The Community Forums


Spamming in different ways?

Discussion in 'E-mail Discussions' started by sunil001, Aug 13, 2009.

  1. sunil001

    sunil001 Member

    Joined:
    Oct 19, 2005
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    Hi,

    Can anyone tell me this: when I check my exim mail logs I found the following

    2009-08-10 23:56:01 1MajOy-0003Cy-Tx <= service@paypal.fr H=(User) [213.175.204.108] P=esmtpa A=fixed_login:mdsutama@banksinar.co.id S=3344

    banksinar.co.id is my customer's domain, but I wonder how come the "From" address had service@paypal.fr.
    Please tell me how to prevent this type of spamming.

    Regards
    Sunil
     
  2. JawadArshad

    JawadArshad Well-Known Member
    PartnerNOC

    Joined:
    Apr 8, 2008
    Messages:
    447
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    PK
    cPanel Access Level:
    DataCenter Provider
    1- Ask your customer to audit his/her scripts and remove any bulk mailing scripts, especially those using the PHP mail() function.
    2- Enable SMTP Tweak under "WHM >> Security >> Security Center >> SMTP Tweak". This will help avoid any emails bypassing the mail server and getting logged in exim_mainlog.
    3- If you are running SuPHP/Suexec setup, enable the option "Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)" in "WHM >> Tweak Settings".
    4- Enable extended logging in exim to find the exact script sending email.
    5- Limit emails per domain to avoid any script vulnerability exploiting an unlimited mailing facility. Set the maximum email per domain option in Tweak Settings: "The maximum each domain can send out per hour (0 is unlimited)".
     
  3. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    SMTP has no authentication element on the from address.

    Anyone can send any message from any e-mail address.

    This is where anti-spoofing methods such as SPF come into play. The message may say it is from paypal.com, but it is not sent out from an IP address that paypal.com has designated as a legitimate sender.
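The SPF check sparek-3 describes, as an added example that is not part of this thread or of cPanel's own code: the receiving side looks up the sender domain's SPF record and asks whether the connecting IP is one the domain has designated. To run offline, the script below uses constructed SPF records in a dictionary instead of DNS TXT lookups (these are not the real records of paypal.fr or banksinar.co.id), and implements only the ip4, ip6 and all mechanisms; anything that would need DNS is reported as "permerror". The IP is the one from the log line quoted in the first post.

```python
import ipaddress

# Constructed SPF records used in place of DNS TXT lookups (illustrative only;
# these are NOT the real records of these domains).
CONSTRUCTED_SPF = {
    "paypal.fr": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "banksinar.co.id": "v=spf1 ip4:203.0.113.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate an SPF record against the connecting IP.

    Only the ip4, ip6 and all mechanisms are implemented, so this runs offline.
    Mechanisms that need DNS (a, mx, include, exists, ptr) and the redirect
    modifier yield "permerror" here; a full checker would resolve them.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # DNS-based mechanism or modifier: not handled offline
    return "neutral"  # record ended without an "all" term


def spf_verdict(envelope_sender, client_ip, records=CONSTRUCTED_SPF):
    """Look up the sender domain's record and evaluate it; "none" if no record."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"
    return check_spf(record, client_ip)


if __name__ == "__main__":
    # The message from the thread: claims service@paypal.fr, arrived from 213.175.204.108
    print(spf_verdict("service@paypal.fr", "213.175.204.108"))  # fail
    print(spf_verdict("service@paypal.fr", "198.51.100.7"))     # pass
```

Note that SPF is evaluated by the receiving server against the envelope sender, so it tells the recipient that the message did not come from a host paypal.fr authorised; it does nothing to stop an authenticated local account from submitting such a message in the first place, which is the situation in the log line.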
     
  4. sunil001

    sunil001 Member

    Joined:
    Oct 19, 2005
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    Hi sparek-3,

    Yes, you are right, but how do I prevent this?

    Also, we found it is not generated from scripts; it seems like a normal email. If it is PHP mail then it will be shown as nobody@

    Regards
    sunil
     
  5. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    I would suspend or at the very least write the account owner for the banksinar.co.id domain.

    The mdsutama@banksinar.co.id e-mail account owner is either sending out the spam themselves, or their account has been compromised.

    In either case, suspending the banksinar.co.id account will stop the activity.

    You might also consider blocking the 213.175.204.108 IP address, but I would recommend writing the user, because if their account has been compromised, it's very likely that 213.175.204.108 is not the only IP address that knows the password to the mdsutama@banksinar.co.id account.

    How do you stop this from happening in the future? I don't know if you can. Anyone that signs up for a hosting account will be able to use this method to send out spam. Anyone whose account has been compromised can be used to send out spam. The good thing is, you have logs that show you exactly who is responsible for sending out the messages.
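The logs sparek-3 refers to can be checked mechanically. The following is an added example, not code from this thread or from cPanel: it parses exim_mainlog message-arrival ("<=") lines, pulls out the envelope sender, the connecting IP and the authenticated login (the A= field, which is what ties the submission to mdsutama@banksinar.co.id in the first post), flags authenticated submissions whose sender domain does not match the login's domain, and counts submissions per login so a sudden burst stands out. The log sample is constructed: the first line is the one quoted in the thread, the others are made up to exercise the code. The field layout assumed is exim's default log line format; extended logging (as JawadArshad suggests) adds fields, which the regex tolerates only between P= and S=.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog "<=" (message arrival) lines. The first line
# is the one quoted in the thread; the rest are invented for illustration.
SAMPLE_LOG = """\
2009-08-10 23:56:01 1MajOy-0003Cy-Tx <= service@paypal.fr H=(User) [213.175.204.108] P=esmtpa A=fixed_login:mdsutama@banksinar.co.id S=3344
2009-08-10 23:56:09 1MajP6-0003D1-Aa <= service@paypal.fr H=(User) [213.175.204.108] P=esmtpa A=fixed_login:mdsutama@banksinar.co.id S=3351
2009-08-10 23:57:12 1MajQ7-0003E4-Bb <= mdsutama@banksinar.co.id H=(laptop) [198.51.100.23] P=esmtpa A=fixed_login:mdsutama@banksinar.co.id S=1200
2009-08-10 23:58:40 1MajRz-0003F9-Cc <= newsletter@example.net H=mail.example.net [203.0.113.5] P=esmtp S=8800
2009-08-10 23:59:02 1MajSa-0003G0-Dd <= <> H=mx.example.org [203.0.113.9] P=esmtp S=400
"""

# Default exim arrival line: timestamp, message id, "<=", sender, H=host [ip],
# P=protocol, optional A=authenticator:login, then S=size somewhere later.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.*?) \[(?P<ip>[^\]]+)\] P=(?P<proto>\S+)"
    r"(?: A=(?P<auth>\S+))?.*? S=(?P<size>\d+)"
)


def parse_arrivals(log_text):
    """Return one dict per "<=" line; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        auth = rec["auth"]
        # A=<authenticator>:<login>; keep only the login that was used
        rec["auth_user"] = auth.split(":", 1)[1] if auth and ":" in auth else auth
        records.append(rec)
    return records


def domain_of(address):
    """Domain part of an address; empty for bounces ("<>") or bare usernames."""
    address = address.strip("<>")
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def find_spoofed_submissions(records):
    """Authenticated submissions whose envelope sender domain differs from the
    domain of the login that authenticated (e.g. paypal.fr sent via a
    banksinar.co.id mailbox). Unauthenticated inbound mail is left to SPF."""
    findings = []
    for rec in records:
        user = rec["auth_user"]
        if not user:
            continue
        if domain_of(rec["sender"]) != domain_of(user):
            findings.append({
                "id": rec["id"], "ip": rec["ip"],
                "auth_user": user, "sender": rec["sender"],
            })
    return findings


def submissions_per_login(records):
    """How many messages each authenticated login submitted in the sample."""
    return Counter(r["auth_user"] for r in records if r["auth_user"])


if __name__ == "__main__":
    recs = parse_arrivals(SAMPLE_LOG)
    for f in find_spoofed_submissions(recs):
        print(f"{f['id']}: {f['auth_user']} from {f['ip']} sent as {f['sender']}")
    print(submissions_per_login(recs).most_common())
```

Run against a real exim_mainlog, the findings list gives exactly the evidence the post describes: which login authenticated, from which IPs, and how often, which is what you need before deciding whether to reset the mailbox password, contact the account owner or suspend the account.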
     