Locate Account Sending Spam
Our server started to send a lot of emails from a single user this weekend. I've changed the password and tweaked some settings because we got an email from the server saying that the Exim queue was full, but the user continues to send emails.
What can be done to prevent this, and/or discover the source of the problem?
Thanks in advance.
Sounds like the cPanel account, and/or the email accounts on it, are compromised. You might get some clues about the emails from the tools in WHM here: WHM » Email » Mail Delivery Reports
"What can be done to prevent"
Tough question. If it was just an email account's password that was compromised, changing the password should help. If the site on that account has out-of-date scripts on it, like a contact form (for example), updating the out-of-date scripts is important. If the spam is being generated by a malicious script on the account that was uploaded by accessing the cPanel account itself, from an out-of-date, exploitable WordPress plugin of some sort (for example), that's a whole other thing. I'd be inclined to suspend that account for a bit until I can get a clearer idea of what's going on with it.
I've re-checked the site account now and it seems that this account has a folder named "old" with a Flash website, and it contains a contact form. ( --') I've zipped the folder; let's see if this affects the mails sent from this user. I can't suspend this account right now. I'm going to wait and see if the user keeps sending emails, but if I've got a script inside the user account, how hard is it to detect something like this? I've checked the process list and everything seems normal.
Hello :) You can also search /var/log/exim_mainlog to verify whether email has been sent from that directory with the following command: awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
The output will show a list of all directories within /home that have sent out email from a script. Thank you.
Hi, the mailing fever is still on! o_O I've executed the command you mentioned, Michael, and I don't get any results related to that account. (But thanks anyway, I'm going to keep that command; it's very useful :)) Today, the user is still sending a lot of emails from the same account. This is a Delivery Event Detail from one email; I've just renamed the user account to "userX": - Removed - I could block the sender IP, but it is not always the same.
Please don't post output without removing all actual domain names, IPs, and email addresses.
"I can't suspend this account right now."
He's sending spam. He's doing harm to your IP reputation.
I didn't see any info related to my IP, so I posted it; sorry, my bad. :( Should I install LDM and perform a scan on the user's home folder? -Edit- Scan done, 0 occurrences.
Try checking your mail queue to see if additional spam messages still exist in the queue: WHM Home » Email » Mail Queue Manager. You can look at the message header and body to see if you can find out whether an actual username authenticated, or if it was sent from a script. The following document is useful if you want to prevent email abuse:
I've cleaned the queue, but there are more messages there now. And I can't see the message headers; sorry for my ignorance, but most of the mails are being discarded because they exceeded the max defers and failures per hour, and for the others that went through successfully I can only see the Delivery Event Details.
Try searching within the account for files that can send out email, or directories with insecure (0777) permissions. This may help you narrow down which file under the account is being used to send email. Thank you.
tail -f /var/log/exim_mainlog and watch; the abusing account should be painfully obvious if they are currently making a spam run.
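As an added example, not code from this thread or from cPanel, the script below does in one pass over /var/log/exim_mainlog what the awk one-liner earlier in the thread and the "did an actual username authenticate?" check from the Mail Queue Manager post do separately: it counts messages by the cwd= directory of scripts that invoked sendmail, counts SMTP submissions by the A=dovecot_login:<user> authenticated sender, and records the distinct client IPs each authenticated user submitted from. The log lines, addresses and IPs are constructed for the example, and the flagging thresholds are assumptions, not cPanel defaults.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of /var/log/exim_mainlog (not taken from the thread).
# Message-arrival lines ("<=") carry A=<mechanism>:<user> when SMTP auth was used and
# the client IP in [brackets]; a "cwd=" line precedes mail injected by a script
# through /usr/sbin/sendmail, and that injection has no A= field at all.
SAMPLE_LOG = """\
2024-01-06 02:10:01 1rLx0a-0001AB-Cd <= sales@example.net H=(WIN-PC) [203.0.113.10] P=esmtpa A=dovecot_login:sales@example.net S=2311 T="Cheap offers" for a@example.org
2024-01-06 02:10:02 1rLx0b-0001AC-De <= sales@example.net H=(WIN-PC) [198.51.100.22] P=esmtpa A=dovecot_login:sales@example.net S=2311 T="Cheap offers" for b@example.org
2024-01-06 02:10:03 1rLx0c-0001AD-Ef <= sales@example.net H=(mail-client) [192.0.2.77] P=esmtpa A=dovecot_login:sales@example.net S=2311 T="Cheap offers" for c@example.org
2024-01-06 02:10:04 1rLx0d-0001AE-Fg <= sales@example.net H=(WIN-PC) [203.0.113.10] P=esmtpa A=dovecot_login:sales@example.net S=2311 T="Cheap offers" for d@example.org
2024-01-06 02:11:00 1rLx0e-0001AF-Gh <= info@example.net H=(laptop) [203.0.113.55] P=esmtpa A=dovecot_login:info@example.net S=1020 T="Invoice" for e@example.org
2024-01-06 02:12:00 1rLx0f-0001AG-Hi cwd=/home/userx/public_html/old 4 args: /usr/sbin/sendmail -t -i -f nobody
2024-01-06 02:12:00 1rLx0f-0001AG-Hi <= nobody@server.example U=userx P=local S=870 T="Contact form" for f@example.org
"""

ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
CWD_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) cwd=(?P<cwd>\S+) ")
AUTH_RE = re.compile(r"\bA=(?P<mech>[^:\s]+):(?P<user>\S+)")
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")


def triage(lines):
    """Return (messages per script cwd under /home, messages per authenticated
    user, distinct client IPs per authenticated user) for the given log lines."""
    by_cwd = Counter()
    by_user = Counter()
    ips_per_user = defaultdict(set)
    for line in lines:
        m = CWD_RE.match(line)
        if m:
            # Same selection as the awk one-liner: only script injections under /home.
            if m.group("cwd").startswith("/home/"):
                by_cwd[m.group("cwd")] += 1
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        auth = AUTH_RE.search(m.group("rest"))
        if not auth:
            continue  # local injection or unauthenticated inbound mail: no user to blame
        user = auth.group("user")
        by_user[user] += 1
        ip = IP_RE.search(m.group("rest"))
        if ip:
            ips_per_user[user].add(ip.group("ip"))
    return by_cwd, by_user, ips_per_user


def suspicious_accounts(lines, min_messages=3, min_ips=2):
    """Authenticated senders with at least min_messages submissions from at
    least min_ips distinct client IPs. Thresholds are illustrative assumptions;
    a stolen mailbox password is typically used from several IPs at once."""
    _, by_user, ips_per_user = triage(lines)
    return sorted(u for u, n in by_user.items()
                  if n >= min_messages and len(ips_per_user[u]) >= min_ips)


if __name__ == "__main__":
    by_cwd, by_user, ips = triage(SAMPLE_LOG.splitlines())
    print("script senders (cwd):", dict(by_cwd))
    print("authenticated senders:", dict(by_user))
    for user, addrs in ips.items():
        print(f"  {user}: {len(addrs)} client IP(s) {sorted(addrs)}")
    print("flagged:", suspicious_accounts(SAMPLE_LOG.splitlines()))
```

On a live server, feed it the real file (`triage(open("/var/log/exim_mainlog"))`) or pipe `tail -f` into it. An account that shows up with a cwd= directory is a script problem on disk; one that shows up only as an authenticated user submitting from a rotating set of client IPs is a credential problem, and that distinction decides whether you go looking for a file or go resetting passwords.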
I'm kinda lost; can I post a portion of the log file here?
There's no need to review the log file if you already know which account is the culprit and there's no information about the path of the script. I suggest reviewing my previous post if you are attempting to determine the source of the email. Thank you.
You should probably hire a system administrator to look into it for you, as if your server is spewing out spam your provider is going to null-route your IP. I'm very surprised they have not already, as it looks like you have been relaying spam for over 24 hours now.
I've managed to fix the situation! ;) There was no script, just email accounts that were compromised (my customer shared the same password across all emails). Thank you very much for your time! :) ---------------------------- [Maybe not the right place to ask this, but since it is related to the same subject] Just one more question: can you guys point me to some way to increase my IP reputation, some docs, tips, advice? Everything seems OK by now, but I want to play safe.
I am happy to see the issue is now addressed. The following guide offers tips on how to keep your email out of the spam folder: How to Keep your Email out of the Spam Folder - cPanel Knowledge Base - cPanel Documentation. Thank you.