Spam sending through server - need help

cpanelinfoseeker

• June 27, 2014 09:45

I have transferred my accounts to a new server earlier this month and had the configserver package installed. I have one account that is sending spam emails. I have changed the account password and the user changed the email password. The spam still sends. I then went and changed the users email password (generated on the website controlpanel and did not save it to my computer) and you guessed it, the spam still sends. WHM settings: Mail authentication via domain owner password = OFF Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) = ON Prevent "nobody" from sending mail = ON Looking for any help as I am really confused as to how they can authenticate at this point. Thanks in advance! Here are the headers from one email: (MY SERVER replaces the server name, DOMAIN replaces user domain, SERVER-IP replaces my server ip address, MY-INFO replaces the lines added by mailscanner, The IP address 46.225.251.234 shows from Iran, but the ip address and the country change with each email): 1X0WC9-0002Dx-50-H mailnull 47 12 1403875681 0 -deliver_firsttime -body_linecount 5 -auth_id jonathan -interface_address SERVER-IP.25 -received_protocol esmtpa -host_auth dovecot_login -host_address 46.225.251.234.33685 -max_received_linelength 111 -helo_name DOMAIN.com -host_lookup_failed XX 27 - List of emails cc-ed removed - 210P Received: from [46.225.251.234] (port=33685 helo=DOMAIN.com) by MY SERVER.com with esmtpa (Exim 4.82) (envelope-from ) id 1X0WC9-0002Dx-50; Fri, 27 Jun 2014 09:28:01 -0400 048I Message-ID: 038 Date: Fri, 27 Jun 2014 06:27:12 -0700 044F From: "jonathan" 112 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4 018 MIME-Version: 1.0 031T To: 023 Subject: Black Cbialis 048 Content-Type: text/plain; charset="iso-8859-1" 032 Content-Transfer-Encoding: 7bit 079 X-MY-INFO-MailScanner-Information: Please contact the ISP for more information 043 X-MY-INFO-MailScanner-ID: 1X0WC9-0002Dx-50 101 X-MY-INFO-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details 034 X-MY-INFO-MailScanner-SpamCheck: 053 X-MY-INFO-MailScanner-From: jonathan@domain.com 018 X-Spam-Status: No

• 

  SS-Maddy

  • June 30, 2014 07:04

  check and ensure that the hosting account is not compromised using effective tools such as maldet. Also make sure that the webserver is enabled with effeciant mod_sec rule sets.

  0
• 

  cPanelMichael

  • June 30, 2014 13:09

  Hello :) I suggest reviewing the account to see if any scripts have the ability to send out email, or check to ensure the user who controls the account is not using a hacked computer. The following document is also helpful: cPanel - Prevent Email Abuse Thank you.

  0
• 

  cpanelinfoseeker

  • July 15, 2014 22:57

  We did the easy fix and terminated that problem email account and opened a new email address instead. The reports came with the subject of " hostname AUTHRELAY Alert for IPinfo" if it were a script the subject would be " hostname LOCALRELAY Alert for account", so it seems they were able to authenticate some how. It was only one email address of the 6 he had active, and even changing the passwords did not stop it. Still puzzled, but stopped the spam! I had configserver install his complete package prior to transferring the accounts over so I believe the server itself to be secure. I did run the CSX scan. I'll be looking into maldet, just to be safe! Thanks!! The help is appreciated. Ron

  0

Please sign in to leave a comment.