Skip to main content

Any email uses my server

Comments

7 comments

  • cPanelLauren
    This looks more like a script is being used to send mail. Your profile denotes you as the Root Administrator. If you have root access to the server what is the output of the following: exigrep 1jNzTu-0005MD-2x /var/log/exim_mainlog
    you can do this with any of the message ID's you find as well
    0
  • voope
    This command returns empty, I'm sure my server is missing some configuration, because these emails were sent from Russia, but they pass through my server and return to it also in case they are not delivered. after that: SMTP Restrictions => disabled, now I have enabled it. Greylisting => disabled, now I have enabled "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server." disabled, but this option I cannot activate because I have some clients that their system does not accept this option activated. would that be the biggest problem? regards
    0
  • cPanelLauren
    The issue is that you have a script sending mail and the exim logs have probably just rotated so you aren't able to find that specific message ID. You'd need to find a more recent one. You can check the exim logs as well as track delivery for mail sent in the last couple of hours.
    0
  • voope
    [root@adn012 ~]# exigrep 1jNzTu-0005MD-2x /var/log/exim_mainlog 2020-04-13 10:50:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jNzTu-0005MD-2x 2020-04-13 10:54:59 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mrm 1jNzTu-0005MD-2x 2020-04-13 10:50:34 1jNzTu-0005MD-2x H=(egqs) []:23544 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (4.4/50)" 2020-04-13 10:50:34 1jNzTu-0005MD-2x <= loyeuxyves@gmail.com H=(egqs) []:23544 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:paulinho@domain.com.br S=2375
    **** at that time the server was already with SMTP blocked, so these emails could not get out.
    0
  • voope
    honestly, I changed the password and stopped sending, but besides changing the password I made several other settings so I was in doubt if the problem was really the password. I don't want to believe that the attacker discovered my password, was that it?
    0
  • cPanelLauren
    It's a pretty common exploit, I'd run a virus/malware scan on ANY device you use to check your email prior to updating those with the new password.
    0

Please sign in to leave a comment.