one account is sending spam with username @ hostname
I have a problem: one account is sending spam with username@hostname. The account has 20 WordPress sites. How do I locate which page (script) is sending the spam?
Example:
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N <= arp@hostname U=arp P=local S=1033 T="Page 2019 - 2 - Confidential details" for inixmidoo@gmail.com
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N SMTP connection outbound 1603269199 1kV9Yd-00EdgE-8N arp.webinfocloud.pl inixmidoo@gmail.com
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N => inixmidoo@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1603269200 k2si1527418wrq.533 - gsmtp"
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S <= arp@hostname U=arp P=local S=1023 T="Page 2019 - Confidential details" for inixmidoo@gmail.com
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S SMTP connection outbound 1603269219 1kV9Yx-00Edk5-8S arp.webinfocloud.pl inixmidoo@gmail.com
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S => inixmidoo@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1603269220 j5si1562883wrq.31 - gsmtp"
2020-10-21 10:33:44 1kV9Z2-00Edkt-Kx <= arp@hostname U=arp P=local S=1033 T="Page 2019 - 2 - Confidential details" for inixmidoo@gmail.com
2020-10-21 10:33:44 1kV9Z2-00Edkt-Kx SMTP connection outbound 1603269224 1kV9Z2-00Edkt-Kx arp.webinfocloud.pl inixmidoo@gmail.com
2020-10-21 10:33:45 1kV9Z2-00Edkt-Kx => inixmidoo@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1603269225 o82si1554517wma.161 - gsmtp"
I don't know how to find your problem, but have you considered changing the password on that email account? It might save you from landing on an RBL in the meantime.
The email was sent from username@hostname (no email account).

exigrep inixmidoo /var/log/exim_mainlog*

In the log there is no information about the script / file location:

2020-10-20 03:14:49 1kUgEj-00Aya7-C4 <= arp@hostname U=arp P=local S=1060 T="Page 2019 - Confidential details" for user@gmail.com
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 Sender identification U=arp D=arp.domain.pl S=arp
2020-10-20 03:14:49 1kUgEj-00Aya7-C4 SMTP connection outbound 1603156489 1kUgEj-00Aya7-C4 arp.webinfocloud.pl user@gmail.com
2020-10-20 03:14:50 1kUgEj-00Aya7-C4 => user@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1603156490 j9si204179wrn.28 - gsmtp"
2020-10-20 03:14:50 1kUgEj-00Aya7-C4 Completed
You should read the header of the email. You can do so with:

exim -Mvh 1kUgEj-00Aya7-C4

This will only work for messages stuck in the queue / messages that haven't been delivered yet. But you should be able to view some stats using the following:

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

This is something we use internally to quickly identify the source of spam mail.
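As an added example (not from the thread or from the SSE tool), here is a small Python triage script over a constructed sample in the same Exim mainlog format as the logs above: it keeps only the `<=` arrival lines with `P=local`, groups them by Unix user (the `U=` field) and subject, and returns the queue ids of the busiest user, which are the ones to pass to `exim -Mvh` while the messages are still queued. The `alice` message is constructed as benign traffic for contrast.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the thread's Exim mainlog format; "alice" is benign contrast.
SAMPLE_LOG = """\
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N <= arp@hostname U=arp P=local S=1033 T="Page 2019 - 2 - Confidential details" for inixmidoo@gmail.com
2020-10-21 10:33:19 1kV9Yd-00EdgE-8N => inixmidoo@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.27]
2020-10-21 10:33:39 1kV9Yx-00Edk5-8S <= arp@hostname U=arp P=local S=1023 T="Page 2019 - Confidential details" for inixmidoo@gmail.com
2020-10-21 10:33:44 1kV9Z2-00Edkt-Kx <= arp@hostname U=arp P=local S=1033 T="Page 2019 - 2 - Confidential details" for inixmidoo@gmail.com
2020-10-21 10:34:02 1kV9ZK-00Edl1-Aa <= alice@hostname U=alice P=local S=2048 T="Invoice October" for bob@example.com
"""

# Arrival ("<=") line: timestamp, queue id, envelope sender, key=value fields.
# T= (subject) is optional and Exim escapes embedded quotes as \".
ARRIVAL = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) U=(?P<user>\S+) '
    r'P=(?P<proto>\S+) S=(?P<size>\d+)(?: T="(?P<subject>(?:[^"\\]|\\.)*)")? '
    r'for (?P<rcpts>.+)$'
)

def parse_local_arrivals(log_text):
    """Messages submitted through the local sendmail interface (P=local);
    U= is the Unix user whose process called it, not a mailbox login."""
    msgs = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m and m.group("proto") == "local":
            d = m.groupdict()
            d["rcpts"] = d["rcpts"].split()
            msgs.append(d)
    return msgs

def group_by_user_and_subject(msgs):
    """Queue ids per (user, subject): a burst of one subject from one Unix
    user points at a single sending script inside that account."""
    groups = defaultdict(list)
    for m in msgs:
        groups[(m["user"], m["subject"])].append(m["id"])
    return dict(groups)

def busiest_user(msgs):
    """(user, [queue ids]) for the user with the most local submissions."""
    per_user = Counter(m["user"] for m in msgs)
    if not per_user:
        return None, []
    user = per_user.most_common(1)[0][0]
    return user, [m["id"] for m in msgs if m["user"] == user]

if __name__ == "__main__":
    ids = busiest_user(parse_local_arrivals(SAMPLE_LOG))[1]
    print("headers to inspect: exim -Mvh " + " ".join(ids))
```

Once the headers of a queued message are in hand, look for the headers the PHP mail path adds (on cPanel servers `X-PHP-Script`), which name the script and the account path that submitted the mail.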
Thank you for perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

Script spammer found.
I'm an advocate of CSF MailScanner myself. It's a great tool for things like this, but it's not free.