Spam going out from an Account

Discussion in 'E-mail Discussions' started by mauinet, Sep 17, 2014.

  1. mauinet

    mauinet Active Member

    Joined:
    Mar 2, 2004
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Maui
    Hello, one of our servers is sending out 1,000s of spams with the From address as info@hp.com. The message headers show them authenticating as H=(User). These emails are coming in from around the world, then going out as info@hp.com. I have checked several relaying sites to see if we are a relaying server. They all say we do not relay. What else can I check or do to block these? Here is a header from one:

    Code:
    1XULzM-0007uw-1O-H
    mailnull 47 12
    <info@hp.com>
    1410986288 0
    -helo_name User
    -host_address 41.150.116.168.61594
    -host_name 8ta-150-116-168.telkomadsl.co.za
    -host_auth courier_login
    -interface_address 66.135.38.165.465
    -received_protocol esmtpsa
    -body_linecount 1
    -max_received_linelength 207
    -auth_id jcbuilde
    -tls_cipher TLSv1:DHE-RSA-AES256-SHA:256
     
  2. triantech

    triantech Well-Known Member

    Joined:
    Jul 1, 2014
    Messages:
    143
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Kochi, India, India
    cPanel Access Level:
    Root Administrator
    Re: Spam from info@hp.com

    Hey,

    Check if your server has got any vulnerable scripts employed which are causing all these spams to go out.
    Do you have any domain or account with the name 'jcbuilde'?

    Also,

    Post the output of this command:

    # awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
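
A complementary check for authenticated submissions like the one in the posted header (`-host_auth courier_login`, `-auth_id jcbuilde`), added here as an example and not part of the original post: it counts messages and distinct source addresses per SMTP login in the Exim main log. It assumes the default arrival-line layout with `A=authenticator:login`; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes default Exim main-log arrival lines:
#   DATE TIME MSGID <= sender H=... [ip]:port P=esmtpsa ... A=authenticator:login ...

# auth_summary FILE: prints "<messages> <distinct_ips> <login>", busiest login first.
auth_summary() {
    awk '
    $4 == "<=" {
        ip = ""; login = ""
        for (i = 6; i <= NF; i++) {          # $5 is the envelope sender, skip it
            if ($i ~ /^T=/) break             # subject is sender-controlled, stop here
            if ($i ~ /^\[[0-9a-fA-F.:]+\](:[0-9]+)?$/) {
                ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
            } else if ($i ~ /^A=[^:]+:/) {
                login = $i; sub(/^A=[^:]+:/, "", login)
            }
        }
        if (login == "") next                 # unauthenticated arrival
        msgs[login]++
        if (!((login, ip) in seen)) { seen[login, ip] = 1; ips[login]++ }
    }
    END { for (l in msgs) printf "%d %d %s\n", msgs[l], ips[l], l }
    ' "$1" | sort -k1,1nr -k3,3
}

# flag_logins FILE MIN_IPS: logins seen from at least MIN_IPS distinct addresses.
flag_logins() {
    auth_summary "$1" | awk -v min="$2" '$2 + 0 >= min + 0 { print $3 }'
}

# Constructed sample log (documentation-range IPs, made-up message IDs).
sample_log() {
    cat <<'EOF'
2014-09-17 10:38:08 1AAAAA-000001-01 <= info@hp.com H=(User) [192.0.2.10]:61594 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=courier_login:jcbuilde S=1843 for a@example.net
2014-09-17 10:38:41 1AAAAA-000002-02 <= info@hp.com H=(User) [198.51.100.7]:40112 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=courier_login:jcbuilde S=1851 for b@example.net
2014-09-17 10:39:02 1AAAAA-000003-03 <= info@hp.com H=(User) [203.0.113.99]:51000 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=courier_login:jcbuilde S=1839 for c@example.net
2014-09-17 10:39:30 1AAAAA-000004-04 <= info@hp.com H=(User) [192.0.2.10]:61601 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=courier_login:jcbuilde S=1847 for d@example.net
2014-09-17 10:41:30 1AAAAA-000005-05 <= alice@example.com H=(laptop) [192.0.2.55]:50000 P=esmtpsa A=courier_login:alice@example.com S=2210 T="fwd: A=courier_login:mallory" for bob@example.net
2014-09-17 10:42:00 cwd=/home/jcbuilde/public_html 3 args: /usr/sbin/sendmail -t -i
2014-09-17 10:42:03 1AAAAA-000006-06 <= someone@example.org H=mx.example.org [203.0.113.5]:25000 P=esmtp S=900 for alice@example.com
2014-09-17 10:42:05 1AAAAA-000005-05 => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.20]
EOF
}

# Usage: sh this_script /var/log/exim_mainlog
if [ -n "${1:-}" ]; then auth_summary "$1"; fi
```

A login that sends many messages from several unrelated addresses in a short window points to stolen mailbox credentials rather than a script, and the remedy is a password reset for that login.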
     
  3. mauinet

    mauinet Active Member

    Re: Spam from info@hp.com

    Hello triantech, thank you much for a very valuable tip. I think we have located the vulnerability with the jcbuilde account.

    TR
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    36,980
    Likes Received:
    1,275
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    I am happy to see you were able to locate the vulnerable script. You may also find the following document helpful:

    Prevent Email Abuse

    Thank you.
     
  5. triantech

    triantech Well-Known Member

    Hey mauinet,

    Great to know you have fixed it \o/
     