
My server is sending spam

Comments

22 comments

  • keat63
    How many accounts do you have on the VPS ? In WHM, navigate to mail delivery reports, run a report and see if you can identify the user account which is sending these.
    0
  • psytanium
    How many accounts do you have on the VPS ? In WHM, navigate to mail delivery reports, run a report and see if you can identify the user account which is sending these.

    I have 65 accounts; the header indicates the message is sent from my server, Mailer-Daemon@server.my-server.com
    0
  • keat63
    I don't know the answer, but I'd still suggest taking a look in mail delivery reports, clicking on the magnifying glass and seeing if these are linked to a user account on the server.
    0
  • kernow
    Check out this website and scroll down to "Outbound spam from compromised scripts": ConfigServer Services - Searching for Spammers
    0
  • cPanelMichael
    Hello @psytanium, The following document is a good place to start in terms of preventing users from sending out SPAM and enabling the options to better detect when it happens: Let me know if this helps. Thank you.
    0
  • psytanium
    Alright, may I know some more information please? I have to learn how to spot the spam source and the solution. For example, this account on my server, k**a.com.lb, has sent 12000 emails today. From the Mail Delivery Report I can find those details: [removed due to use of real domains] What should I look for, and what should I do with that information? Is the source of the spam my server, or the user's computer, or a stolen password? Or some other possibility? Regards,
    0
  • psytanium
    Hello, the most used subjects: [removed due to use of real SPAM terms]
    The most logged-in users:
    126 __cpanel__service__auth__icontact__
    1542 info@the****removed.com
    12986 ism@k**removed.lb
    The most used mailing script:
    9167 /usr/local/cpanel/whostmgr/docroot
    The user ism@k**a.com.lb has sent 12986 emails with the subjects "removed" and "removed". But what does it mean if the most used mail script is "/usr/local/cpanel/whostmgr/docroot"? Is the spam sent from my server, or from the user's computer, or from Jupiter?
    0
  • cPanelMichael
    The user ism@k**a.com.lb has sent 12986 emails with the subjects "removed" and "removed"

    Hello @psytanium, this means that email account is authenticating with the email account's username and password to send out the SPAM email. You'll want to change the password for that email account and let the cPanel account holder associated with that domain name know about the outgoing SPAM. Then browse to WHM >> Mail Queue Manager, search for the offending email account or the SPAM term, and remove the queued messages from your server's email queue. Thank you.
    0
  • psytanium
    What if there is malware on my server sending spam from inside? How can I know the source? In 10 days I found 3 different domains sending spam, and I got blocked by the GoDaddy relays 3 times, 24h each.
    0
  • psytanium
    When I run the command:
    [QUOTE] grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    the output is:
    [QUOTE]
    ....
    24 /home/user/public_html
    29 /home/user1/public_html
    35 /home/user2/public_html/automatic
    35 /home/user3/public_html/insight
    53 /home/user4/public_html
    9174 /usr/local/cpanel/whostmgr/docroot
    Why are all the regular emails sent from the home accounts, but the 9174 spam messages are sent from /usr/local/cpanel/whostmgr/docroot? What is it?
    0
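    The pipeline above counts the cwd= entries Exim logs for each locally submitted message. As an added example (not code from this thread or from cPanel), the Python below does the same aggregation over constructed sample log lines and also tallies the A=dovecot_login: authenticated mailbox and the U= local user on each arrival line, because an authenticated mailbox, rather than a web directory, is the other usual source of outbound spam; the line shapes are assumed to match what Exim writes on cPanel with argument logging enabled.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines (hosts, paths and
# mailboxes are placeholders, not values from the thread).
SAMPLE_LOG = """\
2019-07-16 03:26:20 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
2019-07-16 03:26:21 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1hnKfB-001muY-GU
2019-07-16 03:26:22 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/sendmail -t -i
2019-07-16 03:26:23 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/sendmail -t -i
2019-07-16 03:26:24 1hnKfC-001muZ-AA <= ism@example.lb H=(pc) [203.0.113.5] P=esmtpsa A=dovecot_login:ism@example.lb S=812
2019-07-16 03:26:25 1hnKfD-001mvA-BB <= ism@example.lb H=(pc) [203.0.113.5] P=esmtpsa A=dovecot_login:ism@example.lb S=790
2019-07-16 03:26:26 1hnKfE-001mvB-CC <= info@example-hotel.com H=(pc) [198.51.100.9] P=esmtpsa A=dovecot_login:info@example-hotel.com S=640
2019-07-16 03:26:27 1hnKfF-001mvC-DD <= <> R=1hnKfC-001muZ-AA U=mailnull P=local S=2200
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")     # working directory of a local submission
AUTH_RE = re.compile(r"\bA=\w+:(\S+)")  # SMTP-authenticated mailbox (dovecot_login etc.)
USER_RE = re.compile(r"\bU=(\S+)")      # local Unix user that submitted the message

def summarize(log_text):
    """Aggregate sending directories, authenticated mailboxes and local users.
    Exim's own spool paths are skipped, as `grep -v /var/spool` does in the thread."""
    cwd, auth, user = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m:
            if not m.group(1).startswith("/var/spool"):
                cwd[m.group(1)] += 1
            continue
        if "<=" not in line:  # only message-arrival lines carry A= / U=
            continue
        m = AUTH_RE.search(line)
        if m:
            auth[m.group(1)] += 1
        m = USER_RE.search(line)
        if m:
            user[m.group(1)] += 1
    return {"cwd": cwd, "auth": auth, "user": user}

def outliers(counter, factor=10):
    """Entries at least `factor` times the median count; one path or mailbox
    towering over the rest is the pattern the thread's 9174/12986 counts show."""
    if not counter:
        return []
    counts = sorted(counter.values())
    median = counts[len(counts) // 2]
    return [(k, v) for k, v in counter.items() if v >= factor * median]
```

    Against a live server, feed it the real file with summarize(open("/var/log/exim_mainlog").read()) and pass each counter to outliers().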
  • cPanelMichael
    Hello @psytanium, Can you run the following command instead and let us know the output? perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    Thank you.
    0
  • psytanium
    Emails by user:
    [QUOTE]
    6761 : mailnull
    106 : user1
    56 : user2
    Email accounts sending out mail:
    [QUOTE]
    12986 : ism@k**a.com.lb
    1542 : info@*******hotel.com
    128 : __cpanel__service__auth__icontact__g9f89smfbc2ue90x
    56 : rnader@wa*******er.me
    Directories mail is originating from:
    [QUOTE]
    56 : /home/user/public_html
    35 : /home/user1/public_html/insight
    35 : /home/user1/public_html/automatic
    Top 20 Email Titles:
    [QUOTE]
    9889 : Industrial Control & Supply Inc.
    6761 : Mail delivery failed: returning message to sender
    3080 : Azzam Purchase Order #107608 --107609
    1502 : Response
    Thank you
    0
  • cPanelMichael
    Hello @psytanium,
    [QUOTE] 6761 : mailnull
    [QUOTE] 6761 : Mail delivery failed: returning message to sender
    The "mailnull" user you see in the report is showing you the number of emails that were returned to the sender.
    [QUOTE] 12986 : ism@k**a.com.lb
    This is the account to focus on. I recommend following the advice from my earlier post in this thread:
    [QUOTE] You'll want to change the password for that email account and let the cPanel account holder associated with that domain name know about the outgoing SPAM. Then, browse to WHM >> Mail Queue Manager, search for the offending email account or the SPAM term, and remove the queued messages from your server's email queue.
    If you're concerned that you're missing something, feel free to open a
    0
  • psytanium
    Thank you for the explanation, the missing point is clear now. What is more important is how to make sure I receive a notification email before my server gets blocked by GoDaddy or blacklisted. This discussion is opened in another topic in this forum. Thanks again :)
    0
  • rafhelp
    I have shared hosting with GoDaddy. It hosts numerous WP installations/websites. Yesterday on the cPanel I noticed file usage had maxed out, gone past the limit of 250K. I contacted GoDaddy, who tried to sell me upgrades to the hosting. I declined, then started deleting loads of files and old plugins. Got it down to 50% usage. Today I noticed the file usage had gone up again. So I checked the FTP folders, and in a folder located here: "home/mysite/mail/new/" there are like 1500 new files with names similar to this: 15.4P421231.example.prod.ams1.secureserver.net,S=4411,W=4490
    This is the content of one of those files:
    Return-Path: <>
    Delivered-To: mysite@example.prod.ams1.secureserver.net
    Received: from example.prod.ams1.secureserver.net by examle.prod.ams1.secureserver.net with LMTP id YHdzMlGmLV1vbQYAqVQW0Q (envelope-from <>) for ; Tue, 16 Jul 2019 03:26:25 -0700
    Return-path: <>
    Envelope-to: mysite@example.prod.ams1.secureserver.net
    Delivery-date: Tue, 16 Jul 2019 03:26:25 -0700
    Received: from mailnull by example.prod.ams1.secureserver.net with local (Exim 4.92) id 1hnKfB-001mvT-Oo for mysite@example.prod.ams1.secureserver.net; Tue, 16 Jul 2019 03:26:25 -0700
    X-Failed-Recipients: testmail@testmail.com
    Auto-Submitted: auto-replied
    From: Mail Delivery System
    To: mysite@example.prod.ams1.secureserver.net
    Content-Type: multipart/report; report-type=delivery-status; boundary=1563272785-eximdsn-224566932
    MIME-Version: 1.0
    Subject: Mail delivery failed: returning message to sender
    Message-Id:
    Date: Tue, 16 Jul 2019 03:26:25 -0700

    --1563272785-eximdsn-224566932
    Content-type: text/plain; charset=us-ascii

    This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error.
    The following address(es) failed: testmail@example.com host n1nlshrout-v02.shr.prod.ams1.secureserver.net [188.121.43.247] SMTP error from remote mail server after end of data: 552 5.2.0 nKfBhoqrWtepr :: CPANEL :: Message rejected for spam or virus content :: Please include this entire message when contacting support :: v=2.3 cv=MOUeZ/Rl c=1 sm=1 tr=0 p=KJD1t2hDAAAA:8 a=r9Bl8V4KkuNHnxc9opHAaQ==:117 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=8leYwG_D0f8A:10 a=IkcTkHD0fZMA:10 a=x7bEGLp0ZPQA:10 a=HKoSam3bM6MA:10 a=bktHx2K8ArkA:10 a=0o9FgrsRnhwA:10 a=rspIfaWkwMkA:10 a=CjxXgO3LAAAA:8 a=OGcbRibh8eA8wha6igoA:9 a=QEXdDO2ut3YA:10 a=QvZW9KSDK1oA:10 a=wPMxKhUWycEA:10 a=pTznbiGrbv8A:10 a=ob5DfPJ9V6cA:10 a=4cSDUiFOmQsdoIEnurUK:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=jd6J4Gguk5HxikPWLKER:22 :: 100.00

    --1563272785-eximdsn-224566932
    Content-type: message/delivery-status

    Reporting-MTA: dns; example.prod.ams1.secureserver.net
    Action: failed
    Final-Recipient: rfc822;testmail@example.com
    Status: 5.0.0
    Remote-MTA: dns; n1nlshrout-example.prod.ams1.secureserver.net
    Diagnostic-Code: smtp; 552 5.2.0 nKfBhoqrWtepr :: CPANEL :: Message rejected for spam or virus content :: Please include this entire message when contacting support :: v=2.3 cv=MOUeZ/Rl c=1 sm=1 tr=0 p=KJD1t2hDAAAA:8 a=r9Bl8V4KkuNHnxc9opHAaQ==:117 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=8leYwG_D0f8A:10 a=IkcTkHD0fZMA:10 a=x7bEGLp0ZPQA:10 a=HKoSam3bM6MA:10 a=bktHx2K8ArkA:10 a=0o9FgrsRnhwA:10 a=rspIfaWkwMkA:10 a=CjxXgO3LAAAA:8 a=OGcbRibh8eA8wha6igoA:9 a=QEXdDO2ut3YA:10 a=QvZW9KSDK1oA:10 a=wPMxKhUWycEA:10 a=pTznbiGrbv8A:10 a=ob5DfPJ9V6cA:10 a=4cSDUiFOmQsdoIEnurUK:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=jd6J4Gguk5HxikPWLKER:22 :: 100.00

    --1563272785-eximdsn-224566932
    Content-type: message/rfc822

    Return-path:
    Received: from mysite by example.prod.ams1.secureserver.net with local (Exim 4.92) (envelope-from ) id 1hnKfB-001muY-GU for tst@example.com; Tue, 16 Jul 2019 03:26:25 -0700
    To: tst@example.com
    Subject: =?UTF-8?Q?Sample_Site_1_"some test here_=D0=93?= =?UTF-8?Q?=C2=some test here"?=
    X-PHP-Script: PHPMailer/PHPMailer)
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 8bit
    From: Kei***ix
    Subject: some test here

    Message Body: some more text here: - Removed-
    --1563272785-eximdsn-224566932--

    I need to know: how do I find out if these emails are being sent from my server by, say, a script/hacker/virus or malware? Or are they being sent to me from outside? I don't know. I need to find the PHP mail sent log file, but I can't see one. Thanks
    0
  • Ovidiu Sopa
    If you have that file in your hosting account, at that path, then for sure that file is used to send emails. I'm an old-school web developer, never been a fan of WordPress, but on my server the only websites that got malicious scripts, the only websites that are hacked, are either Joomla or WordPress, not updated to the latest version by their owner.
    X-PHP-Script: ' for 134.90.xxx.xxx
    X-PHP-Filename: /home/mysite/public_html/example.com/index.php
    REMOTE_ADDR: 134.90.xxx.xxx
    0
  • cPanelMichael
    Hello @rafhelp, I moved your thread into this one so you can see the advice offered in the past to someone facing a similar issue. Thank you.
    0
  • rafhelp
    If you have that file in your hosting account, at that path, then for sure that file is used to send emails. I'm an old-school web developer, never been a fan of WordPress, but on my server the only websites that got malicious scripts, the only websites that are hacked, are either Joomla or WordPress, not updated to the latest version by their owner.
    X-PHP-Script: ' for 134.90.xxx.xxx
    X-PHP-Filename: /home/mysite/public_html/example.com/index.php
    REMOTE_ADDR: 134.90.xxx.xxx

    But on mine the file is index.php, and it has no additional code in it, just the original WP code. Are you saying this file has a virus on it or something?
    X-PHP-Script: www.example.com/index.php for 77.243.xxx.xx
    X-PHP-Filename: /home/maindomain/public_html/example.com/index.php
    REMOTE_ADDR: 77.243.xxx.xx
    0
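    The X-PHP-Script, X-PHP-Filename and REMOTE_ADDR headers quoted above sit in the original message, and an Exim bounce carries that original message in its message/rfc822 part. As an added example (not code from this thread or from cPanel), the Python below pulls those headers out of one bounce and tallies them across many, so a pile of files in mail/new/ can be mapped back to the script path and client IP that submitted the originals; the sample DSN is constructed, with placeholder hosts, paths and addresses.

```python
import email
from collections import Counter

# Constructed sample of an Exim bounce as found in ~/mail/new/ (placeholders only).
SAMPLE_DSN = """\
Return-Path: <>
From: Mail Delivery System <Mailer-Daemon@mx.example.net>
To: mysite@mx.example.net
Subject: Mail delivery failed: returning message to sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn1"

--dsn1
Content-Type: message/rfc822

To: tst@example.com
Subject: some test here
X-PHP-Script: www.example.com/index.php for 192.0.2.10
X-PHP-Filename: /home/mysite/public_html/example.com/index.php
REMOTE_ADDR: 192.0.2.10
Content-Type: text/plain; charset=UTF-8

sample body

--dsn1--
"""

ORIGIN_HEADERS = ("X-PHP-Script", "X-PHP-Filename", "REMOTE_ADDR")

def extract_php_origin(raw_dsn):
    """Return the PHP-origin headers from the message/rfc822 part of a bounce,
    or None when the returned message carries none (it was not sent via PHP mail())."""
    msg = email.message_from_string(raw_dsn)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # the original message, headers intact
            found = {h: inner.get(h) for h in ORIGIN_HEADERS if inner.get(h)}
            return found or None
    return None

def summarize_bounces(raw_dsns):
    """Count bounces per originating PHP file and per client IP across many DSNs."""
    by_file, by_ip = Counter(), Counter()
    for raw in raw_dsns:
        origin = extract_php_origin(raw)
        if origin:
            by_file[origin.get("X-PHP-Filename", "?")] += 1
            by_ip[origin.get("REMOTE_ADDR", "?")] += 1
    return by_file, by_ip
```

    To run it over a real Maildir, pass summarize_bounces() the contents of each file under mail/new/; the file names in the thread are ordinary Maildir names, so a glob over that directory is all that is needed.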
  • rafhelp
    Hello @rafhelp, I moved your thread into this one so you can see the advice offered in the past to someone facing a similar issue. Thank you.

    OK, but the issue was not solved in this thread. Even now, after installing Wordfence on all my WP sites and deleting those old spam email logs/error files in the domain/mail/new/ folder, new ones have popped up, though the amount is down from 1000 per day to like 5 per day. Someone is still sending spam out.
    0
  • jlucho
    Dear all, I just received a SpamHaus penalty [Moderator Note: Links to third-party image hosting websites are not permitted. Please upload images directly to the thread as attachments]. I have already solved the problem with SpamHaus. Does anyone know how I can detect which hosting account was the cause of such an attack on that IP 12.34.xxx.xxx? I have ClamAV installed and I have not detected any abnormality.
    0
  • keat63
    Your profile doesn't mention your access level. If you are a root admin, then you could try installing Maldet, I guess, and maybe RKHunter. Also, do you have CSF Firewall installed? Maybe you could temporarily block the associated port until you can get to the bottom of it.
    0
