Someone seems to be managing to send spam through our server, using one of our clients' email accounts without authenticating, but I can't see how. Until we spotted it and suspended the account it had sent shedloads of messages (39,886 between 17:00 on Friday and 18:00 on Saturday), all showing as being from the real user's email address. From the exim_mainlog there are loads of the following entries:
---
2012-11-30 08:18:52 SMTP connection from [109.197.82.92]:5735 (TCP/IP connection count = 1)
2012-11-30 08:18:52 no host name found for IP address 109.197.82.92
2012-11-30 08:18:54 1TeLoE-0002WK-Ei <= [email protected] H=(ezrdqiwp) [109.197.82.92]:5735 P=esmtpa A=courier_login:[email protected] S=1494 T="B .a`ng{i -n~g" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2012-11-30 08:18:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TeLoE-0002WK-Ei
2012-11-30 08:18:55 1TeLoE-0002WK-Ei => [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei -> [email protected] R=smart_route T=remote_smtp H=our.smtp.server.com [123.345.789.10]
2012-11-30 08:18:55 1TeLoE-0002WK-Ei Completed
---
We saw loads for that IP followed by identical occurrences for 109.228.118.145 and 115.79.115.100. Since I don't think the old lady whose account it is has been on a tour of Vietnam, Montenegro and Romania, and paid for it by selling a brand of male speciality pills, I don't think they're legitimate!
We're running cPanel 5.8 and WHM 11.34.0 (build 9) with Exim 4.80 #2 built 2-Oct-2012. I've confirmed that tailwatchd is running, so the system should be requiring POP-before-SMTP authentication (I assume the same applies to IMAP), and when I've tried connecting to port 25 via telnet from an external machine and sending a similar message it correctly blocks me. Looking in maillog there are no login attempts for any of those IPs, and I've checked in several other logs (exim_rejectlog, messages, cphulkd.log, access_log) and none of them have any entries for those IPs either. There are a few login attempts for the actual user herself, but those are from her normal IP address and the times don't correspond with the spam messages.
Does anyone know, or have any ideas, how this is happening, and more importantly how I can stop it from happening again?
Thanks
Keith
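Editor's note, added after the post (this is not the poster's code or cPanel's). The security-relevant field in the `<=` lines above is `P=esmtpa A=courier_login:<address>`: in Exim's main log, a protocol of `esmtpa` (or `esmtpsa` over TLS) means the SMTP session completed the `AUTH` command, and `A=` records which Exim authenticator block accepted it and the identity it accepted. An SMTP AUTH login of that kind is recorded here in exim_mainlog, not in the Courier POP/IMAP maillog, and a login with the correct password produces nothing for cPHulk to count, so the absence of those IPs from the other logs is expected. The pattern in the log (one mailbox identity authenticating from several unrelated source addresses and fanning out to many recipients per message) is what a stolen or guessed mailbox password looks like, as opposed to a relay bypass. The script below parses `<=` lines in this format, groups them by the authenticated identity, and flags identities used from more source IPs than one person plausibly has, listing the IPs to block once the owner's known address is excluded. The log lines, addresses, IPs and thresholds are constructed for the example and are assumptions, not data from the post.

```python
import re
from collections import defaultdict

# Constructed exim_mainlog "<=" (message received) lines for this example; the
# addresses, HELO names, IPs and message IDs are invented, not the poster's log.
SAMPLE_LOG = """\
2012-11-30 08:18:54 1TeLoE-0002WK-Ei <= user@example.org H=(ezrdqiwp) [109.197.82.92]:5735 P=esmtpa A=courier_login:user@example.org S=1494 T="B .a`ng{i -n~g" for a@x.net b@y.org c@z.com
2012-11-30 08:19:10 1TeLoF-0002WQ-A1 <= user@example.org H=(qwerty) [109.228.118.145]:2201 P=esmtpa A=courier_login:user@example.org S=1502 id=x1@qwerty T="pills" for d@x.net e@y.org
2012-11-30 08:20:01 1TeLoG-0002WZ-B2 <= user@example.org H=(abcd) [115.79.115.100]:4410 P=esmtpa A=courier_login:user@example.org S=1488 T="pills" for f@x.net
2012-11-30 09:00:00 1TeMQq-0003AA-C3 <= user@example.org H=(home-pc) [203.0.113.7]:51122 P=esmtpa A=courier_login:user@example.org S=2100 T="Re: Sunday" for niece@example.com
2012-11-30 09:05:00 1TeMVq-0003AB-D4 <= bob@example.org H=(laptop) [198.51.100.9]:50231 P=esmtpa A=courier_login:bob@example.org S=900 T="hello" for friend@example.com
2012-11-30 09:06:00 1TeMWq-0003AC-E5 <= <> H=mx.remote.example [192.0.2.10]:25 P=esmtp S=700 T="bounce" for user@example.org
"""

# Fields of an Exim "<=" line as they appear in the post: timestamp, queue id,
# envelope sender, H=host [ip]:port, P=protocol, optional A=authenticator:id,
# S=size, optional id=, optional T="subject", optional "for" recipient list.
RECEIVED_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) '
    r'H=(?P<host>.*?) \[(?P<ip>[0-9a-fA-F.:]+)\]:(?P<port>\d+) '
    r'P=(?P<proto>\S+)'
    r'(?: A=(?P<authenticator>[^:\s]+):(?P<auth_id>\S+))?'
    r' S=(?P<size>\d+)'
    r'(?: id=\S+)?'
    r'(?: T="(?P<subject>.*?)")?'
    r'(?: for (?P<rcpts>.*))?$'
)


def parse_received(text):
    """Return one dict per '<=' line; '=>', '->', 'Completed' etc. are skipped."""
    records = []
    for line in text.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec['rcpts'] = rec['rcpts'].split() if rec['rcpts'] else []
        records.append(rec)
    return records


def per_account(records):
    """Aggregate SMTP-AUTH submissions by the authenticated identity (the A= value).
    Lines without A= are ordinary inbound mail and are not attributed to any account."""
    stats = defaultdict(lambda: {'messages': 0, 'recipients': 0, 'ips': set(),
                                 'first': None, 'last': None})
    for r in records:
        if r['authenticator'] is None:
            continue
        s = stats[r['auth_id']]
        s['messages'] += 1
        s['recipients'] += len(r['rcpts'])
        s['ips'].add(r['ip'])
        s['first'] = s['first'] or r['ts']
        s['last'] = r['ts']
    return dict(stats)


def suspicious_accounts(stats, max_distinct_ips=2, max_recipients=50):
    """Flag identities authenticating from more source IPs than a single user
    plausibly uses, or addressing more recipients than the window allows.
    The thresholds are assumed starting points; tune them to the server."""
    flagged = {}
    for acct, s in stats.items():
        reasons = []
        if len(s['ips']) > max_distinct_ips:
            reasons.append(f"{len(s['ips'])} distinct source IPs")
        if s['recipients'] > max_recipients:
            reasons.append(f"{s['recipients']} recipients")
        if reasons:
            flagged[acct] = reasons
    return flagged


def ips_to_block(stats, account, known_good=()):
    """Source IPs that used the account's credentials, minus the owner's own addresses."""
    good = set(known_good)
    return sorted(ip for ip in stats[account]['ips'] if ip not in good)


if __name__ == '__main__':
    recs = parse_received(SAMPLE_LOG)
    stats = per_account(recs)
    for acct, reasons in suspicious_accounts(stats).items():
        s = stats[acct]
        print(f"{acct}: {s['messages']} messages, {s['first']} .. {s['last']}: {', '.join(reasons)}")
        # 203.0.113.7 stands in for the owner's usual address in the sample.
        print("  block:", ' '.join(ips_to_block(stats, acct, known_good=['203.0.113.7'])))
```

Run it against the real file with `parse_received(open('/var/log/exim_mainlog').read())`; the same grouping can be done quickly at the shell with `grep 'A=courier_login:' /var/log/exim_mainlog` piped through awk on the `A=` and `[ip]` fields. Whatever the tool, the remediation the log points to is to change the mailbox password (and check any device that stores it), not only to suspend the account and block the three IPs, since the sender can simply authenticate again from a fourth.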