
SPAM from -Remote- user

Discussion in 'E-mail Discussion' started by Tornado, Sep 28, 2018.

  1. Tornado

    Tornado Active Member

    Hi,
    Unfortunately, my server is sending a lot of spam from the -remote- user, and I could not find any users...

    I don't know how I can stop this.
    See the screenshot.

    I have been fighting with this for about 40 days.

    Sometimes the datacenter suspends my server...

    Please help us.

    Thanks

    Attachments: Screen Shot 2018-09-28 at 4.10.20 PM.png, Screen Shot 2018-09-28 at 4.10.08 PM.png
     
  2. keat63

    keat63 Well-Known Member

    While we wait for the experts to come along, do you recognise the 195.201.x.x IP address?

    Do you have SPF and DKIM configured for your domain?
     
    #2 keat63, Sep 28, 2018
    Last edited: Sep 28, 2018
  3. keat63

    keat63 Well-Known Member

    Let's see if you are an open relay.

    Maybe check the following in WHM.


    Tweak Settings >> Mail >> Initial default/catch-all forwarder destination
    Change this to 'Fail'
     
  4. sparek-3

    sparek-3 Well-Known Member

    Yea, perhaps someone with a better understanding of the Mail Stats feature thingy in cPanel/WHM will be able to help. I don't use that feature, so I really don't understand what all is being displayed here.

    But outside of that, I would recommend examining the logs for one of the specific message ids listed here, i.e.:

    cat /var/log/exim_mainlog | grep 1g5ry3-000AQu-2Q

    That's how I diagnose issues like this.

    If you copy that information into this thread, be sure to redact any confidential or identifying information.
     
  5. garconcn

    garconcn Well-Known Member

    Can you click on the "View Message" action on one email, then click "Show Control Data" and check "Mail control Data" to find the cPanel username or email address? Those might be the ones that got hacked.

    In Tweak Settings >> Mail >> Number of emails a domain may send per day before the system sends a notification, change from unlimited to a number; you may then get a notification about which account sent lots of emails.

    Also, in Tweak Settings, set the following:

    Maximum percentage of failed or deferred messages a domain may send per hour: I use 25%
    Number of failed or deferred messages a domain may send before protections can be triggered: I use 25

    This will stop the user from sending email if they have too many failed messages.
     
  6. Tornado

    Tornado Active Member

    Hi,
    It's the MAIN IP.

    It's already set to Fail.

    Every email is sent from:
    Sender User: -remote-

    I want to stop email being sent from the -Remote- user.

    How can I stop it?
     
  7. rpvw

    rpvw Well-Known Member

    I would think twice before you disallow remote senders - it may have a consequence that no one will be able to send legitimate mail to any of the domains hosted on your server.

    To test if your server is an open relay use the following website:
    Email Server Test - Online SMTP diagnostics tool - MxToolbox

    Check for the SMTP Open Relay line - if it says OK - Not an open relay - you are fine.

    As long as your server is not an open relay, your mail system looks as if it is doing what it was designed to do - rejecting relay attempts.

    See Tweak Settings - Mail - Version 74 Documentation - cPanel Documentation and ensure you have followed all the security suggestions, notes and warnings.

    You may also like to check the various Tweak Settings for the word spam, as well as the Exim Configuration Manager (the default values are always a good place to start) and you may want to consider enabling and configuring:
    Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score (Minimum: 0.1; Maximum: 99.9)

    Hope this helps
     
    Tornado likes this.
  8. rpvw

    rpvw Well-Known Member

    I had another thought:

    Check that no-one has configured a forwarder that shouldn't be there - we have seen several cases of email accounts having been hacked and forwarders set up for the purpose of spamming from supposedly legitimate accounts.

    You might also want to check that your users have not had any scripts injected or uploaded to their /public_html space that might trigger a mail event from a specially crafted browser request.

    Good luck
     
  9. catys sun

    catys sun Registered

    I am facing the same issue. Many spam messages are coming from one IP address daily.
     
  10. kdean

    kdean Well-Known Member

    I'm confused. His screenshots show that the server is already rejecting the relay attempts, so everything is good. So, what's the problem?

    Remote is any email coming in from outside the server, so you can't block that. Remote senders trying to relay through your server to another remote address are being rejected (22,957), so that's correct.

    The 64 successful ones are likely local deliveries/incoming mail.
     
  11. kdean

    kdean Well-Known Member

    To add, turn on your Authentication column and it will tell you "unauthorized", "localdelivery" or "forwarder".
     
  12. Tornado

    Tornado Active Member

    Hi,
    How can I find which users have set forwarders?

    Where can I turn on Authentication?
     
  13. kdean

    kdean Well-Known Member

    The icon in your screen shots at the upper right of the Mail Delivery Reports with 3 dots and 3 lines will allow you to add/remove columns.
     
  14. Tornado

    Tornado Active Member

    Hi,
    Thanks, guys.
    Is it possible to completely disable sending email from the Remote user?

    Because I feel someone is using our mail server as a remote.
     
  15. rpvw

    rpvw Well-Known Member

    If you are going to disable remote mail (which is ALL mail sent TO your server) - you may as well just stop the mail daemons, and use some external mailer service.

    We seem to be going around in circles with you asking the same question over and over again. I am sorry if you don't like the answers, but they are unlikely to change to something you want to hear.

    Since you don't seem to have got a grip on this at all, I suggest you retain the services of a server administrator to help you - see System Administration Services | cPanel Forums for available services

    If you want to continue to learn about preventing mail abuse - this is a good place to start - How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation
     
    cPanelLauren likes this.
  16. kdean

    kdean Well-Known Member

    In the evidence you've shown so far, attempts to use your server as a relay are being rejected. This is correct. Spammers will continue to try, but it won't work. So unless you show evidence of spam emails being sent through your server by a local account or script. Not all errors in the mail log are bad. Some and many in your case are indicating the correct response to relay attempts.
     
    Tornado and rpvw like this.
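
One way to separate the two cases discussed in this thread, rejected relay attempts versus mail the server actually accepted, shown as an added example that is not part of any post. The function names and the sample log lines are constructed for illustration; it assumes the stock Exim main-log layout (date, time, message id, `<=`) and that `cwd=` lines are present, which requires the `+arguments` log selector. Rejection wording can differ between configurations, so adjust the `rejected RCPT` match to what your log shows.

```shell
#!/bin/sh
# Summarise an Exim main log from stdin: rejected relay attempts versus mail
# that was actually accepted, grouped by who submitted it.
summarize_exim_log() {
    awk '
    # Refused at RCPT time: nothing was queued or sent.
    / rejected RCPT / { rejected++; next }
    # Working directory of a local sendmail call (needs log_selector +arguments).
    $3 ~ /^cwd=\/home\// { script[substr($3, 5)]++; next }
    # "<=" marks a message accepted into the queue.
    $4 == "<=" {
        auth = ""; user = ""
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^T=/) break            # subject text is sender-controlled
            if ($i ~ /^A=/) { auth = $i; sub(/^A=[^:]*:/, "", auth) }
            else if ($i ~ /^U=/) user = substr($i, 3)
        }
        if (auth != "") who = "auth:" auth
        else if (user != "") who = "local:" user
        else who = "remote-unauthenticated"
        accepted[who]++
    }
    END {
        printf "rejected_relay %d\n", rejected
        for (w in accepted) printf "%s %d\n", w, accepted[w]
        for (d in script) printf "script:%s %d\n", d, script[d]
    }' | LC_ALL=C sort
}

# Constructed sample lines (documentation addresses, made-up message ids).
sample_log() {
    cat <<'EOF'
2018-09-28 16:10:08 H=(mail.example.net) [203.0.113.9]:40222 F=<a@example.net> rejected RCPT <b@example.org>: relay not permitted
2018-09-28 16:10:09 H=(mail.example.net) [203.0.113.9]:40223 F=<a@example.net> rejected RCPT <c@example.org>: relay not permitted
2018-09-28 16:10:20 1exmpl-000001-AA <= info@example.com H=(pc) [198.51.100.7]:51234 P=esmtpsa A=dovecot_login:info@example.com S=2101
2018-09-28 16:10:25 1exmpl-000002-AB <= info@example.com H=(pc) [198.51.100.7]:51240 P=esmtpsa A=dovecot_login:info@example.com S=2098
2018-09-28 16:11:00 cwd=/home/shopuser/public_html/tmp 4 args: /usr/sbin/sendmail -t -i -fshopuser@example.com
2018-09-28 16:11:00 1exmpl-000003-AC <= shopuser@host.example.com U=shopuser P=local S=812
2018-09-28 16:12:30 1exmpl-000004-AD <= friend@example.org H=mx.example.org [192.0.2.25]:44100 P=esmtps S=5120 T="hello A=dovecot_login:admin"
EOF
}

sample_log | summarize_exim_log
```

On a real server, feed it the log named earlier in the thread: `summarize_exim_log < /var/log/exim_mainlog`. A large `rejected_relay` count with few `auth:`, `local:` or `script:` entries matches the "relay attempts are being refused" reading; a single login or directory with a high count is the account or script to investigate.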
  17. Tornado

    Tornado Active Member

    Hi,
    Finally, today the datacenter contacted us and sent a warning:

    ==
    It has come to our attention that the IP address of a server you have with us is sending emails to Microsoft accounts (live.com, outlook.com, hotmail.com and msn.com), and that these emails are being marked as spam by the recipients.
    ==
    Here are the logs:

    - Removed -
     
    #17 Tornado, Oct 1, 2018
    Last edited by a moderator: Oct 1, 2018
  18. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    The answers provided in this thread are pretty comprehensive, but @Tornado, if you're still experiencing issues, please open a ticket using the link in my signature. Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


    Thanks!
     