Skip to main content

how to prevent spammers sending as cpanel user?

kazar
Hi everyone -- Please be gentle as I am NOT a professional (maybe not even amateur) web server administrator. I simply host a website and email services as a volunteer for a local community garden. I started getting forwarded messages from my hosting provider that the domain is being reported as a spammer. I have done everything on my server I feel safe enough (as someone who could easily completely screw up a server) to do -- i.e., just using WHM control panel interface and following _some_ of the recommendations that came up when I ran the Security Advisor tool. It's clear that spammers are sending, or trying to send, email as the domain user svgarden. (server host name is vm1.bubbleup.us) How can they do this? At my hosting provider's recommendation I already changed the user's pw over a week ago and it is not even written anywhere on a piece of paper and my connections are always via secure ports. So I don't think the domain user's password is the issue. What I need to know if anyone can help with answers to these 3 Q's. I have already spent significant time trying to solve this on my own (by reading Cpanel docs that are usually way over my head, and googling around for answers) but I don't think I have: 1. Is my server still being used for spam? I do not know how to decipher the exim log (pasted in below)? 2. If answer to #1 is "yes", what else do I need to do on my server to stop this from happening? (I have also pasted in below my notes re what I have changed so far on my server) 3. I enabled the ClamAV connector and ran a virus scan for the domain that is experiencing this problem, but where can I see the results? I have looked all over the WHM and cpanel screens and can't see whether the scan was clean or whether any infected files were found. My hosting provider recommended I use a third-party service to look into the situation, but the cost is $350 which I cannot pay, I already pay for the VPS for the garden's website & email and for other small community groups. I would so appreciate any help!! Thanks in advance! kazar ===========SAMPLE RECENT ENTRIES FROM EXIM_MAINLOG============= ======(ENTRIES ARE *AFTER* THE CHANGES I MADE ON SERVER THAT ARE NOTED BELOW)=== =========ARE SPAMMERS STILL SENDING MAIL THROUGH MY SERVER?======= - Removed - ========================================== My notes of what changes I made on my server before the above Exim log items were written Do I need to do anything else? ========================================== In Tweak Settings Prevented "nobody" from sending mail Enabled SMTP restrictions Jailed all user shells Tweak Settings / Mail -- changed initial default/catch-all forwarder destination to Fail NOTE: Mail authentication via domain owner password was already OFF so how is someone sending as svgarden@vm1 Track email origin via X-Source email headers - turned ON Max hourly emails per domain: 50 Maximum percentage of failed or deferred messages a domain may send per hour - set to 5% In Exim Configuration Manager - Basic Editor ACL Options Reject remote mail sent to the server's hostname - turned ON [?]Reject mail at SMTP time if the recipient is an address of the primary hostname of this server. No remote mail should normally be received for the primary hostname, and this has recently become a common spam target. Mail Log sender rates in the exim mainlog. - turned ON Set SMTP Sender: headers - turned ON [?](-f flag passed to sendmail) This will create "On behalf of" notices in Microsoft" Outlook, but it may also help track abuse of the mail system since recipients will see the SMTP login used to send each message. Security Scan outgoing messages for malware - turned ON Apache Spam-Assassin options Apache SpamAssassin": Forced Global ON - turned on Scan outgoing messages for spam and reject based on the Apache SpamAssassin" internal spam_score setting - turned ON

Comments

4 comments

Date Votes
  • Infopro
    The documentation should be helpful: How to Prevent Email Abuse - cPanel Documentation
    0
  • kazar
    ]The documentation should be helpful: How to Prevent Email Abuse - cPanel Documentation

    Thanks much. I had already followed everything in that page except for suPHP ... I felt stuck (and newbie-scared) because I would not know whether to enable suPHP vs mod_suPHP vs mod_ruid2. The server has a few tiny domains (small, low-traffic) with sites running on Drupal and WP. I think the suPHP is key, though, because I notice in exim_mainlog that there are references to a "media" plug-in in the CKeditor module of the site, which (even though I know next to nothing) I imagine is being exploited by having php somehow send out emails. Any recommendation re suPHP vs the other two? Thanks again!! kazar
    0
  • kazar
    [for now I just removed ckeditor/plugins/media/ -- really seems there is some sort of big hole in that plugin]
    0
  • kazar
    Wow, I think it's actually a Drupal exploit:
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post