The Community Forums


Unsolicited email (SPAM) complaint

Discussion in 'Security' started by emalbum, Jan 15, 2012.

  1. emalbum

    emalbum Member

    Joined:
    Jun 5, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    I received an email from my server provider that they received an unsolicited email (SPAM) complaint from one of my IPs. The sample they provided is at the bottom.

    I've been researching all morning and haven't been able to determine the cause. They claim that the headers are not spoofed. I checked WHM > Email > View Relayers, and there are two clients that have a lot of messages sent.

    How do I go about identifying the problem and solving it?

    Thanks!

    Code:
    Received: from server.MYSERVER.com (ns1.MYSERVER.com [X.X.X.178])
    by mtain-mg02.r1000.mx.aol.com (Internet Inbound) with ESMTP id 030E2380000AD
    for <redacted@aol.com>; Wed, 11 Jan 2012 11:28:25 -0500 (EST)
    Received: from pat.petoftheday.com ([67.19.42.178] helo=localhost.localdomain)
    by server.MYSERVER.com with esmtpa (Exim 4.69)
    (envelope-from <service@CLIENTDOMAIN.com>)
    id 1RkztU-0003PR-1P
    for redacted@aol.com; Wed, 11 Jan 2012 07:15:16 -0800
    From:"GlobalPayments, Inc"<virtualT@global-paymts.com>
    To:redacted@aol.com
    >
    Date:Wed, 11 Jan 2012 10:15:11 -0500
    Subject: Account Update
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="==frontier=="
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server.MYSERVER.com
    X-AntiAbuse: Original Domain - aol.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - CLIENTDOMAIN.com
    x-aol-global-disposition: G
    X-AOL-VSS-INFO: 5400.1158/77652
    X-AOL-VSS-CODE: clean
    X-AOL-SCOLL-SCORE: 1:2:425587840:93952408
    X-AOL-SCOLL-URL_COUNT: 2
    x-aol-sid: 3039ac1d60ca4f0db8a97c57
    X-AOL-IP: X.X.X.178
    X-AOL-SPF: domain : CLIENTDOMAIN.com SPF : none
    
    (multipart/mixed)
    Multipart prefix (text/plain)
    This is a multi-part message in MIME format.
    
    MIME element (text/plain)
    Dear GlobalPayments Customer,
    
    Because we registrated to many frauds we decided to lock your Virtual Terminal account.
    To unlock it please download the file attached to this e-mail and update your login info.
    
    2012 Copyright Global Payments ,Inc. 
    
     
  2. faisikhan

    faisikhan Well-Known Member

    Joined:
    Dec 12, 2011
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Islamabad, Pakistan
    cPanel Access Level:
    Root Administrator
    Hi

    1. Are you sure the IP X.X.X.178 is not listed in any of the blacklist checks? Did you check that?
    2. Do you have access to the server so that you can tail the mail logs? It's best practice to know the email flows completely, so you can come to know which is the spam cause.
     
  3. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    * Ensure that the user nobody cannot send out mail:
    WHM >> Tweak Settings >> Mail >> Prevent “nobody” from sending mail

    This will ensure that all mails going out will need authentication with a valid email id and password.
    This will apply to all web forms sending out email through websites.

    This means that unless an email password has been compromised, no mail will go out through your server.

    * Then go to:
    WHM >> Mail Queue Manager

    If there are any mails that look suspicious, you can open them and should be able to see the php script sending them out.

    * Then go to:
    WHM >> Mail Queue Manager >> Delete all messages in Queue

    This will prevent any queued mails from being retried.

    * If need be, then suspend all accounts and unsuspend them one by one.

    The Config Server Firewall is great at monitoring processes that are using excessive resources or acting suspiciously. It's free.

    You should seriously consider installing it: ConfigServer Security & Firewall
     
  4. ChrisFirth

    ChrisFirth Active Member
    PartnerNOC

    Joined:
    Apr 10, 2008
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Looking at the headers, it was sent via SMTP from an external client, i.e. not originating from a script on your server:

    With that in mind, confirm that a login was used to send the email by checking the mail logs (grep for "1RkztU-0003PR-1P" in /var/log/exim_mainlog, you may need to check the rotated logs as well). You should find it was sent via the login "service@CLIENTDOMAIN.com". Once that has been found, change the password and optionally restart the mail server to flush the password cache (so that the change is immediate).

    As suggested above, delete any of the emails in the queue that would have been sent from the spammer, as you will probably get blacklisted if you have not already been. If you prefer to do it via the CLI, tools such as exiqgrep make it nice and quick.

    I see this commonly; usually it's caused by having a weak password, a trojan on a PC that checks the emails, or the password having been used somewhere else and the attacker just guessing that the same one is used elsewhere.

    In future, if you have not already, it's generally good to limit the maximum messages per hour that can be sent out, to limit how effective this method of sending spam would be.

    Also as suggested above the SMTP tweak (only allowing root/MTA to send emails) is generally good too although that will not help in this particular situation as it appears to be a standard incoming SMTP connection. Also helpful is the PHP mail header patch to add the source script - if a PHP script was being abused such as the sm3XXX.php ones the headers will then show you exactly where it came from. The patch can be applied via EasyApache or found here.

    Unless this has changed since I last looked at it (admittedly a good couple of years ago) this feature adds iptables rules stopping users except the MTA/root from sending mail to external mail servers. Common PHP spam scripts will still work as long as they use the local mail server, from memory the very first rule it adds was an accept for 127.0.0.1 on port 25. A while back the dark mailer script was a rather popular spam script and this tended to stop it dead as it used external mail servers rather than the one on the same box.
     
    #4 ChrisFirth, Jan 16, 2012
    Last edited: Jan 16, 2012
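    Tracing the message ID to the login that sent it, as an added worked example (not part of ChrisFirth's post and not cPanel's own tooling). The "with esmtpa" in the second Received line is Exim's marker for an SMTP session that authenticated, which is why the message must be traced to a login rather than to a script. The script below greps an Exim main log for the message ID from the complaint, pulls the login out of the A= field on the arrival line, then tallies arrivals per login and per clock hour, the same view WHM's View Relayers and the max-emails-per-hour limit are based on, and finally purges that login's queued mail with exiqgrep and exim -Mrm where those tools exist. The log lines it embeds are constructed in Exim's main-log layout so it runs offline; the authenticator name after A= (fixed_login here) depends on the server's configuration and is an assumption, and the hosts and addresses in the sample other than those from the complaint are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: trace an Exim message ID back to the
# SMTP AUTH login that injected it, then count how much each login relayed.
# Lines in make_sample_log are CONSTRUCTED in Exim main-log layout; the
# authenticator name after "A=" (fixed_login here) is an assumption, it
# depends on how the server's Exim authenticators are named.

LOG="${EXIM_MAINLOG:-/var/log/exim_mainlog}"

# Constructed sample log: one authenticated login injecting three messages
# within seconds from the same remote host, one locally injected message
# (U= but no A=, as a script calling sendmail would leave), and one
# ordinary authenticated user.
make_sample_log() {
  cat <<'EOF'
2012-01-11 07:15:16 1RkztU-0003PR-1P <= service@CLIENTDOMAIN.com H=pat.petoftheday.com (localhost.localdomain) [67.19.42.178] P=esmtpa A=fixed_login:service@CLIENTDOMAIN.com S=2381 T="Account Update" for redacted@aol.com
2012-01-11 07:15:16 1RkztU-0003PR-1P => redacted@aol.com R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.25]
2012-01-11 07:15:16 1RkztU-0003PR-1P Completed
2012-01-11 07:15:17 1RkztV-0003PU-2Q <= service@CLIENTDOMAIN.com H=pat.petoftheday.com (localhost.localdomain) [67.19.42.178] P=esmtpa A=fixed_login:service@CLIENTDOMAIN.com S=2380 T="Account Update" for someone@example.net
2012-01-11 07:15:18 1RkztW-0003PX-3R <= service@CLIENTDOMAIN.com H=pat.petoftheday.com (localhost.localdomain) [67.19.42.178] P=esmtpa A=fixed_login:service@CLIENTDOMAIN.com S=2382 T="Account Update" for other@example.org
2012-01-11 08:02:40 1Rl0Xa-0004AB-1C <= newsletter@OTHERCLIENT.com U=othercli P=local S=5120 T="January news" for list@example.com
2012-01-11 09:30:01 1Rl1yZ-0004Qq-7H <= bob@CLIENTDOMAIN.com H=(home-pc) [203.0.113.7] P=esmtpa A=fixed_login:bob@CLIENTDOMAIN.com S=900 T="re: invoice" for alice@example.com
EOF
}

# Print the SMTP AUTH login that injected message $1 (log file $2). Exim
# records it as A=<authenticator>:<login> on the "<=" arrival line; a
# message injected locally by a script has no A= field, so nothing prints.
auth_login_for_id() {
  grep -F " $1 <= " "$2" | sed -n 's/.* A=[^:]*:\([^ ]*\).*/\1/p'
}

# Arrivals per authenticated login, busiest first (the CLI counterpart of
# WHM >> Email >> View Relayers).
auth_logins_by_volume() {
  grep -F ' <= ' "$1" | sed -n 's/.* A=[^:]*:\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Arrivals per login per clock hour: the figure a per-hour sending limit is
# compared against, and the quickest way to spot a burst from one login.
auth_logins_by_hour() {
  awk '/ <= / {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^A=/) { split($i, a, ":"); print substr($2, 1, 2) ":00", a[2] }
       }' "$1" | sort | uniq -c | sort -rn
}

# Drop that login's queued mail so it is not retried: exiqgrep -i prints the
# IDs of queued messages whose envelope sender matches the -f regex, and
# exim -Mrm removes them. Guarded so the script still runs on a box without
# Exim. Changing the mailbox password is done in cPanel/WHM, not here.
purge_queue_for_login() {
  if command -v exiqgrep >/dev/null 2>&1 && command -v exim >/dev/null 2>&1; then
    exiqgrep -i -f "$1" | xargs -r exim -Mrm
  else
    echo "exiqgrep/exim not found; skipping queue purge for $1" >&2
  fi
}

main() {
  log="$LOG"
  if [ ! -r "$log" ]; then
    log=$(mktemp) && make_sample_log > "$log"
    echo "$LOG not readable, using constructed sample log $log" >&2
  fi
  msgid="${1:-1RkztU-0003PR-1P}"
  login=$(auth_login_for_id "$msgid" "$log")
  echo "Message $msgid was injected by SMTP AUTH login: ${login:-<none: local injection>}"
  echo "--- authenticated senders by volume"; auth_logins_by_volume "$log"
  echo "--- authenticated senders per hour"; auth_logins_by_hour "$log"
  if [ -n "$login" ]; then
    purge_queue_for_login "$login"
  fi
}

main "$@"
```

    Run it as root on the server with the message ID from the complaint as the first argument (EXIM_MAINLOG can point it at a rotated log such as /var/log/exim_mainlog.1 if the entry has already rolled over). An empty login for a given ID means the message did not come in over authenticated SMTP, and the hunt moves to scripts on the box instead.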
  5. emalbum

    emalbum Member

    Joined:
    Jun 5, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Thank you all very much for the responses! I needed the tips on figuring out that it was sent remotely. I had set a max emails per hour limit and now I will reset the password and inform the client.

    Thanks!
     
  6. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    That is not the purpose of the tweak, not exactly.

    nobody is not an "anonymous" user. nobody is the user that Apache runs as. This tweak was implemented back when the default PHP handler was DSO (Apache module), and suexec was not always used. The purpose of this was to prevent scripts that were not running via suexec from sending mail.

    Now that suPHP is the default PHP handler, and CGI scripts run using suexec, there is no legitimate script that should be sending mail as nobody anyway. All outgoing mail from the server should be sent as a system user other than nobody.

    The purpose of the tweak is to prevent the user nobody from sending mail, no more, no less. It is not a way to force authentication to be used to send mail.
     
  7. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    I think you may be thinking of Main >> Security Center >> SMTP Tweak. This is the same as Restrict outgoing SMTP to root, exim, and mailman in Main >> Server Configuration >> Tweak Settings. Prevent “nobody” from sending mail does not set any iptables rules; it simply sets a configuration in Exim that prevents the user nobody from sending mail.
     
  8. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Right. Thanks for the clarification.
     