
spam emails sent from non-existent user accounts

Discussion in 'Security' started by tacos4me, Apr 4, 2013.

  1. tacos4me

    So I've just started noticing today that I'm getting a large amount of spam emails sent from domains on my machine, all of them. The users they're supposedly sending mail from do not exist. Need some help with this, getting blacklisted everywhere. I've followed all the best practices for setting up courier/exim.
     
  2. quizknows

    The "from" address can be spoofed. Likely it's a PHP script running on the domain and your web app is hacked.

    Code:
    grep 'SUBJECT LINE' /var/log/exim_mainlog | head -n 20
    You can also grep message_id if you have it. That's usually better. Get a message ID from exim -bp or the mail queue manager in WHM.

    If that grep returns lines that have P=esmtpa courier_auth:user@domain.com, then the spammer is indeed using an SMTP login, and the user@domain.com is the actual username/password being used.

    If you see P=local U=nobody (or U=some_cp_username) then it's a PHP script sending the spam, or some local running process. You'll need to take one of the exim message IDs and run this:

    Code:
    grep -B3 "$MESSAGE_ID" /var/log/exim_mainlog | grep cwd
    This will tell you what folder the PHP script is in that is sending the spam. Good luck.
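
Added example, not part of the original posts: a shell function that applies both checks from the reply above (authenticated SMTP login versus local script, plus the `cwd` lookup) to every arrival (`<=`) line in one pass. The function names and the log lines in `sample_log` are constructed for illustration; on a real server, feed it `/var/log/exim_mainlog` on stdin.

```shell
#!/bin/sh
# Constructed sample log lines (not taken from a real server).
sample_log() {
  cat <<'EOF'
2013-04-04 10:15:01 cwd=/home/exampleuser/public_html/uploads 3 args: /usr/sbin/sendmail -t -i
2013-04-04 10:15:01 1UNaaa-0001Xy-Ab <= nobody@host.example.com U=nobody P=local S=1843 T="SUBJECT LINE"
2013-04-04 10:15:01 1UNaaa-0001Xy-Ab => someone@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2013-04-04 10:16:40 1UNaab-0001Xz-Cd <= sales@example.com H=(client) [203.0.113.7]:50514 P=esmtpa A=courier_auth:info@example.com S=2210 T="SUBJECT LINE"
EOF
}

# classify_arrivals: reads an exim main log on stdin and prints, per
# accepted message: MESSAGE_ID SOURCE IDENTITY CWD
#   SOURCE   = smtp-auth | local | other
#   IDENTITY = SMTP login actually used, or the local U= user
#   CWD      = directory the local submission ran from ("-" for SMTP)
classify_arrivals() {
  awk '
    # A local submission logs its working directory just before the
    # arrival line, so remember the most recent cwd= entry.
    $3 ~ /^cwd=/ { cwd = substr($3, 5); next }
    $4 == "<=" {
      id = $3; proto = ""; auth = ""; user = ""
      for (i = 6; i <= NF; i++) {
        if      ($i ~ /^P=/) proto = substr($i, 3)
        else if ($i ~ /^A=/) auth  = substr($i, 3)
        else if ($i ~ /^U=/) user  = substr($i, 3)
        else if ($i ~ /^T=/) break   # free-text subject follows; stop
      }
      if (proto == "esmtpa" || proto == "esmtpsa") {
        sub(/^[^:]*:/, "", auth)     # drop authenticator name, keep login
        print id, "smtp-auth", auth, "-"
      } else if (proto == "local") {
        print id, "local", user, (cwd != "" ? cwd : "unknown")
      } else {
        print id, "other", "-", "-"
      }
      cwd = ""                       # never reuse a cwd for a later message
    }
  '
}

sample_log | classify_arrivals
```

In the second sample message the envelope sender is `sales@example.com` while the login is `info@example.com`: the login is the account whose password needs changing. As with `grep -B3`, the `cwd` match is by position in the log, so confirm it on a busy server before acting on it.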
     
  3. storminternet

    You can also check 'View Mail Statistics Summary' from WHM to find out the top email sender.
    It will help you to troubleshoot the spamming issue.
     