Any email uses my server
Hello,
Someone is using my CPANEL (email) to send spam using my email, my queue has gotten huge, the server has fallen into several blacklists, what remains to be configured in "exim config" or "Tweak Settings" to solve this problem?
best regards
-
This looks more like a script is being used to send mail. Your profile denotes you as the Root Administrator. If you have root access to the server what is the output of the following: exigrep 1jNzTu-0005MD-2x /var/log/exim_mainlog
you can do this with any of the message ID's you find as well0 -
This command returns empty, I'm sure my server is missing some configuration, because these emails were sent from Russia, but they pass through my server and return to it also in case they are not delivered. after that: SMTP Restrictions => disabled, now I have enabled it. Greylisting => disabled, now I have enabled "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server." disabled, but this option I cannot activate because I have some clients that their system does not accept this option activated. would that be the biggest problem? regards 0 -
The issue is that you have a script sending mail and the exim logs have probably just rotated so you aren't able to find that specific message ID. You'd need to find a more recent one. You can check the exim logs as well as track delivery for mail sent in the last couple of hours. 0 -
[root@adn012 ~]# exigrep 1jNzTu-0005MD-2x /var/log/exim_mainlog 2020-04-13 10:50:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jNzTu-0005MD-2x 2020-04-13 10:54:59 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mrm 1jNzTu-0005MD-2x 2020-04-13 10:50:34 1jNzTu-0005MD-2x H=(egqs) []:23544 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (4.4/50)" 2020-04-13 10:50:34 1jNzTu-0005MD-2x <= loyeuxyves@gmail.com H=(egqs) []:23544 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:paulinho@domain.com.br S=2375
**** at that time the server was already with SMTP blocked, so these emails could not get out.0 -
I removed the log output that was referencing actual domain names and IP addresses - see for our guidelines on this. Can you change the password for the user paulinho@domain.com.br and let me know if email is still being sent - do not change the password in any mail clients etc. 0 -
honestly, I changed the password and stopped sending, but besides changing the password I made several other settings so I was in doubt if the problem was really the password. I don't want to believe that the attacker discovered my password, was that it? 0 -
It's a pretty common exploit, I'd run a virus/malware scan on ANY device you use to check your email prior to updating those with the new password. 0
Please sign in to leave a comment.
Comments
7 comments