
WHM [System] is sending Spam emails

Discussion in 'E-mail Discussion' started by martin MHC, May 31, 2018.

  1. martin MHC

    martin MHC Well-Known Member

    Joined:
    Sep 14, 2016
    Messages:
    88
    Likes Received:
    11
    Trophy Points:
    8
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    I was exploring my Exim Mail Queue Manager in WHM and have quite by chance stumbled across the [system] identifier sending four (4) spam emails to valid email addresses.

    I deleted the messages from the mail queue (possibly unfortunately, I should have recorded their contents before deletion) but would like to know:

    1) How do I establish what caused these messages?

    2) Is this indicative of a system wide compromise?

    3) Would this be something I should raise in a ticket?

    I have searched on this topic and results all come up with cPanel specific mail/account compromises which I'm not certain relate as these were sent by "[system]" rather than by any particular account.

    I have checked my exim_mainlog and maillog log files but can't see anything obviously out of the ordinary.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,387
    Likes Received:
    92
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello,


    The header information in the messages would be useful. If the messages did indeed originate from the system it would be considered a compromise, but I highly doubt there would just be 3 messages sent from the system that were spam; if there was a compromise I would expect to see hundreds or thousands. If you are concerned about this, I would suggest opening a ticket up with the provider, not with cPanel. This isn't something that cPanel would be able to provide support for.

    Have you checked the mail queue again? If you see them again it would be extremely useful to see the header information as well as the transaction in /var/log/exim_mainlog.

    Thanks!
     
  3. martin MHC

    martin MHC Well-Known Member

    Hello,
    Yes, I have been keeping eyes on the mail queue but not seen anything since; I had opened the messages in the queue and they were 100% spam and sending to emails not on the server (but known and valid).

    I realised only in hindsight that the message headers would have been useful, after I'd manually deleted them from the queue :-(
     
  4. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @martin MHC

    Unfortunately, without any information on the messages, it's almost impossible to determine where exactly it originated and how.

    Thanks!
     
  5. martin MHC

    martin MHC Well-Known Member

    Hello. I quite understand in this specific instance, but I was asking about the wider methodology of how to get more info (I realise reading the mail logs is key, but what else?) and whether the limited information present is indicative of a wider issue.

    Cheers
     
  6. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    969
    Likes Received:
    37
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Probably too late now, but CSF MailScanner can be configured to retain copies of emails for a short period of time.
    Whether or not a message deleted from the queue would be saved, I'm not sure.
    However, if you were compromised, there's a chance that many other emails may have been sent; MailScanner would let you search for these quite easily and seamlessly.

    It's not free, but it's not expensive either.
     
  7. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    The most important items for determining where spam email is coming from are the transactional logs in /var/log/exim_mainlog and the headers of the message. For prevention, it depends on where the compromise is occurring. CSF's MailScanner is a good option as suggested by @keat63. You can also have SpamAssassin scan your outbound mail by enabling "Scan outgoing messages for spam and reject based on defined Apache SpamAssassin" at WHM>>Service Configuration>>Exim Configuration Manager.

    Thanks!
     
  8. keat63

    keat63 Well-Known Member

    Further to this, I just happened to look inside my own mail queue and what did I see but a message from system to what appears to be a valid email address.

    However, inspecting the headers, I can see that system is actually Exim and is responding with:

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed.

    Digging further, this was a spammy email sent to an email address on my server which doesn't exist, my server (system) then responding with the fail.

    Looking only in the mail queue, I can see why you may have concerns about system sending spam. At first glance, it would look like something dodgy was happening. However, in my case this was just Exim doing what it's been configured to do.
     
    #8 keat63, Jun 1, 2018
    Last edited: Jun 1, 2018
    martin MHC and cPanelLauren like this.
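Putting cPanelLauren's advice (check the transaction in /var/log/exim_mainlog) and keat63's finding (a "[system]" sender is Exim's own bounce) together, here is an added Python example, not code from the thread or from cPanel, that indexes a constructed exim_mainlog sample by message id and resolves each empty-sender message to the inbound message that triggered it, so an unexplained one can be kept for header inspection instead of deleted. The log format follows Exim's main-log conventions ("<=" arrival, "R=" trigger id on a bounce, "H=" remote host); all ids, addresses and hosts are placeholders.

```python
import re

# Constructed Exim main-log sample (placeholder ids, addresses, hosts): line 3 is
# the bounce keat63 describes, envelope sender "<>" and R= naming its trigger.
SAMPLE_LOG = """\
2018-06-01 09:59:58 1fOaAa-0001Aa-Zz <= spammer@example.net H=(mx) [203.0.113.5] P=esmtp S=5120
2018-06-01 09:59:59 1fOaAa-0001Aa-Zz ** nosuchuser@hosted.example R=virtual_aliases: No Such User Here
2018-06-01 10:00:00 1fOaBc-0001Ab-Xy <= <> R=1fOaAa-0001Aa-Zz U=mailnull P=local S=2048
2018-06-01 10:00:01 1fOaBc-0001Ab-Xy => spammer@example.net R=lookuphost T=remote_smtp
2018-06-01 10:05:00 1fOaCd-0001Ac-Qq <= alice@hosted.example H=([10.0.0.7]) A=dovecot_login:alice P=esmtpa S=800
2018-06-01 10:05:01 1fOaCd-0001Ac-Qq => bob@example.org R=lookuphost T=remote_smtp
"""

ARRIVAL = re.compile(r"^\S+ \S+ (\S+) <= (\S+)(.*)$")     # "<=": message accepted
TRIGGER = re.compile(r"\bR=(\S+)")                        # on a bounce: id of the trigger
REMOTE_IP = re.compile(r"H=[^\[\]]*\[([0-9a-fA-F.:]+)\]")  # H=name [ip]

def classify(log_text):
    """Index every accepted message by Exim id; a '<>' sender marks a bounce."""
    msgs = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        mid, sender, rest = m.groups()
        rec = {"sender": sender, "bounce": sender == "<>", "triggered_by": None,
               "remote_ip": None, "authenticated": " A=" in rest}  # A= means SMTP AUTH
        if rec["bounce"]:
            t = TRIGGER.search(rest)
            rec["triggered_by"] = t.group(1) if t else None
        h = REMOTE_IP.search(rest)
        if h:
            rec["remote_ip"] = h.group(1)
        msgs[mid] = rec
    return msgs

def explain_system_messages(msgs):
    """Map each '[system]' (empty-sender) message to its cause: a bounce whose R=
    resolves to a logged inbound message is backscatter from a rejected recipient;
    one with no resolvable trigger is the case to keep and inspect, not delete."""
    findings = []
    for mid, rec in msgs.items():
        if not rec["bounce"]:
            continue
        orig = msgs.get(rec["triggered_by"])
        if orig is None:
            findings.append((mid, "unexplained-empty-sender", None, None))
        else:
            findings.append((mid, "bounce-of-inbound", orig["sender"], orig["remote_ip"]))
    return findings
```

Run `explain_system_messages(classify(open("/var/log/exim_mainlog").read()))` on a real log to list every empty-sender message with its originating sender and remote IP; a high bounce count for one inbound host is backscatter, which the outbound SpamAssassin scan cPanelLauren mentions does not address, while unexplained entries are worth a ticket with the provider.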
  9. martin MHC

    martin MHC Well-Known Member

    Thank you for the reassuring comments @keat63. I'm sorry @cPanelLauren, I'd deleted the messages from the queue before properly noting the details.

    Lesson learnt for next time!
     
  10. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @martin MHC

    If it does happen again though and you'd like help looking at the issue we'd be happy to help!
     