
Customer sending spam via -remote- user, but how?

Comments

11 comments

  • cPanelMichael
    Hello :) Have you been able to isolate the offending account in /var/log/exim_mainlog? If so, what method was used to send out the emails? Was it through SMTP authentication or through a script? The following document is helpful in the event you have not already enabled the suggested options: How to Prevent Email Abuse Thank you.
  • Infopro
    [QUOTE]I discovered I have a customer that is sending very large amounts of email.[/QUOTE]
    Change this users email password as well.
  • domeneas
    [quote="cPanelMichael, post: 1657952"]Hello :) Have you been able to isolate the offending account in /var/log/exim_mainlog? If so, what method was used to send out the emails? Was it through SMTP authentication or through a script? The following document is helpful in the event you have not already enabled the suggested options: How to Prevent Email Abuse Thank you.[/quote]
    Hi, everything in that link you posted was done beforehand and has served me well. For some reason this user is bypassing all these rules, and the difference between him and anyone else is that he is listed as using the -remote- user. mail@spammer.com is the account he is using and it is hosted on my server. I can find all his traffic in the exim_mainlog, but I am unsure exactly what you want me to look for there. The first line in one batch of email he tried to send out is:
    2014-06-04 13:06:18 1Ws91N-0002MZ-Ry <= mail@spammer.com H=([192.x.x.x]) [64.x.x.x]:59295 P=esmtp S=2531604 id=11A39226-5134-4975-A93F-FADB0609DAF2@spammer.com T="TOPIC OF SPAM EMAIL" for
    The mail log in WHM shows 785 emails sent at the same time, 400+ were delivered, and my system has a 200 per hour limit that has held up nicely for other customers. If I grep for the minute all these emails were sent in the exim_mainlog I also find this hundreds of times, with a different domain after "routed_domain=" each time. Each of these domains seems to be one of the recipients:
    2014-06-04 13:06:42 1Ws91N-0002MZ-Ry SMTP connection identification H= A=64.x.x.x P=59295 M=1Ws91N-0002MZ-Ry U= ID= S= B=relayhosts_domain
    2014-06-04 13:06:42 1Ws91N-0002MZ-Ry check_mail_permissions could not determine the sender domain [routed_domain=strXX.com message_exim_id=1Ws91N-0002MZ-Ry sender_host_address=64.x.x.x recipients_count=588]
    @Infopro I'd just call them up and tell them we have to cancel their account normally, but I'm too curious as to what is actually happening here to do that yet.
  • cPanelMichael
    [quote="domeneas, post: 1658652"]The mail log in WHM shows 785 emails sent at the same time, 400+ were delivered, and my system has a 200 per hour limit that has held up nicely for other customers.[/quote]
    In "Tweak Settings", under the "Mail" tab, what do you have configured for these options below?
    "The percentage of email messages (above the account's hourly maximum) to queue and retry for delivery."
    "Maximum percentage of failed or deferred messages a domain may send per hour"
    "Number of failed or deferred messages a domain may send before protections can be triggered"
    "Count mailman deliveries towards a domain's Max hourly emails."
    Thank you.
  • domeneas
    [quote="cPanelMichael, post: 1659002"]In "Tweak Settings", under the "Mail" tab, what do you have configured for these options below? "The percentage of email messages (above the account's hourly maximum) to queue and retry for delivery." "Maximum percentage of failed or deferred messages a domain may send per hour" "Number of failed or deferred messages a domain may send before protections can be triggered" "Count mailman deliveries towards a domain's Max hourly emails." Thank you.[/quote]
    "The percentage of email messages (above the account's hourly maximum) to queue and retry for delivery." 125
    "Maximum percentage of failed or deferred messages a domain may send per hour" 50
    "Number of failed or deferred messages a domain may send before protections can be triggered" 5
    "Count mailman deliveries towards a domain's Max hourly emails." Off
    I have set the values to 125 - 25% - 5 - ON after I started investigating, but they were as above on June 4th, which I am looking into. If I widen my search past exactly 13:06 on June 4th and include the period from 9 AM till 2 PM, I get 4306 delivery events in WHM, where 2521 were delivered in 4 rounds:
    784 events - 434 delivered 02:06 PM
    1954 events - 1093 delivered 12:46 PM
    637 events - 435 delivered 11:37 AM
    343 events - 224 delivered 10:49 AM
    All of those are over the 200 per hour limit, even counting queues and such. And all have -remote- as both sender and recipient. Again, no other emails I've come across have that.
  • cPanelMichael
    Feel free to open a support ticket if you would like us to access your server and take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.
  • domeneas
    Case 5081447
  • crwilliams
    Is there anything to add with this case? I'm experiencing the same problem, or a similar one. I have a user on one of my servers who has had two of her email accounts hacked to send spam. I've changed the passwords in the meantime myself. The thing I'm worried about is how the mail bypassed the server limits. The mail from the compromised accounts on my server was going out by the thousands, but I have her domain limited to 20 emails per hour. I did only just now include mailman in her total limit, but it doesn't seem as though that has anything to do with it anyway. And just like the other person in this thread, the mail seems to come from a user listed as remote. I have 105% as the amount above the limit to queue and retry; percentage of failed or deferred messages per hour at 50%; number of failed messages to send before protections kick in is set to 5. And I have the formerly known as SMTP tweak on. So I have no idea how this account managed about 2500 emails in a few hours. Any ideas?
  • cPanelMichael
    Were you able to isolate the offending messages in /var/log/exim_mainlog? If so, what method was used to send out the emails? Was it through SMTP authentication or through a script? Thank you.
  • crwilliams
    They were sent through SMTP authentication. I had an easy time locating the messages because this server typically only sends a few hundred messages a day in total. So messages by the thousand tend to get noticed. But I did find it odd to see user -remote- in the message details. And I can't understand how they just kept blowing past the limit. I now have CSF set up to permanently block IPs after a set number of emails sent per hour, but that only prevents the one IP from sending and doesn't tell me how the domain limits are being surpassed anyway. I'd appreciate any nudges in the right direction. Thanks! Oh, and this is what one of the failed messages looked like, after my server limit was reached at the GoDaddy data center:
    Event: failure error
    User: -remote-
    Domain:
    Sender: ni@xxxxxxxxx.com
    Sent Time: Jul 30, 2014 4:25:16 PM
    Sender Host: 192.168.1.97
    Sender IP: 46.216.xx.xx
    Authentication: courier_login
    Spam Score: 0
    Recipient: xxxxxx@hotmail.com
    Delivered To:
    Delivery User:
    Delivery Domain:
    Router: send_to_smart_host
    Transport: remote_smtp
    Out Time: Jul 30, 2014 4:41:16 PM
    ID: 1XCaR1-00038I-0o
    Delivery Host: dedrelay.where.secureserver.net
    Delivery IP: 64.202.xxx.xx
    Size: 653 bytes
    Result: SMTP error from remote mail server after initial connection: host dedrelay.where.secureserver.net [64.202.xxx.xx]: 554 m1plded02-02.prod.mesa1.secureserver.net : DED : YkhD1o0193FgbK901 : DED : You've reached your daily relay quota
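The two reports in this thread describe the same symptom (a -remote- user blowing past the per-domain hourly limit) from two different starting points: domeneas' first exim_mainlog line has P=esmtp and no A= field, while crwilliams' delivery record says Authentication: courier_login. Exim records an SMTP AUTH submission by appending A=authenticator:login to the "<=" (message received) line and by logging the protocol as esmtpa (esmtpsa over TLS); a "<=" line with neither came in over plain SMTP without authenticating, which is a different problem from a stolen mailbox password and is worth settling before tuning queue and retry percentages. The script below is an added example, not code from this thread or from cPanel, and it does not reproduce cPanel's -remote- attribution; it parses Exim "<=" lines from a constructed log sample (example domains and documentation IPs, not the addresses in the thread), buckets each sender domain's volume per hour, splits it into authenticated and unauthenticated submissions with the logins and client IPs seen, and counts recipients as well as messages, because the batches in the thread are single message IDs with hundreds of recipients and the two numbers differ a lot. It assumes recipients are logged after "for" (Exim's +received_recipients log selector); without that selector the recipient count stays at zero and only the message count is useful. The 4-per-hour limit in the usage block is illustrative.

```python
import re
from collections import defaultdict

# Constructed sample of exim_mainlog lines (not taken from the thread's servers).
# Addresses use example domains and RFC 5737 documentation IPs.
# Only "<=" (message received) lines carry sending volume; the "=>" delivery
# line is included to show that it is skipped.
SAMPLE_LOG = """\
2014-06-04 13:06:18 1Ws91N-0002MZ-Ry <= mail@spammer.example H=([192.0.2.10]) [198.51.100.7]:59295 P=esmtp S=2531604 id=11A39226@spammer.example T="TOPIC OF SPAM EMAIL" for a@example.net b@example.net c@example.net
2014-06-04 13:06:42 1Ws91N-0002MZ-Ry => a@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.25]
2014-06-04 13:09:03 1Ws94W-0002Nq-Ab <= mail@spammer.example H=([192.0.2.10]) [198.51.100.7]:59301 P=esmtp S=2531604 T="TOPIC OF SPAM EMAIL" for d@example.net e@example.net
2014-06-04 13:15:47 1Ws9B1-0002Pz-Cd <= user@customer.example H=(laptop) [203.0.113.5]:51000 P=esmtpsa A=dovecot_login:user@customer.example S=1204 T="hello" for f@example.org
2014-06-04 14:01:10 1Ws9tU-0002Rx-Ef <= mail@spammer.example H=([192.0.2.10]) [198.51.100.7]:59410 P=esmtp S=2531604 T="TOPIC OF SPAM EMAIL" for g@example.net
2014-06-04 14:02:00 1Ws9uI-0002Sa-Gh <= ni@customer.example H=([192.0.2.97]) [198.51.100.9]:4432 P=esmtpa A=courier_login:ni@customer.example S=653 T="hi" for h@example.com
"""

# A "<=" line: timestamp, Exim message id, envelope sender, then the remaining fields.
ARRIVAL_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} '
    r'(?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
PROTO_RE = re.compile(r' P=(\S+)')                       # esmtp, esmtpa, esmtpsa, local, ...
AUTH_RE = re.compile(r' A=(\S+)')                        # authenticator:login, only on SMTP AUTH
CLIENT_IP_RE = re.compile(r'\[([0-9a-fA-F.:]+)\]:\d+')   # the "[ip]:port" that follows H=
RECIPS_RE = re.compile(r' for (\S+@\S+(?: \S+@\S+)*)$')  # needs +received_recipients


def parse_arrival(line):
    """Return a dict describing a '<=' line, or None for any other log line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    proto = PROTO_RE.search(rest)
    auth = AUTH_RE.search(rest)
    ip = CLIENT_IP_RE.search(rest)
    recips = RECIPS_RE.search(rest)
    sender = m.group('sender')
    return {
        'hour': f"{m.group('date')} {m.group('hour')}:00",
        'msgid': m.group('msgid'),
        'sender': sender,
        'domain': sender.rsplit('@', 1)[-1].lower(),
        'protocol': proto.group(1) if proto else '',
        'auth': auth.group(1) if auth else '',
        'client_ip': ip.group(1) if ip else '',
        'recipients': recips.group(1).split() if recips else [],
    }


def summarize(log_text):
    """Bucket submissions by (sender domain, hour) and split them by SMTP AUTH use."""
    buckets = defaultdict(lambda: {
        'messages': 0, 'recipients': 0,
        'authenticated': 0, 'unauthenticated': 0,
        'auth_logins': set(), 'client_ips': set(),
    })
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None:
            continue
        b = buckets[(rec['domain'], rec['hour'])]
        b['messages'] += 1
        b['recipients'] += len(rec['recipients'])
        if rec['auth']:
            b['authenticated'] += 1
            b['auth_logins'].add(rec['auth'])
        else:
            b['unauthenticated'] += 1
        if rec['client_ip']:
            b['client_ips'].add(rec['client_ip'])
    return dict(buckets)


def flag_over_limit(buckets, hourly_limit):
    """(domain, hour, recipients, unauthenticated) for buckets past the hourly recipient limit."""
    return sorted(
        (domain, hour, b['recipients'], b['unauthenticated'])
        for (domain, hour), b in buckets.items()
        if b['recipients'] > hourly_limit)


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    for (domain, hour), b in sorted(summary.items()):
        print(f"{hour} {domain}: {b['messages']} msgs, {b['recipients']} rcpts, "
              f"auth={b['authenticated']} noauth={b['unauthenticated']} "
              f"logins={sorted(b['auth_logins'])} ips={sorted(b['client_ips'])}")
    for domain, hour, rcpts, noauth in flag_over_limit(summary, 4):
        print(f"OVER LIMIT: {domain} at {hour}: {rcpts} recipients, {noauth} without SMTP AUTH")
```

Run it against the real file with `summarize(open('/var/log/exim_mainlog').read())` and the domain's configured hourly limit. A bucket with a large recipient count and auth_logins populated points at a stolen mailbox password (the crwilliams case: change the password, then look at client_ips for the IPs to block); a bucket whose submissions are all unauthenticated means the server accepted the mail over plain SMTP, and the next question is why it was accepted for relay at all, not why the hourly limit did not stop it.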
  • cPanelMichael
    Feel free to open a support ticket if you would like us to access your server and take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.
