Strange emails sent from localhost

theoxgr

Member
Oct 3, 2013
21
0
1
Greece, Thessaloniki
cPanel Access Level
Root Administrator
i dont know how to fix this. the emails dont come from an ip they seem to come from localhost?!?

Code:
2016-10-12 19:47:35 SMTP connection from [144.76.xx.xx]:45606 (TCP/IP connection count = 3)
2016-10-12 19:47:35 SMTP connection identification H=localhost A=144.76.xx.xx P=45606 U=example ID=919 S=example B=identify_local_connection
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:35042 sender verify fail for <[email protected]>: No Such User Here
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:35042 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:45606 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:45606 sender verify fail for <[email protected]>: No Such User Here

this is so strange. i have also attached a screenshot so you can check this:
 

Attachments

Last edited by a moderator:

theoxgr

Member
Oct 3, 2013
21
0
1
Greece, Thessaloniki
cPanel Access Level
Root Administrator

ruzbehraja

Well-Known Member
May 19, 2011
392
11
68
cPanel Access Level
Root Administrator
so i need to switch to mod_ruid2 to track down those emails...

i am currently on suphp, is it safe for me to go to mod_ruid2 ? this is a production server.
If you have suPHP you should automatically be able to track the abusive / compromised user.


2016-10-12 19:47:35 SMTP connection identification H=localhost A=144.76.xx.xx P=45606 U=example ID=919 S=example B=identify_local_connection
The U=example is the user you want to check.


The emails are being authenticated with a username and password. In my case it was a cPanel username and password. Mails were going out from a script which was in a WordPress plugin folder.

To find out which user was being used to authenticate the mails, after you install mod_ruid2 grep the logs again.

I think what cPanel really needs to highlight in the Tweak Settings option explanation is that "The tweak setting 'Prevent "nobody" from sending mail' is a restriction that only applies to emails sent with /usr/sbin/sendmail and does not restrict emails sent as SMTP through a local TCP port."

If you still can't find out, open a support ticket with cPanel and do post back here if you bump into something interesting.