Spams generated from X-Mailer: PHPMailer.

pendias

Member
Oct 11, 2014
cPanel Access Level
Root Administrator
Hello guys,

I'm facing this issue for the last few days, and don't know what to do. There's spamming going on from my server; when I checked, it shows X-Mailer: PHPMailer 5.2.14 (GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP).

You can check the log below.
Code:
---------------------------------
2dGEfbv-0003DVFf-4d
mailnull 47 12
<[email protected]>
1496274065 1
-helo_name XN--90AFEMJVCHBGOMN0I.XN--P1AI
-host_address xx.xx.xx.xx.x.
-host_name snake.example.net
-host_auth dovecot_login
-interface_address xx.xx.xx.xx.xxx
-received_protocol esmtpsa
-body_linecount 27
-max_received_linelength 129
-auth_id [email protected]
-tls_cipher TLSv1:DHE-RSA-AES256-SHA:256
-tls_sni xx.xx.xx.xx.xxx
-tls_ourcert [certificate omitted]
NN >[email protected]:[email protected]
1
[email protected]

307P Received: from snake.example.net ([xx.xx.xx.xx.xxx]:45044 helo=XN--90AFEMJVCHBGOMN0I.XN--P1AI)
by server.myserver.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.89)
(envelope-from <[email protected]>)
id 1dGDEf-00085T-4d
for [email protected]; Wed, 31 May 2017 19:41:05 -0400
037 Date: Thu, 1 Jun 2017 02:41:05 +0300
025T To: [email protected]
047F From: Kiara <[email protected]>
051R Reply-To: Kiara <[email protected]>
039 Subject: xxxxxxxxxxxxxxxxxxxx
078I Message-ID: <[email protected]>
068 X-Mailer: PHPMailer 5.2.14 (GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP)
018 MIME-Version: 1.0
085 Content-Type: multipart/alternative;
boundary="b1_77922e782d28426747060512612339cf"
032 Content-Transfer-Encoding: 8bit
-----------------
[[email protected] ~]# exim -Mvb 2dGEfbv-0003DVFf-4d
1dGDEf-00085T-4d-D
This is a multi-part message in MIME format.

--b1_77922e782d28426747060512612339cf
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit


--b1_77922e782d28426747060512612339cf
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
<body>
- Removed -
</body>
</html>



--b1_77922e782d28426747060512612339cf--
---------------------------------
I deleted a few PHPMailer files, but nothing has worked.

Can someone please help me out with this irritating thing?

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

You may also want to try removing this email account, or changing its password if you have confirmed no additional scripts exist under the account with the ability to send email. Additionally, review the mail queue on the server to verify none of the offending messages are queued for delivery from before the PHP mailing files were removed.

Thank you.
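The spool header in the first post already shows why the password advice matters: `-received_protocol esmtpsa` together with `-auth_id` means the message was submitted over authenticated SMTP with that mailbox's credentials, so the credential, not just the PHPMailer files, is what the spammer is using. The following is an added example, not code from cPanel, Exim or anyone in this thread: a small Python triage that parses records in the `exim -Mvh` layout shown above and groups authenticated submissions by `auth_id`. The sample record and every name and address in it are constructed; Python 3.9+ is assumed.

```python
import re
from collections import Counter

# Spool header lines look like "068 X-Mailer: ...": 3-digit length, type flag, text.
HEADER_LINE = re.compile(r"^(\d{3})(.)\s?(\S.*)$")

def parse_spool_header(text):
    """Parse one -H record (the layout `exim -Mvh` prints) into a dict."""
    lines = text.strip("\n").split("\n")
    rec = {"id": lines[0].removesuffix("-H"), "sender": lines[2].strip("<>"), "vars": {}, "headers": {}}
    blank = lines.index("", 4)            # blank line separates envelope data from headers
    for line in lines[4:blank]:           # "-auth_id user@host" vars, tree and recipient lines
        if line.startswith("-"):
            key, _, value = line[1:].partition(" ")
            rec["vars"][key] = value
    name = None
    for line in lines[blank + 1:]:
        m = HEADER_LINE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            name = name.lower()
            rec["headers"].setdefault(name, []).append(value.strip())
        elif name and line[:1] in (" ", "\t"):        # folded continuation line
            rec["headers"][name][-1] += " " + line.strip()
    return rec

def triage(records):
    """Per authenticating account: authenticated submissions, and those stamped by PHPMailer."""
    total, phpmailer = Counter(), Counter()
    for rec in records:
        v = rec["vars"]
        if v.get("received_protocol") not in ("smtpa", "esmtpa", "esmtpsa") or "auth_id" not in v:
            continue                      # no SMTP AUTH (local pickup, open relay): out of scope here
        total[v["auth_id"]] += 1
        if any(x.startswith("PHPMailer") for x in rec["headers"].get("x-mailer", [])):
            phpmailer[v["auth_id"]] += 1
    return total, phpmailer

# Constructed record in the thread's layout; IDs and addresses are placeholders.
SAMPLE = """\
1dGDEf-00085T-4d-H
mailnull 47 12
<kiara@example.com>
1496274065 1
-received_protocol esmtpsa
-auth_id kiara@example.com
victim@example.org

068 X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
"""
```

Run it over every `*-H` file in the spool's input directory and the account with the large PHPMailer count is the one whose password (or whose web application) is the problem; the same loop over the current queue shows what is still waiting to go out.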

pendias

Member
Oct 11, 2014
cPanel Access Level
Root Administrator
Hello Michael,

The email account [email protected] (I've changed the actual name) doesn't exist on the server. It's generating such random non-existent email accounts and spamming with X-Mailer: PHPMailer 5.2.14 (GitHub - PHPMailer/PHPMailer
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
Hi,

First of all, if auth_id is being generated in the mail header, you can try enabling sender verification on the server, so it will verify first and then deliver, whether locally or remotely.
auth_id is generated when the mail server is queried, so try the things below first to check what the cause is:

1) Disable mail sending through nobody.
2) Disable the PHP mail function.
3) Enable SMTP restriction.

Try doing them one by one to see what happens, so you can get to the root cause.
 

pendias

Member
Oct 11, 2014
cPanel Access Level
Root Administrator
Hello,

Of the three suggestions by the '24x7server' member, I cannot apply 2 (Disable PHP mail function), as I've too many accounts using PHP for this purpose and it is required; SMTP restriction and Prevent “nobody” from sending mail are already enabled on the server.

Jcats, I've applied the scripts you suggested but have yet to pull out the culprit script or work out exactly how it's happening. Please help me out.
 

pendias

Member
Oct 11, 2014
cPanel Access Level
Root Administrator
> Hello,
>
> You may also want to try removing this email account, or changing its password if you have confirmed no additional scripts exist under the account with the ability to send email. Additionally, review the mail queue on the server to verify none of the offending messages are queued for delivery from before the PHP mailing files were removed.
>
> Thank you.

Okay, Michael. You were right and I got rid of the spamming. I followed all the things you asked me to. Also, I thank Jcats for his help. :)

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I'm glad to see you were able to address the issue. Thank you for updating us with the outcome.