Tracking down email account with virus

GoWilkes

Well-Known Member
Sep 26, 2006
561
21
168
cPanel Access Level
Root Administrator
I have a shared server, for which I'm the admin. One of the clients has a virus, and according to "Mail Relayers" is sending about 1,400 spam/virus emails a day.

I need to track down which email account is the one sending the viruses. In the "Mail Relayers" list, I see a Message ID field, but a search for this ID in /var/log/maillog doesn't find anything. What does this ID correspond to?

I used rkhunter and ClamAV to confirm that the virus isn't on the server. I'm using CSF to block most foreign IPs, but since these emails are actually originating from the local user, this doesn't seem to have any impact.

I also added this to the end of cpanel_exim_system_filter so that I could track all outgoing emails through the server, and while it has copied emails correctly, I haven't caught any of those being shown in Mail Relayers:

# where example.com represents the actual domain
if first_delivery
and ("$h_from:" contains "example.com")
then
unseen deliver "[email protected]"
endif
#

Any other suggestions on how I might find the offending email account?
 

quietFinn

Well-Known Member
Feb 4, 2006
1,234
93
178
Finland
cPanel Access Level
Root Administrator
I need to track down which email account is the one sending the viruses. In the "Mail Relayers" list, I see a Message ID field, but a search for this ID in /var/log/maillog doesn't find anything. What does this ID correspond to?
You find it in /var/log/exim_mainlog
 

GoWilkes

Well-Known Member
Sep 26, 2006
561
21
168
cPanel Access Level
Root Administrator
For anyone reading this in the future, I did find the offending account. Using the Message ID helped, but wasn't 100% conclusive. However, I used the script pasted in this thread:

http://forums.cpanel.net/f43/prevent-email-spoofing-247841.html

to block all spoofed emails. Then, under "View Mail Statistics" in WHM, I found the error message listed for the account. At that point, it was just a matter of searching the Statistics page for "Incorrect from address".
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
For anyone reading this in the future, I did find the offending account. Using the Message ID helped, but wasn't 100% conclusive. However, I used the script pasted in this thread:

http://forums.cpanel.net/f43/prevent-email-spoofing-247841.html

to block all spoofed emails. Then, under "View Mail Statistics" in WHM, I found the error message listed for the account. At that point, it was just a matter of searching the Statistics page for "Incorrect from address".
Whoever did that guide you link to actually took it from the thread I did on the forum or the exim mailing list, since both of ours predate that guide:

http://forums.cpanel.net/f43/open-relay-170798-p2.html#post777302
Re: [exim] only relay mail for our domain in relay_from_hosts..