plugins/wpgform
155601 cwd=/home/someuser99/public_html/blog/wp-admin/network
1945 cwd=/home/someuser662
1665 cwd=/home/someuser233/public_html/charm/forum
969 cwd=/home/someuser1
114 cwd=/home/someuser51/public_html/domain.com/shop
97 cwd=/home/someuser1/public_html/CupOfGossip
42 cwd=/home/someuser23/public_html/blog
40 cwd=/home/someuser2313/public_html/blog
26 cwd=/home/someuser54/public_html
24 cwd=/home/someuser12/public_html/domain.com/shop/wp-admin
2016-11-12
I think it's pretty clear here that there is some spam coming from the top 2 directories.

A super easy way to pinpoint which scripts they are.. example using the above results:

Code:
grep POST /home/someuser99/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n
This will grep all the POST requests and sort them by the amount of times each PHP script has been hit, example:

Code:
[email protected][~]# grep POST /home/someuser99/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n
      1 /wp-cron.php?doing_wp_cron=1478973503.4872438907623291015625
      1 /wp-cron.php?doing_wp_cron=1478975746.5134899616241455078125
      2 /wp-content/themes/accesspress-lite/slide-menues.php
      3 /wp-admin/
      3 /wp-login.php?redirect_to=http%3A%2F%2Fwww.domain.com%2Fwp-admin%2F&reauth=1
      8 /xmlrpc.php
    650 /wp-content/plugins/wpgform/test44.php
   2461 /wp-login.php
The culprit being: /wp-content/plugins/wpgform/test44.php

Hope this helps!
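As an added example (not code from this thread or from cPanel), the two heuristics from the post above, the A=dovecot_login count per mailbox and the cwd= count per directory, implemented in Python over constructed exim_mainlog lines, with an outlier rule that flags whichever account or directory dwarfs its peers and a subject lookup that stands in for grepping one account's logins. Mailboxes, IPs, message IDs and directories are placeholders.

```python
import re
from collections import Counter
AUTH_RE = re.compile(r'A=dovecot_(?:login|plain):(\S+)')   # who authenticated
CWD_RE = re.compile(r'^\S+ \S+ cwd=(\S+) ')                   # where local sendmail ran
SUBJ_RE = re.compile(r' T="([^"]*)"')                          # message subject
IGNORED_CWD = {'/', '/etc/csf', '/var/spool/exim'}             # exim's own work dirs

def make_auth_line(user, subject):
    # Constructed "<=" line in the shape of the esmtpsa entry shown in the thread.
    return (f'2016-11-11 13:18:28 1c5GPE-00061S-2f <= {user} H=(www.domain.com) '
            f'[198.51.100.7]:59161 P=esmtpsa A=dovecot_login:{user} S=1476 '
            f'T="{subject}" for rcpt@example.net')

def make_cwd_line(cwd):
    # Constructed "cwd=" line as written when a script calls /usr/sbin/sendmail.
    return f'2016-11-12 19:59:25 cwd={cwd} 3 args: /usr/sbin/sendmail -t -i'

# Constructed sample log: one noisy mailbox, one noisy plugin directory.
SAMPLE_LOG = ([make_auth_line('bob@example.com', 'Quick request')] * 40
              + [make_auth_line('alice@example.com', 'Invoice')] * 3
              + [make_cwd_line('/home/user/public_html/wp-content/plugins/wpgform')] * 25
              + [make_cwd_line('/home/user/public_html/blog')] * 2
              + [make_cwd_line('/var/spool/exim')] * 27)

def auth_counts(lines):
    """Authenticated submissions per mailbox (the A=dovecot_login heuristic)."""
    return Counter(m.group(1) for m in map(AUTH_RE.search, lines) if m)

def cwd_counts(lines):
    """Local sendmail calls per directory, skipping exim's own cwd values."""
    dirs = (m.group(1) for m in map(CWD_RE.match, lines) if m)
    return Counter(d for d in dirs if d not in IGNORED_CWD)

def subjects_for(lines, user):
    """Subjects sent by one mailbox, the equivalent of grepping its logins."""
    hits = (SUBJ_RE.search(l) for l in lines if f'A=dovecot_login:{user}' in l)
    return Counter(m.group(1) for m in hits if m)

def outliers(counts, factor=5.0):
    """Keys whose count exceeds `factor` times the mean of all the others."""
    flagged = []
    for key, n in counts.items():
        others = [v for k, v in counts.items() if k != key]
        if others and n > factor * sum(others) / len(others):
            flagged.append(key)
    return flagged

if __name__ == '__main__':
    print('suspicious mailboxes:', outliers(auth_counts(SAMPLE_LOG)))
    print('suspicious directories:', outliers(cwd_counts(SAMPLE_LOG)))
    print('bob subjects:', subjects_for(SAMPLE_LOG, 'bob@example.com'))
```

On a real server, replace SAMPLE_LOG with the lines of /var/log/exim_mainlog and compare the flagged entries against the one-liners above; the factor is a tuning knob, not a fixed rule.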
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @Buffcode18,

The previous response should help address the issue. Let us know if you have any additional questions.

Thank you.
 

Buffcode18

Registered
Nov 8, 2005
Thanks Jcats - this helped a lot! Obviously the account in question was being spammed from authentication - still confusing, since I reset the account password a few times and it didn't help, but I just changed it again to something stronger. Your solution for PHP scripts spamming also helped me diagnose an account on another server.
 

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
New Jersey
cPanel Access Level
DataCenter Provider
For the future, after you change the password, try restarting dovecot and exim; it may be that they are locked into a session which allows them to continue sending.

And/or there might be emails sitting in the mail queue as well which are waiting to be sent. I usually flush it out after I know someone has been spamming:

Code:
# exim -bp | exiqgrep -i | xargs exim -Mrm