The Community Forums


Spam seemingly being sent via user's email address without logging in

Discussion in 'E-mail Discussions' started by keithl, Dec 3, 2012.

  1. keithl

    keithl Member

    Joined:
    Jan 14, 2010
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Someone seems to be managing to send spam through our server, using one of our clients' email accounts without authenticating, but I can't see how. Until we spotted it and suspended the account it had sent shedloads of messages (39,886 between 17:00 on Friday and 18:00 on Saturday), all showing as being from the real user's email address. From the exim_mainlog there are loads of the following entries:

    ---
    2012-11-30 08:18:52 SMTP connection from [109.197.82.92]:5735 (TCP/IP connection count = 1)
    2012-11-30 08:18:52 no host name found for IP address 109.197.82.92
    2012-11-30 08:18:54 1TeLoE-0002WK-Ei <= real@address.com H=(ezrdqiwp) [109.197.82.92]:5735 P=esmtpa A=courier_login:real@address.com S=1494 T="B .a`ng{i -n~g" for external1@address1.com external2@address2.com external3@address2.com external4@address2.com external5@address3.com external6@address4.com
    2012-11-30 08:18:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TeLoE-0002WK-Ei
    2012-11-30 08:18:55 1TeLoE-0002WK-Ei => external1@address1.com R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
    2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> external2@address2.com R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
    2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> external3@address2.com R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
    2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> external4@address2.com R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
    2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> external5@address3.com R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
    2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> external6@address4.com R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
    2012-11-30 08:18:55 1TeLoE-0002WK-Ei Completed
    ---

    We saw loads for that IP followed by identical occurrences for 109.228.118.145 and 115.79.115.100. Since I don't think the old lady whose account it is has been on a tour of Vietnam, Montenegro and Romania, and paid for it by selling a brand of male speciality pills I don't think they're legitimate!

    We're running cPanel 5.8 and WHM 11.34.0 (build 9) with Exim 4.80 #2 built 2-Oct-2012. I've confirmed that tailwatchd is running so the system should be requiring POP before SMTP authentication (I assume the same applies to IMAP), and when I've tried connecting to port 25 via telnet from an external machine and sending a similar message it correctly blocks me. Looking in maillog there are no login attempts for any of those IPs, and I've checked in several other logs (exim_rejectlog, messages, cphulkd.log, access_log) and none of them have any entries for those IPs either. There are a few login attempts for the actual user herself, but those are from her normal IP address and the times don't correspond with the spam messages.

    Anyone know of or have any ideas how this is happening, and more importantly how I can stop it from happening again?

    Thanks
    Keith
     
  2. acenetgeorge

    acenetgeorge Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2008
    Messages:
    64
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Southfield, MI
    cPanel Access Level:
    DataCenter Provider
    If the log entry shows "A=courier_login" in it, the spammer is logging in with the email account and password. Their email login is compromised.

    What we do when we see this is randomize the password (change it to a random password), and then tell the client that their email password was compromised, and to log into cPanel to reset the password to a unique password that is more secure.

    Compromised passwords seem to be on the rise. We see a lot of spam due to this.
     
  3. keithl

    keithl Member

    Joined:
    Jan 14, 2010
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Thanks for the response, I realise now I was misreading / misunderstanding the information in the logs, which is where my confusion was coming from.

    For most legit connections, e.g. people with an email client, you see a well-defined IMAP/POP3 login shown in /var/log/maillog which then matches with the user receiving their messages and sending them, so I was expecting to see similar with these messages as well. I realise now that when using an authenticated SMTP connection (therefore not requiring you to first make an IMAP/POP3 connection) you don't get anything logged there at all. Instead the "P=esmtpa" part of the log indicates the method used to send the message.

    I'd spotted the http://forums.cpanel.net/f43/spam-campaign-being-sent-through-dozens-email-accounts-multiple-servers-305212.html thread but figured this was something different; I now realise it's probably the same thing.
     
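A small detection script, added here as an example (it is not from the thread, cPanel or Exim) that applies what the two replies above establish: a "<=" line in exim_mainlog carrying "P=esmtpa" and "A=courier_login:user" is an authenticated SMTP submission, so the account's password was used and no POP/IMAP login will appear in maillog. The script parses those lines, aggregates per authenticated account the message count, recipient count, distinct source IPs and time window, and flags accounts that submit from several IPs or in volume. The sample log lines are constructed from the format shown in the first post (the IPs beyond the three quoted there and the thresholds in flag_accounts are assumptions to tune for your own server).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Matches an exim_mainlog "message received" line: timestamp, message id,
# envelope sender, the remote IP inside the H= field, the protocol (P=) and,
# if present, the authenticator and authenticated user (A=name:user).
RECEIVED_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) '
    r'H=.*?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)? P=(?P<proto>\S+)'
    r'(?: A=(?P<auth>\S+))?'
)


@dataclass
class AccountStats:
    messages: int = 0
    recipients: int = 0
    ips: set = field(default_factory=set)
    first: str = ''
    last: str = ''


def parse_received(line):
    """Return details of an authenticated submission, or None for any other line."""
    m = RECEIVED_RE.match(line)
    if not m or not m.group('auth'):
        return None
    authenticator, _, user = m.group('auth').partition(':')
    # Envelope recipients follow the last " for " on the line.
    _, sep, tail = line.rpartition(' for ')
    recipients = tail.split() if sep else []
    return {
        'ts': m.group('ts'),
        'id': m.group('id'),
        'ip': m.group('ip'),
        'proto': m.group('proto'),
        'authenticator': authenticator,
        'user': user,
        'recipient_count': len(recipients),
    }


def summarise(lines):
    """Aggregate authenticated submissions per authenticated account."""
    stats = defaultdict(AccountStats)
    for line in lines:
        rec = parse_received(line.rstrip('\n'))
        if rec is None:
            continue
        s = stats[rec['user']]
        s.messages += 1
        s.recipients += rec['recipient_count']
        s.ips.add(rec['ip'])
        # Timestamps are ISO-style, so string comparison orders them correctly.
        if not s.first or rec['ts'] < s.first:
            s.first = rec['ts']
        if rec['ts'] > s.last:
            s.last = rec['ts']
    return dict(stats)


def flag_accounts(stats, min_ips=2, min_messages=100):
    """Accounts submitting from at least min_ips distinct IPs, or at least
    min_messages messages, in the log window. Thresholds are assumptions."""
    flagged = []
    for user, s in stats.items():
        reasons = []
        if len(s.ips) >= min_ips:
            reasons.append(f'{len(s.ips)} source IPs')
        if s.messages >= min_messages:
            reasons.append(f'{s.messages} messages')
        if reasons:
            flagged.append((user, ', '.join(reasons)))
    return sorted(flagged)


# Constructed sample, following the format quoted in the first post.
SAMPLE_LOG = """\
2012-11-30 08:18:54 1TeLoE-0002WK-Ei <= real@address.com H=(ezrdqiwp) [109.197.82.92]:5735 P=esmtpa A=courier_login:real@address.com S=1494 T="B .a`ng{i -n~g" for external1@address1.com external2@address2.com
2012-11-30 08:18:55 1TeLoE-0002WK-Ei => external1@address1.com R=smart_route T=remote_smtp H=our.smtp.server.com [198.51.100.10]
2012-11-30 08:19:10 1TeLoU-0002WQ-Aa <= real@address.com H=(qwertz) [109.228.118.145]:40321 P=esmtpa A=courier_login:real@address.com S=1502 T="hello" for external3@address2.com
2012-11-30 08:19:30 1TeLoX-0002WZ-Bb <= real@address.com H=(abcd) [115.79.115.100]:1234 P=esmtpa A=courier_login:real@address.com S=1490 T="hi" for external4@address2.com external5@address3.com external6@address4.com
2012-11-30 09:00:00 1TeMa0-0003AA-Cc <= other@address.com H=(home-pc) [203.0.113.5]:51000 P=esmtpa A=courier_login:other@address.com S=800 T="Re: lunch" for friend@example.org
2012-11-30 09:05:00 1TeMa5-0003AB-Dd <= root@server.example.com U=root P=local S=300 for admin@example.org
"""

if __name__ == '__main__':
    stats = summarise(SAMPLE_LOG.splitlines())
    for user, s in sorted(stats.items()):
        print(f'{user}: {s.messages} msgs, {s.recipients} rcpts, '
              f'{len(s.ips)} IPs, {s.first} .. {s.last}')
    for user, reason in flag_accounts(stats):
        print(f'FLAG {user}: {reason}')
```

Run it against the real exim_mainlog by passing the open file to summarise(). An account that shows up with several unrelated source IPs within an hour is the pattern described in this thread, and the fix is the one acenetgeorge gives: reset that account's password, since the A= field proves the credential itself was used.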