The Community Forums


Spams generated from X-Mailer: PHPMailer.

Discussion in 'E-mail Discussions' started by pendias, Jun 2, 2017.

  1. pendias

    pendias Member

    Joined:
    Oct 11, 2014
    Messages:
    6
    Likes Received:
    2
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hello guys,

    I've been facing this issue for the last few days and don't know what to do. There's spamming going on from my server; when I checked, it shows X-Mailer: PHPMailer 5.2.14 (GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP).

    You can check the log below.
    Code:
    ---------------------------------
    2dGEfbv-0003DVFf-4d
    mailnull 47 12
    <asfffrtcm@mydomain.com>
    1496274065 1
    -helo_name XN--90AFEMJVCHBGOMN0I.XN--P1AI
    -host_address xx.xx.xx.xx.x.
    -host_name snake.example.net
    -host_auth dovecot_login
    -interface_address xx.xx.xx.xx.xxx
    -received_protocol esmtpsa
    -body_linecount 27
    -max_received_linelength 129
    -auth_id asfffrtcm@mydomain.com
    -tls_cipher TLSv1:DHE-RSA-AES256-SHA:256
    -tls_sni xx.xx.xx.xx.xxx
    -tls_ourcert (PEM certificate omitted)
    NN >asfffrtcm@mydomain.com:crunchs@domain.pl
    1
    crunchs@sxzfnmax.pl
    
    307P Received: from snake.example.net ([xx.xx.xx.xx.xxx]:45044 helo=XN--90AFEMJVCHBGOMN0I.XN--P1AI)
    by server.myserver.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.89)
    (envelope-from <asfffrtcm@mydomain.com>)
    id 1dGDEf-00085T-4d
    for crunchs@domain.pl; Wed, 31 May 2017 19:41:05 -0400
    037 Date: Thu, 1 Jun 2017 02:41:05 +0300
    025T To: crunchs@domain.pl
    047F From: Kiara <asfffrtcm@mydomain.com>
    051R Reply-To: Kiara <asfffrtcm@mydomain.com>
    039 Subject: xxxxxxxxxxxxxxxxxxxx
    078I Message-ID: <77922e782d28426747060512612339cf@XN--90AFEMJVCHBGOMN0I.XN--P1AI>
    068 X-Mailer: PHPMailer 5.2.14 (GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP)
    018 MIME-Version: 1.0
    085 Content-Type: multipart/alternative;
    boundary="b1_77922e782d28426747060512612339cf"
    032 Content-Transfer-Encoding: 8bit
    -----------------
    [root@server.myserver.com ~]# exim -Mvb 2dGEfbv-0003DVFf-4d
    1dGDEf-00085T-4d-D
    This is a multi-part message in MIME format.
    
    --b1_77922e782d28426747060512612339cf
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 8bit
    
    
    --b1_77922e782d28426747060512612339cf
    Content-Type: text/html; charset=utf-8
    Content-Transfer-Encoding: 8bit
    
    <html>
    <body>
    - Removed -
    </body>
    </html>
    
    
    
    --b1_77922e782d28426747060512612339cf--
    
    ---------------------------------
    I deleted a few PHPMailer files, but nothing has worked.

    Can someone please help me out with this irritating thing?
     
    #1 pendias, Jun 2, 2017
    Last edited by a moderator: Jun 2, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You may also want to try removing this email account, or changing its password if you have confirmed no additional scripts exist under the account with the ability to send email. Additionally, review the mail queue on the server to verify none of the offending messages are queued for delivery from before the PHP mailing files were removed.

    Thank you.
     
    24x7serversecurity likes this.
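    As an added example (not code from the thread, cPanel or Exim), a small Python triage script for the queue review Michael suggests: it parses Exim -H spool files like the one quoted in the first post (`exim -Mvh <id>` output) and groups PHPMailer submissions by the -auth_id Exim recorded, flagging any auth_id that has no local mailbox, as in this thread. The sample spool text is constructed; the account, IP address and message id are placeholders.

```python
import re
from collections import Counter

HDR_RE = re.compile(r"^(\d{3,})([A-Za-z*\- ]?)\s*([^\s:]+):\s*(.*)$")  # e.g. "307P Received: ..."

def parse_spool_header(text):
    # Parses an Exim -H spool file (what `exim -Mvh <id>` prints) into options and headers.
    lines = text.splitlines()
    msg = {"id": lines[0].strip(), "sender": lines[2].strip(), "options": {}, "headers": {}}
    i = 4                                    # lines 1-3: user/uid/gid, sender, received time
    while not lines[i].strip().isdigit():    # everything up to the recipient-count line
        if lines[i].startswith("-"):         # "-keyword value" lines, e.g. -auth_id
            key, _, val = lines[i][1:].partition(" ")
            msg["options"][key] = val.strip()
        i += 1                               # non-recipient tree lines ("NN ...") are skipped
    n = int(lines[i])
    msg["recipients"] = [l.strip() for l in lines[i + 1:i + 1 + n]]
    name = None
    for line in lines[i + 1 + n:]:           # headers; continuation lines carry no prefix
        m = HDR_RE.match(line)
        if m:
            name = m.group(3).lower()
            msg["headers"][name] = m.group(4).strip()
        elif name and line.strip():
            msg["headers"][name] += " " + line.strip()
    return msg

def triage(spool_texts, local_accounts):
    # Counts authenticated PHPMailer submissions per auth_id; flags ids with no local mailbox.
    per_auth_id = Counter()
    for msg in map(parse_spool_header, spool_texts):
        if "phpmailer" in msg["headers"].get("x-mailer", "").lower() and "auth_id" in msg["options"]:
            per_auth_id[msg["options"]["auth_id"]] += 1
    return per_auth_id, set(per_auth_id) - set(local_accounts)

# Constructed sample modelled on the spool file quoted in the thread; all values are placeholders.
SPAM_SPOOL = """1dGDEf-00085T-4d-H
mailnull 47 12
<asfffrtcm@mydomain.com>
1496274065 1
-host_auth dovecot_login
-auth_id asfffrtcm@mydomain.com
NN >asfffrtcm@mydomain.com:crunchs@domain.pl
1
crunchs@domain.pl

307P Received: from snake.example.net ([192.0.2.10]:45044)
  by server.myserver.com with esmtpsa (Exim 4.89)
068  X-Mailer: PHPMailer 5.2.14 (GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP)
"""
```

    On a live server, feed it the -H files of every queued message (`exim -bp` lists the ids) and compare the flagged auth_ids against the mailboxes that actually exist.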
  3. pendias

    pendias Member

    Hello Michael,

    The email account asfffrtcm@mydomain.com (I've changed the actual name) doesn't exist on the server. It's generating random, non-existent email accounts like this and spamming with X-Mailer: PHPMailer 5.2.14 (GitHub - PHPMailer/PHPMailer
     
  4. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,399
    Likes Received:
    52
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    First of all, if auth_id is being generated in the mail header, you can try enabling sender verification on the server, so it will verify first and then deliver, whether locally or remotely.
    auth_id is generated when the mail server is queried, so try the things below first to check what the cause is:

    1) Disable mail sending through nobody.
    2) Disable PHP mail function.
    3) Enable SMTP restriction.

    Try doing them one by one to see what happens, so you can get to the root cause.
     
  5. pendias

    pendias Member

    Hello,

    Alright! I'll work according to your suggestion and will let you know the outcome.
     
  6. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    588
    Likes Received:
    88
    Trophy Points:
    153
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
  7. pendias

    pendias Member

    Hello,

    Of the three pieces of advice from member '24x7server', I cannot apply 2 (Disable PHP mail function), as I have too many accounts using PHP for this purpose and it is required; SMTP restriction and Prevent "nobody" from sending mail are already enabled on the server.

    Jcats, I've applied the scripts you suggested but have yet to find the culprit script or work out exactly how it's happening. Please help me out.
     
  8. pendias

    pendias Member

    Okay, Michael. You were right and I got rid of the spamming. I followed all the things you asked me to. Also, I thank Jcats for his help. :)
     
    cPanelMichael likes this.
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I'm glad to see you were able to address the issue. Thank you for updating us with the outcome.
     