The Community Forums


Tracking down email account with virus

Discussion in 'E-mail Discussions' started by GoWilkes, Dec 12, 2011.

  1. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I have a shared server, for which I'm the admin. One of the clients has a virus, and according to "Mail Relayers" is sending about 1,400 spam/virus emails a day.

    I need to track down which email account is the one sending the viruses. In the "Mail Relayers" list, I see a Message ID field, but a search for this ID in /var/log/maillog doesn't find anything. What does this ID correspond to?

    I used rkhunter and ClamAV to confirm that the virus isn't on the server. I'm using CSF to block most foreign IPs, but since these emails are actually originating from the local user, this doesn't seem to have any impact.

    I also added this to the end of cpanel_exim_system_filter so that I could track all outgoing emails through the server, and while it has copied emails correctly, I haven't caught any of those being shown in Mail Relayers:

    # where example.com represents the actual domain
    # Exim system filter fragment: on the first delivery attempt, send a
    # copy of every message whose From: header mentions the domain to a
    # backup mailbox; "unseen" leaves the normal delivery untouched
    if first_delivery
        and ("$h_from:" contains "example.com")
    then
        unseen deliver "backup@example.com"
    endif

    Any other suggestions on how I might find the offending email account?
     
  2. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    You find it in /var/log/exim_mainlog
     
  3. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Excellent! I did find it there, thanks.
     
  4. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    For anyone reading this in the future, I did find the offending account. Using the Message ID helped, but wasn't 100% conclusive. However, I used the script pasted in this thread:

    http://forums.cpanel.net/f43/prevent-email-spoofing-247841.html

    to block all spoofed emails. Then, under "View Mail Statistics" in WHM, I found the error message listed for the account. At that point, it was just a matter of searching the Statistics page for "Incorrect from address".
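    Added example, not code from this thread or from cPanel: a small script that does offline what posts 2 and 4 describe, that is, look a Message-ID up in exim_mainlog to see which account really submitted the message, rank accounts by how much mail they inject, and flag messages whose authenticated login belongs to a different domain than the envelope sender (the same login-versus-sender comparison a spoof-blocking rule applies at SMTP time). It assumes Exim's '<=' arrival lines carry the envelope sender, an A=authenticator:login field for authenticated SMTP (dovecot_login is assumed as the authenticator name), U=unixuser for locally injected mail, the client IP in square brackets, and the Message-ID as id=... ; the log lines in SAMPLE_LOG are constructed, not real traffic. Point it at a real /var/log/exim_mainlog by reading the file into log_text.

```python
# Added example, not code from the thread: pull the submitting account
# out of Exim's arrival log lines by Message-ID, then rank accounts by volume.
#
# Assumptions (not stated on the page): each arrival is logged as a '<=' line
# with the envelope sender, 'A=authenticator:login' for authenticated SMTP
# (dovecot_login assumed as cPanel's authenticator name), 'U=unixuser' for
# local submissions, the client IP in [brackets], and the Message-ID as
# 'id=...'. The lines below are constructed samples, not real traffic.
import re
from collections import Counter

SAMPLE_LOG = """\
2011-12-12 08:01:10 1RaAaa-0001Aa-Aa <= alice@example.com H=(client) [198.51.100.7] P=esmtpsa A=dovecot_login:alice@example.com S=1532 id=20111212080110.ABC@client
2011-12-12 08:01:11 1RaAaa-0001Aa-Aa => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.5]
2011-12-12 08:02:30 1RaBbb-0002Bb-Bb <= newsletter@badsite.example H=(pc) [192.0.2.44] P=esmtpsa A=dovecot_login:carol@example.com S=9001 id=1f3b7c9e@pc
2011-12-12 08:02:31 1RaBbb-0002Bb-Bb => victim1@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.9]
2011-12-12 08:02:35 1RaCcc-0003Cc-Cc <= support@bank.example H=(pc) [192.0.2.44] P=esmtpsa A=dovecot_login:carol@example.com S=9105 id=7d0a11e2@pc
2011-12-12 08:03:00 1RaDdd-0004Dd-Dd <= www-data@example.com U=webuser P=local S=2048 id=E1RaDdd-0004Dd-Dd@host.example.com
"""

# '<=' marks a message arriving at Exim; '=>' lines are deliveries and carry
# no authentication data, so only arrivals are parsed.
ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<qid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
AUTH = re.compile(r" A=[^:\s]+:(\S+)")      # authenticated login (user@domain)
LOCAL_USER = re.compile(r" U=(\S+)")        # unix user for locally injected mail
CLIENT_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
MSG_ID = re.compile(r" id=(\S+)")


def parse_arrivals(log_text):
    """Yield one record per arrival line with the fields useful for triage."""
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        rest = m.group("rest")
        auth, local, ip, mid = (p.search(rest) for p in (AUTH, LOCAL_USER, CLIENT_IP, MSG_ID))
        yield {
            "time": m.group("ts"),
            "queue_id": m.group("qid"),
            "envelope_from": m.group("sender"),
            "account": auth.group(1) if auth else (local.group(1) if local else None),
            "ip": ip.group(1) if ip else None,
            "message_id": mid.group(1) if mid else None,
        }


def find_by_message_id(log_text, message_id):
    """Locate the arrival whose id= matches; angle brackets from a header are tolerated."""
    wanted = message_id.strip("<>")
    for rec in parse_arrivals(log_text):
        if rec["message_id"] == wanted:
            return rec
    return None


def senders_by_account(log_text):
    """Rank accounts by number of messages submitted, busiest first."""
    counts = Counter(r["account"] for r in parse_arrivals(log_text) if r["account"])
    return counts.most_common()


def spoofing_suspects(log_text):
    """Arrivals where the authenticated login's domain differs from the envelope
    sender's domain: a compromised mailbox sending as someone else shows up here."""
    suspects = []
    for r in parse_arrivals(log_text):
        acct = r["account"]
        if not acct or "@" not in acct or "@" not in r["envelope_from"]:
            continue  # local submissions have no login domain to compare
        if acct.rsplit("@", 1)[1].lower() != r["envelope_from"].rsplit("@", 1)[1].lower():
            suspects.append((r["queue_id"], acct, r["envelope_from"]))
    return suspects


if __name__ == "__main__":
    hit = find_by_message_id(SAMPLE_LOG, "<1f3b7c9e@pc>")
    print("Message-ID 1f3b7c9e@pc was submitted by", hit["account"], "from", hit["ip"])
    print("Messages per account:", senders_by_account(SAMPLE_LOG))
    print("Login/sender domain mismatches:", spoofing_suspects(SAMPLE_LOG))
```

    On the constructed sample the Message-ID resolves to carol@example.com submitting from 192.0.2.44, that account tops the volume ranking, and both of its messages show a login/sender domain mismatch, which is the pattern the "Incorrect from address" rejections in Mail Statistics surface once spoofed sends are blocked.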
     
  5. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Whoever did that guide you link to actually took it from the thread I did on the forum or the exim mailing list, since both of ours predate that guide:

    http://forums.cpanel.net/f43/open-relay-170798-p2.html#post777302
    Re: [exim] only relay mail for our domain in relay_from_hosts..
     