
Tracking down an account.

Discussion in 'E-mail Discussions' started by brendanm, Oct 11, 2007.

  1. brendanm

    I was notified by a customer that MSN was blocking mail coming from my cPanel server.

    It seems someone has guessed a username and password on an account on the server and is sending spam from the server.

    By looking at the Exim_Maillog, how can I track down which account was guessed if I know which message is the spam message?

    2007-10-06 13:25:05 1IeDOi-00082Q-SO <= [] P=esmtp S=1684 id=2925128$
    2007-10-06 13:25:05 1IeDOi-00082Q-SO => <> R=lookuphost T=remote_smtp []
    2007-10-06 13:25:05 1IeDOi-00082Q-SO Completed

    For instance, the message above: how can I see what account/user was used to authenticate the above host and allow him to send mail?
  2. linuxserverguy

    Did you find it?

    You can try cat /usr/local/cpanel/log/accesslog | grep

    to see whether anyone tried sending by webmail; you will get the username if he did.
  3. mtindor

    Actually, what is happening is that you have a customer who is forwarding their mail to (an email user on a domain hosted by you) is forwarding their email to

    ANY mail coming in for (including spam) is being forwarded to - UNLESS your customer also has set up a POP3 account called AND their domain has SpamAssassin active on it AND they have the spam settings for the domain (or the individual email account) set to delete the spam that is tagged by SpamAssassin.

    When setting up forwards, there are a few things to note....

    1. If you set up only a 'forwarder' called and you direct it to forward mail to, then ALL mail sent to (including spam) will be forwarded to

    2. If you set up a forwarder called and you direct it to forward mail to and you set up a POP3 account called and SpamAssassin is set up for the domain and SpamAssassin is set up to delete all messages it thinks are spam for that domain or individual user level rule is set up for POP3 account that deletes any emails that SpamAssassin thinks are spam, then a lot less spam, possibly a minimal amount, will be forwarded from to

    Ultimate Solution: Instruct your customers to not forward emails to, or or or, or, or, or any other email provider who likes to blacklist servers that forward mail to their userbase. Instead have your customers either set up POP3 accounts in an email client and download their mail, or use webmail to access their mail, or set up their account (If it is possible) to _retrieve_ the mail from instead of forwarding the mail _from_ to the Hotmail address.
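
Added example, not part of any post in this thread: a shell helper that answers the original question from Exim's main log. An arrival line (`<=`) for a message accepted over authenticated SMTP carries an `A=authenticator:id` field and a `P=` value ending in `a` (`esmtpa`, `esmtpsa`); a line with plain `P=esmtp` and no `A=`, like the one quoted in the first post, was accepted without authentication. The function names, all hostnames and addresses, the authenticator name and the second message ID in the sample are constructed.

```shell
#!/bin/sh
# Constructed sample in Exim main-log format (placeholder hosts/addresses):
# one message accepted without authentication, one over authenticated SMTP.
sample_log() {
cat <<'EOF'
2007-10-06 13:25:05 1IeDOi-00082Q-SO <= sender@remote.example H=mx.remote.example [192.0.2.10] P=esmtp S=1684 id=msg1@remote.example
2007-10-06 13:25:05 1IeDOi-00082Q-SO => user@freemail.example R=lookuphost T=remote_smtp H=mx.freemail.example [198.51.100.25]
2007-10-06 13:25:05 1IeDOi-00082Q-SO Completed
2007-10-06 13:31:40 1IeDUy-00084c-Ab <= info@hosted.example H=(pc) [203.0.113.7] P=esmtpa A=dovecot_login:info@hosted.example S=2210 id=msg2@pc
2007-10-06 13:31:41 1IeDUy-00084c-Ab => someone@freemail.example R=lookuphost T=remote_smtp H=mx.freemail.example [198.51.100.25]
2007-10-06 13:31:41 1IeDUy-00084c-Ab Completed
EOF
}

# Report how message ID $1 entered the server (log lines on stdin).
msg_origin() {
    awk -v id="$1" '
        $3 == id && $4 == "<=" {
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^T=/) break            # stop before a logged subject
                if ($i ~ /^A=/) auth = substr($i, 3)
                else if ($i ~ /^P=/) proto = substr($i, 3)
                else if ($i ~ /^\[.*\]$/ && ip == "") ip = $i
            }
            if (auth != "") print "authenticated", auth, ip
            else print "unauthenticated", proto, ip
            found = 1
            exit
        }
        END { if (!found) print "not-found" }
    '
}

# Count accepted messages per authenticated identity, busiest first.
auth_counts() {
    awk '$4 == "<=" { for (i = 6; i <= NF; i++) if ($i ~ /^A=/) n[substr($i, 3)]++ }
         END { for (a in n) print n[a], a }' | sort -rn
}

sample_log | msg_origin 1IeDOi-00082Q-SO   # message ID from the first post
sample_log | auth_counts
```

On a live server, feed the Exim main log to either function on stdin in place of `sample_log`. An identity that dominates the `auth_counts` output is the mailbox whose password should be reset first.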

