Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Spam issue, trying to understand exim log

Discussion in 'E-mail Discussion' started by fernandomm, Nov 26, 2009.

  1. fernandomm

    fernandomm Active Member

    Joined:
    Nov 25, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    51
    Hello,

    I am having some issues with spam on my server. I have received a report from aol and, using the from header, got the message IDs. Here it is one of them:

    Code:
    2009-11-24 23:00:10 [25870] 1ND3Qg-0006jG-8y <= medsex1@yahoo.com H=localhost (myhostname.com) [127.0.0.1]:44846 I=[127.0.0.1]:25 P=smtp S=1084 id=003d01c45ea6$231c589f$b2b07d80@ljfvbxnv T="SEX NO PROBLEMS!" from <medsex1@yahoo.com> for mbayguy@comcas.net
2009-11-24 23:00:10 [25873] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ND3Qg-0006jG-8y
2009-11-24 23:00:10 [25873] 1ND3Qg-0006jG-8y ** mbayguy@comcas.net F=<medsex1@yahoo.com> R=fail_remote_domains: The mail server could not deliver mail to mbayguy@comcas.net.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-11-24 23:00:10 [25878] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1ND3Qg-0006jG-8y
2009-11-24 23:00:10 [25878] 1ND3Qg-0006jO-K9 <= <> R=1ND3Qg-0006jG-8y U=mailnull P=local S=2025 T="Mail delivery failed: returning message to sender" from <> for medsex1@yahoo.com
2009-11-24 23:00:10 [25873] 1ND3Qg-0006jG-8y Completed QT=0s
    I can't identify how the spam is being send and who is sending it. According to this logs the user is using a script, right?

    Shouldn't the username appear at U=mailnull? Because mailnull is the user that exim runs, right?

    Thanks!
     
    #1 fernandomm, Nov 26, 2009
  2. thewebhostingdi

    thewebhostingdi Well-Known Member

    Joined:
    Jan 10, 2008
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    66
    You can check the mail logs if you have an access to the server by firing the below command:

    cat /var/log/exim_mainlog | grep 1ND3Qg-0006jG-8y

    By firing the above command you might get the domain name from which SMTP authentication the spam mail was sent.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 thewebhostingdi, Nov 28, 2009
  3. Denis Mischenko

    Denis Mischenko Registered

    Joined:
    Apr 17, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    51
    Hello,

    I've found this issue too.
    With the default cPanel configuration(setup) you are able to connect to localhost port 25 and send the messages without authentification.
    Usually it's used along with server hostname in the from field.

    Code:
    [18:04] [server1 etc] # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220-server1.xxx.tld ESMTP Exim 4.69 #1 Wed, 02 Dec 2009 18:04:35 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo server1.xxx.tld
250 server1.xxx.tld Hello localhost [127.0.0.1]
mail from: <support@server1.xxx.tld>
250 OK
rcpt to: <ard@xyy.tld>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
Subject: Testing spam!!!
SPAMMED.
.
250 OK id=1NFyG5-0006t1-BZ
quit
221 server1.xxx.tld closing connection
Connection closed by foreign host.
    And such messages are accepted and set to external addresses. This can be stopped by removing main domain from /etc/localdomains or by adding deny acl for the following conditions:

    Code:
    hosts = 127.0.0.1
condition = ${if match_domain{$sender_address_domain}{${primary_hostname}}{yes}{no}}
    However this does not protect from use of the other domains owned by the other users. So anyone who will find what domains are hosted on the server will be able to send spam on behalf of that users.

    Enable authentification on localhost? Changes in the /etc/exim.conf are not persistent. Also can authentification create issues for the other services?
     
    #3 Denis Mischenko, Dec 3, 2009
  4. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,554
    Likes Received:
    9
    Trophy Points:
    168
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    There is not enough detail in the provided log data to know for certain what generated the initial SMTP connection from localhost.

    To help with future occurrences, please consider adjusting the Exim configuration via the Exim Configuration Editor in WHM.

    WHM, Main >> Service Configuration >> Exim Configuration Editor:
    "Set the Sender: Header when the mail sender changes the sender (-f flag passed to sendmail)."
    Set to Enabled by ensuring the checkbox is ticked.
    The above option will ensure the e-mail sender header is properly set as the true sender, such as "nobody" or whichever user ran the script if using SuPHP or which e-mail account the script used for authentication; this also helps with tracking Spam that slipped by and is later reported back to you by way of receiving a copy of the full e-mail headers.

    WHM, Main >> Service Configuration >> Exim Configuration Editor >> Advanced Editor
    In the first text box on the above page add the following line:
    Code:
    log_selector = +all -ident_timeout -pid
    This step will help generate more detailed Exim logging data.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelDon, Dec 15, 2009
  5. tiolalu

    tiolalu Registered

    Joined:
    May 30, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    I'm sorry that I rescued this post like an archaeologist, but I'm having the same problem and I can't find the solution after looking for it hardly.

    Can enyone, please, tell me how to make all smtp connections to authenticate?
    So when anyone insert the "rcpt to" the system answer: "550 authentication required"

    Thanks in advance,
    Best regards.

    PD: I forgot it. I'm running an VPS with cPanel 11.25.0-STABLE S45750
     
    #5 tiolalu, May 30, 2010
    Last edited: May 30, 2010
  6. tiolalu

    tiolalu Registered

    Joined:
    May 30, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    Ok I found the "problem". If you logged in the last 30 min. you are able to send mails without authenticate.

    Now I'll look closely the access log.
     
    #6 tiolalu, Jun 1, 2010
  7. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,554
    Likes Received:
    9
    Trophy Points:
    168
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    To avoid that behavior simply disable Antirelayd via the Service Manager in WHM at the following menu path (with linked documentation): WHM: Main >> Service Configuration >> Service Manager
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 cPanelDon, Jun 1, 2010
(You must log in or sign up to post here.)
Loading...
Similar Threads - Spam issue trying
  1. mondhost

    Email going to spam issue

    mondhost, Jul 22, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    79
    cPanelLauren
    Jul 23, 2018
  2. DJMaze2

    SpamAssassin content limit issue?

    DJMaze2, Jul 4, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    114
    cPanelLauren
    Jul 5, 2018
  3. RafaelEbarola

    Apache SpamAssassin issue

    RafaelEbarola, May 2, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    140
    cPanelLauren
    May 2, 2018
  4. K2rool

    SpamAssassin SPF PTR issue

    K2rool, Nov 3, 2017, in forum: E-mail Discussion
    Replies:
    3
    Views:
    334
    cPanelMichael
    Nov 7, 2017
  5. liamwestcoast

    Outgoing Email Spam Issue

    liamwestcoast, Jul 11, 2017, in forum: E-mail Discussion
    Replies:
    11
    Views:
    1,184
    liamwestcoast
    Jul 18, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice