Spam seemingly being sent via user's email address without logging in

keithl (Active Member, joined Jan 14, 2010; cPanel Access Level: DataCenter Provider)
Someone seems to be managing to send spam through our server, using one of our clients' email accounts without authenticating, but I can't see how. Until we spotted it and suspended the account it had sent shedloads of messages (39,886 between 17:00 on Friday and 18:00 on Saturday), all showing as being from the real user's email address. From the exim_mainlog there are loads of the following entries:

---
2012-11-30 08:18:52 SMTP connection from [109.197.82.92]:5735 (TCP/IP connection count = 1)
2012-11-30 08:18:52 no host name found for IP address 109.197.82.92
2012-11-30 08:18:54 1TeLoE-0002WK-Ei <= [email protected] H=(ezrdqiwp) [109.197.82.92]:5735 P=esmtpa A=courier_login:[email protected] S=1494 T="B .a`ng{i -n~g" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2012-11-30 08:18:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TeLoE-0002WK-Ei
2012-11-30 08:18:55 1TeLoE-0002WK-Ei => [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei Completed
---

We saw loads for that IP followed by identical occurrences for 109.228.118.145 and 115.79.115.100. Since I don't think the old lady whose account it is has been on a tour of Vietnam, Montenegro and Romania, and paid for it by selling a brand of male speciality pills, I don't think they're legitimate!

We're running cPanel 5.8 and WHM 11.34.0 (build 9) with Exim 4.80 #2 built 2-Oct-2012. I've confirmed that tailwatchd is running, so the system should be requiring POP before SMTP authentication (I assume the same applies to IMAP), and when I've tried connecting to port 25 via telnet from an external machine and sending a similar message it correctly blocks me. Looking in maillog there are no login attempts for any of those IPs, and I've checked in several other logs (exim_rejectlog, messages, cphulkd.log, access_log) and none of them have any entries for those IPs either. There are a few login attempts for the actual user herself, but those are from her normal IP address and the times don't correspond with the spam messages.

Anyone know of or have any ideas how this is happening, and more importantly how I can stop it from happening again?

Thanks
Keith
 

acenetgeorge (Well-Known Member, PartnerNOC, joined Mar 6, 2008, Southfield, MI; cPanel Access Level: DataCenter Provider)
If the log entry shows "A=courier_login" in it, the spammer is logging in with the email account and password. Their email login is compromised.

What we do when we see this is randomize the password (change it to a random password), and then tell the client that their email password was compromised, and to log into cPanel to reset the password to a unique password that is more secure.

Compromised passwords seem to be on the rise. We see a lot of spam due to this.
 

keithl (Active Member, joined Jan 14, 2010; cPanel Access Level: DataCenter Provider)
Thanks for the response, I realise now I was misreading / misunderstanding the information in the logs, which is where my confusion was coming from.

For most legit connections, e.g. people with an email client, you see a well-defined IMAP/POP3 login shown in /var/log/maillog which then matches with the user receiving their messages and sending them, so I was expecting to see similar with these messages as well. I realise now that when using an authenticated SMTP connection (therefore not requiring you to first make an IMAP/POP3 connection) you don't get anything logged there at all. Instead the "P=esmtpa" part of the log indicates the method used to send the message.

I'd spotted the http://forums.cpanel.net/f43/spam-campaign-being-sent-through-dozens-email-accounts-multiple-servers-305212.html thread but figured this was something different; I now realise it's probably the same thing.
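As an added example (not code from this thread or from cPanel), here is a small Python script that applies the point made above: it parses exim_mainlog arrival lines, keeps only the authenticated `P=esmtpa` submissions together with the `A=` account that logged in, and flags accounts that are submitting from more source IPs (or more messages) than one mailbox owner plausibly would. The sample log lines, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Exim "<=" (message arrival) line. H=, P= and A= are Exim's own field names:
# P=esmtpa means the submission was authenticated over SMTP, and A=<authenticator>:<user>
# names the account that logged in, which is why nothing shows up in the POP/IMAP maillog.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=.*?\[(?P<ip>[^\]]+)\]:\d+ P=(?P<proto>\S+)(?: A=(?P<auth>[^:\s]+):(?P<user>\S+))?"
)


def parse_authenticated_submissions(lines):
    """Return one dict per authenticated (P=esmtpa) arrival line; other lines are skipped."""
    found = []
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if m and m.group("proto") == "esmtpa" and m.group("user"):
            found.append(m.groupdict())
    return found


def find_abused_accounts(lines, max_ips=1, max_msgs=100):
    """Flag accounts seen from more IPs, or sending more messages, than the thresholds allow.

    Thresholds are assumptions: one mailbox owner normally submits from one or two
    addresses, whereas a stolen password tends to be used from many unrelated networks.
    """
    per_user = defaultdict(lambda: {"count": 0, "ips": set()})
    for rec in parse_authenticated_submissions(lines):
        per_user[rec["user"]]["count"] += 1
        per_user[rec["user"]]["ips"].add(rec["ip"])
    flagged = {}
    for user, stats in per_user.items():
        if len(stats["ips"]) > max_ips or stats["count"] > max_msgs:
            flagged[user] = {"count": stats["count"], "ips": sorted(stats["ips"])}
    return flagged


# Constructed sample lines in exim_mainlog format (IPs are from documentation ranges).
SAMPLE_LOG = """\
2012-11-30 08:18:54 1TeLoE-0002WK-Ei <= alice@example.com H=(ezrdqiwp) [192.0.2.10]:5735 P=esmtpa A=courier_login:alice@example.com S=1494 T="Hi" for one@example.net
2012-11-30 08:19:01 1TeLoF-0002WL-Ab <= alice@example.com H=(kjhgf) [198.51.100.7]:4411 P=esmtpa A=courier_login:alice@example.com S=1501 T="Hi" for two@example.net
2012-11-30 08:19:30 1TeLoG-0002WM-Cd <= alice@example.com H=(zxcvb) [203.0.113.99]:6001 P=esmtpa A=courier_login:alice@example.com S=1490 T="Hi" for three@example.net
2012-11-30 09:02:11 1TeLpZ-0002XQ-Qq <= bob@example.com H=home.isp.example (bobpc) [192.0.2.200]:50122 P=esmtpa A=courier_login:bob@example.com S=2210 T="Report" for boss@example.org
2012-11-30 09:05:40 1TeLpa-0002XR-Rr <= newsletter@example.org H=mx.example.org [198.51.100.50]:33210 P=esmtp S=8800 T="News" for alice@example.com
""".splitlines()

if __name__ == "__main__":
    for user, info in find_abused_accounts(SAMPLE_LOG).items():
        print(f"{user}: {info['count']} messages from {len(info['ips'])} IPs {info['ips']}")
```

Run it against a real exim_mainlog with `find_abused_accounts(open("/var/log/exim_mainlog").readlines())`; an account flagged this way is the one whose password should be randomised and whose owner should be told, as the reply above describes.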