SPAM Source Identification not possible

musti19 (Well-Known Member, joined Jan 20, 2013; cPanel Access Level: Root Administrator)
Hello,
In the last few days my system has been sending/receiving spam mails and I can't find out where the problem is.
The spam was sent over the additional Exim mail IP.

Currently I have CSF Firewall and a limitation for cPanel users (maximum percentage failed...).

Lots of spam mails to a specific email address:
[bounce] to username @ hotmail.com:
Code:
1VJA2p-0004Ud-BK-H
mailnull 47 12
<>
1378766095 0
-ident mailnull
-received_protocol local
-body_linecount 54
-max_received_linelength 130
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1378766097
-localerror
XX
1
username @ domain.com.br

157P Received: from mailnull by EDITED with local (Exim 4.80.1)
	id 1VJA2p-0004Ud-BK
	for username @ domain.com.br; Tue, 10 Sep 2013 00:34:55 +0200
048  X-Failed-Recipients: [email protected]MY Serverdom
029  Auto-Submitted: auto-replied
065F From: Mail Delivery System <[email protected]EDITED>
028T To: [email protected] domain.com.br
059  Subject: Mail delivery failed: returning message to sender
054I Message-Id: <[email protected]EDITED>
038  Date: Tue, 10 Sep 2013 00:34:55 +0200
FROM username @ hotmail.com (4 emails in queue):
Code:
1VJBdC-0002gn-1X-H
mailnull 47 12
<username @ hotmail.com>
1378772194 0
-helo_name localhost
-host_address 127.0.0.1.52360
-host_name localhost
-interface_address 127.0.0.1.25
-received_protocol esmtp
-aclc _authenticated_local_user 4
root
-body_linecount 17
-max_received_linelength 69
XX
1
username @ peoplepc.com

224P Received: from localhost ([127.0.0.1]:52360)
	by EDITED with esmtp (Exim 4.80.1)
	(envelope-from <username @ hotmail.com>)
	id 1VJBdC-0002gn-1X
	for username @ peoplepc.com; Tue, 10 Sep 2013 02:16:34 +0200
059F From: username here. <username @ hotmail.com>
033R Reply-To: username @ gmail.com
021  Subject: RE: URGENT!
018  MIME-Version: 1.0
025  Content-Type: text/plain
032  Content-Transfer-Encoding: 8bit
Can anyone help me? Thank you.
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Hello :)

Try checking your mail queue to see if additional SPAM messages still exist in the queue:

"WHM Home » Email » Mail Queue Manager"

You can look at the message header and body to see if you can find out if an actual username authenticated, or if it was sent from a script.

The following document is useful if you want to prevent email abuse:

cPanel - Prevent Email Abuse

Thank you.
 
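The check cPanelMichael describes above (read the queued message's header and work out whether a real account authenticated or a script injected it) can be automated against the spool headers musti19 pasted. The following is an added example for this thread, not code from either poster, cPanel or Exim: it parses Exim's `-H` spool file format (the same text `exim -Mvh <message-id>` prints) and gives a one-line verdict per message. The two samples are constructed from the posted headers, with the redacted host names and addresses replaced by `example.*` placeholders; `_authenticated_local_user` is the cPanel ACL variable visible in the second posted header, and `-auth_id` is the line Exim writes when an SMTP AUTH login succeeded.

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the two spool headers posted above, with the
# redacted host names and addresses replaced by example.* placeholders.
SAMPLE_BOUNCE = """\
1VJA2p-0004Ud-BK-H
mailnull 47 12
<>
1378766095 0
-received_protocol local
-frozen 1378766097
-localerror
XX
1
recipient@example.com.br

157P Received: from mailnull by mail.example.invalid with local (Exim 4.80.1)
\tid 1VJA2p-0004Ud-BK
\tfor recipient@example.com.br; Tue, 10 Sep 2013 00:34:55 +0200
048  X-Failed-Recipients: victim@mail.example.invalid
065F From: Mail Delivery System <Mailer-Daemon@mail.example.invalid>
"""
SAMPLE_SUBMITTED = """\
1VJBdC-0002gn-1X-H
mailnull 47 12
<sender@example.net>
1378772194 0
-host_address 127.0.0.1.52360
-received_protocol esmtp
-aclc _authenticated_local_user 4
root
XX
1
recipient@example.org

224P Received: from localhost ([127.0.0.1]:52360)
\tby mail.example.invalid with esmtp (Exim 4.80.1)
059F From: username here. <sender@example.net>
033R Reply-To: reply@example.com
"""

HEADER_LINE = re.compile(r"^(\d{3})([A-Z* ]) (.*)$")  # e.g. "157P Received: ..."

@dataclass
class SpoolHeader:
    message_id: str
    login: str      # local account that injected the message (mailnull = Exim itself)
    sender: str     # envelope sender; "" means a bounce
    options: dict = field(default_factory=dict)    # "-name value" lines
    acl_vars: dict = field(default_factory=dict)   # -aclc / -aclm variables
    recipients: list = field(default_factory=list)
    headers: list = field(default_factory=list)    # (name, value) pairs

def parse_spool_header(text):
    """Parse one -H spool file, as printed by `exim -Mvh <message-id>`."""
    lines = text.splitlines()
    h = SpoolHeader(lines[0][:-2], lines[1].split()[0], lines[2].strip("<>"))
    i = 4                                   # line 3 is "received_time warnings"
    while i < len(lines) and lines[i].startswith("-"):
        name, _, rest = lines[i][1:].partition(" ")
        if name in ("aclc", "aclm"):        # value follows on the next line
            var, _, length = rest.partition(" ")
            i += 1
            h.acl_vars[var] = lines[i][:int(length)]
        else:
            h.options[name] = rest or True
        i += 1
    if lines[i] == "XX":                    # empty non-recipients tree
        i += 1
    count = int(lines[i])
    h.recipients = lines[i + 1:i + 1 + count]
    for line in lines[i + 1 + count:]:      # blank line, then "NNNX Name: value"
        m = HEADER_LINE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            h.headers.append((name, value.strip()))
        elif line[:1] in (" ", "\t") and h.headers:   # folded continuation
            name, value = h.headers[-1]
            h.headers[-1] = (name, value + " " + line.strip())
    return h

def header(h, name):
    return next((v for n, v in h.headers if n.lower() == name.lower()), None)

def classify(h):
    """One-line verdict on how the message entered the queue."""
    proto = h.options.get("received_protocol")
    host = h.options.get("host_address", "local process")
    if h.sender == "" and h.login == "mailnull" and proto == "local":
        return ("bounce generated by Exim; the spam it reports was addressed to "
                f"{header(h, 'X-Failed-Recipients')} (read the -D file for the original)")
    if "_authenticated_local_user" in h.acl_vars:
        return (f"relayed over {proto} from {host} by local user "
                f"{h.acl_vars['_authenticated_local_user']!r} (cPanel ACL variable)")
    if "auth_id" in h.options:              # SMTP AUTH login recorded by Exim
        return f"SMTP AUTH as {h.options['auth_id']!r} from {host}"
    return f"{proto} from {host}, no authentication recorded"
```

Run it over `exim -Mvh <id>` output for each id listed by `exim -bp`. On the second posted header the verdict is the interesting one: the message arrived over ESMTP from 127.0.0.1 with the ACL variable set to `root`, so no mailbox password was used; a process running as root on the server connected to localhost:25, which points at cron jobs, scripts or a compromised service on the box rather than a leaked account. The first header is only Exim's own bounce, so the original spam and its injection path are in the `X-Failed-Recipients` value and the matching `-D` body, not in the bounce itself.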

musti19 (Well-Known Member, joined Jan 20, 2013; cPanel Access Level: Root Administrator)
Hello,
I can't see any usernames in the message header or body. This is why I asked for other ways to find the source of the problem :)

All steps except "Step 3 suphp" are already configured.
I use fcgi.
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
It's possible that the message was sent out by an authenticated email account. It's difficult to determine the exact source or to know if an account username was listed in the email headers because those aspects were edited out of your original message.

Thank you.