stop spam from authenticated local user

megahost

Member
PartnerNOC
Jun 10, 2012
12
0
51
cPanel Access Level
Root Administrator
Hello,

i have this problem lately and i don't know what to do anymore to stop it.

Maybe someone here can tell me how is this possible.

A shared hosting account on one server is sending spam.
The spam from what i can see is sent using the cPanel user:
2017-08-02 17:10:46 ########## SMTP connection identification H=localhost A=127.0.0.1 P=44918 M=########## U=XXXXXXXX ID=1213 S=XXXXXXXX B=authenticated_local_user

how can he still send spam after changing the cpanel password with a long/strong generated one. we don't even know the the password.

Thanks.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
472
113
UK
cPanel Access Level
Root Administrator
Are you changing the cPanel password, or the mail account password ?
 

megahost

Member
PartnerNOC
Jun 10, 2012
12
0
51
cPanel Access Level
Root Administrator
the cPanel password. as a precautionary measure we've changed the email accounts passwords even thou the emails are sent from the cpanel user not from an email account.

we restarted the imap and exim after changing the cpanel password.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
472
113
UK
cPanel Access Level
Root Administrator

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,883
2,256
463
Hello,

You may also want to see if the account has setup any cron jobs that send out emails, or verify if any scripts uploaded to the account can be used to send email. Here's a link that can help with finding offending scripts:

Spam emails being sent from cPanel account

Generally, the difficult part is finding the offending account. Since you've already done that, you may want to suspend the cPanel account (or try suspending outgoing email) and contact the offending user to verify how they are sending the email.

Thank you.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
472
113
UK
cPanel Access Level
Root Administrator