Hundreds of emails being sent from fake email accounts

Comments

5 comments

  • cPanelMichael
    Hello :) Are you able to view the message header of one of these messages to see if more information is available? For instance, have you reviewed the account to see if any scripts with the ability to send out email have been exploited or are being used for SPAM? Thank you.
    0
  • techn0guy
    > Hello :) Are you able to view the message header of one of these messages to see if more information is available? For instance, have you reviewed the account to see if any scripts with the ability to send out email have been exploited or are being used for SPAM? Thank you.

    Hello, how can I check the header of the emails? Currently I am looking at the mail delivery reports and the queues and I don't see how to view them there.
    0
  • dmacomber
    I had a very similar situation recently. Just a hunch, but look for a menu87.php (find / -name menu87.php) deep in that domain's public_html directory. Delete it and restart services. Or do the below. If you suspect there is a PHP script sending out email (and it is still doing so) try adding these two lines:

    mail.add_x_header = On
    mail.log = /var/log/php_mail.log

    to the [mail] section of: /usr/local/lib/php.ini
    D-
    0
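Once `mail.log` is set as dmacomber describes, PHP writes one line per `mail()` call naming the script path and line that made it, so the offending script can be found by counting those lines. The shell snippet below is an added example, not code from the thread or from cPanel: it summarises such a log, busiest script first, and runs against a constructed sample log unless `PHP_MAIL_LOG` points at the real file. The log line layout it parses (`[date] mail() on [/path/script.php:LINE]: To: ...`) is PHP's own format for `mail.log`.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a PHP mail.log by the script
# that called mail(), so the script behind a flood of outgoing mail stands out.
# Assumed line layout (PHP's mail.log format):
#   [01-Jan-2014 12:00:00 UTC] mail() on [/path/script.php:LINE]: To: addr -- Headers: ...

# Print "count script" pairs, busiest script first.
top_mail_scripts() {
  sed -n 's/^.* mail() on \[\(.*\):[0-9][0-9]*\]: To: .*$/\1/p' "$1" \
    | sort | uniq -c | sort -rn \
    | awk '{ printf "%d %s\n", $1, $2 }'
}

# Return only the path of the single busiest script.
busiest_mail_script() {
  top_mail_scripts "$1" | head -n 1 | cut -d' ' -f2-
}

# Constructed sample log for demonstration; set PHP_MAIL_LOG to the real file
# (for example /var/log/php_mail.log) to run this against a live server.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[05-Jan-2014 09:00:01 UTC] mail() on [/home/user/public_html/wp-content/themes/x/menu87.php:12]: To: a@example.net -- Headers: From: sales@example.com
[05-Jan-2014 09:00:01 UTC] mail() on [/home/user/public_html/wp-content/themes/x/menu87.php:12]: To: b@example.net -- Headers: From: sales@example.com
[05-Jan-2014 09:00:02 UTC] mail() on [/home/user/public_html/wp-content/themes/x/menu87.php:12]: To: c@example.net -- Headers: From: sales@example.com
[05-Jan-2014 09:15:44 UTC] mail() on [/home/user/public_html/contact.php:40]: To: owner@example.com -- Headers: From: form@example.com
EOF

top_mail_scripts "${PHP_MAIL_LOG:-$SAMPLE_LOG}"
```

With `mail.add_x_header = On` as well, each message carries an `X-PHP-Originating-Script` header, so the same script name can be read from a queued message's header (`exim -Mvh <message-id>` prints it on a cPanel server) even before the log has accumulated.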
  • cPanelMichael
    > Hello, how can I check the header of the emails? Currently I am looking at the mail delivery reports and the queues and I don't see how to view them there.

    You can click on a message in the mail queue to view more information about it. Thank you.
    0
  • jayharland
    Just chiming in. In my experience with this kind of situation it's either been a compromised email account (if it's one account in particular sending the spam) or an infected computer sending a ton of spam. Though it could be something like dmacomber said above, a malicious script.

    For me I started to see a ton of failed delivery messages being returned to one user in particular. Hundreds of them. So I immediately remotely connected to the infected computer and ran TCPview to see if something was abusing port 25 on their machine. Sure enough, something was. This has happened twice for us at different locations and each time blocking port 25 on the router or firewall stopped the emails from going out. We just made sure to use port 587 for our email afterwards.

    If you can view your mail activity you can look for scripts that have sent a lot of mail. I don't know who your host is, but check out this link here from InmotionHosting. It should give you an idea of how to go about it: Find spam script location with Exim | InMotion Hosting (http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim)

    If you can see that it's only one account sending the spam, change that account's password and make sure it's nice and secure.

    If you think it's an infected computer, get on that computer then download and run TCPview. This will show you TCP and UDP activity. If there are a ton of SMTP or port 25 connections being made (green) and then dying (red) you know you've found the problem. Here is a link to TCPview: TCPView for Windows (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx)

    If it is an infected machine, you can track down which service is sending the emails through TCPview. You're going to have to clean it out thoroughly. I typically run a combination of programs like MalwareBytes, CCleaner, and TDSSKiller. Getting yourself removed from the blacklists isn't hard but it requires a little time.

    Also, make sure the problem is resolved before requesting de-listing, otherwise, if you are de-listed and re-listed multiple times they'll just permanently list you.
    0
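jayharland's two tells, one account submitting far more mail than the others and a pile of failed-delivery bounces landing in one mailbox, can both be read straight out of the Exim main log on the server. The shell snippet below is an added example, not code from the thread or from cPanel or Exim. It assumes the cPanel Exim logging convention where an authenticated submission carries an `A=dovecot_login:user@domain` token on the `<=` arrival line, a bounce arrives with the empty sender `<>`, and local delivery is logged as `=> user <user@domain>`; the sample log is constructed, and `EXIM_MAINLOG` can point at the real file (normally `/var/log/exim_mainlog` on cPanel).

```shell
#!/bin/sh
# Added example (not from the thread): two views over an Exim main log that
# help decide whether one mailbox was compromised. Line layouts are assumed
# from the cPanel/Exim convention described in the lead-in; sample is constructed.

# Outgoing submissions per authenticated login, busiest first ("count login").
top_auth_senders() {
  awk '$4 == "<=" {
         for (i = 5; i <= NF; i++) if ($i ~ /^A=/) n[substr($i, 3)]++
       }
       END { for (a in n) printf "%d %s\n", n[a], a }' "$1" | sort -rn
}

# Bounces (arrival lines "<= <>") delivered to each local mailbox, found by
# joining the arrival line with the later "=>" delivery line on the message id.
bounces_per_mailbox() {
  awk '$4 == "<=" && $5 == "<>" { bounce[$3] = 1 }
       $4 == "=>" && ($3 in bounce) {
         r = $5
         # local deliveries read "=> user <user@domain> ..."; take the address
         if (r !~ /@/ && $6 ~ /^</) { r = $6; gsub(/[<>]/, "", r) }
         n[r]++
       }
       END { for (r in n) printf "%d %s\n", n[r], r }' "$1" | sort -rn
}

# Constructed sample log: sales@example.com submits four messages in quick
# succession and then receives two bounces; bob@example.com is normal traffic.
EXIM_SAMPLE=$(mktemp)
trap 'rm -f "$EXIM_SAMPLE"' EXIT
cat > "$EXIM_SAMPLE" <<'EOF'
2014-01-05 09:00:01 1W0aaa-000101-Aa <= sales@example.com H=(pc) [198.51.100.7] P=esmtpsa A=dovecot_login:sales@example.com S=2048 id=1@pc
2014-01-05 09:00:02 1W0aaa-000102-Bb <= sales@example.com H=(pc) [198.51.100.7] P=esmtpsa A=dovecot_login:sales@example.com S=2048 id=2@pc
2014-01-05 09:00:03 1W0aaa-000103-Cc <= sales@example.com H=(pc) [198.51.100.7] P=esmtpsa A=dovecot_login:sales@example.com S=2048 id=3@pc
2014-01-05 09:00:04 1W0aaa-000104-Dd <= sales@example.com H=(pc) [198.51.100.7] P=esmtpsa A=dovecot_login:sales@example.com S=2048 id=4@pc
2014-01-05 09:10:00 1W0aaa-000105-Ee <= bob@example.com H=(laptop) [192.0.2.9] P=esmtpsa A=dovecot_login:bob@example.com S=900 id=5@laptop
2014-01-05 09:20:00 1W0aaa-000106-Ff <= <> H=mx.example.net [203.0.113.5] P=esmtp S=3210 T="Undelivered Mail Returned to Sender"
2014-01-05 09:20:01 1W0aaa-000106-Ff => sales <sales@example.com> R=virtual_user T=dovecot_virtual_delivery
2014-01-05 09:21:00 1W0aaa-000107-Gg <= <> H=mx.example.org [203.0.113.6] P=esmtp S=3100 T="Mail delivery failed"
2014-01-05 09:21:01 1W0aaa-000107-Gg => sales <sales@example.com> R=virtual_user T=dovecot_virtual_delivery
2014-01-05 09:30:00 1W0aaa-000108-Hh <= <> H=mx.example.net [203.0.113.5] P=esmtp S=3000 T="Undelivered Mail Returned to Sender"
2014-01-05 09:30:01 1W0aaa-000108-Hh => bob <bob@example.com> R=virtual_user T=dovecot_virtual_delivery
EOF

LOG="${EXIM_MAINLOG:-$EXIM_SAMPLE}"
echo "== submissions per login =="; top_auth_senders "$LOG"
echo "== bounces per mailbox ==";   bounces_per_mailbox "$LOG"
```

A login that dominates the first listing while also topping the second is the compromised-account case jayharland describes, and the `H=(...) [address]` tokens on its `<=` lines show which client machine was submitting, which is the host to check next; mail submitted by a web script rather than a logged-in user shows no `A=` token at all and is better traced through the PHP mail log.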