Stopping spam user from sending email on server

Discussion in 'E-mail Discussion' started by Bloke2, Feb 9, 2015.

  1. Bloke2

    Bloke2 Well-Known Member

    Joined:
    Feb 4, 2015
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Our mail server seems to have been compromised. We had only 100 email relays on GoDaddy for a day. So when the spammer maxed it out we could not send or receive email. We have done scans and also GoDaddy researched and found no files compromised. But after blocking the IP address the problem remains. The account password was changed and also all email address passwords have been changed. They are logging in with courier. They said it could be a key capture program on a user's computer since this happened after passwords were changed. Is there anything else I can check? All computers have been scanned that check email for this account.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,827
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you verified the message header and in /var/log/exim_mainlog that the email is sent through valid SMTP authentication? If so, try changing the password and not providing the updated password to the user to verify if their workstation is the source of the issue.

    Thank you.
     
  3. Bloke2

    Bloke2 Well-Known Member

    How can I tell if it's valid SMTP authentication? I looked at the emails and it says "Authentication:courier_login". The emails get sent out as root user of the account so I can't tell what alias email address is used. It's different IP addresses and domains. I have only a few email addresses and a couple of people share the same address.
     
  4. Bloke2

    Bloke2 Well-Known Member

    They said to enable cPHulk. But after reading about it, cPHulk will not protect courier mail server. That is what we are using. I was wondering maybe since I did not have outgoing mail server at port 587 using TLS. I was using 25 and not using "my outgoing server requires authentication". It seems I should have been using this. I am not changing mail servers because within days I will have a new server and Dovecot will be used. Just trying to clean this up and not make the mistakes on the new server.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    If it's a valid login with a username/password then it means the account's password has been obtained. You may need to have the user verify their workstation has not been exploited. Also, make sure you are using a strong password.

    Thank you.
     
  6. Bloke2

    Bloke2 Well-Known Member

    Not sure how to tell exactly how a password was used. Or on what email account. I used a very strong password that was generated. All computers have been scanned. Other than showing courier login, what else can I track or look for?
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
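
One way to carry out the /var/log/exim_mainlog check suggested in this thread, as an added example that is not part of any post above: Exim records an authenticated submission on the arrival (`<=`) line as `A=<authenticator>:<login>`, so grouping those lines by login shows which mailbox's password is in use and from how many addresses. The sample log lines, the example.com names and the function names are constructed, and the script assumes the authenticator logs a login id after the colon.

```python
import re
from collections import defaultdict

# Constructed sample in Exim main-log format (names and IPs are made up).
SAMPLE_LOG = """\
2015-02-09 10:01:12 1YKa01-0001aB-Cd <= info@example.com H=(pc1) [203.0.113.10]:51200 P=esmtpa A=courier_login:info@example.com S=2114
2015-02-09 10:01:15 1YKa02-0001aC-Ef <= x1@example.net H=(abc) [198.51.100.7]:40112 P=esmtpa A=courier_login:sales@example.com S=3390
2015-02-09 10:01:16 1YKa02-0001aC-Ef => victim@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.25]
2015-02-09 10:01:19 1YKa03-0001aD-Gh <= x2@example.net H=(def) [198.51.100.23]:40999 P=esmtpa A=courier_login:sales@example.com S=3391
2015-02-09 10:01:21 1YKa04-0001aE-Ij <= x3@example.net H=(ghi) [192.0.2.44]:33010 P=esmtpa A=courier_login:sales@example.com S=3402
2015-02-09 10:02:40 1YKa05-0001aF-Kl <= someone@example.org H=mail.example.org [192.0.2.80]:25001 P=esmtp S=1800
2015-02-09 10:03:02 1YKa06-0001aG-Mn <= root@host.example.com U=root P=local S=640
"""

# Arrival ("<=") lines only: client IP in brackets, then A=<authenticator>:<login id>.
ARRIVAL = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\].*?"
    r"\bA=(?P<auth>\w+):(?P<login>\S+)"
)

def auth_senders(log_text):
    """Map each authenticated login to its message count, client IPs and authenticator."""
    stats = defaultdict(lambda: {"count": 0, "ips": set(), "auth": set()})
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # deliveries, unauthenticated SMTP and local submissions
        entry = stats[m["login"]]
        entry["count"] += 1
        entry["ips"].add(m["ip"])
        entry["auth"].add(m["auth"])
    return dict(stats)

def suspects(stats, min_ips=2):
    """Logins used from at least min_ips distinct addresses, busiest first."""
    hits = [(login, s["count"], sorted(s["ips"])) for login, s in stats.items()
            if len(s["ips"]) >= min_ips]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for login, count, ips in suspects(auth_senders(SAMPLE_LOG)):
        print(f"{login}: {count} messages from {len(ips)} addresses: {', '.join(ips)}")
```

To run it on a server, pass the contents of /var/log/exim_mainlog to `auth_senders()` in place of `SAMPLE_LOG`.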
     