
Spam sent through ::1

Discussion in 'E-mail Discussions' started by Mortekai, Jan 11, 2017.

  1. Mortekai

    Mortekai Member

    I have a problem with spam going out through the IP ::1 that I seem unable to stop. If I restart Exim it seems to stop for about 24 hours, but then it resumes again...

    The emails sent out are all info@ for all customer accounts in cPanel.

    Has anyone else had this issue and can advise on how to solve it?

    Here is an example header:

    Code:
    Received: from [::1] (port=56621 helo=********.com)
       by ************ with esmtp (Exim 4.87)
       (envelope-from <info@********.com>)
       id 1cRHfS-002ZnK-Op
       for *****@msn.com; Wed, 11 Jan 2017 13:06:15 +0100
    Date: Wed, 11 Jan 2017 12:06:14 +0000 (UTC)
    From: info@******.com
    To: *****@msn.com
    Message-ID: <191071212.39277147.1484136374237@******.com>
    Subject: Fw:  Hey.
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
       boundary="----=_Part_39277146_630495959.1484136374237"
    
     
    #1 Mortekai, Jan 11, 2017
    Last edited by a moderator: Jan 12, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I recommend enabling the following option in "WHM >> Exim Configuration Manager"

    Experimental: Rewrite From: header to match actual sender

    This will help you to determine the source of the sender for these types of messages. More information about this option is available at:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     
  3. Mortekai

    Mortekai Member

    Thank you Michael, I have activated that and will see if that adds some more information :)
     
  4. Mortekai

    Mortekai Member

    I got this output:
    Code:
    etc/exim_outgoing.conf -Mc 1cS73K-002NtY-Px
    2017-01-13 19:58:32 1cS73K-002NtY-Px SMTP connection identification H= A=::1 P=57453 M=1cS73K-002NtY-Px U=masked client id ID=554 S=masked client id B=authenticated_local_user
    2017-01-13 19:58:32 1cS73K-002NtY-Px SMTP connection identification H= A=::1 P=57453 M=1cS73K-002NtY-Px U=masked client id ID=554 S=masked client id B=authenticated_local_user
    2017-01-13 19:58:32 1cS73K-002NtY-Px From: header (rewritten was: [info@domain.com], actual sender is not the same system user) original=[info@domain.com] actual_sender=[masked client id@hostname.tld]
    
    So somehow the client id seems to be able to send out emails from within the server, spoofing other clients' info mail?
     
    #4 Mortekai, Jan 13, 2017
    Last edited by a moderator: Jan 16, 2017
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You should reach out to the contact of the account that sent the email and consider changing the password to that account. Also, ensure there are no scripts uploaded to that account with the ability to send email.

    Thank you.
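
The log lines quoted in post #4 can be correlated automatically. The following is an added example, not part of the original thread and not cPanel's own tooling: it joins each `SMTP connection identification` line to the `From: header (rewritten was: ...)` line with the same message id and reports which system user submitted mail over loopback under another account's address. The log lines, user names, domains and message ids are constructed in the format quoted above, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the thread;
# user names, domains and message ids are invented for illustration.
SAMPLE_LOG = """\
2017-01-13 19:58:32 1cS73K-002NtY-Px SMTP connection identification H= A=::1 P=57453 M=1cS73K-002NtY-Px U=custa ID=554 S=custa B=authenticated_local_user
2017-01-13 19:58:32 1cS73K-002NtY-Px From: header (rewritten was: [info@shop-b.example], actual sender is not the same system user) original=[info@shop-b.example] actual_sender=[custa@host.example]
2017-01-13 19:59:02 1cS73o-002Nu1-Ab SMTP connection identification H= A=::1 P=57460 M=1cS73o-002Nu1-Ab U=custa ID=554 S=custa B=authenticated_local_user
2017-01-13 19:59:02 1cS73o-002Nu1-Ab From: header (rewritten was: [info@shop-c.example], actual sender is not the same system user) original=[info@shop-c.example] actual_sender=[custa@host.example]
2017-01-13 20:01:10 1cS75s-002Nv7-Qr SMTP connection identification H= A=::1 P=57502 M=1cS75s-002Nv7-Qr U=custd ID=601 S=custd B=authenticated_local_user
2017-01-13 20:02:44 1cS77O-002Nw3-Zt SMTP connection identification H= A=203.0.113.9 P=40112 M=1cS77O-002Nw3-Zt U=custe ID=612 S=custe B=authenticated_local_user
"""

LOOPBACK = {"::1", "127.0.0.1"}
# Fields: date, time, message id, then the identification or rewrite text.
IDENT = re.compile(
    r"^\S+ \S+ (\S+) SMTP connection identification .*?\bA=(\S+) .*?\bU=(\S+)")
REWRITE = re.compile(
    r"^\S+ \S+ (\S+) From: header \(rewritten was: .*?original=\[([^\]]*)\]")

def spoofing_local_users(log_text):
    """Map system user -> sorted From addresses that Exim rewrote,
    counting only messages submitted over a loopback connection."""
    local_user = {}                 # message id -> system user (U=)
    spoofed = defaultdict(set)
    for line in log_text.splitlines():
        m = IDENT.match(line)
        if m:
            msg_id, addr, user = m.groups()
            if addr in LOOPBACK:
                local_user[msg_id] = user
            continue
        m = REWRITE.match(line)
        if m and m.group(1) in local_user:
            spoofed[local_user[m.group(1)]].add(m.group(2))
    return {user: sorted(addrs) for user, addrs in spoofed.items()}

if __name__ == "__main__":
    for user, addrs in spoofing_local_users(SAMPLE_LOG).items():
        print(f"{user}: {len(addrs)} spoofed From address(es): {', '.join(addrs)}")
```

A user that appears here with many different `info@` addresses is the account to lock down first, as advised in post #5.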
     