Spam issue - lmtp(15774): Connect from local

Kennybe

Registered
Jun 2, 2022
4
1
3
Belgium
cPanel Access Level
Root Administrator
For months now I've been struggling with a spam issue. Changing passwords doesn't work, there are no PHP scripts on the server ... This morning I changed the password, but not on the clients ... still spam ... I can't find the issue.

I found several lines in the log file every time I got a mail that the limit was exceeded (I set it to 30 per hour) ... I think there is no authentication for sending the mails, it's local, but how do I find the source?

Jun 2 12:52:01 nemesis dovecot: lmtp(15774): Connect from local
Jun 2 12:52:01 nemesis dovecot: lmtp([email protected])<15774><oOWUElGWmGKePQAAL2Bj9A>: msgid=<[email protected]>: saved mail to INBOX
Jun 2 12:52:01 nemesis dovecot: lmtp(15774): Disconnect from local: Logged out (state=READY)

Kennybe

2022-06-02 12:51:44 SMTP connection from [165.227.206.111]:38100 (TCP/IP connection count = 3)
2022-06-02 12:51:44 no host name found for IP address 165.227.206.111
2022-06-02 12:51:46 H=(mail.asticom.com) [165.227.206.111]:38100 Warning: Sender rate 1.0 / 1h
2022-06-02 12:51:48 1nwiQe-00048B-6G <= [email protected] H=(mail.asticom.com) [165.227.206.111]:38100 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:[email protected] S=1175 id=[email protected] T="\357\273\277" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2022-06-02 12:51:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1nwiQe-00048B-6G
2022-06-02 12:51:48 1nwiQe-00048B-6G Sender identification U=asticom D=asticom.com S=[email protected]
2022-06-02 12:51:48 1nwiQe-00048B-6G SMTP connection outbound 1654167108 1nwiQe-00048B-6G xxx.com [email protected]
2022-06-02 12:51:48 1nwiQe-00048B-6G Sender identification U=asticom D=asticom.com S=[email protected]
2022-06-02 12:51:48 1nwiQe-00048B-6G SMTP connection outbound 1654167108 1nwiQe-00048B-6G xxx.com [email protected]
2022-06-02 12:51:48 1nwiQe-00048B-6G Sender identification U=asticom D=asticom.com S=[email protected]

and more lines like the last one ...
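In exim's mainlog the `P=esmtpsa` and `A=dovecot_plain:<login>` fields on a `<=` line mean the message was accepted over authenticated SMTP submission with that mailbox's login, so the lines quoted above name both the account and the source IP. As an added example that is not code from this thread, the Python below parses such lines and flags authenticated submissions from an IP outside a trusted set that fan out to many recipients; the sample log is constructed, with placeholder mailbox addresses.

```python
import re

# Constructed sample modelled on the exim mainlog "<=" lines quoted above: the source IP,
# HELO name and message id come from the post, the mailbox addresses are placeholders.
SAMPLE_MAINLOG = """\
2022-06-02 12:51:48 1nwiQe-00048B-6G <= spam@asticom.com H=(mail.asticom.com) [165.227.206.111]:38100 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:spam@asticom.com S=1175 id=a1@asticom.com T="offer" for r1@example.net r2@example.net r3@example.net r4@example.net r5@example.net r6@example.net r7@example.net r8@example.net r9@example.net r10@example.net
2022-06-02 13:10:02 1nwihZ-00049Q-2c <= alice@asticom.com H=(laptop) [203.0.113.7]:52211 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:alice@asticom.com S=2048 id=b2@asticom.com T="report for monday" for bob@example.org
2022-06-02 13:15:40 1nwimz-0004A0-7k <= bounce@other.test H=(mx.other.test) [198.51.100.9]:40112 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=4096 id=c3@other.test T="hello" for alice@asticom.com
"""

# exim arrival line: "<ts> <id> <= <sender> H=(helo) [ip]:port P=proto ... [A=auth:login] ... for rcpt ..."
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:\d+ P=(?P<proto>\S+)"
    r"(?:.*? A=(?P<auth>\S+))?.* for (?P<rcpts>.+)$"
)

def parse_arrival(line):
    """Return the fields of an exim '<=' line as a dict, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rcpts"] = rec["rcpts"].split()
    # A=<authenticator>:<login>; the login is the credential a spammer is reusing
    auth = rec["auth"] or ""
    rec["auth_user"] = auth.split(":", 1)[1] if ":" in auth else None
    return rec

def find_suspicious(log_text, trusted_ips=frozenset(), rcpt_threshold=5):
    """Flag authenticated submissions from outside trusted_ips that fan out to many recipients."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None or rec["auth_user"] is None:
            continue  # unauthenticated inbound mail is a different problem (open relay, spoofing)
        if rec["ip"] not in trusted_ips and len(rec["rcpts"]) >= rcpt_threshold:
            hits.append({"id": rec["id"], "auth_user": rec["auth_user"], "ip": rec["ip"],
                         "helo": rec["helo"], "recipients": len(rec["rcpts"])})
    return hits

def logins_by_source(log_text):
    """Map each authenticated login to the source IPs it used, so a new network stands out."""
    sources = {}
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec and rec["auth_user"]:
            sources.setdefault(rec["auth_user"], set()).add(rec["ip"])
    return sources
```

Running `find_suspicious` over the live mainlog yields the login to reset and the IP to block, and `logins_by_source` shows whether that login also submits from the user's usual networks.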
 

Kennybe

It is the spammer ... each time I receive a mail that the mail limit is exceeded, the same pattern occurs in the mainlog and the exim maillog.

Today I had 5 mails ...
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,924
1,718
363
cPanel Access Level
Root Administrator
When the log shows "Connect from local", that would mean a webmail connection, or access to webmail through cPanel. I wonder if that user has malware on their local system that is contributing to password changes not working. It would be worth having any users with access to that cPanel account scan their local system for viruses or keyloggers.
 

Kennybe

Strange ... I changed the password on an iOS device, a Mac and a Windows PC from the army (I think the last one would be very strange if there was a keylogger).

Noticed twice that the Facebook account registered with the same email address was hacked ... (password recovery via mail).

Now scanning my two Macs for viruses and other stuff ...