Tracking down an account.

Discussion in 'E-mail Discussions' started by brendanm, Oct 11, 2007.

  1. brendanm

    Hello,

    I was notified by a customer that MSN was blocking mail coming from my cPanel server.

    It seems someone has guessed a username and password on an account on the server and is sending spam from the server.

    By looking at the Exim_Maillog, how can I track down which account was guessed if I know which message is the spam message?

    2007-10-06 13:25:05 1IeDOi-00082Q-SO <= everyday16@pediatrician.com H=dzs204.neoplus.adsl.tpnet.pl [83.22.156.204] P=esmtp S=1684 id=2925128$
    2007-10-06 13:25:05 1IeDOi-00082Q-SO => cruedogg@hotmail.com <mlomax@aplsinc.com> R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.244.8]
    2007-10-06 13:25:05 1IeDOi-00082Q-SO Completed

    For instance, for the message above, how can I see what account/user was used to authenticate the above host and allow him to send mail?
     
  2. linuxserverguy

    Did you find it?

    You can try cat /usr/local/cpanel/log/accesslog | grep cruedogg@hotmail.com

    to see whether anyone tried sending by webmail; you will get the username if he did.
     
  3. mtindor

    Actually, what is happening is that you have a customer who is forwarding their mail to Hotmail.com.

    mlomax@aplsinc.com (an email user on a domain hosted by you) is forwarding their email to cruedogg@hotmail.com.

    ANY mail coming in for mlomax@aplsinc.com (including spam) is being forwarded to cruedogg@hotmail.com - UNLESS your customer also has set up a POP3 account called mlomax@aplsinc.com AND their domain has SpamAssassin active on it AND they have the spam settings for the domain (or the individual mlomax@aplsinc.com email account) set to delete the spam that is tagged by SpamAssassin.

    When setting up forwards, there are a few things to note....

    1. If you set up only a 'forwarder' called bob@domainhostedbyyou.com and you direct it to forward mail to asdfkljasdflkj@hotmail.com, then ALL mail sent to bob@domainhostedbyyou.com (including spam) will be forwarded to asdfkljasdflkj@hotmail.com.

    2. If you set up a forwarder called bob@domainhostedbyyou.com and you direct it to forward mail to asdfkljasdflkj@hotmail.com and you set up a POP3 account called bob@domainhostedbyyou.com and SpamAssassin is set up for the domain bob@domainhostedbyyou.com and SpamAssassin is set up to delete all messages it thinks are spam for that domain, or an individual user-level rule is set up for the bob@domainhostedbyyou.com POP3 account that deletes any emails that SpamAssassin thinks are spam, then a lot less spam, possibly a minimal amount, will be forwarded from bob@domainhostedbyyou.com to asdfkljasdflkj@hotmail.com.

    Ultimate Solution: Instruct your customers to not forward emails to Hotmail.com, or AOL.com or CS.com or Netscape.com, or comcast.net, or yahoo.com, or any other email provider who likes to blacklist servers that forward mail to their userbase. Instead have your customers either set up POP3 accounts in an email client and download their mail, or use webmail to access their mail, or set up their Hotmail.com account (if it is possible) to _retrieve_ the mail from bob@domainhostedbyyou.com instead of forwarding the mail _from_ bob@domainhostedbyyou.com to the Hotmail address.

    Mike
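
Added example, not part of the original thread: a short Python triage script for the Exim log lines quoted in the first post, separating mail relayed after SMTP AUTH from inbound mail that merely passed through a forwarder. It relies on two Exim log conventions: an arrival (`<=`) line carries an `A=` field (and a `P=` value such as `esmtpa`) only when the client authenticated, and a delivery line shows `<original address>` after the final address when the recipient was redirected. The second message in the sample, its `example.*` addresses and the authenticator name `login` are constructed for contrast.

```python
import re

# Constructed sample: the three lines quoted in the thread plus one constructed
# authenticated submission (example.* addresses, authenticator name "login").
SAMPLE_LOG = """\
2007-10-06 13:25:05 1IeDOi-00082Q-SO <= everyday16@pediatrician.com H=dzs204.neoplus.adsl.tpnet.pl [83.22.156.204] P=esmtp S=1684 id=2925128$
2007-10-06 13:25:05 1IeDOi-00082Q-SO => cruedogg@hotmail.com <mlomax@aplsinc.com> R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.244.8]
2007-10-06 13:25:05 1IeDOi-00082Q-SO Completed
2007-10-06 13:30:11 1IeDTb-0008AB-Xy <= user@example.com H=(laptop) [192.0.2.10] P=esmtpa A=login:user@example.com S=912
2007-10-06 13:30:12 1IeDTb-0008AB-Xy => friend@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.7]
"""

LINE = re.compile(r"^\S+ \S+ (\S+) (<=|=>|->) (.*)$")  # date, time, message ID, flag, rest
FIELD = re.compile(r"\b([A-Z]{1,2})=(\S+)")            # H=, P=, A=, R=, T=, S= ...
DELIVERY = re.compile(r"(\S+)(?: <([^>]+)>)?")         # final address, optional <original>
AUTH_PROTOCOLS = {"asmtp", "esmtpa", "esmtpsa"}        # Exim P= values that mean AUTH was used

def parse(log_text):
    """Group arrival (<=) and delivery (=>, ->) lines by Exim message ID."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "Completed" and other line types are not needed here
        msg_id, flag, rest = m.groups()
        rec = msgs.setdefault(msg_id, {"sender": None, "ip": None, "protocol": None,
                                       "auth": None, "deliveries": []})
        fields = dict(FIELD.findall(rest))
        if flag == "<=":
            ip = re.search(r"\[([^\]]+)\]", rest)
            rec.update(sender=rest.split()[0], ip=ip.group(1) if ip else None,
                       protocol=fields.get("P"), auth=fields.get("A"))
        else:
            rec["deliveries"].append(DELIVERY.match(rest).groups())
    return msgs

def classify(rec):
    """Report how the message was allowed to leave the server."""
    if rec["auth"] or rec["protocol"] in AUTH_PROTOCOLS:
        return "authenticated: " + (rec["auth"] or "unknown id")
    fwd = [f"{orig} -> {final}" for final, orig in rec["deliveries"] if orig and orig != final]
    if fwd:
        return "forwarded, no SMTP AUTH: " + ", ".join(fwd)
    return "no SMTP AUTH, delivered as addressed"

if __name__ == "__main__":
    for msg_id, rec in parse(SAMPLE_LOG).items():
        print(msg_id, rec["sender"], rec["ip"], classify(rec))
```
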
     