

Spammer has relayed through my server using a forwarder (no real account) as authentication

Discussion in 'E-mail Discussion' started by GQsm, Nov 1, 2018.

  1. GQsm (Registered)

    An account hit its email defer limit yesterday, so I looked at the outbound email and saw a load of email that had gone out from a local alias/forwarder (no email account).

    Mail report shows:
    Code:
    Event:           success
    Sender User:     ClientUser
    Sender Domain:   clientdomain.com
    Sender:          ForwarderNoAccount@clientdomain.com
    Sent Time:       Oct 31, 2018 12:10:12 PM
    Sender Host:     SpammerIP
    Sender IP:       SpammerIP
    Authentication:  courier_login
    Spam Score:      0
    Recipient:       recipientemail@anon.com

    exim_maillog shows:
    Code:
    2018-10-31 13:10:52 1gHqGo-0006LX-TY <= ForwarderNoAccount@clientdomain.com H=([SpammerIP]) [SpammerIP]:49169 P=esmtpa A=courier_login:ForwarderNoAccount@clientdomain.com S=1493978 T="Goods Order" for recipientemail@anon.com
    2018-10-31 13:10:52 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gHqGo-msgID
    2018-10-31 13:10:52 1gHqGo-msgID SMTP connection outbound 1540991452 1gHqGo-msgID clientdomain.com recipientemail@anon.com
    
    Sorry, the post is not finished, but it won't let me edit it in any shape or form!
    I was in the process of removing the exim log lines from 2018-10-31 13:10:57 onwards.

    It was also meant to end with...

    How did they send this mail out? There is no user/password for the account
    ForwarderNoAccount@clientdomain.com and my server is not an open relay.
     
    #1 GQsm, Nov 1, 2018
    Last edited by a moderator: Nov 1, 2018
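In the exim_maillog line quoted above, P=esmtpa means the message arrived over SMTP after a successful AUTH command, and A=courier_login:ForwarderNoAccount@clientdomain.com names the Exim authenticator that accepted the login and the identity it accepted; the H= field is the client that connected. A quick way to triage a log like this is to parse every "<=" arrival line and flag authenticated submissions whose login identity is not a real mailbox. The script below is an added example by the editor, not code from the post or from cPanel; the log lines, addresses, IPs and the mailbox list are constructed for the demo, and the field layout follows Exim's standard main-log format.

```python
"""Flag authenticated Exim submissions (P=esmtpa / esmtpsa) whose login identity
is not a known mailbox. Editor's example; sample data below is constructed."""
import re
from collections import Counter

# Exim "<=" (message arrival) line: "<timestamp> <msgid> <= <sender> <fields> for <rcpt>"
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) "
    r"(?P<fields>.*?) for (?P<rcpt>\S+)$"
)
# H=host (helo) [ip]:port  -- Exim omits host and/or (helo) when it has none
HOST_RE = re.compile(
    r"\bH=(?P<host>[^\s(\[]+)?\s*(?:\((?P<helo>[^)]*)\))?\s*\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
)
PROTO_RE = re.compile(r"\bP=(?P<proto>\S+)")
AUTH_RE = re.compile(r"\bA=(?P<method>[^:\s]+)(?::(?P<ident>\S+))?")  # A=authenticator:identity
SIZE_RE = re.compile(r"\bS=(?P<size>\d+)")

AUTHENTICATED = {"esmtpa", "esmtpsa"}  # SMTP AUTH succeeded (plaintext / over TLS)

# Constructed sample log (documentation-range IPs). Lines 0 and 1 mimic the post:
# a forwarder-only address used as the AUTH identity from an outside IP.
SAMPLE_LOG = [
    '2018-10-31 13:10:52 1gHqGo-0006LX-TY <= fwd@example.com H=([198.51.100.23]) [198.51.100.23]:49169 '
    'P=esmtpa A=courier_login:fwd@example.com S=1493978 T="Goods Order" for victim@example.net',
    '2018-10-31 13:10:58 1gHqGu-0006Lb-Qz <= fwd@example.com H=([198.51.100.23]) [198.51.100.23]:49301 '
    'P=esmtpa A=courier_login:fwd@example.com S=1493990 T="Goods Order" for other@example.net',
    '2018-10-31 13:11:03 1gHqGz-0006M0-Ab <= alice@example.com H=(laptop) [203.0.113.5]:51234 '
    'P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_login:alice@example.com '
    'S=2048 T="Invoice" for bob@example.org',
    '2018-10-31 13:12:10 1gHqH4-0006M8-Cd <= news@example.org H=mail.example.org [192.0.2.10]:40012 '
    'P=esmtps S=5120 T="Newsletter" for alice@example.com',
    # delivery ("=>") line: not an arrival, must be ignored by the parser
    '2018-10-31 13:10:53 1gHqGo-0006LX-TY => victim@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.25]',
]
# Constructed: addresses that have a real mailbox (password) on the server.
MAILBOXES = {"alice@example.com", "bob@example.com"}


def parse_arrival(line):
    """Return a dict of the interesting fields of an Exim '<=' line, else None."""
    m = ARRIVAL_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("fields")
    rec = {"ts": m.group("ts"), "id": m.group("id"), "sender": m.group("sender"),
           "rcpt": m.group("rcpt"), "ip": None, "proto": None,
           "auth_method": None, "auth_id": None, "size": None}
    h = HOST_RE.search(fields)
    if h:
        rec["ip"] = h.group("ip")
    p = PROTO_RE.search(fields)
    if p:
        rec["proto"] = p.group("proto")
    a = AUTH_RE.search(fields)
    if a:
        rec["auth_method"], rec["auth_id"] = a.group("method"), a.group("ident")
    s = SIZE_RE.search(fields)
    if s:
        rec["size"] = int(s.group("size"))
    return rec


def flag_nonmailbox_auth(lines, mailboxes):
    """Authenticated submissions whose AUTH identity is not a known mailbox
    (e.g. a forwarder/alias, which should never be able to log in)."""
    known = {m.lower() for m in mailboxes}
    hits = []
    for line in lines:
        rec = parse_arrival(line)
        if rec and rec["proto"] in AUTHENTICATED and rec["auth_id"] \
                and rec["auth_id"].lower() not in known:
            hits.append(rec)
    return hits


def auth_summary(lines):
    """Volume of authenticated submissions per (AUTH identity, client IP)."""
    counts = Counter()
    for line in lines:
        rec = parse_arrival(line)
        if rec and rec["proto"] in AUTHENTICATED and rec["auth_id"]:
            counts[(rec["auth_id"].lower(), rec["ip"])] += 1
    return counts


if __name__ == "__main__":
    for rec in flag_nonmailbox_auth(SAMPLE_LOG, MAILBOXES):
        print(f'{rec["ts"]} {rec["id"]} AUTH as {rec["auth_id"]} via {rec["auth_method"]} '
              f'from {rec["ip"]} proto={rec["proto"]} size={rec["size"]} -> {rec["rcpt"]}')
    for (ident, ip), n in auth_summary(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ident} from {ip}")
```

On a real cPanel server you would feed it `/var/log/exim_mainlog` and build the mailbox set from the per-domain mailbox lists (the mailboxes an account actually has passwords for, which is what WHM/cPanel's email account list shows), so that any alias or forwarder that turns up as an AUTH identity stands out immediately; the (identity, IP) counts then show whether one outside address is driving the volume.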
  2. cPanelLauren (Forums Analyst II, Staff Member)

    Hi @GQsm

    Based on the information I have, it sounds like a PHP script on the account was compromised, which in most cases stems from a vulnerable plugin/theme/component added to a CMS installation on the account. To resolve this you'd need to identify the source of the compromise and remove any illegitimate files/modifications to the files. A malware scanner should get you on the right track; there are many to choose from, but we do offer ClamAV in WHM: Configure ClamAV Scanner - Version 74 Documentation - cPanel Documentation
     