Email Account Is Not Valid, Yet sending mail Out
I have a domain that has minimal email accounts on it. Yet when I check the mail delivery reports on the server I see email accounts that are sending out emails. I have locked down the SMTP, and the nobody from send mail. Yet when you look at the attached image there is a user sending out email. How are they getting by the configuration in Exim?
Sender Host: Local Host
Sender IP : 127.0.0.1
Authentication : local user35281
I have locked down the SMTP, and the nobody from send mail
Hello :) Could you elaborate on the specific steps you have taken to disable email for the account? Thank you.
When you look into the site email folder, it is not there. When you look in the cPanel area, it is not there. See images.
It's possible a script is uploaded to the account with the ability to send out email using any sender address. Try searching the account for files with the ability to send out email, or use the following command to see if you notice any scripts sending out large amounts of email:
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
Thank you.
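The log triage suggested in the reply above, as an added example that is not part of the original thread: it runs the thread's awk command over constructed Exim main log lines and, going one step beyond it, counts locally submitted messages per system user. The helper names, sample users, paths, IPs and message IDs are made up; `U=` and `P=local` are standard fields of Exim arrival (`<=`) lines.

```bash
#!/usr/bin/env bash
# Added example: every user, path, IP and message ID below is a constructed sample.

write_sample_log() {   # hypothetical helper: writes constructed exim_mainlog lines to $1
  cat > "$1" <<'EOF'
2016-03-18 12:01:05 cwd=/home/exampleuser/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2016-03-18 12:01:05 1aAAAA-000001-AA <= exampleuser@host.example.com U=exampleuser P=local S=812
2016-03-18 12:01:06 cwd=/home/exampleuser/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2016-03-18 12:01:06 1aAAAA-000002-AA <= exampleuser@host.example.com U=exampleuser P=local S=815
2016-03-18 12:01:07 cwd=/home/exampleuser/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2016-03-18 12:01:07 1aAAAA-000003-AA <= exampleuser@host.example.com U=exampleuser P=local S=809
2016-03-18 12:02:10 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2016-03-18 12:02:10 1aAAAA-000004-AA <= otheruser@host.example.com U=otheruser P=local S=640
2016-03-18 12:03:00 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2016-03-18 12:04:00 1aAAAA-000005-AA <= info@example.com H=(client.example.net) [192.0.2.10]:51234 P=esmtpa A=dovecot_login:info@example.com S=1500
EOF
}

# The command from the thread, with the log path as a parameter:
# counts mail submissions per working directory under /home.
count_by_cwd() {
  awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' "$1" | sort | uniq -c | sort -nk 1
}

# Added here: count locally submitted (non-SMTP) messages per system user,
# using arrival lines marked P=local and the user name from the U= field.
count_local_by_user() {
  awk '$4 == "<=" && / P=local/ {
         for (i = 5; i <= NF; i++) if ($i ~ /^U=/) print substr($i, 3)
       }' "$1" | sort | uniq -c | sort -nk 1
}

log=$(mktemp)
write_sample_log "$log"
echo "Submissions per directory:";          count_by_cwd "$log"
echo "Local (non-SMTP) messages per user:"; count_local_by_user "$log"
rm -f "$log"
```

The busiest directory is the place to look for the sending script, and the per-user count ties the local submissions to an account even when the sender address matches no mailbox.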
Thanks for that information. I ran this command:
grep 1agwpj-0006cZ-1I /var/log/exim_mainlog
to see what the specific email was in the mainlog. Then I get back the following, which makes no sense. If it is NOT smtp, why is it allowed to go out?
2016-03-18 12:01:08 1agwpj-0006cZ-1I U=dubocom Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as NOT spam (0.8)"
- Removed -
Please remove any actual emails, IPs or domain names from any output you post.
Could you use the "exigrep" command instead of the "grep" command when searching specific message IDs? This will ensure all aspects of the message delivery are provided in the output. Thank you.