Spam sent from standard node via distributed mail account
Hello.
We've a standard node for web hosting with a linked mail node. From one of the distributed mail accounts some spammer is using the standard node SMTP in order to send spam. We've changed passwords and restarted Exim and Dovecot, but it immediately continues sending.
As they are using the standard node SMTP directly, I think the problem could be that the password change is not applied to the standard node SMTP, only in the linked mail node. Could it be?
I'm thinking this because /home/%user%/etc/%domain%/shadow are different between servers. Not only the hash, as there are lines in the file for new accounts created after distribution that are in the linked mail node but not in the standard, and this makes me think about an unmaintained file open for spammers.
Any thoughts? Is it safe to delete the shadow file in the standard node?
Hey there! Can you provide me a bit more detail on how that user was connecting to the standard node? While cPanel users would access the parent node, any mail traffic should have been routed to the mail node, so if you have more details on how this is happening it would be great if you could share those.
Of course. Spammers were connecting directly to SMTP in the standard node and sending mail authenticated using an old password that was in use before distributing this mail account to the linked mail server. I think that resetting the password via cPanel only affected the linked node server and spammers could still use the standard node SMTP server with the old password, and if this is correct I think it's a major fault in your software. If you need logs I could provide them in a ticket or private message.
Interesting - if you could submit a ticket to our team with the data you're seeing that would be very helpful!
Ticket submitted: #950793060
Thanks so much - I'm following along with that ticket now.
@... - I checked the ticket just now and we were not able to replicate the behavior in a test environment.
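Added example, not part of the thread and not cPanel's own code: a small script that compares two copies of the per-domain shadow file mentioned in the first post and reports mailboxes whose hash differs or that exist on only one node. It assumes colon-separated lines with the mailbox name in the first field and the password hash in the second; the sample data and function names are constructed for illustration.

```python
"""Compare the standard-node and mail-node copies of a mail shadow file."""
import sys


def parse_shadow(text):
    """Return {mailbox: hash}; assumes 'name:hash:...' lines (assumption)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue  # malformed line: ignore rather than guess
        entries[fields[0]] = fields[1]
    return entries


def compare_shadow(standard_text, mail_text):
    """Report drift between the two copies without printing any hash."""
    standard = parse_shadow(standard_text)
    mail = parse_shadow(mail_text)
    shared = set(standard) & set(mail)
    return {
        # Same mailbox, different hash: one copy missed a password change.
        "hash_mismatch": sorted(u for u in shared if standard[u] != mail[u]),
        "only_on_standard": sorted(set(standard) - set(mail)),
        "only_on_mail": sorted(set(mail) - set(standard)),
    }


# Constructed sample data (placeholder hashes, not real credentials).
STANDARD_SAMPLE = """\
info:$6$saltA$OLD_HASH_PLACEHOLDER:19000::::::
sales:$6$saltB$SAME_HASH_PLACEHOLDER:19000::::::
"""
MAIL_SAMPLE = """\
info:$6$saltC$NEW_HASH_PLACEHOLDER:19500::::::
sales:$6$saltB$SAME_HASH_PLACEHOLDER:19000::::::
newbox:$6$saltD$OTHER_HASH_PLACEHOLDER:19500::::::
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <standard_copy> <mail_copy>
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            report = compare_shadow(a.read(), b.read())
    else:
        report = compare_shadow(STANDARD_SAMPLE, MAIL_SAMPLE)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

A mailbox listed under `hash_mismatch` only shows that the two files disagree; whether the standard node's SMTP service actually authenticates against its local copy is the open question in this thread.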