The Community Forums

Interact with an entire community of cPanel & WHM users!

Spammer using Gmail provided smtp (Dovecot_Plain auth, TLS/SSL) ... gmail problem? client problem?..

Discussion in 'E-mail Discussions' started by cass, Jun 5, 2014.

  1. cass

    cass Well-Known Member

    mailnull 47 12
    1401975745 0
    -helo_name WIN-QR1R9GS1KDE
    -host_address 91.207.60.XX.47907
    -host_auth dovecot_plain
    -interface_address 74.63.XXX.XXX.587
    -received_protocol esmtpsa
    -body_linecount 2
    -max_received_linelength 373
    -tls_cipher TLSv1:DHE-RSA-AES256-SHA:256

    What do you see in this header? .... This is the header of a spam message, sent from one account on a cPanel server, account is ... The HELO name of the machine is known (search on Google, you'll find lots of this same ID) WIN-QR1R9GS1KDE .... and what's really weird is that it uses DOVECOT_PLAIN login, as well as TLS ... not a normal spam on port 25...

    One thing is that... this user uses Google (Gmail) with this account to send mail.

    WHERE exactly is the problem?
    HOW was the attacker/spammer able to log in ... the password was impossible to guess, and the client doesn't even use that password, because it's linked to Gmail, so YES, the password was "saved" on Gmail... and the Gmail account is using that authentication token, so any new device needs that token to log in, so double security....

    Now.... someone cracked Google? ... how is it possible that someone got that SMTP information from the Google account? It is the only place where it is stored.

    I also find it weird that it's Dovecot auth instead of normal SMTP auth, but maybe it's just like this because the spammer does it the way Google does it... or maybe the spammer fakes being Google to be pre-authenticated and able to send spam?...

    Anyone... illuminate me please! Thanks.
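    To make the quoted spool header easier to read, here is an added example (not code from the forum posters or from cPanel) that parses Exim's "-key value" spool-header lines and flags an authenticated submission whose HELO does not match the relay the mailbox owner actually sends through. The addresses in the sample are constructed TEST-NET placeholders, and the mail-*.google.com HELO pattern for Gmail's outbound relays is an assumption.

```python
import re

# Constructed sample in Exim's spool-header (-H file) format, modelled on the
# header quoted in the post; the addresses are TEST-NET placeholders.
SAMPLE_HEADER = """mailnull 47 12
1401975745 0
-helo_name WIN-QR1R9GS1KDE
-host_address 192.0.2.10.47907
-host_auth dovecot_plain
-interface_address 198.51.100.5.587
-received_protocol esmtpsa
-tls_cipher TLSv1:DHE-RSA-AES256-SHA:256
"""

# Assumption: the mailbox owner's only legitimate relay is Gmail, whose
# outbound hosts identify themselves as mail-*.google.com.
GMAIL_HELO = re.compile(r"^mail-[a-z0-9-]+\.google\.com$")

def parse_spool_header(text):
    """Collect the '-key value' lines of an Exim spool header into a dict."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("-"):
            key, _, value = line[1:].partition(" ")
            fields[key] = value.strip()
    return fields

def split_host_port(addr):
    host, _, port = addr.rpartition(".")  # Exim writes 'ip.port'
    return host, int(port)

def summarize_submission(text):
    """Pull out the fields that matter when judging who really submitted the mail."""
    f = parse_spool_header(text)
    ip, port = split_host_port(f["host_address"])
    _, local_port = split_host_port(f["interface_address"])
    return {"authenticated": "host_auth" in f,  # esmtpsa = SMTP over TLS with AUTH
            "auth_mechanism": f.get("host_auth"), "helo": f.get("helo_name"),
            "source_ip": ip, "source_port": port, "submission_port": local_port,
            "tls": f.get("tls_cipher")}

def suspicious_reasons(summary, expected_helo=GMAIL_HELO):
    """Reasons an authenticated submission does not look like the owner's usual relay."""
    helo = summary["helo"] or ""
    reasons = []
    if summary["authenticated"] and not expected_helo.match(helo):
        reasons.append("authenticated submission from unexpected HELO " + helo)
    if re.match(r"^WIN-[A-Z0-9]{11}$", helo):  # default-looking Windows hostname
        reasons.append("HELO is a default Windows hostname, typical of a bot")
    return reasons
```

Run over the header in the post, the summary shows an authenticated (dovecot_plain) submission on port 587 from a Windows-named host rather than a Google relay, which is the mismatch that points at a stolen credential rather than a problem with port-25 spam filtering.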
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member


    Hello :)

    SMTP authentication is required even if the sender is using Google. The "Send mail as" feature in GMail requests the SMTP authentication details for this purpose. Is it possible the user's Google account was compromised (either through brute force or a virus)? Do the sent emails show up in the client's email client? Were you able to find additional information about the email deliveries in /var/log/exim_mainlog?

    Thank you.
