
Spam Problem

Discussion in 'E-mail Discussions' started by madpato, Jun 26, 2012.

  1. madpato

    madpato Active Member

    Hello

    I have a customer on my cPanel server that is sending spam. I get the AUTHRELAY message from csf in my email inbox (lots of them now...), and it turns out that when I go see the problem, the supposed script or whatever is doing it... it creates aliases of the domain in question and sends spam... Here is an example of one of the emails it's sending:


    Code:
    1Sjelt-0001cp-Ux-H
    mailnull 47 12
    <qyjiro@MYDOMAIN.COM>
    1340751729 0
    -helo_name nqkecamx
    -host_address 186.52.51.68.3691
    -host_auth courier_login
    -interface_address MYSERVERIPADDRESS.25
    -received_protocol esmtpa
    -body_linecount 4
    -max_received_linelength 185
    -auth_id hnayem@MYDOMAIN.COM
    NN mmetod1@lsu.edu
    8
    anuragkushwaha007@yahoo.com
    golco13@yahoo.com
    jssm-lion@hotmail.fr
    fahad-sheyaa@hotmail.com
    rdblnchrd@yahoo.com
    chess_mgo@yahoo.com
    mmetod1@lsu.edu
    stimulatingone@hotmail.com
    
    194P Received: from [186.52.51.68] (port=3691 helo=nqkecamx)
    by MYSERVER with esmtpa (Exim 4.77)
    (envelope-from <qyjiro@MYDOMAIN.COM>)
    id 1Sjelt-0001cp-Ux; Tue, 26 Jun 2012 19:02:10 -0400
    014 Subject: tica
    038 Date: Wed, 27 Jun 2012 01:45:04 +0200
    047F From: "Yrmiehr Vwyfraevx" <qyjiro@MYDOMAIN.COM>
    186T To: anuragkushwaha007@yahoo.com, golco13@yahoo.com, jssm-lion@hotmail.fr, fahad-sheyaa@hotmail.com, rdblnchrd@yahoo.com, chess_mgo@yahoo.com, mmetod1@lsu.edu, stimulatingone@hotmail.com
    018 Mime-Version: 1.0
    043 Content-Type: text/plain; charset=us-ascii
    
    Data spool file
    
    1Sjelt-0001cp-Ux-D
    giqy http://tcfb5482.tripod.com horul vud
    kibe vihi cu xy 
    This comes from multiple IP addresses, so it's no use if I blacklist some of them; they just send again from another IP address. I have suspended the account so I can check this issue, but I believe he has a computer on his local network with the password of an account compromised... or maybe not, I'm still trying to find out the source of this problem...

    Any ideas are appreciated, thank you.
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    If you believe it's his local computer that's compromised, you could try unsuspending the account and changing the email passwords along with the cPanel password to see the results. If the user still manages to send out more spam, then that's not the mechanism.
     
  3. madpato

    madpato Active Member

    Yes, it was indeed a certain account. The password was changed and it kept sending spam, so I asked my customer to unplug the computer from the internet, and the spam stopped.

    Best regards
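
The spool header posted at the top of this thread records the authenticated login (`-auth_id`) separately from the randomized envelope sender, so grouping queued messages by that field points at the mailbox whose credentials are being used. The following is an added example, not part of the original thread: it parses constructed `-H` files modelled on the one posted. The example.com/example.net addresses, documentation-range IPs and function names are assumptions made for the illustration.

```python
from collections import defaultdict

def parse_spool_header(text):
    """Parse the envelope part of an Exim -H spool file (layout as in the post above)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    info = {"id": lines[0].removesuffix("-H"), "sender": lines[2].strip("<>"),
            "opts": {}, "rcpts": []}
    i = 4  # lines 0-3: message id, user/uid/gid, envelope sender, receive time
    while i < len(lines) and lines[i].startswith("-"):
        key, _, val = lines[i][1:].partition(" ")
        info["opts"][key] = val
        i += 1
    # Skip the non-recipients tree ("XX" or "NN addr") up to the bare recipient count.
    while i < len(lines) and not lines[i].isdigit():
        i += 1
    if i < len(lines):
        info["rcpts"] = lines[i + 1:i + 1 + int(lines[i])]
    return info

def summarize(headers):
    """Group messages by authenticated login; collect source IPs and mismatched senders."""
    by_auth = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "ips": set(), "other_senders": set()})
    for h in map(parse_spool_header, headers):
        auth = h["opts"].get("auth_id")
        if not auth:
            continue  # not an authenticated SMTP submission
        s = by_auth[auth]
        s["msgs"] += 1
        s["rcpts"] += len(h["rcpts"])
        s["ips"].add(h["opts"].get("host_address", "").rsplit(".", 1)[0])  # drop ".port"
        if h["sender"].lower() != auth.lower():
            s["other_senders"].add(h["sender"])
    return dict(by_auth)

# Constructed sample data (not taken from a real queue).
TEMPLATE = """{mid}-H
mailnull 47 12
<{sender}>
1340751729 0
-host_address {ip}.3691
-host_auth courier_login
-auth_id hnayem@example.com
NN b@example.net
2
a@example.net
b@example.net
"""
SAMPLE = [TEMPLATE.format(mid="1AAAAA-000001-AA", sender="qyjiro@example.com", ip="192.0.2.10"),
          TEMPLATE.format(mid="1BBBBB-000002-BB", sender="wxkzu@example.com", ip="198.51.100.7")]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

One login with many source IPs and envelope senders that never match it is the pattern described in this thread: stolen mailbox credentials used from many hosts, which is why blocking individual IP addresses did not help.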
     