Why remote user is sending 300.000 emails in 2 days?

Discussion in 'E-mail Discussions' started by wemnael, May 17, 2012.

  1. wemnael

    wemnael Member

    Joined:
    Oct 23, 2010
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I discovered at WHM >> Main >> Email >> View Sent Summary that the remote user is sending over 400 Successful emails and over 300.000 Failure emails in the last 2 days. I'm wondering how this could be possible and how I can find the cause of this issue. Thanks!
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    In the cPanel of the domain, Default Email address, what is this set to? Not sure if this is helpful at all but worth checking.
     
  3. wemnael

    Send all unrouted email for: Current Setting: :fail: No Such User Here. This is for one of our domains hosted on this WHM...
     
  4. Infopro

    The settings are correct there.

    Where you see -remote- on the WHM >> Main >> Email >> View Sent Summary screen, click it. The result should be helpful in giving you some idea what's going on, I think.
     
  5. wemnael

    wemnael Member

    Joined:
    Oct 23, 2010
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Yes, I see many Spam messages there... Here is an example:
    Code:
    Event: success
    User: -remote-
    Domain:
    Sender: laceymaya@urscorp.com
    Sent Time: May 17, 2012 5:16:17 PM
    Sender Host: pmfocsroiqxcd.com
    Sender IP: 58.187.216.84
    Authentication: localdelivery
    Spam Score:
    Recipient: remus.chitoi@rein.ro
    Delivered To: remus.chitoi@rein.ro
    Delivery User: reinro
    Delivery Domain: rein.ro
    Router: virtual_user
    Transport: virtual_userdelivery
    Out Time: May 17, 2012 5:16:17 PM
    ID: 1SV1VC-000vgs-3g
    Delivery Host: localhost
    Delivery IP: 127.0.0.1
    Size: 819 bytes
    Result: Message accepted
    
    or
    Delivery Event Details
    Event: success
    User: root
    Domain:
    Sender: root@server.siteulmeu.com
    Sent Time: May 17, 2012 5:31:17 PM
    Sender Host: localhost
    Sender IP: 127.0.0.1
    Authentication: localuser
    Spam Score:
    Recipient: ghl.bestboyyy@yahoo.com
    Delivered To: ghl.bestboyyy@yahoo.com
    Delivery User: -remote-
    Delivery Domain:
    Router: lookuphost
    Transport: remote_smtp
    Out Time: May 17, 2012 5:31:17 PM
    ID: 1SV1jS-000zNu-HE
    Delivery Host: mta5.am0.yahoodns.net
    Delivery IP: 209.191.88.254
    Size: 2.62 KB
    Result: Message accepted
    How are the messages being sent exactly? Is there a path where I can find a script that sends those emails? Or is the spammer using valid SMTP credentials to send this? How do I stop spam emails being sent?
     
  6. blue-earth

    blue-earth Member

    Joined:
    Feb 9, 2009
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Did anyone find a cure or fix or know anything about this?
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello,

    The first posted log shows the user was a delivery to the machine from what it appears. The second indicates it was "Authentication: localuser" so a local user authenticating.

    If you are having the same issue, please submit a ticket to us and provide some of the logs in question for us to go over the logs.

    Tickets can be submitted in WHM > Support Center > Contact cPanel or using the link in my signature. Please post the ticket number here afterward so we can track the issue for future reference purposes.

    Thanks!
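
The distinction drawn in the reply above (a delivery to the machine versus a local user sending out), as an added example that is not part of the original thread and is not cPanel code. It assumes delivery records have been pasted into text in the "Key: value" layout shown in the thread; the function names and the third sample record are made up for illustration.

```python
from collections import Counter

# Constructed sample: the thread's two records cut down to four fields, plus a
# third record (example.com recipient) made up for the tally.
SAMPLE = """\
Event: success
User: -remote-
Authentication: localdelivery
Recipient: remus.chitoi@rein.ro
Transport: virtual_userdelivery
or
Event: success
User: root
Authentication: localuser
Recipient: ghl.bestboyyy@yahoo.com
Transport: remote_smtp
or
Event: success
User: root
Authentication: localuser
Recipient: someone@example.com
Transport: remote_smtp
"""

def parse_records(text):
    """Turn 'Key: value' lines into dicts; an 'Event' key opens a new record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep:
            continue  # separators such as the "or" line carry no field
        if key == "Event":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records

def direction(rec):
    """'outbound' when the message left via remote_smtp, otherwise 'local'."""
    return "outbound" if rec.get("Transport") == "remote_smtp" else "local"

def outbound_by_sender(records):
    """Count outbound messages per (User, Authentication) pair."""
    return Counter((r.get("User", ""), r.get("Authentication", ""))
                   for r in records if direction(r) == "outbound")

if __name__ == "__main__":
    for who, n in outbound_by_sender(parse_records(SAMPLE)).most_common():
        print(n, *who)
```

Records classified as local are mail arriving for hosted mailboxes; the outbound tally shows which account the server attributes the sent mail to.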
     