Spam going out from an Account

Discussion in 'E-mail Discussions' started by mauinet, Sep 17, 2014.

  1. mauinet

    mauinet Active Member

    Hello, one of our servers is sending out 1,000s of spams with the From address as info@hp.com. The message headers show them authenticating as H=(User). These emails are coming in from around the world, then going out as info@hp.com. I have checked several relaying sites to see if we are a relaying server. They all say we do not relay. What else can I check or do to block these? Here is a header from one:

    Code:
    1XULzM-0007uw-1O-H
    mailnull 47 12
    <info@hp.com>
    1410986288 0
    -helo_name User
    -host_address 41.150.116.168.61594
    -host_name 8ta-150-116-168.telkomadsl.co.za
    -host_auth courier_login
    -interface_address 66.135.38.165.465
    -received_protocol esmtpsa
    -body_linecount 1
    -max_received_linelength 207
    -auth_id jcbuilde
    -tls_cipher TLSv1:DHE-RSA-AES256-SHA:256
     
  2. triantech

    triantech Well-Known Member

    Re: Spam from info@hp.com

    Hey,

    Check if your server has got any vulnerable scripts employed which are causing all these spams to go out.
    Do you have any domain or account with the name 'jcbuilde'?

    Also,

    Post the output of this command:

    # awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
     
  3. mauinet

    mauinet Active Member

    Re: Spam from info@hp.com

    Hello triantech, thank you much for a very valuable tip. I think we have located the vulnerability with the jcbuilde account.

    TR
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  5. triantech

    triantech Well-Known Member

    Hey mauinet,

    Great to know you have fixed it \o/
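
Added example, not part of any post in this thread: the header in the first post records an authenticated SMTP login (`-host_auth`, `-auth_id`), so this sketch tallies messages and distinct source IPs per `auth_id` across Exim `-H` spool header files. The function names, message IDs and addresses are constructed for illustration, and the `IP.port` form of `-host_address` is assumed from the header shown above.

```shell
#!/bin/sh
# Added example: tally authenticated senders from Exim spool header (-H) files.

# summarize_auth_senders FILE...
# Prints "<auth_id> <messages> <distinct_source_ips>", busiest account first.
summarize_auth_senders() {
    awk '
        function tally() {
            if (id == "") return                 # no SMTP AUTH on this message
            msgs[id]++
            if (ip != "" && !((id, ip) in seen)) { seen[id, ip] = 1; ips[id]++ }
        }
        FNR == 1 { tally(); id = ""; ip = "" }   # first line of a file = new message
        /^-auth_id /      { id = $2 }
        /^-host_address / { ip = $2; sub(/\.[0-9]+$/, "", ip) }   # strip ".port"
        END { tally(); for (a in msgs) print a, msgs[a], ips[a] + 0 }
    ' "$@" | sort -k2,2nr -k1,1
}

# write_hdr DIR MSGID IP.PORT [AUTH_ID]: write one constructed -H file (sample data).
write_hdr() {
    {
        printf '%s\n' "$2-H" 'mailnull 47 12' '<info@example.com>' '1410986288 0'
        printf '%s\n' '-helo_name User' "-host_address $3"
        if [ -n "${4:-}" ]; then
            printf '%s\n' '-host_auth courier_login' "-auth_id $4"
        fi
    } > "$1/$2-H"
}

# demo: build a small constructed spool directory and summarise it.
demo() {
    d=$(mktemp -d) || return 1
    write_hdr "$d" 1AAAAA-000001-AA 192.0.2.10.61594   jcbuilde
    write_hdr "$d" 1AAAAA-000002-AA 198.51.100.7.40022 jcbuilde
    write_hdr "$d" 1AAAAA-000003-AA 192.0.2.10.61601   jcbuilde   # same IP, new port
    write_hdr "$d" 1AAAAA-000004-AA 203.0.113.5.52100  otheruser
    write_hdr "$d" 1AAAAA-000005-AA 203.0.113.9.2500              # unauthenticated
    summarize_auth_senders "$d"/*-H
    rm -rf "$d"
}
```

One account with many queued messages arriving from many unrelated source addresses is the pattern to look for; a single account sending from one address is more likely ordinary use.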
     