Strange emails sent from localhost

theoxgr

Member
Oct 3, 2013
Greece, Thessaloniki
cPanel Access Level
Root Administrator
I don't know how to fix this. The emails don't come from an IP; they seem to come from localhost?!?

Code:
2016-10-12 19:47:35 SMTP connection from [144.76.xx.xx]:45606 (TCP/IP connection count = 3)
2016-10-12 19:47:35 SMTP connection identification H=localhost A=144.76.xx.xx P=45606 U=example ID=919 S=example B=identify_local_connection
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:35042 sender verify fail for <[email protected]>: No Such User Here
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:35042 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:45606 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:45606 sender verify fail for <[email protected]>: No Such User Here

This is so strange. I have also attached a screenshot so you can check this:

cPanelMichael

Administrator
Staff member
Apr 11, 2011

theoxgr

Member
Oct 3, 2013
Greece, Thessaloniki
cPanel Access Level
Root Administrator

cPanelMichael

Administrator
Staff member
Apr 11, 2011

ruzbehraja

Well-Known Member
May 19, 2011
cPanel Access Level
Root Administrator
So I need to switch to mod_ruid2 to track down those emails...

I am currently on suPHP; is it safe for me to go to mod_ruid2? This is a production server.
If you have suPHP, you should automatically be able to track the abusive / compromised user.


2016-10-12 19:47:35 SMTP connection identification H=localhost A=144.76.xx.xx P=45606 U=example ID=919 S=example B=identify_local_connection
The U=example is the user you want to check.


The emails are being authenticated with a username and password. In my case it was a cPanel username and password. Mails were going out from a script which was in a WordPress plugin folder.

To find out which user was being used to authenticate the mails, after you install mod_ruid2, grep the logs again.

I think what cPanel really needs to highlight in the Tweak Settings option explanation is that "The tweak setting 'Prevent "nobody" from sending mail' is a restriction that only applies to emails sent with /usr/sbin/sendmail and does not restrict emails sent as SMTP through a local TCP port."

If you still can't find out, open a support ticket with cPanel and do post back here if you bump into something interesting.
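As an added illustration of the correlation described above (this is not code from the thread): the A=/P= pair on the "SMTP connection identification" line is the same [ip]:port that appears on the rejection lines, so a small parser can attribute each rejected RCPT to the local U= account. The log sample is constructed in the style of the quoted excerpt; IP, ports, addresses and the second user are made up.

```python
import re
from collections import Counter

# Constructed sample modelled on the Exim mainlog excerpt quoted in the thread
# (IP, ports, addresses and the user "othersite" are invented, not the poster's data).
SAMPLE_LOG = """\
2016-10-12 19:47:35 SMTP connection from [192.0.2.10]:45606 (TCP/IP connection count = 3)
2016-10-12 19:47:35 SMTP connection identification H=localhost A=192.0.2.10 P=45606 U=example ID=919 S=example B=identify_local_connection
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [192.0.2.10]:35042 sender verify fail for <nobody-here@example.gr>: No Such User Here
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [192.0.2.10]:35042 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F=<nobody-here@example.gr> rejected RCPT <someone@example.net>: Sender verify failed
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [192.0.2.10]:45606 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F=<nobody-here@example.gr> rejected RCPT <someone@example.net>: Sender verify failed
2016-10-12 19:47:36 SMTP connection identification H=localhost A=192.0.2.10 P=35042 U=othersite ID=1040 S=othersite B=identify_local_connection
"""

# Identification lines name the local account (U=) behind a loopback SMTP
# connection, keyed by its source address (A=) and port (P=).
IDENT_RE = re.compile(r"SMTP connection identification (?P<fields>.*)$")
# Rejection lines carry the same [ip]:port, the envelope sender and the reason.
REJECT_RE = re.compile(r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+) .*?F=<(?P<sender>[^>]*)> "
                       r"rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$")


def parse_identifications(log_text):
    """Map (ip, port) of each identified local connection to its key=value fields."""
    conns = {}
    for line in log_text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            fields = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
            if "A" in fields and "P" in fields:
                conns[(fields["A"], fields["P"])] = fields
    return conns


def attribute_rejections(log_text):
    """Count rejected RCPTs per (local user, sender, reason). Identification may be
    logged after the rejection, so the whole log is indexed first; connections with
    no identification line are reported under '<unidentified>'."""
    conns = parse_identifications(log_text)
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ident = conns.get((m.group("ip"), m.group("port")))
            user = ident["U"] if ident else "<unidentified>"
            counts[(user, m.group("sender"), m.group("reason"))] += 1
    return counts


if __name__ == "__main__":
    for (user, sender, reason), n in attribute_rejections(SAMPLE_LOG).most_common():
        print(f"{n:4d}  user={user:<14} from=<{sender}>  {reason}")
```

On a cPanel host the input would be /var/log/exim_mainlog; the same (ip, port) join works for any Exim log that records these identification lines.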