The Community Forums


Spam

Discussion in 'E-mail Discussions' started by captainron19, Nov 26, 2012.

  1. captainron19

    captainron19 Active Member

    Joined: Nov 10, 2011
    Messages: 27
    Likes Received: 0
    Trophy Points: 1
    cPanel Access Level: Root Administrator
    So I have been getting a lot of spam notifications from AOL over the last couple of days referring to emails being sent from the IP of my server.

    Something similar happened about a year ago, but I attributed it to a forgotten PHP formmail file on one of my sites, which has been removed.

    I went into the mail statistics of my WHM and found a lot of emails being sent to AOL members from one specific address on a domain on my server. I talked to the user and was able to log in to her email account and saw a bunch of bounced-back emails (with the same subject field as the spam notifications being sent to me: "Dr Oz Diet").

    I immediately changed her email password, but I did not notice any of the mails in her outbox showing them as being sent. How exactly do you guys think these were sent out, and do you think a change of password will work for now?
     
  2. hsy1505

    hsy1505 Registered

    Joined: Nov 26, 2012
    Messages: 1
    Likes Received: 0
    Trophy Points: 1
    cPanel Access Level: Website Owner
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined: May 20, 2003
    Messages: 14,482
    Likes Received: 203
    Trophy Points: 63
    Location: Pennsylvania
    cPanel Access Level: Root Administrator
    What are the settings here:
    cPanel > Mail > Default Address
     
  4. captainron19

    captainron19 Active Member

    Joined: Nov 10, 2011
    Messages: 27
    Likes Received: 0
    Trophy Points: 1
    cPanel Access Level: Root Administrator

    Current Setting: :fail: No Such User Here

    Checked... Discard with error to sender (at SMTP time)
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined: May 20, 2003
    Messages: 14,482
    Likes Received: 203
    Trophy Points: 63
    Location: Pennsylvania
    cPanel Access Level: Root Administrator

    Good. What's the email from AOL say exactly?
     
  6. captainron19

    captainron19 Active Member

    Joined: Nov 10, 2011
    Messages: 27
    Likes Received: 0
    Trophy Points: 1
    cPanel Access Level: Root Administrator

    If you mean the spam notification from AOL letting me know my server sent spam, this came:

    This is an email abuse report for an email message with the message-id of Im5gQkINCh4G.FDW281UQ7MU277RE7@gzLeR received from IP address 66.84.12.101 on Mon, 26 Nov 2012 01:38:32 -0500 (EST)

    For information, please review the top portion of the following page:
    AOL Postmaster | Postmaster / Feedback Loop Information

    For information about AOL E-mail guidelines, please see
    AOL Postmaster | Postmaster / Bulk Sender Best Practices

    If you would like to cancel or change the configuration for your FBL please use the tool located at:
    http://postmaster.aol.com/SupportRequest.FBL.php

    -----Original Message-----
    Date: Sun, 25 Nov 2012 22:38:17 -0800
    From: "Dr.Oz Diet" <eopeduihku@xdccuoedtigu.con>
    Subject: Fwd:
    To: redacted@aol.com
     
  7. mtindor

    mtindor Well-Known Member

    Joined: Sep 14, 2004
    Messages: 1,281
    Likes Received: 37
    Trophy Points: 48
    Location: inside a catfish
    cPanel Access Level: Root Administrator
    Although it could have been sent through some sort of script on your web server under that user's cPanel account, it could just as easily have been an SMTP relay of spam using brute-forced or otherwise discovered email credentials.

    For instance, if your client's email password was weak, it may have been brute-forced via previous POP3 / SMTP Auth brute forcing. Once the perpetrator knew the email credentials, they could have very easily relayed the spam by authenticating as the user.

    grep 'courier_login:user@domain.ext' /var/log/exim_mainlog

    - where user@domain.ext = the email address of the user

    Look through the logs to see if you see any oddball IPs relaying mail through your user's account.

    Also, if you look at the AOL notifications and open the message attachment [containing the original email with munged email addresses], you'll see a message ID that looks something like the highlighted message ID below:

    Received: from some.hostname.at.some.isp.net ([83.172.15.20]:4282 helo=MPC)
    by server.hostname.ext with esmtpa (Exim 4.80)
    (envelope-from <user@emailaddr.ess>)
    id 1TdNKf-0006fU-Py
    for some@spamrecipi.ent; Tue, 27 Nov 2012 10:44:22 -0500

    You could then do this:

    grep '1TdNKf-0006fU-Py' /var/log/exim_mainlog

    and get more details on how the message was actually pushed through your mail system.

    If you don't want to post information in public [which isn't a good idea] but you'd like to get my opinion, feel free to PM me.

    M
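A worked version of the two log checks mtindor describes above, added here as an example; it is not code from the thread or from cPanel. It builds a constructed exim_mainlog sample (every line, message id, timestamp and IP in it is made up for the illustration, except 83.172.15.20 and the message id 1TdNKf-0006fU-Py, which are reused from the header quoted in the post; the `A=courier_login:` tag is assumed to be how the authenticator appears on a host of that era) and defines three small functions: one that counts authenticated logins per source IP for one mailbox, one that lists only the IPs outside a known-good list, and one that pulls every line for a single Exim message id. On a real server, point the functions at /var/log/exim_mainlog instead of the sample.

```shell
#!/bin/sh
# Constructed exim_mainlog sample (not a real log). The "<=" lines are
# message arrivals; "[ip]:port" is the submitting client, "A=" the
# authenticated mailbox, "=>" a delivery, "Completed" the end of the record.
LOG="${TMPDIR:-/tmp}/sample_exim_mainlog.$$"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
2012-11-25 09:12:01 1TcvAa-0001Qz-3x <= user@domain.ext H=(home-pc) [198.51.100.7]:51234 P=esmtpa A=courier_login:user@domain.ext S=1812 id=4fa1@home-pc T="lunch?" for friend@example.org
2012-11-25 09:12:02 1TcvAa-0001Qz-3x => friend@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.25]
2012-11-25 09:12:02 1TcvAa-0001Qz-3x Completed
2012-11-26 01:38:12 1TdNKf-0006fU-Py <= user@domain.ext H=(MPC) [83.172.15.20]:4282 P=esmtpa A=courier_login:user@domain.ext S=2481 id=c1@MPC T="Fwd:" for redacted@aol.com
2012-11-26 01:38:14 1TdNKf-0006fU-Py => redacted@aol.com R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.40]
2012-11-26 01:38:14 1TdNKf-0006fU-Py Completed
2012-11-26 01:38:20 1TdNKn-0006fW-1a <= user@domain.ext H=(MPC) [83.172.15.20]:4290 P=esmtpa A=courier_login:user@domain.ext S=2481 id=c2@MPC T="Fwd:" for other@aol.com
2012-11-26 01:38:31 1TdNKy-0006fZ-7k <= user@domain.ext H=(MPC) [83.172.15.20]:4301 P=esmtpa A=courier_login:user@domain.ext S=2481 id=c3@MPC T="Fwd:" for third@aol.com
2012-11-26 02:10:05 1TdNpq-0006hh-2b <= other@domain.ext H=(laptop) [192.0.2.9]:40012 P=esmtpa A=courier_login:other@domain.ext S=900 id=d1@laptop T="invoice" for billing@example.com
EOF

# Source IPs that authenticated as the given mailbox, most active first.
# The trailing space after the address stops "user@domain.ext" from also
# matching "user@domain.ext2"; -F treats the address literally.
# usage: auth_ips user@domain.ext /var/log/exim_mainlog
auth_ips() {
  grep -F "A=courier_login:$1 " "$2" \
    | sed -n 's/.*\[\([0-9.]*\)\]:[0-9]*.*/\1/p' \
    | sort | uniq -c | sort -rn
}

# Same, but drop IPs listed in a space-separated known-good list
# (the user's home/office addresses); what remains is worth a closer look.
# usage: unusual_ips user@domain.ext /var/log/exim_mainlog "198.51.100.7 192.0.2.9"
unusual_ips() {
  auth_ips "$1" "$2" | while read -r count ip; do
    case " $3 " in
      *" $ip "*) ;;                          # known-good, skip
      *) printf '%s %s\n' "$count" "$ip" ;;
    esac
  done
}

# Every log line for one Exim message id: arrival, deliveries, Completed.
# usage: msg_trail 1TdNKf-0006fU-Py /var/log/exim_mainlog
msg_trail() {
  grep -F " $1 " "$2"
}

echo "== IPs that authenticated as user@domain.ext =="
auth_ips user@domain.ext "$LOG"
echo "== IPs outside the known-good list =="
unusual_ips user@domain.ext "$LOG" "198.51.100.7"
echo "== trail for message 1TdNKf-0006fU-Py =="
msg_trail 1TdNKf-0006fU-Py "$LOG"
```

On the sample, the first listing shows three submissions from 83.172.15.20 against one from the user's usual address, the second narrows that to the unknown IP alone, and the third shows the arrival, the AOL delivery and the completion record for the message id taken from the abuse report. Once the rogue IP is known, the same `auth_ips` pattern with the IP instead of the mailbox tells you whether other accounts on the box authenticated from it too.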
     