System account sending spam

Discussion in 'E-mail Discussions' started by Dreanmer, Oct 4, 2011.

  1. Dreanmer

    Dreanmer Registered

    I have searched for many days in this forum about this thread, but couldn't find anything...

    I have a cPanel account that is sending about 20k emails / day. This account has a limit of 100 emails/hour, but this really slows down my server all the time... The emails are being sent by the system account:

    cpanel-user@myservername.myserverdomain.com
    (cirquito@sistemas.a3sistemas.com.br)

    How can I block this from sending mail, or track where it is being sent from?

    I can't block this account, because it's my main site, system and mails.

    Thanks in advance

    Sorry for my poor English

    Greetings from Brazil

    ----------------------------------

    Additional info

    This account has been hacked 1 time, but I have scanned all files for the PHP mail() function and can't find anything suspicious;

    My server is CentOS;

    I have CSF and all the warnings in the Check Server Security:

    Check /dev/shm is mounted noexec,nosuid
    Check /etc/cron.daily/logrotate for /tmp noexec workaround
    Check /tmp is mounted as a filesystem
    Check /var/tmp is mounted as a filesystem
    Check Accounts that can access a cPanel user account
    Check apache for FileETag
    Check apache for FrontPage
    Check apache for mod_security
    Check apache for ServerSignature
    Check apache for ServerTokens
    Check apache for TraceEnable
    Check Apache weak SSL/TLS Ciphers (SSLCipherSuite)
    Check boxtrapper is disabled
    Check cPanel login is SSL only
    Check cPanel version
    Check csf PT_SKIP_HTTP option
    Check csf SAFECHAINUPDATE option
    Check for cxs
    Check incoming MySQL port
    Check MySQL LOAD DATA disallows LOCAL
    Check nameservers
    Check php for ini_set disabled
    Check php for Suhosin
    Check Referrer Blank Security
    Check Referrer Security
    Check root forwarder
    Check SMTP Tweak
    Check SSH PasswordAuthentication

    Is there anything I REALLY need to pay special attention to?

    Thanks again
     
    #1 Dreanmer, Oct 4, 2011
    Last edited: Oct 4, 2011
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    In that account's cPanel > Mail Section > Default address, what are your settings here?
     
  3. WebHostDog

    WebHostDog Well-Known Member

    Recompile Apache with the PHP mail patch; this will help you to track the origin folder/file sending the emails.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You should try to determine where the mail is being sent from. If it's coming from the account username, there is likely a PHP script uploaded to the account that is sending email. Try enabling the following option under the "Mail" tab in "WHM >> Server Configuration >> Tweak Settings":

    Code:
    Track email origin via X-Source email headers

    Also, check the following thread for useful information on how to track messages sent from PHP scripts:

    PHP Scripts Sending Mail

    Thank you.
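
With that Tweak Settings option enabled, script-generated mail carries X-Source-Dir and X-Source-Args headers. The following is an added example (not part of the original post and not cPanel code) that reads those headers from raw messages and ranks the directories and commands that produced them. The sample messages, paths and addresses are constructed.

```python
from collections import Counter
from email import message_from_string


def origin_of(raw_message):
    """Return (X-Source-Dir, X-Source-Args), or None when neither is filled in."""
    msg = message_from_string(raw_message)
    src_dir = (msg.get("X-Source-Dir") or "").strip()
    src_args = (msg.get("X-Source-Args") or "").strip()
    if not src_dir and not src_args:
        return None  # headers absent or empty: no script origin recorded
    return (src_dir or "?", src_args or "?")


def tally_origins(raw_messages):
    """Count messages per origin; returns (ranked list, untagged count)."""
    counts, untagged = Counter(), 0
    for raw in raw_messages:
        origin = origin_of(raw)
        if origin is None:
            untagged += 1
        else:
            counts[origin] += 1
    return counts.most_common(), untagged


def _sample(src_dir, src_args):
    # Constructed test message; addresses, paths and values are made up.
    return (
        "From: cpuser@host.example.com\n"
        "To: someone@example.net\n"
        "Subject: test\n"
        f"X-Source: {'/usr/bin/php' if src_args else ''}\n"
        f"X-Source-Args: {src_args}\n"
        f"X-Source-Dir: {src_dir}\n"
        "\n"
        "body\n"
    )


SAMPLES = (
    [_sample("example.com:/public_html/img/cache",
             "/usr/bin/php /home/cpuser/public_html/img/cache/post.php")] * 3
    + [_sample("example.com:/public_html/contact",
               "/usr/bin/php /home/cpuser/public_html/contact/send.php")]
    + [_sample("", "")]
)

if __name__ == "__main__":
    ranked, untagged = tally_origins(SAMPLES)
    for (src_dir, src_args), n in ranked:
        print(f"{n:5d}  {src_dir}  {src_args}")
    print(f"{untagged:5d}  (no X-Source data)")
```

A directory that dominates the ranking is the first place to look for an uploaded mailer script; messages counted as having no X-Source data did not record a script origin and need to be traced another way.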
     
  5. Dreanmer

    Dreanmer Registered

    Thanks for all the replies. I'm trying all the alternatives; when I get the results I'll post feedback.

    Now again, many thanks!

    @infopro

    This is the config:

    send all unrouted emails to "cirquito" (this is the cPanel account)

    Thanks

    @WebHostDog

    Can't find this option under "easy apache"... but I have upgraded my PHP from 5.2.x to 5.3.8
     
    #5 Dreanmer, Oct 5, 2011
    Last edited: Oct 5, 2011
  6. alexmack

    alexmack Member

    Where does track email origin show up?
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    All unrouted mail should be set to fail here, not forwarded to your account.
     