Abuse notification received

Maning

• May 28, 2019 13:42

I have received an abuse notification for email spam. There is no unusual mail traffic on mail delivery report and when I checked exim maillog I notice this: 2019-05-28 18:36:20 1hVe9C-00026a-TV H=28.ip-51-77-xxx.eu (srver.example.net) [51.77.xxx.xx]:34796 Warning: "SpamAssassin as user1 detected message as spam (11.4)" 2019-05-28 18:36:20 1hVe9C-00026a-TV H=28.ip-51-77-xxx.eu (srver.example.net) [51.77.xxx.xx]:34796 Warning: Message has been scanned: no virus or other harmful content was found 2019-05-28 18:36:20 1hVe9C-00026a-TV <= bounce@example.eu H=28.ip-51-77-xxx.eu (srver.example.net) [51.77.xxx.xx]:34796 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=69754 id=MjU0ODkyNQAC271780Y55BAMTU1OTA1NzcyNzQ4MjAx@imagemail.eu T="\316\224\316\277\316\272\316\271\316\274\316\254\317\203\317\204\316\265 \316\224\316\251\316\241\316\225\316\221\316\235 \317\204\316\267 \317\206\316\271\316\273\316\277\316\276\316\265\316\275\316\257\316\261 \317\204\316\267\317\202 \316\271\317\203\317\204\316\277\317\203\316\265\316\273\316\257\316\264\316\261\317\202 \317\203\316\261\317\202 \317\203\316\265 \316\265" for info@user1domain.com 2019-05-28 18:36:20 SMTP connection from 28.ip-51-77-xxx.eu (srver.example.net) [51.77.xxx.xx]:34796 closed by QUIT 2019-05-28 18:36:20 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1hVe9C-00026a-TV 2019-05-28 18:36:20 1hVe9C-00026a-TV => info R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 IIZ+IXRV7VyNHQAAlSwSEQ Saved" 2019-05-28 18:36:20 1hVe9C-00026a-TV Completed
Multiple times from different ip and other email addresses (even with email addresses that it is not on my server, info@user1domain.com exist on my server). On the exact same time at maillog May 28 18:36:20 hostname spamd[8155]: prefork: child states: I May 28 18:36:20 hostname dovecot: lmtp(7565): Connect from local May 28 18:36:20 hostname dovecot: lmtp(info@user1domain.com)<7565>: msgid=: saved mail to INBOX May 28 18:36:20 hostname dovecot: lmtp(7565): Disconnect from local: Client has quit the connection (state=READY)
Is this normal?

• 

  GOT

  • May 28, 2019 19:13

  I'm not seeing anything in these logs that indicate an outgoing spam issue. But if nothing is showing up in the reports, you should probably review your process list and see if you have any rougue processes running. This can happen when a site gets compromised and these little malware bots can send spam directly and bypass exim completely.

  0
• 

  Maning

  • May 28, 2019 19:45

  No suspicious process is running. So can I determine if spam was send from a compromised page through apache logs?

  0
• 

  GOT

  • May 28, 2019 19:48

  Not really no. How big is your mail queue? Try running this command: echo "Top Senders: "; exim -bpr | grep -Eo "<[^ ]*@[^ ]*>" | sort | uniq -c | sort -nr | head -3; echo "Common Subjects: "; awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n | tail -3; echo "Script Mail: "; sed -ne "s|$(date +%F).*cwd=\(/home[^ ]*\).*$|\1|p" /var/log/exim_mainlog | sort | uniq -c | awk '{printf "%05d %s\n",$1,$2}' | sort | tail -3; echo "Top auth_id Senders:"; find /var/spool/exim/input -name "*-H" -exec grep -q "\-auth_id" {} \; -print | while read MSG; do cat $MSG; done | grep auth_id | awk '{print $2}' | sort | uniq -c| sort -nk 1
  Yes, its a mouthful, but it will scan the logs and queue to see what recent sources of sending mail have been.

  0
• 

  GOT

  • May 28, 2019 19:48

  You may want to post your processlist here too just so we can verify.

