WHM [System] is sending Spam emails

[martin MHC]

I was exploring my Exim Mail Queue Manager in WHM and have quite by chance stumbled across the [system] identifier sending four (4) spam emails to valid email addresses.

I deleted the messages from the mail queue (possibly unfortunately, I should have recorded their contents before deletion) but would like to know:

1) How do I establish what caused these message?

2) Is this indicative of a system wide compromise?

3) Would this be something I should raise in a ticket?

I have seached on this topic and results all come up with CPanel specific mail/account compromises which I'm not certain relate as these were sent by "[system]" rather than by any particular account.

I have checked my exim_mainlog and maillog log files but can't see anything obviously out of the ordinary.

 

[cPanelLauren]

Hello,


The header information in the messages would be useful, if the messages did indeed originate from the the system it would be considered a compromise but I highly doubt there would just be 3 messages sent from the system that were spam if there was a compromise I would expect to see hundreds or thousands. If you are concerned about this, I would suggest opening a ticket up with the provider, not with cPanel. This isn't something that cPanel would be able to provide support for.

Have you checked the mail queue again? If you see them again it would be extremely useful to see the header information as well as the transaction in /var/log/exim_mainlog

Thanks!

 

[martin MHC]

Hello,


The header information in the messages would be useful, if the messages did indeed originate from the the system it would be considered a compromise but I highly doubt there would just be 3 messages sent from the system that were spam if there was a compromise I would expect to see hundreds or thousands. If you are concerned about this, I would suggest opening a ticket up with the provider, not with cPanel. This isn't something that cPanel would be able to provide support for.

Have you checked the mail queue again? If you see them again it would be extremely useful to see the header information as well as the transaction in /var/log/exim_mainlog

Thanks!

Hello,
Yes I have been keeping eyes on the mail queue but not seen anything since; I had opened the messages in the queue and they where 100% spam and sending to emails not on the server (but known and valid).

I realised only in hindsight that the message headers would have been useful, after I'd manually deleted them from the queue :-(

 

[cPanelLauren]

Hi @martin MHC

Unfortunately, without any information on the messages, it's almost impossible to determine where exactly it originated and how.

Thanks!

 

[martin MHC]

Hi @martin MHC

Unfortunately, without any information on the messages, it's almost impossible to determine where exactly it originated and how.

Thanks!

Hello. I quite understand in this specific instance but I was asking for the wider methodology of how to get more info (I realise reading the mail logs is key, but what else?) on and if the limited information present is indicative of a wider issue,

Cheers

 

[keat63]

Probably too late now, but CSF Mailscanner can be configured to retain copies of emails for a short period of time
Whether or not a message deleted from the queue would be saved, I'm not sure.
However, if you were compromised, there's a chance that many other emails may have been sent, Mailscanner would let you search for these quite easy and seemlessly.

It's not free, but it's not expensive either.

 

[cPanelLauren]

The most important items for determining where spam email is coming from are the transactional logs in /var/log/exim_mainlog and the headers of the message, for prevention, it depends on where the compromise is occurring. CSF's MailScanner is a good option as suggested by @keat63 You can also have spam assassin scan your outbound mail by enabling "Scan outgoing messages for spam and reject based on defined Apache SpamAssassin" at WHM>>Service Configuration>>Exim Configuration Manager

Thanks!

 

[keat63]

Further to this, I just happened to look inside my own mail queue and what did a i see, but a message from system to what appears to be a valid email address.

However, inspecting the headers, I can see that system, is actually exim and is responding with:


A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed.


Digging further, this was a spammy email sent to an email address on my server which doesnt exists, my server (system) then responding with the fail.

Looking only in the mail queue, I can see why you may have concerns about system sending spam. At first glance, it would look like something dodgy was happening. However, in my case this was just exim doing what it's been configured to do.

 

[martin MHC]

Thank you for the reassuring comments @keat63 . I'm sorry @cPanelLauren I'd deleted the messages from the queue before properly noting the details.

Lesson learnt for next time!

 

[cPanelLauren]

HI @martin MHC

If it does happen again though and you'd like help looking at the issue we'd be happy to help!