
Serious Spam problem

Comments

8 comments

  • luca.sartori
    Additional detail: Here is the header of a spam email:

    Date: Fri, 18 Jul 2014 23:13:37 +0800
    From: "Daily Health eAlert"
    To: ukmaajmbgf@MYDOMAIN
    Subject: What happened to me within a season is a miracle!
    Content-Type: multipart/alternative; boundary="----=_Part_68016_1213225342.3282929346909"
    Delivery-date: Fri, 18 Jul 2014 17:13:40 +0200
    Envelope-to: ukmaajmbgf@MYDOMAIN
    Errors-To: ukmaajmbgffbe0@domain.com.sg
    List-Unsubscribe:
    Message-ID: <2146976893.3546171873374412090.JavaMail.root@103-11-51-210.domain.com.sg>
    MIME-Version: 1.0
    Received: from [10.0.0.147] ([10.0.0.147:7153] helo=103-11-51-210.domain.com.sg) by 715FAF88 (envelope-from ) (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP id D5/DC-5BBC6-DCE97352; Fri, 18 Jul 2014 23:13:42 +0800
    Received: from [103.11.51.210] (port=39215 helo=103-11-51-210.domain.com.sg) by MYSERVER with esmtp (Exim 4.82) (envelope-from ) id 1X89qu-0007G4-7r for ukmaajmbgf@MYDOMAIN; Fri, 18 Jul 2014 17:13:40 +0200
    Return-path:
    Sender: ukmaajmbgffbe0@domain.com.sg
    0
  • kdean
    -remote- generally indicates mails being sent to users on your server... all your incoming emails. This is normal unless you're seeing something else suspicious.
    0
  • luca.sartori
    Here is an example of a header I have from one of the spammy mails: MYDOMAIN is one of my domains on MYSERVER but the user e2c418134 obviously does not exist. e2c418134c8@domain.net is a very suspicious sender, and domain.net is NOT one of my domains! And I think it's suspect that: Message-ID: <2037766881.69350758227170785605.JavaMail.root@maia-80fe7c2fd8.ddns.domain.net>

    I've disabled relaying,
    Discard FormMail-clone message with bcc: ON
    Mail authentication via domain owner password: OFF
    Track email origin via X-Source email headers: ON
    Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak): ON
    Prevent "nobody" from sending mail: ON
    Add X-PopBeforeSMTP header for mail sent via POP-before-SMTP: OFF

    Date: Thu, 17 Jul 2014 19:28:59 +0300
    From: "About Today"
    To: e2c418134@MYDOMAIN
    Subject: This product will become a sensation within month
    Content-Type: multipart/alternative; boundary="----=_Part_85034_6015826504.4066855935910"
    Delivery-date: Thu, 17 Jul 2014 18:29:00 +0200
    Envelope-to: e2c418134@MYDOMAIN
    Errors-To: e2c418134c8@cablebg.net
    List-Unsubscribe:
    Message-ID: <2037766881.69350758227170785605.JavaMail.root@maia-80fe7c2fd8.ddns.domain.net>
    MIME-Version: 1.0
    Received: from [10.0.0.78] ([10.0.0.78:1815] helo=maia-80fe7c2fd8.ddns.domain.net) by 2E193A31C (envelope-from ) (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP id 39/7B-8D483-C58BCD29; Thu, 17 Jul 2014 19:29:08 +0300
    Received: from 130-204-140-40.2073348467.ddns.domain.net ([130.204.140.40]:2058 helo=maia-80fe7c2fd8.ddns.domain.net) by MYSERVER with esmtp (Exim 4.82) (envelope-from ) id 1X7oYG-0003OB-6k for e2c418134@domain.it; Thu, 17 Jul 2014 18:29:00 +0200
    Return-path:
    Sender: e2c418134c8@domain.net
    0
  • kdean
    Looks like an incoming spam email to me. Spammers often send to addresses that don't exist. If there was a problem the To: field would not be going to your MYDOMAIN.

    Also, if you're actually receiving the email even though it's sent to an email that doesn't exist you may want to log into your cPanel account and go to "Set Default Address" and set "Send all unrouted email" to "Discard with error to sender (at SMTP time)".
    0
  • triantech
    Yea, it seems like incoming spam mails. Make sure SpamAssassin is enabled and configured. Also, you can configure the RBLs checker from WHM. (Home >> Service Configuration >> Exim Configuration Editor >> RBLs)
    0
  • cPanelMichael
    Hello :) Ensure the "Default Address" in cPanel for this account is set to "Discard with error to sender (at SMTP time)" as mentioned in a previous post. This will ensure email sent to non-existent email accounts is automatically discarded. Thank you.
    0
  • luca.sartori
    Thanks, I'll follow your advice. I'm only worried about one thing: if my server discards with error to sender, might it become a backscatterer? I had this problem in the past and I'm not sure how to avoid it. Thank you again!
    0
  • cPanelMichael
    luca.sartori said: "Thanks, I'll follow your advice. I'm only worried about one thing: if my server discards with error to sender, might it become a backscatterer? I had this problem in the past and I'm not sure how to avoid it. Thank you again!"

    You can search for the term "backscatter" on our forums and there are a few threads where users discuss potential solutions. Thank you.
    0
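The check made in the replies above (the message was delivered to the server from outside, not sent out through it) can be made mechanical from the headers. The following is an added example, not part of the thread or of cPanel's tooling; `myserver.example` and `mydomain.example` are hypothetical stand-ins for MYSERVER and MYDOMAIN, and the sample message is constructed in real delivery order, which the headers pasted in the thread are not.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Hypothetical stand-ins for the thread's MYSERVER / MYDOMAIN placeholders.
MY_HOST = "myserver.example"
LOCAL_DOMAINS = {"mydomain.example"}

# Constructed sample in real delivery order (newest Received first), modelled
# on the first header posted in the thread; the peer IP is the one shown there.
SPAM = """\
Return-path: <bounce@sender.example>
Envelope-to: ukmaajmbgf@mydomain.example
Delivery-date: Fri, 18 Jul 2014 17:13:40 +0200
Received: from [103.11.51.210] (port=39215 helo=host.sender.example)
\tby myserver.example with esmtp (Exim 4.82)
\tid 1X89qu-0007G4-7r for ukmaajmbgf@mydomain.example;
\tFri, 18 Jul 2014 17:13:40 +0200
Received: from [10.0.0.147] (helo=host.sender.example) by 715FAF88
\twith ESMTP; Fri, 18 Jul 2014 23:13:42 +0800
Subject: constructed sample

"""

def peer_is_external(hop):
    """True if the 'from' part of a Received hop names a public IP."""
    m = re.search(r"\[([0-9A-Fa-f:.]+)\]", hop.split(" by ")[0])
    try:
        return bool(m) and ipaddress.ip_address(m.group(1)).is_global
    except ValueError:
        return False

def classify(raw, my_host=MY_HOST, local_domains=LOCAL_DOMAINS):
    """Return 'inbound', 'local', 'outbound' or 'unknown' for one message."""
    msg = HeaderParser().parsestr(raw)
    # Our server prepends its hop, so the first Received line naming it is the
    # only one we wrote; hops below it come from the sender and can be forged.
    hops = (" ".join(h.split()) for h in msg.get_all("Received", []))
    ours = next((h for h in hops if f" by {my_host} " in h), None)
    if ours is None:
        return "unknown"
    # Exim adds Envelope-to at delivery; fall back to the hop's "for" clause.
    rcpt = msg.get("Envelope-to") or "".join(re.findall(r" for <?([^\s;>]+)", ours)[:1])
    if not rcpt:
        return "unknown"
    if rcpt.rpartition("@")[2].strip().lower() not in local_domains:
        return "outbound"  # leaving for a foreign domain: relay or local sender
    return "inbound" if peer_is_external(ours) else "local"
```

A result of `inbound` for a nonexistent local user matches the diagnosis in the thread; `outbound` with a local or private peer is the case that would point to a script or account on the server sending mail.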