  0
• 

  Maning

  • May 28, 2019 19:57

  Your command output: Top Senders: 7 5 1 Common Subjects: 85 \316\232\317\201\316\254\317\204\316\267\317\203\316\267 \316\261\317\200\317\214 \317\204\316\277 Domain5 108 Mail delivery failed: returning message to sender 111 Script Mail: 00011 /home/user10/public_html 00037 /home/domain5/public_html 00046 /home/domain6/public_html/include Top auth_id Senders: 5 user17 7 user18
  Process list: top - 22:55:23 up 4 days, 22:29, 1 user, load average: 0.10, 0.10, 0.10 Tasks: 200 total, 1 running, 198 sleeping, 0 stopped, 1 zombie %Cpu(s): 2.9 us, 0.5 sy, 0.0 ni, 96.6 id, 0.1 wa, 0.0 hi, 0.0 si, 0.0 st KiB Mem : 65578096 total, 17632584 free, 3064152 used, 44881360 buff/cache KiB Swap: 33521660 total, 33520124 free, 1536 used. 61588568 avail Mem PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 7412 mysql 20 0 2369524 921040 9964 S 1.7 1.4 61:46.21 mysqld 2856 root 20 0 S 11:08.47 md2_raid1 6844 named 20 0 767412 130864 2836 S 0.2 6:20.60 named 9 root 20 0 S 4:45.08 rcu_sched 16891 root 20 0 1021836 711720 2368 S 1.1 3:01.09 clamd 1 root 20 0 43912 4060 2576 S 0.0 2:53.97 systemd 8090 root 20 0 179004 31584 2188 S 0.0 2:07.91 lfd - sleeping 2970 root 20 0 S 1:52.02 jbd2/md2-8 16939 nscd 20 0 1669864 3312 1588 S 0.0 1:37.16 nscd 5836 dbus 20 0 58100 2336 1792 S 0.0 1:26.48 dbus-daemon 5828 root 20 0 21668 1268 988 S 0.0 1:18.63 irqbalance 6502 root 20 0 732580 18844 12948 S 0.0 1:00.85 rsyslogd 14833 nobody 20 0 4480076 61608 10592 S 0.1 0:58.11 httpd 3041 root 20 0 137748 90448 90024 S 0.1 0:54.05 systemd-journal 6893 root 20 0 70180 22356 3532 S 0.0 0:53.26 tailwatchd 6670 root 20 0 113692 26412 6564 S 0.0 0:51.57 cpsrvd (SSL) - 6500 root 20 0 500248 26872 19836 S 0.0 0:50.20 php-fpm 6556 dovenull 20 0 57516 15304 3552 S 0.0 0:47.99 imap-login 6499 root 20 0 490720 18688 11496 S 0.3 0.0 0:42.35 php-fpm 5845 root 20 0 26456 1708 1344 S 0.0 0:41.52 systemd-logind 14 root 20 0 S 0:41.02 ksoftirqd/1 2851 root 20 0 S 0:38.52 md0_raid1 6484 root 20 0 358044 15476 8760 S 0.0 0:33.88 php-fpm 3073 root 0 -20 S 0:31.35 kworker/0:1H 2857 root 0 -20 S 0.3 0:30.25 kworker/2:1H 5984 root 0 -20 S 0:30.09 kworker/3:1H 3071 root 0 -20 S 0.3 0:29.21 kworker/1:1H 5960 root 20 0 156276 11032 2140 S 0.0 0:26.79 munin-node 6494 root 20 0 356296 15968 8956 S 0.0 0:25.27 php-fpm 6497 root 20 0 491000 31248 26584 S 0.0 0:24.19 php-fpm 7366 root 20 0 215412 20796 11424 S 0.0 0:23.42 httpd 14831 nobody 20 0 4021324 53752 10452 S 0.1 0:21.82 httpd 14834 nobody 20 0 4283468 54632 10556 S 0.1 0:18.62 httpd 8155 root 20 0 225356 104944 5320 S 0.2 0:16.71 spamd 6555 dovenull 20 0 50800 8532 3500 S 0.0 0:15.51 pop3-login 6481 root 20 0 16544 1844 1476 S 0.0 0:15.47 dovecot 5928 mailnull 20 0 79848 8520 4144 S 0.0 0:13.57 exim 68 root 20 0 S 0:11.30 kswapd0 6780 root 20 0 129068 2688 1932 S 0.0 0:10.94 dnsadmin - dorm
  

