Webmail email spamming issue

[retechpro]

Hi All Members & cPanel Team.
From last month i am facing to much issues in mails. Suddenly my some clients emails are doing spamming and emails sent to unknown mails. How can i protect from mail spamming. Is there any tool to protect from mail spamming as I’m already using mails & deferred mails limit. But facing mail spamming issue yet. Im

 

[quietFinn]

Is it local relay or remote relay?

 

[cPRex]

I would also recommend ensuring that WHM >> Tweak Settings >> "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" is enabled to prevent spam from being sent from automated scripts.

You can check the mail log on the server with this command to get a list of directories that are sending mail:

awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr

Just ignore the common directories from that output, such as "/var/spool/exim" or "/etc/csf" if you have that tool installed.

 

[retechpro]

Is it local relay or remote relay?

Local relay

 

[quietFinn]

If SMTP Tweak is enabled then the command cPRex gave is a good starting point.

 

[retechpro]

If SMTP Tweak is enabled then the command cPRex gave is a good starting point.

Yes it’s enabled.

 

[retechpro]

After running command.
Output is
55303 cwd=/var/spool/exim
3303 cwd=/
2924 cwd= /home/domain/public_html
Some other same as cwd =/home/domain/public_html
Is it good?

Also i am facing some issue in one account. I have suspend outgoing mail for this cpanel. But still mail is sending to [email protected] but outgoing is suspend and it is sending through hostname

 

[cPRex]

That would indicate that domain inside of domain.com's home directory is sending email, so you'll want to track down if that is legitimate traffic or not.

 

[retechpro]

That would indicate that domain inside of domain.com's home directory is sending email, so you'll want to track down if that is legitimate traffic or not.

I’m not technical person could you please let me know how can i track it.
Also Could you let me know why account is sending mail to [email protected] since the outgoing is suspend for this domain. Lot of acc are sending mail through hostname like [email protected] serverhost is hostname of server.

 

[cPRex]

There isn't going to be a good way to track it - you'll just have to look through the files on the account and see if there's anything there that shouldn't be.

I'm not sure why it would be the hostname. You could check the mail log (/var/log/exim_mainlog) and find the full transaction for one of those messages to see if that would give you more details.