What is the best way to monitor for compromised accounts/emails that are sending spam emails from the server - WHM

Jeromero

Active Member
Aug 6, 2019
Johannesburg , South Africa
cPanel Access Level
Website Owner
Hi all,
I just had another email from my WHM/server sending the spam messages, and after I managed to sanitize that, I realized that I need a stable solution for this.
I was lucky that I have set up "Maximum percentage of failed or deferred messages a domain may send per hour" to 30, and that saved me from the trouble of delisting the IP from spam lists.
Now, what would be a better solution to monitor all the domains and emails on the server, so I will know before the IP gets blacklisted?
Is the OSM (Outgoing Spam Monitor (osm)) plugin a solution for this, or is there something else I can do to avoid these problems?
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I run our own corporate server, so I don't really have an issue with unknown senders sending many emails.
However, I do have something configured that emails me when an email address has sent more than 250 emails.

In Tweak Settings / Mail
Number of emails a domain may send per day before the system sends a notification.
and
Number of unique recipients per hour to trigger potential spammer notification.

This should assist me in identifying if a user account or pc had been compromised.
 

ZenHostingTravis

Well-Known Member
PartnerNOC
May 22, 2020
Australia
cPanel Access Level
Root Administrator
I was lucky that I have set up "Maximum percentage of failed or deferred messages a domain may send per hour " to 30 and that saved me from trouble of delisting the IP from spamlists.
We've never used the software you mentioned but we have used CXS, as probably most hosts have.

We set our email limits conservatively. Why was spam being relayed? Was a website hacked?

If it was, a solution like Imunify is a good option IMHO.

You can monitor IP reputation using mxtoolbox.com.

They have a free and paid service.

There are also plugins you can purchase and install which monitor your IP reputation.
 

cPAdminsMichael

Well-Known Member
Dec 19, 2016
Denmark
cPanel Access Level
Root Administrator
Just continuing on the others' posts. I think setting the right limits in Tweak Settings is the way forward.
It would also be good to know if the spam is because of:

a) hacked website, sending scripts
b) badly coded website, sending spam through contact forms, etc.
c) hacked mail account
d) hacked client

All these may require different actions.

For blacklist monitoring, there are many tools out there. I'm in favor of Hetrix Tools (Free Blacklist Monitoring | Blacklist Check - HetrixTools) :)
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
Short of standing over the shoulder of all of your clients and smacking them across the back of their heads every time they use a stupid password, reuse a password, install or visit a website that might install malware or keyloggers on their system... you really can't do much proactively. You can set monitors in place to notify you when potential spam activity is happening on your server, but it's only going to catch it after the fact.
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
cPanel Access Level
DataCenter Provider
OSM is a decent solution (but you still need to monitor it). One of the default things you can do is to simply have it 'hold' the email for the offending account/mailbox and it will sit in Exim's queue. It uses existing cPanel functionality to do the outbound hold. You can then review if it's spam, remove it from the queue (CMQ works well for that) and then release the hold.

We had to do tweaking when we first put it in. We have customers with legit newsletters etc. so we added exceptions in (pretty easy to do). Now it pretty much catches everything. Compromised mailboxes (because "people" use easy passwords) as well as web site compromises and contact form spam.
 
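The per-account "messages per hour" and "unique recipients per hour" checks that keat63's Tweak Settings and ffeingol's OSM setup rely on can be reproduced from Exim's mainlog. The script below is an added example, not code from this thread or from OSM: it reads the `<=` (message received) lines, attributes each message to the authenticated mailbox (`A=dovecot_login:...`) or the local cPanel user (`U=...`) that sent it, counts messages and distinct recipients per sender per hour, and flags senders over a threshold. The log lines are constructed for the example and follow the usual cPanel Exim mainlog layout, which is an assumption.

```python
import re
from collections import defaultdict

# Fields we need from a cPanel Exim "message received" line (layout assumed):
# timestamp, message id, "<= sender", then either A=dovecot_<method>:<mailbox>
# for SMTP-authenticated mail or U=<cpanel_user> for mail sent by local
# scripts (contact forms, PHP mail()), and finally "for <recipients...>".
LINE_RE = re.compile(
    r'^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} \S+ <= (?P<from>\S+)'
    r'.*?(?: A=dovecot_\w+:(?P<auth>\S+)| U=(?P<user>\S+))'
    r'.*? for (?P<rcpts>.+)$')


def parse_line(line):
    """Return (hour, sender_identity, [recipients]) or None if the line is not
    an outbound message from an account/user we can hold responsible."""
    m = LINE_RE.match(line)
    if not m:
        return None  # inbound relay, bounce, or unrelated log line
    sender = m.group('auth') or m.group('user')
    return m.group('hour'), sender, m.group('rcpts').split()


def find_spammers(lines, max_msgs=50, max_rcpts=100):
    """Flag (sender, hour, msg_count, unique_rcpts) tuples that exceed either
    the per-hour message limit or the per-hour unique-recipient limit."""
    msgs = defaultdict(int)
    rcpts = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        hour, sender, to = parsed
        msgs[(sender, hour)] += 1
        rcpts[(sender, hour)].update(to)
    alerts = [(s, h, n, len(rcpts[(s, h)])) for (s, h), n in msgs.items()
              if n > max_msgs or len(rcpts[(s, h)]) > max_rcpts]
    return sorted(alerts)


# Constructed sample: one mailbox sends 60 messages to 60 recipients in an
# hour, a local site user sends one legitimate order mail, and one line is
# inbound mail (no A= or U=), which must be ignored.
SAMPLE_LOG = [
    f'2019-08-06 10:{i:02d}:01 1hvA{i:02d}-0001aB-2C <= sales@example.com H=(pc) '
    f'[203.0.113.5] P=esmtpsa A=dovecot_login:sales@example.com S=900 '
    f'T="Invoice" for target{i}@example.net' for i in range(60)
] + [
    '2019-08-06 10:05:10 1hvB01-0002cD-3E <= bob@example.org U=bobsite P=local '
    'S=500 T="Order" for cust1@example.net cust2@example.net',
    '2019-08-06 10:06:10 1hvB02-0002cD-3E <= someone@remote.invalid '
    'H=mail.remote.invalid [198.51.100.9] P=esmtps S=700 T="Hi" for info@example.com',
]

if __name__ == '__main__':
    for sender, hour, n, uniq in find_spammers(SAMPLE_LOG):
        print(f'{hour}:00 {sender}: {n} messages to {uniq} unique recipients')
```

Run it against `/var/log/exim_mainlog` (or a slice of it) from cron and pipe any output to a notification; hold or suspend outgoing mail for the flagged account in WHM while you review the queue.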