  0
• 

  GOT

  • May 28, 2019 20:00

  The command output would not indicate any spam spam issues currently. Your processlist is not complete though. Use this command: ps axf

  0
• 

  Maning

  • May 28, 2019 20:02

  Sorry. Here you are: PID TTY STAT TIME COMMAND 1 ? Ss 2:54 /usr/lib/systemd/systemd --switched-root --system --deserialize 21 2 ? S 0:00 [kthreadd] 3 ? S 0:05 [ksoftirqd/0] 5 ? S< 0:00 [kworker/0:0H] 7 ? S 0:00 [migration/0] 8 ? S 0:00 [rcu_bh] 9 ? S 4:45 [rcu_sched] 10 ? S< 0:00 [lru-add-drain] 11 ? S 0:01 [watchdog/0] 12 ? S 0:01 [watchdog/1] 13 ? S 0:00 [migration/1] 14 ? S 0:41 [ksoftirqd/1] 16 ? S< 0:00 [kworker/1:0H] 17 ? S 0:01 [watchdog/2] 18 ? S 0:00 [migration/2] 19 ? S 0:00 [ksoftirqd/2] 21 ? S< 0:00 [kworker/2:0H] 22 ? S 0:01 [watchdog/3] 23 ? S 0:00 [migration/3] 24 ? S 0:01 [ksoftirqd/3] 26 ? S< 0:00 [kworker/3:0H] 27 ? S 0:01 [watchdog/4] 28 ? S 0:00 [migration/4] 29 ? S 0:00 [ksoftirqd/4] 31 ? S< 0:00 [kworker/4:0H] 32 ? S 0:01 [watchdog/5] 33 ? S 0:00 [migration/5] 34 ? S 0:00 [ksoftirqd/5] 36 ? S< 0:00 [kworker/5:0H] 37 ? S 0:01 [watchdog/6] 38 ? S 0:00 [migration/6] 39 ? S 0:00 [ksoftirqd/6] 41 ? S< 0:00 [kworker/6:0H] 42 ? S 0:01 [watchdog/7] 43 ? S 0:00 [migration/7] 44 ? S 0:00 [ksoftirqd/7] 46 ? S< 0:00 [kworker/7:0H] 48 ? S 0:00 [kdevtmpfs] 49 ? S< 0:00 [netns] 50 ? S 0:00 [khungtaskd] 51 ? S< 0:00 [writeback] 52 ? S< 0:00 [kintegrityd] 53 ? S< 0:00 [bioset] 54 ? S< 0:00 [bioset] 55 ? S< 0:00 [bioset] 56 ? S< 0:00 [kblockd] 57 ? S< 0:00 [md] 58 ? S< 0:00 [edac-poller] 59 ? S< 0:00 [watchdogd] 68 ? S 0:11 [kswapd0] 69 ? SN 0:00 [ksmd] 70 ? SN 0:06 [khugepaged] 71 ? S< 0:00 [crypto] 79 ? S< 0:00 [kthrotld] 82 ? S< 0:00 [kmpath_rdacd] 83 ? S< 0:00 [kaluad] 84 ? S< 0:00 [kpsmoused] 86 ? S< 0:00 [ipv6_addrconf] 99 ? S< 0:00 [deferwq] 135 ? S 0:00 [kauditd] 853 ? S< 0:00 [nvme-wq] 881 ? S< 0:00 [nvme-reset-wq] 890 ? S< 0:00 [nvme-delete-wq] 902 ? S< 0:00 [ata_sff] 1909 ? S 0:01 [kworker/3:0] 1919 ? S 0:00 [scsi_eh_0] 1934 ? S< 0:00 [scsi_tmf_0] 1943 ? S 0:00 [scsi_eh_1] 1952 ? S< 0:00 [scsi_tmf_1] 1957 ? S 0:00 [scsi_eh_2] 1973 ? S< 0:00 [scsi_tmf_2] 1980 ? S 0:00 [scsi_eh_3] 1988 ? S< 0:00 [scsi_tmf_3] 1996 ? S 0:00 [scsi_eh_4] 2024 ? S< 0:00 [scsi_tmf_4] 2029 ? S 0:00 [scsi_eh_5] 2050 ? S< 0:00 [scsi_tmf_5] 2848 ? S< 0:00 [bioset] 2850 ? S< 0:00 [bioset] 2851 ? S 0:38 [md0_raid1] 2854 ? S< 0:00 [bioset] 2855 ? S< 0:00 [bioset] 2856 ? S 11:08 [md2_raid1] 2857 ? S< 0:30 [kworker/2:1H] 2858 ? S< 0:00 [bioset] 2859 ? S< 0:00 [bioset] 2860 ? S 0:00 [md1_raid1] 2970 ? S 1:52 [jbd2/md2-8] 2971 ? S< 0:00 [ext4-rsv-conver] 3041 ? Ss 0:54 /usr/lib/systemd/systemd-journald 3055 ? Ss 0:00 /usr/sbin/lvmetad -f 3071 ? S< 0:29 [kworker/1:1H] 3072 ? Ss 0:00 /usr/lib/systemd/systemd-udevd 3073 ? S< 0:31 [kworker/0:1H] 3082 ? S< 0:03 [kworker/4:1H] 3085 ? S< 0:03 [kworker/5:1H] 3658 ? S 0:00 [irq/145-mei_me] 4626 ? S< 0:00 [kvm-irqfd-clean] 4843 ? S 0:00 [kworker/0:0] 5571 ? S 0:00 [kworker/7:0] 5763 ? S 0:00 [jbd2/md1-8] 5766 ? S< 0:00 [ext4-rsv-conver] 5803 ? S 11791 ? S 0:00 strace -p 31675 12044 ? S 0:00 [kworker/2:1] 12403 ? S 0:00 [kworker/6:1] 13134 ? S 0:00 [kworker/1:2] 13974 ? S 0:00 dovecot/auth 14106 ? S 0:00 dovecot/auth -w 14631 ? S 0:00 dovecot/lmtp 14634 ? S 0:00 /usr/sbin/exim -ps -bd -q1h -oP /var/spool/exim/exim-daemon.pid 14661 ? Z 0:00 [cpsrvd (SSL) - ] 14668 ? S 0:00 php-fpm: pool domain1 14670 ? S 0:00 php-fpm: pool domain1 14671 ? S 0:00 php-fpm: pool domain2 14672 ? S 0:00 php-fpm: pool domain2 14674 ? S 0:00 php-fpm: pool domain3 14678 pts/0 R+ 0:00 ps axg 14826 ? S 0:02 /usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=server.host.name --suffix=-bytes_log 14827 ? S 0:02 /usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=server.host.name --mainout=/etc/apache2/logs/access_log 14828 ? S 0:00 /usr/sbin/httpd -k start 14830 ? S 0:00 /usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/bin/leechprotect 14831 ? Sl 0:21 /usr/sbin/httpd -k start 14832 ? Sl 0:09 /usr/sbin/httpd -k start 14833 ? Sl 1:00 /usr/sbin/httpd -k start 14834 ? Sl 0:18 /usr/sbin/httpd -k start 16891 ? Ssl 3:01 /usr/local/cpanel/3rdparty/bin/clamd 16939 ? Ssl 1:37 /usr/sbin/nscd 18822 ? S 0:00 dovecot/imap 20758 ? S 0:03 spamd child 22866 ? S 0:00 [kworker/7:1] 23128 ? S 0:01 [kworker/2:0] 23791 ? S 0:00 [kworker/0:2] 28468 ? S 0:00 [kworker/4:2] 28997 ? S 0:00 [kworker/5:2] 29851 ? S 0:01 [kworker/6:0] 30776 ? S 0:07 [kworker/1:1] 31675 ? Ss 0:00 sshd: root@notty 31678 ? Ss 0:00 /usr/libexec/openssh/sftp-server
  

  0
• 

  cPanelMichael

  • May 31, 2019 19:03

  I have received an abuse notification for email spam.

  
  Hello @Maning, Can you share more information about the abuse notification you received? Was it from your data center, or from a remote mail server? Did it include any information about the abusive email? Thank you.

  0

Please sign in to leave a comment.