WHM [System] is sending Spam emails

martin MHC
Well-Known Member, Sep 14, 2016, UK
cPanel Access Level: Root Administrator
I was exploring my Exim Mail Queue Manager in WHM and have quite by chance stumbled across the [system] identifier sending four (4) spam emails to valid email addresses.

I deleted the messages from the mail queue (possibly unfortunately, I should have recorded their contents before deletion) but would like to know:

1) How do I establish what caused these messages?

2) Is this indicative of a system wide compromise?

3) Would this be something I should raise in a ticket?

I have searched on this topic and results all come up with cPanel specific mail/account compromises which I'm not certain relate as these were sent by "[system]" rather than by any particular account.

I have checked my exim_mainlog and maillog log files but can't see anything obviously out of the ordinary.
 

cPanelLauren
Forums Analyst II, Staff member, Nov 14, 2017, Houston
cPanel Access Level: DataCenter Provider
Hello,


The header information in the messages would be useful. If the messages did indeed originate from the system it would be considered a compromise, but I highly doubt there would be just 3 messages sent from the system that were spam; if there was a compromise I would expect to see hundreds or thousands. If you are concerned about this, I would suggest opening a ticket with the provider, not with cPanel. This isn't something that cPanel would be able to provide support for.

Have you checked the mail queue again? If you see them again it would be extremely useful to see the header information as well as the transaction in /var/log/exim_mainlog

Thanks!
 

martin MHC
Well-Known Member, Sep 14, 2016, UK
cPanel Access Level: Root Administrator
Hello,
Yes, I have been keeping eyes on the mail queue but not seen anything since; I had opened the messages in the queue and they were 100% spam and sending to emails not on the server (but known and valid).

I realised only in hindsight that the message headers would have been useful, after I'd manually deleted them from the queue :-(
 

martin MHC
Well-Known Member, Sep 14, 2016, UK
cPanel Access Level: Root Administrator
Hi @martin MHC

Unfortunately, without any information on the messages, it's almost impossible to determine where exactly it originated and how.

Thanks!
Hello. I quite understand in this specific instance, but I was asking for the wider methodology of how to get more info (I realise reading the mail logs is key, but what else?) and whether the limited information present is indicative of a wider issue.

Cheers
 

keat63
Well-Known Member, Nov 20, 2014
cPanel Access Level: Root Administrator
Probably too late now, but CSF Mailscanner can be configured to retain copies of emails for a short period of time
Whether or not a message deleted from the queue would be saved, I'm not sure.
However, if you were compromised, there's a chance that many other emails may have been sent; Mailscanner would let you search for these quite easily and seamlessly.

It's not free, but it's not expensive either.
 

cPanelLauren
Forums Analyst II, Staff member, Nov 14, 2017, Houston
cPanel Access Level: DataCenter Provider
The most important items for determining where spam email is coming from are the transactional logs in /var/log/exim_mainlog and the headers of the message. For prevention, it depends on where the compromise is occurring. CSF's MailScanner is a good option, as suggested by @keat63. You can also have SpamAssassin scan your outbound mail by enabling "Scan outgoing messages for spam and reject based on defined Apache SpamAssassin" at WHM>>Service Configuration>>Exim Configuration Manager.

Thanks!
 

keat63
Well-Known Member, Nov 20, 2014
cPanel Access Level: Root Administrator
Further to this, I just happened to look inside my own mail queue and what did I see but a message from system to what appears to be a valid email address.

However, inspecting the headers, I can see that system is actually exim and is responding with:

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed.

Digging further, this was a spammy email sent to an email address on my server which doesn't exist, my server (system) then responding with the fail.

Looking only in the mail queue, I can see why you may have concerns about system sending spam. At first glance, it would look like something dodgy was happening. However, in my case this was just exim doing what it's been configured to do.
 
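The two answers above between them describe the method: cPanelLauren points at the per-message transactions in /var/log/exim_mainlog, and keat63 shows that a queued message with no owning account can simply be a bounce Exim generated for inbound spam to a non-existent mailbox. The script below, an added example that is not from the thread or from cPanel, turns that into a check you can run over a copy of exim_mainlog: it parses the standard arrival (`<=`), delivery (`=>`) and failure (`**`) lines, ties each null-sender (`<>`) message back to the message whose `R=` id it carries, and separately flags messages that were handed to Exim locally (`P=local`) by a real user, which is what a compromised script or cron job looks like in the same log. The sample log text is constructed for the example; the message ids, hosts and addresses in it are fictitious.

```python
"""Explain "system"-originated entries in an Exim mainlog.

Added example, not from the forum thread or from cPanel/Exim. The log lines in
SAMPLE_MAINLOG are constructed to mirror Exim's mainlog format; all ids, hosts
and addresses are fictitious. Feed parse_mainlog() the text of a real
/var/log/exim_mainlog to use it.
"""
import re

# Constructed sample: inbound spam to a mailbox that does not exist, the bounce
# Exim generates for it (null sender "<>", R=<parent id>, U=mailnull), and one
# message injected locally by the web server user, which is the pattern a
# compromised PHP script or cron job leaves behind.
SAMPLE_MAINLOG = """\
2020-03-10 09:58:12 1jBcde-000123-AB <= spammer@example.net H=(mta.example.net) [203.0.113.5] P=esmtp S=2345 id=1234@example.net T="Cheap meds"
2020-03-10 09:58:12 1jBcde-000123-AB ** nosuchuser@customer.example: No Such User Here
2020-03-10 09:58:12 1jBcdf-000124-AC <= <> R=1jBcde-000123-AB U=mailnull P=local S=3456 T="Mail delivery failed: returning message to sender"
2020-03-10 09:58:12 1jBcde-000123-AB Completed
2020-03-10 09:58:13 1jBcdf-000124-AC => spammer@example.net R=lookuphost T=remote_smtp H=mta.example.net [203.0.113.5]
2020-03-10 09:58:13 1jBcdf-000124-AC Completed
2020-03-10 10:02:40 1jBchX-000130-Qe <= www@server.customer.example U=www P=local S=1789 T="Hello friend"
2020-03-10 10:02:41 1jBchX-000130-Qe => victim@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.9]
2020-03-10 10:02:41 1jBchX-000130-Qe Completed
"""

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>" + MSGID + r") "
    r"(?P<flag><=|=>|->|\*\*|==|Completed)(?: (?P<rest>.*))?$"
)
# On a "<=" line of a null-sender message, R= is the id of the message that
# caused the bounce; on "=>" lines R= is a router name, so the id shape matters.
PARENT_RE = re.compile(r"\bR=(" + MSGID + r")(?=\s|$)")
HOST_RE = re.compile(r"\bH=(\S+(?: \[[^\]]+\])?)")   # H=(helo) [ip]
USER_RE = re.compile(r"\bU=(\S+)")                   # local user that injected it
PROTO_RE = re.compile(r"\bP=(\S+)")                  # esmtp, local, ...


def parse_mainlog(text):
    """Collect per-message facts from the transaction lines of a mainlog."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # queue runs, cwd= lines, etc. are not needed here
        rec = msgs.setdefault(m.group("id"), {
            "id": m.group("id"), "sender": None, "parent": None, "host": None,
            "user": None, "proto": None, "arrived": None,
            "failed": [], "delivered": [],
        })
        flag = m.group("flag")
        # Drop the quoted subject so nothing inside it matches the key patterns.
        rest = re.sub(r' T=".*"$', "", m.group("rest") or "")
        if flag == "<=":
            sender, _, tail = rest.partition(" ")
            rec["sender"], rec["arrived"] = sender, m.group("ts")
            for key, rx in (("parent", PARENT_RE), ("host", HOST_RE),
                            ("user", USER_RE), ("proto", PROTO_RE)):
                found = rx.search(tail)
                if found:
                    rec[key] = found.group(1)
        elif flag == "**":   # permanent failure: "address: reason"
            rec["failed"].append(rest.split(":", 1)[0])
        elif flag == "=>":   # successful delivery: first token is the recipient
            rec["delivered"].append(rest.split(" ", 1)[0])
    return msgs


def triage(msgs):
    """Return a finding for every message the server itself injected."""
    findings = []
    for rec in msgs.values():
        if rec["sender"] is None:
            continue  # arrival line not in this log window
        if rec["sender"] == "<>":
            parent = msgs.get(rec["parent"])
            if parent:  # bounce we can explain: backscatter for inbound mail
                findings.append({
                    "id": rec["id"], "verdict": "bounce",
                    "sent_to": rec["delivered"], "triggered_by": parent["id"],
                    "trigger_sender": parent["sender"],
                    "trigger_host": parent["host"],
                    "failed_recipients": parent["failed"],
                })
            else:       # parent not in this window: pull it with exigrep
                findings.append({"id": rec["id"], "verdict": "bounce-unknown-parent",
                                 "sent_to": rec["delivered"],
                                 "triggered_by": rec["parent"]})
        elif rec["proto"] == "local":  # a user or script called sendmail/exim
            findings.append({"id": rec["id"], "verdict": "local-injection",
                             "user": rec["user"], "sent_to": rec["delivered"]})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_mainlog(SAMPLE_MAINLOG)):
        print(finding)
```

A "bounce" finding is the situation keat63 describes: the spam came in from the remote host, the recipient did not exist, and Exim sent the failure report to whatever (usually forged) envelope sender the spam carried, which is why it goes to a real address outside the server. A "local-injection" finding is the one to chase: the U= user says which account's scripts or cron jobs to inspect. While a message is still queued, `exim -bp` lists the queue, `exim -Mvh <id>` prints its spool headers, `exim -Mvb <id>` its body, `exim -Mvl <id>` its per-message log, and `exigrep <id> /var/log/exim_mainlog` pulls the whole transaction, so capture those before deleting anything. Accepting mail for unknown addresses and bouncing it afterwards produces this backscatter; rejecting unknown recipients during the SMTP session avoids generating the bounce at all.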