Server Sending Spam
Hey Guys
I posted a thread in the security section however now when I go into the thread the post shows empty for me. I posted the thread and also responded to the thread with more info.
Can anyone advise if this shows blank for them also?
Original Post
Hi All
I have been having serious issues with my server being used to send out spam. I appear to be getting targeted quite badly.
I receive quite a few emails showing that someone is trying to brute-force passwords; however, I have set the server to ban these after 7 attempts.
I have also severely restricted how many emails an account can send an hour, and I have ensured that SMTP authentication is required. I have also set up outgoing scanning and have a very tight restriction on how many rejection emails are acceptable, however none of this helped at all.
Today it appears that around 40,000 emails have been sent and, as shown below, these are going directly through exim.
My queue is so big I cannot open the page in WHM to view them. From previous times when I have been able to see it, I know that each time an account is compromised we change the password, but another email on another account entirely is later compromised and used instead. A person I personally use was one of those to be compromised and was used to send spam, and I know the password on this was stupidly secure. I am at a complete loss on how to rectify this issue.
67528 cwd=/var/spool/exim
2325 cwd=/
2140 cwd=/etc/csf
45 cwd=/home/flexiweb
30 cwd=/home/flexiweb/public_html/tools
24 cwd=/usr/local/cpanel/whostmgr/docroot
20 cwd=/home/petermcd/public_html/blog
18 cwd=/root
1 cwd=/home/munin
1 cwd=/home/karkii/public_html/sve
Can anyone direct me to what I can do to see if it helps. I have now given up even unblocking my IP from blacklist sites as every time I think it has cleared up and stopped I end up being compromised again.
- - - Updated - - -
Ok, I am now not convinced that the emails I thought were compromised were actually compromised. I have now managed to get into my email queue and here is an example of an email being sent:
Date: Sat, 3 May 2014 17:06:26 -0700
From: zyzu@domain.com
To: someuser@yahoo.fr
Subject: muscular for boy
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0
Received: from [178.150.xx.xx] (port=58177 helo=vqfpnxafjnv)
by vps.domain.com with esmtpa (Exim 4.82)
(envelope-from )
id 1WgaYo-0000uD-PI
for someuser@yahoo.fr; Sat, 03 May 2014 15:05:03 +0100
The from email address does not exist, however the domain is on the server (it is the first time I have seen this domain used; a different email address for this domain does exist). Looking through the queue they have been alternating using loads of variations. Does the way cPanel is configured allow people to send as a different email?
> Hey Guys, I posted a thread in the security section however now when I go into the thread the post shows empty for me. I posted the thread and also responded to the thread with more info. Can anyone advise if this shows blank for them also?

As a new user, your post was in moderation. I've merged your posts here.
The 'from' user in an email is set by the client sending it - it can technically be anything. It's just how email works (read: Email Spoofing), and is not specific to cPanel, nor is it directly preventable. What you need to look at is this: (envelope-from )
This is the true sender of the email. Either you have spammers, or the email passwords to the accounts doing this are compromised. You can probably confirm by checking the message ID in /var/log/exim_mainlog and for the sender in /var/log/maillog. You may want to consider enabling the outgoing spam scanning in WHM -> Exim Configuration Manager.
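As an added example, not from the thread and not cPanel's or Exim's own code, here is a small Python script that does the lookup Vanessa describes over /var/log/exim_mainlog lines. For a given Exim message ID it pulls the envelope sender, source IP and authenticated login (the A=dovecot_login:... tag), which is what tells you whose password is being used; it counts submissions per authenticated login so a compromised account stands out; it flags authenticated submissions whose envelope sender is not the login (the spoofed-From pattern in the queue example above); and it tallies cwd= lines, which is where the per-directory counts posted earlier come from. The log lines below are constructed: the message ID, From address and HELO string are the ones quoted in the post, while the IP (a TEST-NET address), the login realuser@domain.com and the other IDs and recipients are made up. The line layout assumed is Exim's default main log format with the +arguments log selector enabled, which the cwd= list in the post indicates is the case on this server.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines (not real server output).
# Message id 1WgaYo-0000uD-PI, the From address and the HELO string are the
# ones quoted in the thread; the IP, the login "realuser@domain.com" and the
# other ids/recipients are invented for this example.
SAMPLE_LOG = """\
2014-05-03 15:05:03 1WgaYo-0000uD-PI <= zyzu@domain.com H=(vqfpnxafjnv) [192.0.2.10]:58177 P=esmtpa A=dovecot_login:realuser@domain.com S=2211 T="muscular for boy" for someuser@yahoo.fr
2014-05-03 15:05:04 1WgaYp-0000uE-AA <= qwer@domain.com H=(vqfpnxafjnv) [192.0.2.10]:58178 P=esmtpa A=dovecot_login:realuser@domain.com S=2209 T="muscular for boy" for other@example.net
2014-05-03 15:05:05 1WgaYq-0000uF-BB <= realuser@domain.com H=(mail.example.org) [192.0.2.55]:4411 P=esmtpa A=dovecot_login:realuser@domain.com S=900 T="invoice" for someone@example.org
2014-05-03 15:06:00 cwd=/home/flexiweb/public_html/tools 3 args: /usr/sbin/sendmail -t -i
2014-05-03 15:06:01 1WgaYr-0000uG-CC <= flexiweb@vps.domain.com U=flexiweb P=local S=500 T="contact form" for owner@example.org
2014-05-03 15:06:02 cwd=/home/flexiweb/public_html/tools 3 args: /usr/sbin/sendmail -t -i
2014-05-03 15:06:03 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1WgaYr-0000uG-CC
"""

# Message arrival line: "<timestamp> <exim msgid> <= <envelope sender> ..."
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<msgid>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) <= "
    r"(?P<env_from><>|\S+)"
)
# "cwd=<dir> N args: ..." lines written for sendmail-style local submissions
CWD_RE = re.compile(r" cwd=(\S+) \d+ args: ")


def parse_arrival(line):
    """Return a dict for a message-arrival line, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = line[m.end():].rstrip()

    def grab(pattern):
        hit = re.search(pattern, rest)
        return hit.group(1) if hit else None

    rec["ip"] = grab(r"\[([0-9a-fA-F.:]+)\]")      # connecting client address
    rec["proto"] = grab(r" P=(\S+)")               # esmtpa = authenticated SMTP
    auth = grab(r" A=(\S+)")                       # A=dovecot_login:user@domain
    rec["auth"] = auth.split(":", 1)[1] if auth and ":" in auth else auth
    rec["local_user"] = grab(r" U=(\S+)")          # unix user for local submissions
    rec["subject"] = grab(r' T="([^"]*)"')
    rec["rcpt"] = grab(r" for (\S+)$")             # anchored: subject may contain " for "
    return rec


def parse_log(text):
    return [r for r in (parse_arrival(l) for l in text.splitlines()) if r]


def find_message(records, msgid):
    """Look up one message by the Exim id shown in the queue / Received: header."""
    for rec in records:
        if rec["msgid"] == msgid:
            return rec
    return None


def per_login_counts(records):
    """Submissions per authenticated login; a runaway count marks a compromised account."""
    return Counter(r["auth"] for r in records if r["auth"])


def sender_mismatches(records):
    """Authenticated submissions whose envelope sender differs from the login."""
    return [(r["msgid"], r["auth"], r["env_from"])
            for r in records
            if r["auth"] and r["env_from"].lower() != r["auth"].lower()]


def cwd_counts(text):
    """Per-directory submission counts, like the cwd= list in the original post."""
    return Counter(m.group(1) for m in CWD_RE.finditer(text))


def report(text):
    recs = parse_log(text)
    print("messages per authenticated login:")
    for login, n in per_login_counts(recs).most_common():
        print(f"  {n:6d}  {login}")
    print("authenticated submissions with an envelope sender other than the login:")
    for msgid, login, env_from in sender_mismatches(recs):
        print(f"  {msgid}  login={login}  envelope-from={env_from}")
    print("submissions by working directory:")
    for cwd, n in cwd_counts(text).most_common():
        print(f"  {n:6d}  cwd={cwd}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On a real server the same functions can be fed `open("/var/log/exim_mainlog").read()`; the login in the A= tag, not the From: header, is the account whose password should be changed, and a large per-login count from many unrelated sender addresses is the signature of the behaviour described in the post.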
Ahh, cheers Vanessa, I missed the outgoing scanning options; I had enabled similar options elsewhere. With regards to the sender, they are definitely being sent from the server and it appears to be using SMTP authentication. I will double check those logs to narrow it down. I found a function someone posted that ensures the sender is sending from the email address they are logged in with, which should also help. Just very concerning how they are compromising the machine so easily.

Ok, so much for stopping the emails getting sent that do not match the user. While I was typing the reply, further emails went into the queue for dummy emails that don't exist.