Other servers using my server to send emails
I have a problem where other people are using my server to send spam. I checked the email queue and saw some emails that are not on my server but are using it to send spam. I would like to know if there is any configuration in WHM that defines that only those on the server can send from the server.
You most likely have a compromised email account password OR a compromised site that is sending spam. You'll need to look at the logs or the View Email Relayers report in WHM to get a handle on where it is coming from exactly. In general, cPanel only allows mail to be sent from authenticated users on your system or via PHP.
I guess there are only 3 ways this can happen.
1. Compromised email accounts where the user name and passwords have been leaked.
2. A malicious script somewhere on the server.
3. Your server is an open relay.
Ideally you need to try and determine where these are coming from.
Where do I find these logs?
Where do I check if my server has an open relay?
How often are these emails being sent? How many accounts are on the server?
Every day from several emails, I have 154 domains. Whenever I change the password or block the sender's IP it stops sending, but not for long; it starts shooting from another account in the domain, and this occurs in several domains. I tried MxToolbox and it says:
SMTP Reverse DNS Mismatch OK - xx.xxx.xxx.xx resolves to host.xxxxxxxx.com.br
SMTP Valid Hostname OK - Reverse DNS is a valid Hostname
SMTP Banner Check OK - Reverse DNS matches SMTP Banner
SMTP TLS OK - Supports TLS.
SMTP Connection Time 0.687 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 3.502 seconds - Good on Transaction Time
I would start with View Relayers in WHM, and you can look at your mail queue in WHM using Mail Queue Manager. Lastly, the mail logs are at /var/log/exim_mainlog.
But the problem is that they are using my domain to send e-mails, and if I block the IP they use another one, and if I block the e-mail they change the domain. I was wondering if there is any option to set that only whoever is on my server can send emails.
Can you please show me the headers of the email as well as the full transaction in the exim logs for one of them? You can get this information if you know the message ID (MID) and run the following:
exigrep <MID> /var/log/exim_mainlog
You need to find out HOW they are sending the email in order to make it stop.
Have you changed the cPanel account password? I have worked on cases where the attackers have access to cPanel. They simply loop through the email accounts sending spam. When you change a password, they move onto a new account. As @cPanelLauren says, you need to trace an email through your logs to see how it was injected into the system. If they are using a web form to inject the email, changing passwords will not help.
cPanelLauren comercial@domain.com.br has no auto response and did not send to contato@eros.domain.br

exigrep 1j1SPv-0000ii-8S /var/log/exim_mainlog

2020-02-11 07:05:19.832 [2782] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j1SPv-0000ii-8S
+++ 1j1SPv-0000ii-8S has not completed +++
2020-02-11 07:05:19.824 [2772] 1j1SPv-0000ii-8S <= comercial@domain.com.br H=(BrunaPC) [201.27.XXX.XXX]:49209 I=[my server ip]:587 P=esmtpa L- A=dovecot_login:comercial@domain.com.br S=2632 M8S=0 RT=0.558s id=000001d5e0ba$79f8b920$6dea2b60$@domain.com.br T="Lida: Rota Rastreamento - Seu Veiculo Monitorado 24H - comercial@domain.com.br" from for contato@eros.domain.br
2020-02-11 07:05:19.853 [2782] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br S=comercial@domain.com.br
2020-02-11 07:05:19.854 [2782] 1j1SPv-0000ii-8S SMTP connection outbound 1581415519 1j1SPv-0000ii-8S domain.com.br contato@eros.domain.br
2020-02-11 07:05:27.048 [2782] 1j1SPv-0000ii-8S == contato@eros.domain.br R=lookuphost defer (-1): host lookup did not complete
2020-02-11 07:33:59.710 [19733] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br S=comercial@domain.com.br
2020-02-11 07:34:01.488 [19733] 1j1SPv-0000ii-8S == contato@eros.domain.br R=lookuphost defer (-1): host lookup did not complete
2020-02-11 08:28:39.953 [8716] 1j1SPv-0000ii-8S Sender identification U=industri D=domain.com.br S=comercial@domain.com.br
2020-02-11 08:28:47.536 [8716] 1j1SPv-0000ii-8S == contato@eros.domain.br R=lookuphost defer (-1): host lookup did not complete
This transaction looks like comercial@domain.com.br is authenticating with your server using dovecot from the host named BrunaPC (the local PC name is used when accessing using a mail client like Outlook or Thunderbird):

2020-02-11 07:05:19.824 [2772] 1j1SPv-0000ii-8S <= comercial@domain.com.br H=(BrunaPC) [201.27.XXX.XXX]:49209 I=[my server ip]:587 P=esmtpa L- A=dovecot_login:comercial@domain.com.br S=2632 M8S=0 RT=0.558s id=000001d5e0ba$79f8b920$6dea2b60$@domain.com.br T="Lida: Rota Rastreamento - Seu Veiculo Monitorado 24H - comercial@domain.com.br" from for contato@eros.domain.br

and attempting to send mail to contato@eros.domain.br, but the host lookup isn't completing, meaning that the server isn't able to resolve the domain. This can be a result of a couple of things, but in this instance it's a result of the domain actually not resolving to an IP address (I performed a dig query on the domain before removing it). This transaction does not show any behavior that, based on the information you've provided thus far, would lead me to believe there is some sort of issue on your server. This doesn't look like spam, nor does it appear to be malicious.
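As an added example (not code from the thread, from cPanel or from Exim), the following Python script parses the Exim `<=` arrival records that exigrep prints, picking out the H= (client host), P= (protocol) and A= (authenticated login) fields the reply above reads by eye, and lists logins that submitted mail from several distinct client IPs, the pattern the thread describes where a leaked mailbox password is reused from one new host after each reset. The sample log lines are constructed and use example domains and documentation IP ranges; field names follow the standard Exim main log format.

```python
"""Summarise Exim '<=' arrival records by authenticated login (added example).

Reads the key=value fields written on each '<=' line of /var/log/exim_mainlog
(H=, P=, A=) and reports which authenticated logins submitted mail from
several distinct client IPs.
"""
import re
from collections import defaultdict

ARRIVAL_RE = re.compile(r'^(\S+ \S+) \[\d+\] (\S+) <= (\S+) (.*)$')   # ts pid mid sender rest
# H= may carry a reverse-DNS name, a HELO name in parentheses, or both, then [ip].
HOST_RE = re.compile(r'H=(?:([^\s(\[]+) )?(?:\(([^)]*)\) )?\[([^\]]+)\]')
AUTH_RE = re.compile(r'A=([^:\s]+):(\S+)')                            # A=mechanism:login
PROTO_RE = re.compile(r'P=(\S+)')                                     # P=esmtpa, local, ...

# Constructed sample: one login used from three client IPs in two minutes plus
# a normal single-IP user and one non-arrival ('=>' delivery) record.
SAMPLE_LOG = """\
2020-02-11 07:05:19 [2772] 1j1SPv-0000ii-8S <= comercial@example.com.br H=(BrunaPC) [198.51.100.7]:49209 I=[203.0.113.5]:587 P=esmtpa A=dovecot_login:comercial@example.com.br S=2632
2020-02-11 07:06:02 [2790] 1j1SQc-0000jj-1A <= comercial@example.com.br H=(WIN-PC) [198.51.100.88]:51000 I=[203.0.113.5]:587 P=esmtpa A=dovecot_login:comercial@example.com.br S=2701
2020-02-11 07:06:40 [2803] 1j1SRD-0000kk-2B <= comercial@example.com.br H=(pc) [192.0.2.200]:44321 I=[203.0.113.5]:587 P=esmtpa A=dovecot_login:comercial@example.com.br S=2650
2020-02-11 07:07:11 [2811] 1j1SRi-0000ll-3C <= suporte@example.com.br H=(Laptop) [198.51.100.7]:52222 I=[203.0.113.5]:587 P=esmtpa A=dovecot_login:suporte@example.com.br S=1900
2020-02-11 07:07:30 [2811] 1j1SRi-0000ll-3C => suporte@example.com.br R=lookuphost T=remote_smtp
"""


def parse_arrival(line):
    """Return the fields of a '<=' line as a dict, or None for any other record."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    ts, mid, sender, rest = m.groups()
    host, auth, proto = HOST_RE.search(rest), AUTH_RE.search(rest), PROTO_RE.search(rest)
    return {
        'ts': ts, 'mid': mid, 'sender': sender,
        'rdns': host.group(1) if host else None, 'helo': host.group(2) if host else None,
        'ip': host.group(3) if host else None, 'proto': proto.group(1) if proto else None,
        'login': auth.group(2) if auth else None,   # None when submission was unauthenticated
    }


def ips_per_login(log_text):
    """Map each authenticated login to the set of client IPs that used it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec and rec['login'] and rec['ip']:
            seen[rec['login']].add(rec['ip'])
    return seen


def suspicious_logins(log_text, threshold=3):
    """Logins that submitted mail from at least `threshold` distinct client IPs."""
    return sorted(l for l, ips in ips_per_login(log_text).items() if len(ips) >= threshold)
```

Run against the real file with `ips_per_login(open('/var/log/exim_mainlog').read())`; a login flagged by `suspicious_logins` is one to reset and whose sending hosts to compare against the legitimate user's location.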