stop spam from authenticated local user

[megahost]

Hello,

i have this problem lately and i don't know what to do anymore to stop it.

Maybe someone here can tell me how is this possible.

A shared hosting account on one server is sending spam.
The spam from what i can see is sent using the cPanel user:
2017-08-02 17:10:46 ########## SMTP connection identification H=localhost A=127.0.0.1 P=44918 M=########## U=XXXXXXXX ID=1213 S=XXXXXXXX B=authenticated_local_user

how can he still send spam after changing the cpanel password with a long/strong generated one. we don't even know the the password.

Thanks.

 

[rpvw]

Are you changing the cPanel password, or the mail account password ?

 

[megahost]

the cPanel password. as a precautionary measure we've changed the email accounts passwords even thou the emails are sent from the cpanel user not from an email account.

we restarted the imap and exim after changing the cpanel password.

 

[Ko Tun]

This spam email is use to send spam mail with something plugin or script in your hosting account.

 

[rpvw]

You may want to see if you can extrapolate any more information - a great resource to start with is Reading and Understanding the exim main_log

 

[cPanelMichael]

Hello,

You may also want to see if the account has setup any cron jobs that send out emails, or verify if any scripts uploaded to the account can be used to send email. Here's a link that can help with finding offending scripts:

Spam emails being sent from cPanel account

Generally, the difficult part is finding the offending account. Since you've already done that, you may want to suspend the cPanel account (or try suspending outgoing email) and contact the offending user to verify how they are sending the email.

Thank you.

 

[rpvw]

A post from cPanelMichael in another thread might also be useful: Outgoing Email Abuse from localhost