The Community Forums


Spam sending through server - need help

Discussion in 'E-mail Discussions' started by cpanelinfoseeker, Jun 27, 2014.

  1. cpanelinfoseeker, Well-Known Member (cPanel Access Level: Root Administrator)

    I transferred my accounts to a new server earlier this month and had the ConfigServer package installed. I have one account that is sending spam emails. I changed the account password, and the user changed the email password. The spam still sends. I then went and changed the user's email password myself (generated in the website control panel and not saved to my computer) and, you guessed it, the spam still sends.

    WHM settings:
    Mail authentication via domain owner password = OFF
    Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) = ON
    Prevent “nobody” from sending mail = ON

    Looking for any help as I am really confused as to how they can authenticate at this point.
    Thanks in advance!

    Here are the headers from one email (MY SERVER replaces the server name, DOMAIN replaces the user's domain, SERVER-IP replaces my server's IP address, MY-INFO replaces the lines added by MailScanner; the IP address 46.225.251.234 shows as Iran, but the IP address and the country change with each email):

    Code:
    1X0WC9-0002Dx-50-H
    mailnull 47 12
    <jonathan@DOMAIN.com>
    1403875681 0
    -deliver_firsttime
    -body_linecount 5
    -auth_id jonathan
    -interface_address SERVER-IP.25
    -received_protocol esmtpa
    -host_auth dovecot_login
    -host_address 46.225.251.234.33685
    -max_received_linelength 111
    -helo_name DOMAIN.com
    -host_lookup_failed
    XX
    27
    
    - List of emails cc-ed removed -
    
    210P Received: from [46.225.251.234] (port=33685 helo=DOMAIN.com)
    	by MY SERVER.com with esmtpa (Exim 4.82)
    	(envelope-from <jonathan@DOMAIN.com>)
    	id 1X0WC9-0002Dx-50; Fri, 27 Jun 2014 09:28:01 -0400
    048I Message-ID: <E41DBA48.38ED1D96@DOMAIN.com>
    038  Date: Fri, 27 Jun 2014 06:27:12 -0700
    044F From: "jonathan" <jonathan@DOMAIN.com>
    112  User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
    rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
    018  MIME-Version: 1.0
    031T To: <bigben1967@otherdomain.net>
    023  Subject: Black Cbialis
    048  Content-Type: text/plain;
    	charset="iso-8859-1"
    032  Content-Transfer-Encoding: 7bit
    079  X-MY-INFO-MailScanner-Information: Please contact the ISP for more
    information
    043  X-MY-INFO-MailScanner-ID: 1X0WC9-0002Dx-50
    101  X-MY-INFO-MailScanner: Not scanned: please contact your Internet E-Mail
    Service Provider for details
    034  X-MY-INFO-MailScanner-SpamCheck: 
    053  X-MY-INFO-MailScanner-From: jonathan@domain.com
    018  X-Spam-Status: No
     
  2. SS-Maddy, Well-Known Member (cPanel Access Level: Root Administrator)

    Check and ensure that the hosting account is not compromised, using effective tools such as maldet. Also make sure that the web server is enabled with efficient mod_sec rule sets.
     
  3. cPanelMichael, Forums Analyst, Staff Member (cPanel Access Level: Root Administrator)

    Hello :)

    I suggest reviewing the account to see if any scripts have the ability to send out email, or check to ensure the user who controls the account is not using a hacked computer. The following document is also helpful:

    cPanel - Prevent Email Abuse

    Thank you.
     
  4. cpanelinfoseeker, Well-Known Member (cPanel Access Level: Root Administrator)

    We did the easy fix: terminated that problem email account and opened a new email address instead. The reports came with the subject "hostname AUTHRELAY Alert for IPinfo"; if it were a script, the subject would be "hostname LOCALRELAY Alert for account", so it seems they were able to authenticate somehow.

    It was only one email address of the six he had active, and even changing the passwords did not stop it. Still puzzled, but it stopped the spam!

    I had ConfigServer install their complete package prior to transferring the accounts over, so I believe the server itself to be secure. I did run the CSX scan. I'll be looking into maldet, just to be safe!

    Thanks!! The help is appreciated. Ron
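The spool header quoted in the first post and the AUTHRELAY/LOCALRELAY distinction in the last one come down to one triage question per queued message: was it accepted over an authenticated SMTP session (received_protocol esmtpa plus an -auth_id, which is what a stolen mailbox password produces), or was it injected on the box by a script (received_protocol local, no auth_id, no remote host_address)? The script below is an added example and not code from the thread, cPanel or ConfigServer. It parses Exim -H spool headers in the format shown above, classifies each message, and lists authenticated accounts that have been seen from several distinct source addresses. The sample spool files are constructed: the first mirrors the quoted header with the CC list and a few option lines dropped and the server name MY-SERVER.com assumed; the second (address 203.0.113.9) and the third, script-originated message running as "nobody", are assumed for the example.

```python
"""Triage Exim -H spool headers for authenticated-relay abuse (added example)."""
import re
from collections import defaultdict

# Constructed samples in Exim's spool -H format. SPOOL_1 mirrors the header
# quoted in the thread (CC list and some option lines dropped, MY-SERVER.com
# assumed); SPOOL_2 is the same account from a second, assumed address;
# SPOOL_3 is an assumed message injected locally by a web script as "nobody".
SPOOL_1 = """\
1X0WC9-0002Dx-50-H
mailnull 47 12
<jonathan@DOMAIN.com>
1403875681 0
-auth_id jonathan
-received_protocol esmtpa
-host_auth dovecot_login
-host_address 46.225.251.234.33685
-helo_name DOMAIN.com
-host_lookup_failed
XX
1
bigben1967@otherdomain.net

210P Received: from [46.225.251.234] (port=33685 helo=DOMAIN.com)
\tby MY-SERVER.com with esmtpa (Exim 4.82)
044F From: "jonathan" <jonathan@DOMAIN.com>
023  Subject: Black Cbialis
"""
SPOOL_2 = (SPOOL_1.replace("46.225.251.234", "203.0.113.9")
           .replace("1X0WC9-0002Dx-50", "1X0WD4-0002Ea-Qk"))
SPOOL_3 = """\
1X0WE5-0002Fq-Zz-H
nobody 99 99
<nobody@MY-SERVER.com>
1403875900 0
-ident nobody
-received_protocol local
-local
XX
1
someone@example.net

033  Subject: Hello from a PHP form
"""

OPT_RE = re.compile(r"^-(\S+)(?: (.*))?$")   # "-name" or "-name value"
HDR_RE = re.compile(r"^\d{3}[A-Z* ] (.*)$")  # "NNNf Header: value" (f = flag)


def parse_spool_header(text):
    """Parse one -H file into id, sender, option lines, recipients and headers.
    The three-digit header lengths are read but not validated."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2], "uid_name": lines[1].split()[0],
           "sender": lines[2].strip("<>"), "options": {}, "recipients": [], "headers": {}}
    i = 4
    while i < len(lines) and (m := OPT_RE.match(lines[i])):
        msg["options"][m.group(1)] = m.group(2) if m.group(2) is not None else True
        i += 1
    while lines[i] != "XX":                      # skip any ACL-variable block
        i += 1
    nrcpt = int(lines[i + 1])
    msg["recipients"] = lines[i + 2:i + 2 + nrcpt]
    name = None
    for line in lines[i + 3 + nrcpt:]:          # header block follows a blank line
        if m := HDR_RE.match(line):
            name, _, value = m.group(1).partition(":")
            name = name.lower()
            msg["headers"][name] = value.strip()
        elif name and line[:1] in (" ", "\t"):  # folded continuation line
            msg["headers"][name] += " " + line.strip()
    return msg


def classify(msg):
    """AUTHRELAY: accepted over SMTP with a mailbox login; LOCALRELAY: injected
    on the box (script or local user); UNAUTH: anything else, e.g. inbound mail."""
    opts = msg["options"]
    if "auth_id" in opts and opts.get("received_protocol") in ("esmtpa", "esmtpsa"):
        return "AUTHRELAY"
    if opts.get("received_protocol") == "local" or "local" in opts:
        return "LOCALRELAY"
    return "UNAUTH"


def source_ip(msg):
    addr = msg["options"].get("host_address")
    if not isinstance(addr, str):
        return None                    # no remote peer: locally injected
    return addr.rpartition(".")[0]     # Exim stores the peer as "IP.port"


def find_abused_accounts(msgs, max_ips=2):
    """Accounts whose login was used from at least max_ips distinct addresses."""
    seen = defaultdict(set)
    for m in msgs:
        if classify(m) == "AUTHRELAY":
            seen[m["options"]["auth_id"]].add(source_ip(m))
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) >= max_ips}


if __name__ == "__main__":
    msgs = [parse_spool_header(t) for t in (SPOOL_1, SPOOL_2, SPOOL_3)]
    for m in msgs:
        print(m["id"], classify(m), m["options"].get("auth_id"), source_ip(m))
    print("flagged:", find_abused_accounts(msgs))
```

On a live server the same functions can be fed the real -H files under Exim's spool input directory (the path and the two-address threshold are assumptions to adjust); the classification mirrors the AUTHRELAY versus LOCALRELAY split in the alerts above, and an account that authenticates from many unrelated addresses in a short window is the signature of a leaked password rather than a compromised web script.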
     