Spam emails being sent from cPanel account

Discussion in 'E-mail Discussions' started by Buffcode18, Nov 11, 2016.

  1. Buffcode18

    Buffcode18 Registered

    Joined:
    Nov 8, 2005
    I've looked through many threads and followed the advice on this page - How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation - but I have a hosting account that is being used to send spam. Here is the "delivery event details" for one of them (I'm assuming the "sender host" and ip is the spammer since I don't recognize it?) -

    Code:
    Event: success
    Sender User: holttwin
    Sender Domain: example.com
    Sender: twinsister@example.com
    Sent Time: Nov 11, 2016 12:18:12 PM
    Sender Host: www.domain.com
    Sender IP: 95.173.172.82
    Authentication: dovecot_login
    Spam Score: 0
    Recipient: someusr@hotmail.com
    Delivered To: someusr@hotmail.com
    Delivery User: -remote-
    Delivery Domain:
    Router: dkim_lookuphost
    Transport: dkim_remote_smtp
    Out Time: Nov 11, 2016 12:18:12 PM
    ID: 1c5GPE-00061S-2f
    Delivery Host: mx3.hotmail.com
    Delivery IP: 65.55.37.120
    Size: 1.44 KB
    Result: Accepted
    
    Here is the result of the send in my exim_mainlog -
    
    2016-11-11 13:18:28 1c5GPE-00061S-2f H=(www.domain.com) [95.173.172.82]:59161 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-1.0/40)"
    2016-11-11 13:18:28 1c5GPE-00061S-2f <= twinsister@example.com H=(www.domain.com) [95.173.172.82]:59161 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_login:twinsister@example.com S=1476 id=427a3fde29b1abda9013bc30746a1dc5@www.domain.com T="4 Waiting Quick F#ck Request" for someusr@hotmail.com
    2016-11-11 13:18:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1c5GPE-00061S-2f
    2016-11-11 13:18:28 1c5GPE-00061S-2f SMTP connection outbound 1478888308 1c5GPE-00061S-2f example.com someusr@hotmail.com
    2016-11-11 13:18:28 SMTP connection from (www.domain.com) [95.173.172.82]:59161 closed by QUIT
    

    I am at the end of my rope on how to prevent/solve this. Running the command "awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n" gives me this as the first line - 27698 cwd=/var/spool/exim
     
    #1 Buffcode18, Nov 11, 2016
    Last edited by a moderator: Nov 11, 2016
  2. Eminds

    Eminds Well-Known Member

    Joined:
    Nov 10, 2016
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Did you check whether the account is infected with a malicious script? Scan the website data with ClamAV or maldet and see what you get.
     
  3. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Change your twinsister@ email account password, because that mail was sent from your twinsister@ account. You can suspend this single email account through your cPanel.
     
  4. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    You yourself may want to study up a bit, as the answer lies right within the logs he posted; there is no need to have him go on a wild goose chase.

    Any time there is spam coming from the server, it will be one of two ways, in most cases anyway.

    1. Spam coming from someone using SMTP authentication with an actual email account, in most cases this is from a weak password.

    2. Someone sending POST requests to a PHP script

    How do you distinguish between the two?

    Easy..

    1. Spam being sent via SMTP authentication; we can use the OP's example. This line says it all:

    and more specifically this part "A=dovecot_login:twinsister@example.com".

    This is someone authenticating with the account: twinsister@example.com

    This is a good one-liner you can use to check the number of authentications per email account:

    Code:
    head -1 /var/log/exim_mainlog | awk '{print $1}' ; egrep -o 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog | cut -f2 -d":" | sort|uniq -c|sort -nk 1 ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
    Example output:

    Code:
    root@server[/]# head -1 /var/log/exim_mainlog | awk '{print $1}' ; egrep -o 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog | cut -f2 -d":" | sort|uniq -c|sort -nk 1 ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
    2016-11-06
          2 jay@domain.com
          2 justin@domain.com
         38 scott@domain.com
         68 billing@domain.com
        154 abuse@domain.com
        180 sales@domain.com
       3383 support@domain.com
    2016-11-12
    
    You can see that between the dates 2016-11-06 and 2016-11-12 the account support@domain.com has auth'd 3383 times; compared to the others, it's way above the average, so there is a good possibility it's spamming. You can easily check those outgoing emails by grepping the same log file:

    Code:
    grep dovecot_login:support@domain.com /var/log/exim_mainlog
    You can easily tell by the subject if they are spamming in most cases.

    2. Finding out if the spam is coming from a PHP script; here is an example of an email from a PHP script in the exim_mainlog:

    Code:
    2016-11-12 19:59:25 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-11-12 19:59:25 1c5k4r-003iYa-6K <= user@server.domain.com U=user P=local S=25164 T="Some spam subject" for some@poor.soul
    2016-11-12 19:59:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1c5k4r-003iYa-6K
    2016-11-12 19:59:25 1c5k4r-003iYa-6K SMTP connection outbound 1479002365 1c5k4r-003iYa-6K poor.soul some@poor.soul
    2016-11-12 19:59:25 SMTP connection from [x.x.x.x]:46374 (TCP/IP connection count = 3)
    2016-11-12 19:59:27 1c5k4r-003iYa-6K => some@poor.soul R=lookuphost T=remote_smtp H=mx.domain.com [x.x.x.x] X=TLSv1.2:AES128-SHA:128 CV=yes C="250 Message received"
    2016-11-12 19:59:27 1c5k4r-003iYa-6K Completed
    This time around, you can see there is no "A=dovecot_login" anywhere in the log; however, you can see the first line starts off with

    Code:
    cwd=/home/user/public_html
    Although it doesn't tell you the exact script, it's telling you the location the mail is being sent from.

    A good one-liner to use to track down spam scripts; it will show you each time a PHP script is posted to and recorded in the log.

    Code:
    head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
    Example:

    Code:
    root@hearted [~]# head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
    2016-11-06
    195674 cwd=/home/someuser99/public_html/wp-content/plugins/wpgform
    155601 cwd=/home/someuser99/public_html/blog/wp-admin/network
    1945 cwd=/home/someuser662
    1665 cwd=/home/someuser233/public_html/charm/forum
    969 cwd=/home/someuser1
    114 cwd=/home/someuser51/public_html/domain.com/shop
    97 cwd=/home/someuser1/public_html/CupOfGossip
    42 cwd=/home/someuser23/public_html/blog
    40 cwd=/home/someuser2313/public_html/blog
    26 cwd=/home/someuser54/public_html
    24 cwd=/home/someuser12/public_html/domain.com/shop/wp-admin
    2016-11-12
    
    I think it's pretty clear here that there is some spam coming from the top 2 directories.

    A super easy way to pinpoint which scripts they are, using the above results as an example:

    Code:
    grep POST /home/someuser99/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n
    This will grep all the POST requests and sort them by the number of times each PHP script has been hit, example:

    Code:
    root@server[~]# grep POST /home/someuser99/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n
          1 /wp-cron.php?doing_wp_cron=1478973503.4872438907623291015625
          1 /wp-cron.php?doing_wp_cron=1478975746.5134899616241455078125
          2 /wp-content/themes/accesspress-lite/slide-menues.php
          3 /wp-admin/
          3 /wp-login.php?redirect_to=http%3A%2F%2Fwww.domain.com%2Fwp-admin%2F&reauth=1
          8 /xmlrpc.php
        650 /wp-content/plugins/wpgform/test44.php
       2461 /wp-login.php
    The culprit being: /wp-content/plugins/wpgform/test44.php

    Hope this helps!
     
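A small triage script, added here as an example and not part of Jcats' post or of cPanel's tooling, that implements the two checks above in one place: it counts A=dovecot_login/dovecot_plain submissions per account together with their subjects, counts the cwd= directories of locally injected mail (dropping the same noise directories as the one-liner), and flags entries far above the rest. The log excerpt, accounts, hosts and IPs are constructed.

```python
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2016-11-11 13:18:28 1cTEST-000001-A1 <= sis@example.com H=(h) [198.51.100.7]:59161 P=esmtpsa A=dovecot_login:sis@example.com S=1476 T="Quick offer 1" for a@example.net
2016-11-11 13:18:40 1cTEST-000002-A2 <= sis@example.com H=(h) [198.51.100.7]:59162 P=esmtpsa A=dovecot_login:sis@example.com S=1470 T="Quick offer 2" for b@example.net
2016-11-11 13:18:55 1cTEST-000003-A3 <= sis@example.com H=(h) [198.51.100.7]:59163 P=esmtpsa A=dovecot_login:sis@example.com S=1466 T="Quick offer 3" for c@example.net
2016-11-11 13:19:05 1cTEST-000004-A4 <= sales@example.com H=(pc) [203.0.113.5]:4021 P=esmtpsa A=dovecot_plain:sales@example.com S=900 T="Re: invoice" for d@example.net
2016-11-12 19:59:25 cwd=/home/user/public_html/wp-content/plugins/wpgform 3 args: /usr/sbin/sendmail -t -i
2016-11-12 19:59:25 1cTEST-000005-A5 <= user@server.example.com U=user P=local S=25164 T="Some spam subject" for some@example.org
2016-11-12 19:59:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cTEST-000005-A5
2016-11-12 19:59:40 cwd=/home/user/public_html/wp-content/plugins/wpgform 3 args: /usr/sbin/sendmail -t -i
2016-11-12 19:59:58 cwd=/home/user/public_html/wp-content/plugins/wpgform 3 args: /usr/sbin/sendmail -t -i
2016-11-12 20:01:02 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
"""  # constructed sample: made-up accounts, hosts, IPs and message IDs

AUTH_RE = re.compile(r' A=dovecot_(?:login|plain):(\S+)')  # SMTP-auth account on a "<=" line
SUBJECT_RE = re.compile(r' T="((?:[^"\\]|\\.)*)"')         # Exim logs the subject as T="..."
CWD_RE = re.compile(r'^\S+ \S+ cwd=(\S+) \d+ args:')        # local sendmail/exim invocation
IGNORE_CWD = ('/', '/etc/csf', '/var/spool/exim')         # queue-runner noise, as in the one-liner

def smtp_auth_report(log_text):
    """Per SMTP-authenticated account: number of submissions and their subjects (the A= check)."""
    counts, subjects = Counter(), defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if ' <= ' not in line or not m:   # only message-arrival lines carry A= and T=
            continue
        counts[m.group(1)] += 1
        s = SUBJECT_RE.search(line)
        subjects[m.group(1)].append(s.group(1) if s else '')
    return counts, dict(subjects)

def script_dir_report(log_text):
    """Directories that local sendmail calls came from (the cwd= check), noise dirs dropped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m and m.group(1) not in IGNORE_CWD:
            counts[m.group(1)] += 1
    return counts

def outliers(counts, factor=3.0):
    """Entries whose count is at least `factor` times the mean of all the other entries."""
    flagged = []
    for name, n in counts.items():
        others = [v for k, v in counts.items() if k != name]
        if others and n >= factor * sum(others) / len(others):
            flagged.append((name, n))
    return sorted(flagged, key=lambda t: -t[1])
```

On a real server read /var/log/exim_mainlog into the text argument; a flagged account or directory still needs the subject and access-log checks Jcats describes before you act on it.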
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello @Buffcode18,

    The previous response should help address the issue. Let us know if you have any additional questions.

    Thank you.
     
  6. Buffcode18

    Buffcode18 Registered

    Joined:
    Nov 8, 2005
    Thanks Jcats - this helped a lot! Obviously the account in question was being spammed from authentication - still confusing, since I reset the account password a few times and it didn't help, but I just changed it again to something stronger. Your solution for PHP scripts spamming also helped me diagnose an account on another server.
     
  7. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    For the future, after you change the password, try restarting dovecot and exim; it may be that they are locked into a session which allows them to continue sending.

    And/or there might be emails sitting in the mail queue as well which are waiting to be sent. I usually flush it out after I know someone has been spamming:

    Code:
    # exim -bp | exiqgrep -i | xargs exim -Mrm
     
  8. webhostuk

    webhostuk Well-Known Member

    Joined:
    Sep 11, 2013
    cPanel Access Level:
    Website Owner
    Nice help, Jcats, to teach our new staff members how to help such customers :)
     