
How can I prevent a user to send emails

Comments

27 comments

  • GOT
    Those are typically coming from php scripts. It would be unlikely that you would want to completely disable that functionality but you could add the mail() function to the disabled functions list but if you do not php script could send mail that way which most people would consider a problem. If you are getting an excessive number of them you should check to see if they are spam and if so find the problem account and deal with it that way.
    0
  • Alain Bensimon
    Those are typically coming from php scripts. It would be unlikely that you would want to completely disable that functionality but you could add the mail() function to the disabled functions list but if you do not php script could send mail that way which most people would consider a problem. If you are getting an excessive number of them you should check to see if they are spam and if so find the problem account and deal with it that way.

    I do get a lot of alerts like this one on my server, and even from domains that don't have a website attached to them.
    Time: Mon Mar 18 11:23:29 2019 -0400
    Account: someusr
    Resource: Virtual Memory Size
    Exceeded: 474 > 400 (MB)
    Executable: /opt/cpanel/ea-php72/root/usr/bin/php-cgi
    Command Line: /opt/cpanel/ea-php72/root/usr/bin/php-cgi
    PID: 16483 (Parent PID:14428)
    Killed: No
    0
  • GOT
    That is most likely not related.
    0
  • Alain Bensimon
    That is most likely not related.

    I've tried to disable the mail function, but of course then the users of those domains cannot receive and send emails anymore. What can I do?
    0
  • cPanelLauren
    Hello
    1. Prevent this account from sending any emails.

    You can hold outgoing mail for an email account through the UI by going to cPanel >> Email >> Email Accounts -> Manage (next to the email account) and suspend outgoing mail.
    2. Understand how and why it happens.

    Ultimately you'd need to know if it's occurring because of a password compromise or a PHP script; this can usually be determined in the Exim mail logs. You might also want to read through the documentation here: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation Thanks!
    0
  • Alain Bensimon
    Hello You can hold outgoing mail for an email account through the UI by going to cPanel >> Email >> Email Accounts -> Manage (next to the email account) and suspend outgoing mail. Ultimately you'd need to know if it's occurring because of a password compromise or a PHP script; this can usually be determined in the Exim mail logs. You might also want to read through the documentation here:
    0
  • cPanelLauren
    You'd need to determine if the mail is being sent via script. If so then really the best thing to do in this case would be to identify/remove the script. The following is an internal script we use sometimes to help customers find the offending script/account causing an issue with mail. It's by no means official but very useful: perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    0
  • Alain Bensimon
    You'd need to determine if the mail is being sent via script. If so then really the best thing to do in this case would be to identify/remove the script. The following is an internal script we use sometimes to help customers find the offending script/account causing an issue with mail. It's by no means official but very useful: perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

    Emails by user:
    144 : root
    66 : lapaixadmin
    51 : mailnull
    40 : liellesinvestmen
    2 : pitadmin
    ===================
    Total: 303
    ===================
    Email accounts sending out mail:
    2 : muller@belilan.com
    1 : batcheva@chabad.be
    ===================
    Total: 3
    ===================
    Directories mail is originating from:
    66 : /home/lapaixadmin/public_html
    39 : /home/liellesinvestmen/public_html
    2 : /home/pitadmin/public_html
    1 : /home/liellesinvestmen/public_html/administrator
    ===================
    Total: 107
    ===================
    Top 20 Email Titles:
    65 : [Wordfence Alert] lapaix.eu User login blocked for insecure password
    44 : Mail delivery failed: returning message to sender
    5 : lfd on host.abscomputer.net: WHM/cPanel root access alert from 207.96.147.218 (CA/Canada/-)
    5 : lfd on host.abscomputer.net: Suspicious process running under user abscompadmin
    4 : lfd on host.abscomputer.net: Suspicious process running under user casheradmin
    3 : rkhunter Daily Run on host.abscomputer.net
    2 : lfd on host.abscomputer.net: System Integrity checking detected a modified system file
    2 : lfd on host.abscomputer.net: Excessive resource usage: abscompadmin (27322 (Parent PID:27160))
    2 : lfd on host.abscomputer.net: Excessive resource usage: casheradmin (10084 (Parent PID:27160))
    2 : lfd on host.abscomputer.net: Excessive resource usage: abscompadmin (6189 (Parent PID:27160))
    2 : lfd on host.abscomputer.net: blocked distributed cpanel attack on account [belexcha]
    2 : lfd on host.abscomputer.net: Suspicious process running under user cpaneleximscanner
    2 : Nouveau message de votre site internet
    2 : Cron (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron)
    1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (32673 (Parent PID:2642))
    1 : Account Details for Esther tried to contact you 6 times [REMOVED]
    1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (28243 (Parent PID:2642))
    1 : lfd on host.abscomputer.net: Excessive resource usage: businessadmin (28305 (Parent PID:2642))
    1 : Account Details for Nancy tried to contact you 2 times ?????????? ?????? ?????
    1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (12669 (Parent PID:2642))
    ===================
    Total: 304
    ===================
    0
  • cPanelLauren
    This clearly shows that out of the mail that's present in the exim_mainlog currently the following two accounts seem to be sending mail from the directories listed:
    66 : /home/lapaixadmin/public_html
    39 : /home/liellesinvestmen/public_html
    I'd check the scripts present in the public_html for both of these accounts. Thanks!
    0
  • Alain Bensimon
    This clearly shows that out of the mail that's present in the exim_mainlog currently the following two accounts seem to be sending mail from the directories listed:
    66 : /home/lapaixadmin/public_html
    39 : /home/liellesinvestmen/public_html
    I'd check the scripts present in the public_html for both of these accounts. Thanks!

    I can't see any. Could it be in subfolders? How can I track them?
    0
  • cPanelLauren
    Hello @Alain Bensimon Based on that output no, it'd be coming from a script in the public_html. Keep in mind it could be a legitimate script as well - or could look like one. This is something that would be best suited to a system administrator to assist with further. If you don't have one you might find one here: System Administration Services | cPanel Forums Thanks!
    0
  • Alain Bensimon
    I know that it's a non-legitimate one because one of the email senders (lielleinvestment) was sending spam. I went to Joomla and disabled the PHP mail for that website within Joomla. Then it stopped, of course. I want to find the script, but I only see scripts that look legitimate to me, as you can see in the screen capture below. I really want to find it by myself. Can you help me with that? Thanks.
    0
  • cPanelLauren
    When you look at the scripts present such as the index.php do you see anything that looks potentially abnormal?
    0
  • Alain Bensimon
    This is the content of index.php setStart($startTime, $startMem)->mark('afterLoad') : null; // Instantiate the application. $app = JFactory::getApplication('site'); // Execute the application. $app->execute();
    0
  • cPanelLauren
    Hi @Alain Bensimon There's no need to post the index.php here but I would suggest looking through all the files present there - including txt files. But again, this is something that you need to address with your system administrator for further assistance.
    0
  • Alain Bensimon
    I did check every file, even the hidden ones, and I didn't see anything suspicious. What I need is to find a way to locate a malware script. You can probably advise me some tools for that?
    0
  • cPanelLauren
    Malware scanners such as Linux Malware Detect, ClamAV, etc. should be able to do this for you for most compromises; unfortunately, they can't and don't claim to be able to catch everything.
    0
  • Alain Bensimon
    I have ClamAV installed, and I have also run Maldet multiple times. Maldet always finds malware and puts it in quarantine, and then I purge the quarantine. But it always comes back.
    0
  • cPanelMichael
    Hello @Alain Bensimon, 1. A third-party solution to consider is to use the LF_SCRIPT_LIMIT option included with CSF:
    0
  • Alain Bensimon
    Hello @Michael, Thank you for your answer. So I've looked in the txt file, and it says that it's to prevent Exim from sending emails. Like I said at the beginning of this post, I have created an ACL that prevents some users from sending emails, and it worked, since I was prevented from sending emails through webmail with these users. But the spamming kept going, and it's only when I entered the Joomla admin and disabled the "sendmail" function that it stopped, which makes me think that it wasn't using Exim, so the LF_SCRIPT_LIMIT wouldn't work since it's for Exim.
    0
  • cPanelMichael
    But the spamming kept going, and it's only when I entered the Joomla admin and disabled the "sendmail" function that it stopped, which makes me think that it wasn't using Exim, so the LF_SCRIPT_LIMIT wouldn't work since it's for Exim.

    Emails sent through PHP scripts such as Joomla without SMTP authentication are still processed through Exim. You can test this by searching /var/log/exim_mainlog for one of the offending emails to see if the cwd= path entry exists. EX:
    exigrep MSGSUBJECT /var/log/exim_mainlog
    Replace MSGSUBJECT with the subject of one of the offending messages. Note that the CSF Readme suggests making changes to the log_selector Exim configuration option, but that's no longer required because cPanel & WHM uses the following entry by default:
    +incoming_port +smtp_connection +all_parents +retry_defer +subject +arguments +received_recipients
    Thank you.
    0
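The cwd= check described above, as an added example that is not part of this thread or of cPanel's tooling: a small Python parser over constructed exim_mainlog lines laid out the way cPanel's default log_selector (+arguments, +subject) writes them, with a "cwd=... args:" line immediately before the "<=" arrival line of locally submitted mail and "A=dovecot_login:<account>" on SMTP-authenticated submissions. It aggregates arrivals by submitting user, authenticated account and originating directory, much like the SSE output quoted earlier, and labels each message as script-originated, authenticated (a password question) or system mail. All hosts, users, message IDs and addresses in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines (not a real log). For mail
# submitted locally through /usr/sbin/sendmail, Exim (with +arguments) logs a
# "cwd=<dir> N args: ..." line right before the message's "<=" line; mail sent
# with mailbox credentials over SMTP carries "A=dovecot_login:<account>".
SAMPLE_LOG = """\
2019-03-18 11:20:01 cwd=/home/lapaixadmin/public_html 3 args: /usr/sbin/sendmail -t -i
2019-03-18 11:20:01 1h5gJd-0004Zk-2M <= lapaixadmin@host.example.net U=lapaixadmin P=local S=2112 T="Account Details for Nancy" for a@example.org
2019-03-18 11:20:05 cwd=/home/lapaixadmin/public_html 3 args: /usr/sbin/sendmail -t -i
2019-03-18 11:20:05 1h5gJh-0004Zp-1Q <= lapaixadmin@host.example.net U=lapaixadmin P=local S=2098 T="Account Details for Esther" for b@example.org
2019-03-18 11:21:10 cwd=/home/lielles/public_html/administrator 3 args: /usr/sbin/sendmail -t -i
2019-03-18 11:21:10 1h5gKk-0004aA-3B <= lielles@host.example.net U=lielles P=local S=1900 T="Nouveau message de votre site internet" for c@example.org
2019-03-18 11:22:30 1h5gLx-0004bC-0Z <= muller@belilan.example H=(laptop) [203.0.113.7] P=esmtpsa A=dovecot_login:muller@belilan.example S=3300 T="Invoice" for d@example.org
2019-03-18 11:23:00 1h5gMa-0004bD-4T <= root@host.example.net U=root P=local S=800 T="lfd on host: Suspicious process" for root@host.example.net
2019-03-18 11:23:01 1h5gMa-0004bD-4T => root <root@host.example.net> R=localuser T=local_delivery
2019-03-18 11:23:01 1h5gMa-0004bD-4T Completed
"""

CWD_RE = re.compile(r'^\S+ \S+ cwd=(\S+) \d+ args: (.*)$')
ARRIVAL_RE = re.compile(r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
FIELD_RE = re.compile(r'\b(U|P|A|S)=(\S+)')          # user, protocol, auth, size
SUBJECT_RE = re.compile(r'T="((?:[^"\\]|\\.)*)"')     # +subject, with \" escapes


def parse_arrivals(log_text):
    """Yield one dict per '<=' line. A preceding cwd= line is attached only to a
    local (P=local) submission and only once; a '<=' line with no cwd= line
    before it (e.g. mail from a daemon that Exim logged differently) gets None."""
    pending_cwd = None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            pending_cwd = m.group(1)
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rest = m.group('rest')
        fields = dict(FIELD_RE.findall(rest))
        auth = fields.get('A')
        subject = SUBJECT_RE.search(rest)
        yield {
            'id': m.group('id'),
            'sender': m.group('sender'),
            'user': fields.get('U'),
            'protocol': fields.get('P'),
            'auth_account': auth.split(':', 1)[1] if auth and ':' in auth else None,
            'cwd': pending_cwd if fields.get('P') == 'local' else None,
            'subject': subject.group(1) if subject else None,
        }
        pending_cwd = None


def summarize(arrivals):
    """Counts in the same spirit as the SSE output quoted in the thread."""
    return {
        'by_user': Counter(a['user'] for a in arrivals if a['user']),
        'by_account': Counter(a['auth_account'] for a in arrivals if a['auth_account']),
        'by_dir': Counter(a['cwd'] for a in arrivals if a['cwd']),
        'by_subject': Counter(a['subject'] for a in arrivals if a['subject']),
    }


def classify(arrival):
    """'authenticated': mailbox credentials were used, so look for a password
    compromise; 'script': local submission from under a web root, so look for
    the script; 'system': other local mail (root, cron); 'other': everything else."""
    if arrival['auth_account']:
        return 'authenticated'
    if arrival['protocol'] == 'local':
        return 'script' if arrival['cwd'] and '/public_html' in arrival['cwd'] else 'system'
    return 'other'


if __name__ == '__main__':
    rows = list(parse_arrivals(SAMPLE_LOG))
    for name, counter in summarize(rows).items():
        print(name)
        for key, n in counter.most_common():
            print(f'  {n} : {key}')
    for a in rows:
        print(a['id'], classify(a), a['cwd'] or a['auth_account'] or a['user'])
```

On a real server the same parser can be pointed at /var/log/exim_mainlog; the directory counts tell you which public_html to inspect, and a high count under an authenticated account rather than a directory points at a stolen mailbox password instead of a script.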
  • 000
    You'd need to determine if the mail is being sent via script. If so then really the best thing to do in this case would be to identify/remove the script. The following is an internal script we use sometimes to help customers find the offending script/account causing an issue with mail. It's by no means official but very useful: perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

    [root@cia ~]# /usr/local/cpanel/3rdparty/bin/perl perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    Can't open perl script "perl": No such file or directory
    [root@cia ~]#
    Another file or URL, please?
    0
  • cPRex Jurassic Moderator
    @000 - you don't need that second "perl" in there. The whole line would just be this: /usr/local/cpanel/3rdparty/bin/perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    Can you try that instead?
    0
  • 000
    @000 - you don't need that second "perl" in there. The whole line would just be this: /usr/local/cpanel/3rdparty/bin/perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    Can you try that instead?

    Thanks, my result is:
    [root@cia ~]# /usr/local/cpanel/3rdparty/bin/perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    Emails by user:
    2706 : mailnull
    ...
    ===================
    Total: 5432
    ===================
    Email accounts sending out mail:
    4 : __cpanel__service__auth__icontact__beocpd7wbtyl3gat
    ...
    ===================
    Total: 2701
    ===================
    Top 20 Email Titles:
    2706 : Mail delivery failed: returning message to sender
    [root@cia ~]#
    Please, thinking about how to STOP SPAM: #1 What is the best config to manage "mailnull"? #2 What/who is "__cpanel__service__auth__icontact__beocpd7wbtyl3gat"? #3 "2706 : Mail delivery failed": what can I do to STOP that? Since 2020 I have had this problem; I have checked SPF and DKIM, my server is NOT a relay, more than a month ago I deleted the problematic account, etc...
    0
  • cPRex Jurassic Moderator
    Can you let me know what specific issue you're trying to solve at this time? mailnull is just the system user that the process runs under, and you can find more discussion on that here:
    grep "Mail delivery failed" /var/log/exim_mainlog
    and then search for an individual message to see what the issue was.
    0
  • 000
    Can you let me know what specific issue you're trying to solve at this time?

    Thanks, my problem is:
    [root@cia ~]# grep "Mail delivery failed" /var/log/exim_mainlog | wc -l
    2846
    [root@cia ~]#
    It would be best to check individual messages by searching for this in the mail log:

    0
  • cPRex Jurassic Moderator
    In order to get more details I'd remove the "| wc -l" from the command so you can see the full message log. That will show you the message ID number in the log, which will look something like this: 1l7jmi-00DZWH-90. Then you can run this command to see the full log of that message:
    grep 1l7jmi-00DZWH-90 /var/log/exim_mainlog
    That will show you why the message failed, and you can move forward from there.
    0
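Tracing a message ID as described above, as an added example that is not from this thread or from cPanel: Python over a constructed exim_mainlog excerpt. It groups lines by message ID, reports how a message arrived, its failed (**), deferred (==) and completed (=>) deliveries and the failure reason, and links every bounce back to its origin: Exim logs a generated bounce as a new message arriving as "<= <>" with "R=<original id>", submitted locally as mailnull, which is why "Mail delivery failed" mail shows up under mailnull rather than under the account whose undeliverable mail caused it. Message IDs, addresses, users and reasons in the sample are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of exim_mainlog lines (not a real log). One message that
# fails and produces a bounce, and one that is merely deferred.
SAMPLE_LOG = """\
2021-02-10 09:00:00 1l7jmi-00DZWH-90 <= info@example.com U=lapaixadmin P=local S=1500 T="Account Details for Nancy" for nobody@mail.invalid
2021-02-10 09:00:01 1l7jmi-00DZWH-90 ** nobody@mail.invalid R=lookuphost T=remote_smtp: all relevant MX records point to non-existent hosts
2021-02-10 09:00:01 1l7jmj-00DZWK-2R <= <> R=1l7jmi-00DZWH-90 U=mailnull P=local S=2600 T="Mail delivery failed: returning message to sender" for info@example.com
2021-02-10 09:00:01 1l7jmi-00DZWH-90 Completed
2021-02-10 09:00:02 1l7jmj-00DZWK-2R => info <info@example.com> R=virtual_user T=virtual_userdelivery
2021-02-10 09:00:02 1l7jmj-00DZWK-2R Completed
2021-02-10 09:05:00 1l7jqx-00DZXa-1A <= muller@belilan.example P=esmtpsa A=dovecot_login:muller@belilan.example S=900 T="Hello" for u@example.org
2021-02-10 09:05:03 1l7jqx-00DZXa-1A == u@example.org R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
"""

# Exim message IDs are three base-62 groups: 6-6-2 characters.
MSG_ID = r'[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}'
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<id>' + MSG_ID + r') '
                     r'(?P<flag><=|=>|->|\*\*|==)?\s*(?P<rest>.*)$')


def index_by_id(log_text):
    """Group (timestamp, flag, rest) tuples by message ID; lines without an ID
    (e.g. cwd= lines, daemon messages) are skipped."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[m.group('id')].append((m.group('ts'), m.group('flag'), m.group('rest')))
    return entries


def trace(entries, msg_id):
    """What 'grep <id> exim_mainlog' shows, structured: arrival, failed ('**'),
    deferred ('==') and completed ('=>'/'->') deliveries, completion, and the
    IDs of any bounces Exim generated for this message ('<= <>' with R=<id>)."""
    t = {'arrival': None, 'failed': [], 'deferred': [], 'delivered': [],
         'completed': False, 'bounces': []}
    for _ts, flag, rest in entries.get(msg_id, []):
        if flag == '<=':
            t['arrival'] = rest
        elif flag == '**':
            t['failed'].append(rest)
        elif flag == '==':
            t['deferred'].append(rest)
        elif flag in ('=>', '->'):
            t['delivered'].append(rest)
        elif rest == 'Completed':
            t['completed'] = True
    for other_id, lines in entries.items():
        for _ts, flag, rest in lines:
            if flag == '<=' and rest.startswith('<> ') and f'R={msg_id}' in rest.split():
                t['bounces'].append(other_id)
    return t


def failure_reason(entries, msg_id):
    """The text after the first ': ' on the message's first '**' line, or None."""
    for _ts, flag, rest in entries.get(msg_id, []):
        if flag == '**' and ': ' in rest:
            return rest.split(': ', 1)[1]
    return None


def bounce_sources(entries):
    """Attribute each bounce to the user (U=) who submitted the original message
    it refers to, so 'Mail delivery failed' volume is charged to the real sender
    rather than to mailnull."""
    origins = Counter()
    for lines in entries.values():
        for _ts, flag, rest in lines:
            if flag != '<=' or not rest.startswith('<> '):
                continue
            ref = next((tok[2:] for tok in rest.split() if tok.startswith('R=')), None)
            orig = next((r for _t, f, r in entries.get(ref, []) if f == '<='), '')
            user = next((tok[2:] for tok in orig.split() if tok.startswith('U=')), 'unknown')
            origins[user] += 1
    return origins


if __name__ == '__main__':
    E = index_by_id(SAMPLE_LOG)
    for mid in E:
        t = trace(E, mid)
        print(mid, 'failed' if t['failed'] else 'deferred' if t['deferred'] else 'ok',
              failure_reason(E, mid) or '', 'bounces:', t['bounces'])
    print('bounces by originating user:', dict(bounce_sources(E)))
```

Run against a real log, bounce_sources answers the "2706 : mailnull" question directly: the bounces are a symptom, and the U= (or, for authenticated senders, the A=) on the referenced original messages names the account or script whose mail is being rejected.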
