Spam is sending out through my server

rbray

Registered
Apr 18, 2013
cPanel Access Level
Website Owner
Good day.

About three days ago, I noticed spam messages were being sent through two email accounts I have on my server. When I checked the logs in WHM, one of them displayed:

Code:
User: admin
Domain: isacol.com
Sender: [email protected]
Sent Time: Apr 15, 2013 9:33:09 AM
Sender Host: isacol.com
Sender IP: 60.244.205.92
Authentication: courier_login
Spam Score:
Recipient: [email protected]
Delivered To: [email protected]
Delivery User: -remote-
Delivery Domain:
Router: lookuphost
Transport: remote_smtp
Out Time: Apr 15, 2013 9:33:09 AM
ID: 1URkSq-0004xk-Or
Delivery Host: mx1.emailsrvr.com
Delivery IP: 98.129.185.131
Size: 2.37 KB
Result: Message accepted

And in the Exim logs this was found:

Code:
2013-04-15 09:33:01 1URkSq-0004xk-Or <= [email protected] H=(isacol.com) [60.244.205.92]:3129 P=esmtpa A=courier_login:[email protected] S=2423 [email protected] T="Quitting love game? Get necessary recommendations delivered worldwide!" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2013-04-15 09:33:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1URkSq-0004xk-Or

I changed the email account password then and it stopped, but I get many log messages every day saying authentication failed.

Maybe some of our computer users have been hacked or something. Is there any way I can prevent this from happening again? I tried to find out which computer was infected, but no luck. The logs show different IP addresses but the same domain (our domain, isacol.com) every time spam is being sent.

Can I run anything or change anything in my configuration to prevent this?

Thanks in advance.

Reginaldo.
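One way to spot a compromised account in logs like the ones above, as an added example that is not from the original thread and not cPanel's or Exim's own tooling: the script parses Exim `<=` (message received) lines in the layout shown in the post, tallies messages, recipients and client IPs per authenticated login (the `A=courier_login:...` field), and flags logins that send to unusually many recipients or from too many different IPs. The sample log lines, addresses, IPs and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Fields of an Exim "<=" (message received) line in the layout shown in the post:
# timestamp, queue id, sender, H=(helo) [ip]:port ... A=authenticator:login ... for <recipients>
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<qid>\S+) <= (?P<sender>\S+) "
    r"H=(?:\S+ )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]"
    r".*? A=(?P<auth>\S+)"   # SMTP AUTH sessions carry A=<authenticator>:<login>
    r".* for (?P<rcpts>.+)$"  # greedy: the last " for " follows the quoted T="subject"
)
def parse_arrival(line):
    """Fields of an authenticated '<=' line, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rcpts"] = rec["rcpts"].split()
    rec["authenticator"], _, rec["login"] = rec["auth"].partition(":")
    return rec
def summarize(lines):
    """Per authenticated login: message count, total recipients, distinct client IPs."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set()})
    for line in lines:
        rec = parse_arrival(line)
        if rec is None or not rec["login"]:
            continue  # queue lines such as "cwd=/var/spool/exim ... -Mc <id>" are skipped
        s = stats[rec["login"]]
        s["messages"] += 1
        s["recipients"] += len(rec["rcpts"])
        s["ips"].add(rec["ip"])
    return stats
def flag_suspicious(stats, max_avg_rcpts=10, max_ips=3):
    """Logins that look like a stolen password: bulk recipient lists or many client IPs."""
    flagged = {}
    for login, s in stats.items():
        avg = s["recipients"] / s["messages"]
        reasons = ["avg %.1f recipients/message" % avg] if avg > max_avg_rcpts else []
        if len(s["ips"]) > max_ips:
            reasons.append("%d distinct client IPs" % len(s["ips"]))
        if reasons:
            flagged[login] = reasons
    return flagged
# Constructed sample log: layout copied from the post, addresses and IPs made up.
SAMPLE_LOG = """\
2013-04-15 09:33:01 1URkSq-0004xk-Or <= sales@isacol.com H=(isacol.com) [198.51.100.7]:3129 P=esmtpa A=courier_login:sales@isacol.com S=2423 T="Quitting love game? Get necessary recommendations delivered worldwide!" for u1@example.net u2@example.net u3@example.net u4@example.net u5@example.net u6@example.net u7@example.net u8@example.net u9@example.net u10@example.net u11@example.net u12@example.net
2013-04-15 09:33:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1URkSq-0004xk-Or
2013-04-15 09:35:10 1URkUk-0004yy-Ab <= sales@isacol.com H=(isacol.com) [203.0.113.45]:4011 P=esmtpa A=courier_login:sales@isacol.com S=2410 T="Quitting love game? Get necessary recommendations delivered worldwide!" for u13@example.net u14@example.net u15@example.net u16@example.net u17@example.net u18@example.net u19@example.net u20@example.net u21@example.net u22@example.net u23@example.net
2013-04-15 10:02:44 1URkvY-00051Q-Zz <= reginaldo@isacol.com H=(office-pc) [192.0.2.10]:54012 P=esmtpa A=courier_login:reginaldo@isacol.com S=1810 T="Invoice 1042" for accounting@example.org
"""
```

Run it as `flag_suspicious(summarize(open("/var/log/exim_mainlog")))` on a cPanel box to list the logins worth a password reset; tune the two thresholds to what your legitimate users normally do.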
 

arunsv84

Well-Known Member
Oct 20, 2008
cPanel Access Level
Root Administrator
Hi,

Normally, when an email account password is compromised, spammers will try to access the same account from different locations. You have already identified the spamming source and reset the password, so there is no need to worry. "authentication failed" appears because spammers are still trying to access this email account using the old password. You can safely ignore it. You just need to make sure that the machines you use for mailing are free from viruses/trojans and that the email account password is more complex.

Cheers!!!
 

rbray

Thank you arunsv84 for your answer.

I guess if I can't identify the compromised computer I will have this problem again shortly, right? Is there a way to block this from the server? For example, I noticed that all the spam messages use H=(isacol.com), which is our domain name. I read that removing it from /etc/localdomains will solve this; is this right?

Thank you again.
 

arunsv84

> I guess if I can't identify the compromised computer I will have this problem again shortly, right?

Yes, that's correct.

> I read that removing it from /etc/localdomains will solve this, is this right?

If you remove it, mailing for this domain will not work properly. When an email is sent out from a cPanel server, Exim checks /etc/localdomains in order to send the email to the correct place. Is that email account so important to you? If you are worried about further spamming, it would be better to delete this account and create another one, something like [email protected] or [email protected] or similar.

Cheers!!!