Spam with two email addresses in From
Hello everyone,
I'm getting tons of email accounts hacked and later exploited for spam purposes. I discovered most of the spam share something in common: The From header contains two email addresses. For example:
From: Prasenjit Deka
Does anybody know a way to send all these emails straight to the garbage instead of sending them?
Thank you in advance
Kindly,
Zhongshan
-
Hello @zhongshan, The first step should be to determine how the email accounts are hacked and implement procedures to prevent that from happening. You can then supplement that by enabling options to help prevent outgoing SPAM. The following documents are a good place to start when attempting to prevent email abuse overall: How to Prevent Spam with Mail Limiting Features - cPanel Knowledge Base - cPanel Documentation In particular, note the information under the Experimental: Rewrite From: header to match actual sender section on the first link listed above. Additionally, we added a new feature in cPanel & WHM version 74 to reject and hold email for suspected spammers. You can read more about it at: 0 -
Rather than just trying to stop the spam mails being sent by your server, it would probably be a good idea to identify where they were coming from, and how, and indeed if, the hacker gained access to the server in the first place. You state that you have multiple email accounts hacked - either your users are all using lamentably poor passwords, or you have had a rootkit or similar software installed on the server, or the server is leaking data on the network, or the spam is all remote and being relayed through your server. To stop plaintext passwords travelling over the network, you might want to consider switching ON the following: Service Configuration >> Exim Configuration Manager >> Security > Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server, but be warned, it might require your clients to re-configure their mail client connections. Some other considerations: - The fact that the from address has 2 separate addresses attached to it, suggests that the email is being generated by a badly configured script, and is probably NOT using an authenticated SMTP connection from a hacked email account. The whole purpose of using a compromised email account is to make the mail look as authentic as possible to bypass any spam or filtering software.
- Check to see if the -sender user- is remote, or a user on the system. It is possible that the mails are being spoofed from off-server.
- Check the sender host to see if it is recorded as localhost or some other host.
- Check the accounts web-root fileset for any unexpected or recently changed files.
- Ensure that all the core/themes/add-ons/plug-ins for any CMS or other deployed software are patched fully up-to-date. I would suspect that a file has been uploaded via an unpatched exploitable plugin.
- If the exploits are happening across several users, try and determine if there is any commonality between them, like the same CMS or plug-ins etc.
- Run an antivirus scan on at least the web-roots (and server wide would be better), and you should also probably run a server wide scan using some tool like rkhunter or similar to ensure that no rootkits or web shells have been deployed on the server.
- Change the cPanel user password, as well as any suspected email password; for any account that you suspect has been compromised.
0
Please sign in to leave a comment.
Comments
2 comments