
SPAM from -Remote- user

Comments

17 comments

  • keat63
    While we wait for the experts to come along, do you recognise the 195.201.x.x IP address? Do you have SPF and DKIM configured for your domain?
    0
  • keat63
    Let's see if you are an open relay. Maybe check the following in WHM: Tweak Settings >> Mail >> Initial default/catch-all forwarder destination. Change this to 'Fail'.
    0
  • sparek-3
    Yea, perhaps someone with a better understanding of the Mail Stats feature thingy in cPanel/WHM will be able to help. I don't use that feature, so I really don't understand what all is being displayed here. But outside of that, I would recommend examining the logs for one of the specific message ids listed here, i.e.:

        cat /var/log/exim_mainlog | grep 1g5ry3-000AQu-2Q

    That's how I diagnose issues like this. If you copy that information into this thread, be sure to redact any confidential or identifying information.
    0
  • garconcn
    Can you click on the "View Message" action on one email, then click "Show Control Data" and check "Mail control Data" to find the cPanel username or email address? Those might be the ones that got hacked.

    In Tweak Settings >> Mail >> Number of emails a domain may send per day before the system sends a notification >> change from unlimited to a number, and you may get a notification about which account sent lots of emails.

    Also, in Tweak Settings, set the following:
    Maximum percentage of failed or deferred messages a domain may send per hour: I use 25%
    Number of failed or deferred messages a domain may send before protections can be triggered: I use 25

    This will stop the user from sending email if they have too many failed messages.
    0
  • Tornado
    While we wait for the experts to come along, do you recognise the 195.201.x.x IP address? Do you have SPF and DKIM configured for your domain?

    Hi, it's the MAIN IP.
    Let's see if you are an open relay. Maybe check the following in WHM: Tweak Settings >> Mail >> Initial default/catch-all forwarder destination. Change this to 'Fail'.

    It's already set to Fail. Every email is sent from: Sender User: -remote-. I want to stop sending email from the -Remote- user. How can I stop it?
    0
  • rpvw
    I would think twice before you disallow remote senders - it may have a consequence that no one will be able to send legitimate mail to any of the domains hosted on your server. To test if your server is an open relay use the following website: Tweak Settings - Mail - Version 74 Documentation - cPanel Documentation and ensure you have followed all the security suggestions, notes and warnings. You may also like to check the various Tweak Settings for the word spam, as well as the Exim Configuration Manager (the default values are always a good place to start) and you may want to consider enabling and configuring: Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score (Minimum: 0.1; Maximum: 99.9). Hope this helps.
    0
  • rpvw
    I had another thought: Check that no-one has configured a forwarder that shouldn't be there - we have seen several cases of email accounts having been hacked and forwarders set up for the purpose of spamming from supposedly legitimate accounts. You might also want to check that your users have not had any scripts injected or uploaded to their /public_html space that might trigger a mail event from a specially crafted browser request. Good luck
    0
  • catys sun
    I am facing the same issue. From one IP address, many spam messages are coming daily.
    0
  • kdean
    I'm confused. His screenshots show that the server is already rejecting the relay attempts, so everything is good. So, what's the problem? Remote is any email coming in from outside the server, so you can't block that. Remote senders trying to relay through your server to another remote address are being rejected (22,957), so that's correct. The 64 successful ones are likely local deliveries/incoming mail.
    0
  • kdean
    To add, turn on your Authentication column and it will tell you "unauthorized", "localdelivery" or "forwarder".
    0
  • Tornado
    I had another thought: Check that no-one has configured a forwarder that shouldn't be there - we have seen several cases of email accounts having been hacked and forwarders set up for the purpose of spamming from supposedly legitimate accounts. You might also want to check that your users have not had any scripts injected or uploaded to their /public_html space that might trigger a mail event from a specially crafted browser request. Good luck

    Hi, how can I find which users set forwarders?
    To add, turn on your Authentication column and it will tell you "unauthorized", "localdelivery" or "forwarder".

    From where can I turn on Authentication?
    0
  • kdean
    The icon in your screen shots at the upper right of the Mail Delivery Reports with 3 dots and 3 lines will allow you to add/remove columns.
    0
  • Tornado
    Hi, thanks guys. Is it possible to completely disable sending email from the Remote user? Because I feel someone is using our mail server as remote.
    0
  • rpvw
    If you are going to disable remote mail (which is ALL mail sent TO your server) - you may as well just stop the mail daemons, and use some external mailer service. We seem to be going around in circles with you asking the same question over and over again. I am sorry if you don't like the answers, but they are unlikely to change to something you want to hear. Since you don't seem to have got a grip on this at all, I suggest you retain the services of a server administrator to help you - see
    0
  • kdean
    Hi, thanks guys. Is it possible to completely disable sending email from the Remote user? Because I feel someone is using our mail server as remote.

    In the evidence you've shown so far, attempts to use your server as a relay are being rejected. This is correct. Spammers will continue to try, but it won't work. So unless you show evidence of spam emails being sent through your server by a local account or script. Not all errors in the mail log are bad. Some and many in your case are indicating the correct response to relay attempts.
    0
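The distinction drawn above (rejected relay attempts versus mail actually accepted from a local account, a script, or an authenticated login) can be checked from the raw Exim log that sparek-3 suggests grepping. This is an added example, not code from any poster or from cPanel; the log lines are constructed, and the function name `summarise` is hypothetical.

```python
import re
from collections import Counter

# Constructed exim_mainlog lines (example data, not taken from the thread).
SAMPLE_LOG = """\
2018-09-28 10:00:01 H=(mail.example.net) [203.0.113.5]:51234 F=<a@example.net> rejected RCPT <b@example.org>: relay not permitted
2018-09-28 10:00:02 H=(mail.example.net) [203.0.113.5]:51240 F=<a@example.net> rejected RCPT <c@example.org>: relay not permitted
2018-09-28 10:01:10 1aaaaa-000001-AA <= friend@example.net H=mx.example.net [198.51.100.7]:40022 P=esmtps S=2301 for info@hosted.example
2018-09-28 10:02:00 cwd=/home/acct1/public_html/wp-content 3 args: /usr/sbin/sendmail -t -i
2018-09-28 10:02:00 1bbbbb-000002-BB <= acct1@server.hosted.example U=acct1 P=local S=910 for x@example.org
2018-09-28 10:02:05 1ccccc-000003-CC <= acct1@server.hosted.example U=acct1 P=local S=915 for y@example.org
2018-09-28 10:03:00 1ddddd-000004-DD <= sales@hosted.example H=(pc) [192.0.2.44]:50111 P=esmtpsa A=dovecot_login:sales@hosted.example S=1500 for z@example.org
"""

ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= \S+ (.*)$")      # "<=" marks an accepted message
AUTH = re.compile(r"\bA=\w+:(\S+)")                      # SMTP AUTH login used
LOCAL = re.compile(r"\bU=(\S+) P=local\b")               # submitted on the box itself
CWD = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: \S*sendmail\b")

def summarise(log_text):
    """Return (rejected_rcpt_count, accepted_by_origin, sendmail_dirs)."""
    rejected, origins, script_dirs = 0, Counter(), Counter()
    for line in log_text.splitlines():
        if " rejected RCPT " in line:        # refused at SMTP time: nothing was sent
            rejected += 1
            continue
        m = CWD.match(line)
        if m:                                # directory a script called sendmail from
            script_dirs[m.group(1)] += 1
            continue
        m = ARRIVAL.match(line)
        if not m:
            continue
        auth, local = AUTH.search(m.group(1)), LOCAL.search(m.group(1))
        if auth:
            origins[("authenticated", auth.group(1))] += 1
        elif local:
            origins[("local", local.group(1))] += 1
        else:                                # unauthenticated inbound mail
            origins[("remote", "-")] += 1
    return rejected, origins, script_dirs

if __name__ == "__main__":
    rejected, origins, dirs = summarise(SAMPLE_LOG)
    print("rejected RCPT:", rejected)
    for key, n in origins.most_common():
        print(n, *key)
    print("sendmail called from:", dict(dirs))
```

A high `rejected` count with few `local` or `authenticated` arrivals matches the "relay attempts are being rejected" reading; a single account or directory dominating the accepted counts is the kind of evidence that points to a compromised login or script.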
  • Tornado
    Hi, finally today the datacenter contacted us and sent a warning: == It has come to our attention that the IP address of a server you have with us is sending emails to Microsoft accounts (outlook.com, msn.com), and that these emails are being marked as spam by the recipients. == Here are the logs: - Removed -
    0
  • cPanelLauren
    The answers provided in this thread are pretty comprehensive but @Tornado if you're still experiencing issues please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
    0
