Spam sending through server - need help

cpanelinfoseeker (Well-Known Member, member since Oct 25, 2002, NE Illinois; cPanel Access Level: Root Administrator)
I have transferred my accounts to a new server earlier this month and had the configserver package installed. I have one account that is sending spam emails. I have changed the account password and the user changed the email password. The spam still sends. I then went and changed the user's email password (generated on the website control panel and did not save it to my computer) and, you guessed it, the spam still sends.

WHM settings:
Mail authentication via domain owner password = OFF
Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) = ON
Prevent “nobody” from sending mail = ON

Looking for any help as I am really confused as to how they can authenticate at this point.
Thanks in advance!

Here are the headers from one email: (MY SERVER replaces the server name, DOMAIN replaces user domain, SERVER-IP replaces my server ip address, MY-INFO replaces the lines added by mailscanner, The IP address 46.225.251.234 shows from Iran, but the ip address and the country change with each email):

Code:
1X0WC9-0002Dx-50-H
mailnull 47 12
<[email protected]>
1403875681 0
-deliver_firsttime
-body_linecount 5
-auth_id jonathan
-interface_address SERVER-IP.25
-received_protocol esmtpa
-host_auth dovecot_login
-host_address 46.225.251.234.33685
-max_received_linelength 111
-helo_name DOMAIN.com
-host_lookup_failed
XX
27

- List of emails cc-ed removed -

210P Received: from [46.225.251.234] (port=33685 helo=DOMAIN.com)
	by MY SERVER.com with esmtpa (Exim 4.82)
	(envelope-from <[email protected]>)
	id 1X0WC9-0002Dx-50; Fri, 27 Jun 2014 09:28:01 -0400
048I Message-ID: <[email protected]>
038  Date: Fri, 27 Jun 2014 06:27:12 -0700
044F From: "jonathan" <[email protected]>
112  User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
018  MIME-Version: 1.0
031T To: <[email protected]>
023  Subject: Black Cbialis
048  Content-Type: text/plain;
	charset="iso-8859-1"
032  Content-Transfer-Encoding: 7bit
079  X-MY-INFO-MailScanner-Information: Please contact the ISP for more
information
043  X-MY-INFO-MailScanner-ID: 1X0WC9-0002Dx-50
101  X-MY-INFO-MailScanner: Not scanned: please contact your Internet E-Mail
Service Provider for details
034  X-MY-INFO-MailScanner-SpamCheck: 
053  X-MY-INFO-MailScanner-From: [email protected]
018  X-Spam-Status: No
 

SS-Maddy (Well-Known Member, member since Mar 28, 2009; cPanel Access Level: Root Administrator)
Check and ensure that the hosting account is not compromised using effective tools such as maldet. Also make sure that the web server is enabled with efficient mod_sec rule sets.
 

cPanelMichael (Administrator, Staff member, member since Apr 11, 2011)
Hello :)

I suggest reviewing the account to see if any scripts have the ability to send out email, or check to ensure the user who controls the account is not using a hacked computer. The following document is also helpful:

cPanel - Prevent Email Abuse

Thank you.
 

cpanelinfoseeker (Well-Known Member, member since Oct 25, 2002, NE Illinois; cPanel Access Level: Root Administrator)
We did the easy fix and terminated that problem email account and opened a new email address instead. The reports came with the subject of "hostname AUTHRELAY Alert for IPinfo"; if it were a script the subject would be "hostname LOCALRELAY Alert for account", so it seems they were able to authenticate somehow.

It was only one email address of the 6 he had active, and even changing the passwords did not stop it. Still puzzled, but stopped the spam!

I had configserver install his complete package prior to transferring the accounts over so I believe the server itself to be secure. I did run the CSX scan. I'll be looking into maldet, just to be safe!

Thanks!! The help is appreciated. Ron
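The spool header quoted in the first post (`-received_protocol esmtpa`, `-host_auth dovecot_login`, `-auth_id jonathan`, `-host_address` a rotating foreign IP) and the AUTHRELAY-versus-LOCALRELAY distinction in the last post both come down to the same triage question: which authenticated user is submitting mail, and from how many different client addresses. The script below is an added example, not cPanel, Exim or CSF code. It parses Exim spool `-H` files in the layout the post shows, tallies distinct client IPs per `auth_id`, and separates remote SMTP AUTH submissions from local (script) submissions. The sample spool records, message IDs, user names and IP addresses are constructed for the example; the `AUTH_PROTOCOLS` tuple, the `max_ips` threshold and all function and label names are this example's own choices.

```python
"""Triage Exim spool header files (the *-H files) for authenticated-SMTP
abuse: one auth_id submitting mail from many unrelated client IPs.

Added example, not cPanel, Exim or CSF code.  Assumes the -H layout quoted
in the thread (a fixed four-line head, then one '-option value' line per
spool option, flag options carrying no value, 'XX' closing the section).
All message IDs, addresses and IPs below are constructed for the example.
"""
from collections import defaultdict

AUTH_PROTOCOLS = ("esmtpa", "esmtpsa")   # SMTP with AUTH, plain and over TLS


def _spool(msgid, sender, options):
    """Build a constructed -H file body in the layout shown in the post."""
    head = [f"{msgid}-H", "mailnull 47 12", f"<{sender}>", "1403875681 0"]
    tail = ["XX", "1", "", "", "023  Subject: Black Cbialis"]
    return "\n".join(head + options + tail) + "\n"


def _remote(ip, port, auth_id, proto="esmtpa", mech="dovecot_login"):
    """Option lines for a remote, authenticated submission (constructed)."""
    return ["-deliver_firsttime", "-body_linecount 5", f"-auth_id {auth_id}",
            "-interface_address 203.0.113.10.25", f"-received_protocol {proto}",
            f"-host_auth {mech}", f"-host_address {ip}.{port}",
            "-helo_name example.com", "-host_lookup_failed"]


# Constructed sample queue: 'jonathan' from three different IPs, 'alice'
# twice from one IP, and one local submission as a script would produce.
SAMPLE_SPOOL = [
    _spool("1X0WC9-0002Dx-50", "jonathan@example.com",
           _remote("198.51.100.23", 33685, "jonathan")),
    _spool("1X0WD1-0002E0-Qa", "jonathan@example.com",
           _remote("203.0.113.77", 51002, "jonathan")),
    _spool("1X0WD4-0002E3-Rb", "jonathan@example.com",
           _remote("192.0.2.200", 40311, "jonathan", proto="esmtpsa")),
    _spool("1X0WD7-0002E6-Sc", "alice@example.com",
           _remote("198.51.100.5", 60123, "alice", mech="dovecot_plain")),
    _spool("1X0WD9-0002E8-Td", "alice@example.com",
           _remote("198.51.100.5", 60124, "alice", mech="dovecot_plain")),
    _spool("1X0WE2-0002F1-Ue", "nobody@example.com",
           ["-ident nobody", "-received_protocol local", "-local"]),
]


def parse_spool_header(text):
    """Return the spool options relevant to abuse triage as a dict."""
    lines = text.splitlines()
    rec = {"message_id": lines[0][:-2] if lines[0].endswith("-H") else lines[0],
           "sender": lines[2].strip("<>") if len(lines) > 2 else "",
           "auth_id": None, "protocol": None, "authenticator": None,
           "host_ip": None, "host_port": None, "helo": None, "flags": set()}
    for line in lines[4:]:            # option lines follow the fixed head
        if not line.startswith("-"):  # 'XX' ends the option section
            break
        key, _, value = line[1:].partition(" ")
        if key == "auth_id":
            rec["auth_id"] = value
        elif key == "received_protocol":
            rec["protocol"] = value
        elif key == "host_auth":
            rec["authenticator"] = value
        elif key == "host_address":          # written as ip.port
            ip, _, port = value.rpartition(".")
            rec["host_ip"], rec["host_port"] = ip, int(port)
        elif key == "helo_name":
            rec["helo"] = value
        elif not value:                      # flag option, e.g. -host_lookup_failed
            rec["flags"].add(key)
    rec["authenticated"] = rec["protocol"] in AUTH_PROTOCOLS and bool(rec["auth_id"])
    return rec


def classify(rec):
    """Split the thread's two cases: SMTP AUTH from a remote client (what the
    poster's CSF AUTHRELAY alerts covered) versus a local submission by a
    script or shell user (LOCALRELAY).  Labels are this example's own."""
    if rec["authenticated"] and rec["host_ip"]:
        return "authenticated-remote"
    if rec["protocol"] == "local":
        return "local"
    return "unauthenticated-remote"


def auth_ips_by_user(records):
    """Map each authenticated auth_id to the set of client IPs it used."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticated"] and r["host_ip"]:
            seen[r["auth_id"]].add(r["host_ip"])
    return dict(seen)


def suspicious_auth_ids(records, max_ips=2):
    """auth_ids seen from more than max_ips client IPs: a changed password
    that does not stop this pattern points at stolen credentials in use."""
    return sorted((u, len(ips)) for u, ips in auth_ips_by_user(records).items()
                  if len(ips) > max_ips)


RECORDS = [parse_spool_header(t) for t in SAMPLE_SPOOL]

if __name__ == "__main__":
    for user, ips in auth_ips_by_user(RECORDS).items():
        print(f"{user}: {len(ips)} distinct client IPs {sorted(ips)}")
    print("flag for credential compromise:", suspicious_auth_ids(RECORDS))
```

On a live cPanel box the same parser can be fed the real files by globbing `*-H` under the Exim input spool (assumed here to be `/var/spool/exim/input`, as on a default cPanel install) or the output of `exim -Mvh <message-id>`; grouping by `auth_id` rather than by sender address matters because the `From:` header and envelope sender are attacker-controlled while `-auth_id` records the credential that actually passed Dovecot.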