
Spam is sending out through my server

Discussion in 'Security' started by rbray, Apr 18, 2013.

  1. rbray

    rbray Registered

    cPanel Access Level:
    Website Owner
    Good day.

    About three days ago, I noticed spam messages were sent through two email accounts I have on my server. When I checked the logs in WHM, one of them displayed:

    Code:
    User: admin
    Domain: isacol.com
    Sender: rbray@isacol.com
    Sent Time: Apr 15, 2013 9:33:09 AM
    Sender Host: isacol.com
    Sender IP: 60.244.205.92
    Authentication: courier_login
    Spam Score:
    Recipient: katkel@bvunet.net
    Delivered To: katkel@bvunet.net
    Delivery User: -remote-
    Delivery Domain:
    Router: lookuphost
    Transport: remote_smtp
    Out Time: Apr 15, 2013 9:33:09 AM
    ID: 1URkSq-0004xk-Or
    Delivery Host: mx1.emailsrvr.com
    Delivery IP: 98.129.185.131
    Size: 2.37 KB
    Result: Message accepted
    and in the exim logs this was found:

    Code:
    2013-04-15 09:33:01 1URkSq-0004xk-Or <= rbray@isacol.com H=(isacol.com) [60.244.205.92]:3129 P=esmtpa A=courier_login:rbray@isacol.com S=2423 id=3AEFF677.A8D9FD07@isacol.com T="Quitting love game? Get necessary recommendations delivered worldwide!" for lou@btitravel.com superstar@budweiser.com scholtes@buymybikes.com williammckenzie_81@buzell.com katkel@bvunet.net bet@bw.beachwood.k12.oh.us mra-z@c0mcast.net malik721@ca.rr.com fend.vermietung@cable.vol.at yougsan@cableandwireless.com debbiefunke@cableone.net ricoc@calldcap.com harris@callquest.org rnarod@cambridgewhoswho.com tom@campak.com joangregory.9@cannel.net info@canta-songel.com terrib@capitolabstract.com enkca@carltonfields.com rljordan@carolina.rr.com
    2013-04-15 09:33:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1URkSq-0004xk-Or

    I changed the email account password then and it stopped, but I get many log messages every day saying authentication failed.

    Maybe some of our computer users have been hacked or something. Is there any way I can prevent this from happening again? I tried to find out what computer was infected but no luck. The logs show different IP addresses but the same domain (our domain, isacol.com) every time spam is being sent.

    Can I run anything or change anything in my configuration to prevent this?

    Thanks in advance.

    Reginaldo.
     
  2. arunsv84

    arunsv84 Well-Known Member

    cPanel Access Level:
    Root Administrator
    Hi,

    Normally, when an email account password is compromised, spammers will try to access the same account from different locations. You have already identified the spamming source and reset the password, so there is no need to worry. "authentication failed" is because spammers are still trying to access this email account using the old password. You can safely ignore it. You just need to make sure that the machines you use for mailing purposes are free from viruses/trojans and that the email account password is more complex.

    Cheers!!!
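As an added example (not code from the thread or from cPanel), the following Python script parses the two kinds of exim_mainlog lines discussed above: the `<=` submission lines with `A=courier_login:user` (to spot one account sending from many IPs to many recipients, as in the first post) and the `authenticator failed ... (set_id=user)` lines (the "authentication failed" noise after the reset, as in the reply). It assumes cPanel's exim log format; the sample log lines, IPs and message IDs are constructed.

```python
import re
from collections import defaultdict

# Exim "<=" (message received) line, in the form cPanel's exim_mainlog writes it.
RECEIVED = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) H=\((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\](?::\d+)? P=(?P<proto>\S+) A=(?P<auth>[^:]+):(?P<user>\S+)"
    r" .* for (?P<rcpts>.+)$"
)
# Exim authenticator-failure line: the "authentication failed" noise after a reset.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<auth>\S+) authenticator failed for .*?\[(?P<ip>[^\]]+)\]"
    r".*\(set_id=(?P<user>[^)]+)\)"
)

def summarize(lines):
    """Per account: authenticated submissions, recipients, source IPs, failed logins."""
    stats = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "ips": set(), "fails": 0})
    for line in lines:
        m = RECEIVED.match(line)
        if m:
            s = stats[m["user"]]
            s["msgs"] += 1
            s["rcpts"] += len(m["rcpts"].split())
            s["ips"].add(m["ip"])
            continue
        m = AUTH_FAIL.match(line)
        if m:
            stats[m["user"]]["fails"] += 1
    return stats

def flag_compromised(stats, max_ips=2, max_rcpts=20):
    """Accounts submitting from many distinct hosts or to many recipients."""
    return sorted(u for u, s in stats.items()
                  if len(s["ips"]) > max_ips or s["rcpts"] > max_rcpts)

# Constructed sample lines (documentation IPs, made-up IDs) modelled on the post.
SAMPLE = [
    '2013-04-15 09:33:01 1UAaaa-000001-Ab <= rbray@isacol.com H=(isacol.com) [192.0.2.10]:3129 P=esmtpa A=courier_login:rbray@isacol.com S=2423 id=1@isacol.com T="offer" for a@example.net b@example.net c@example.net',
    '2013-04-15 09:41:12 1UAaaa-000002-Cd <= rbray@isacol.com H=(isacol.com) [198.51.100.7]:1044 P=esmtpa A=courier_login:rbray@isacol.com S=2390 id=2@isacol.com T="offer" for d@example.net e@example.net f@example.net',
    '2013-04-15 09:55:40 1UAaaa-000003-Ef <= rbray@isacol.com H=(isacol.com) [203.0.113.5]:2201 P=esmtpa A=courier_login:rbray@isacol.com S=2401 id=3@isacol.com T="offer" for g@example.net h@example.net i@example.net',
    '2013-04-15 10:02:03 1UAaaa-000004-Gh <= info@isacol.com H=(pc.isacol.com) [192.0.2.20]:5012 P=esmtpa A=courier_login:info@isacol.com S=1800 id=4@isacol.com T="invoice" for j@example.org',
    '2013-04-16 02:11:03 courier_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=rbray@isacol.com)',
    '2013-04-16 02:11:09 courier_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=rbray@isacol.com)',
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for user in flag_compromised(report):
        print(user, report[user])
```

On a live server, feed it `/var/log/exim_mainlog` line by line instead of `SAMPLE`; the same regexes apply to the `dovecot_login` authenticator on newer cPanel builds since the authenticator name is captured, not hard-coded.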
     
  3. rbray

    rbray Registered

    cPanel Access Level:
    Website Owner
    Thank you, arunsv84, for your answer.

    I guess if I can't identify the compromised computer I will have this problem again shortly, right? Is there a way to block this from the server? I noticed that all the spam messages use H=(isacol.com), which is our domain name. I read that removing it from /etc/localdomains will solve this; is this right?

    Thank you again.
     
  4. arunsv84

    arunsv84 Well-Known Member

    cPanel Access Level:
    Root Administrator
    Yes, that's correct.

    If you remove it, mailing for this domain will not work properly. When an email is sent out from a cPanel server, exim checks /etc/localdomains in order to send the email to the correct place. Is that email account so important to you? If you are worried about further spamming, it would be better to delete this account and create another, something like rbray1@domainname.com or brayr@domainname.com or something similar.

    Cheers!!!
     
  5. rbray

    rbray Registered

    cPanel Access Level:
    Website Owner
    You are right.

    Thank you very much for your help.
     
  6. arunsv84

    arunsv84 Well-Known Member

    cPanel Access Level:
    Root Administrator
    No problem.
     