Strange emails sent from localhost
I don't know how to fix this. The emails don't come from an IP; they seem to come from localhost?!
This is so strange. I have also attached a screenshot so you can check this:
2016-10-12 19:47:35 SMTP connection from [144.76.xx.xx]:45606 (TCP/IP connection count = 3)
2016-10-12 19:47:35 SMTP connection identification H=localhost A=144.76.xx.xx P=45606 U=example ID=919 S=example B=identify_local_connection
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:35042 sender verify fail for : No Such User Here
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:35042 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F= rejected RCPT : Sender verify failed
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:45606 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F= rejected RCPT : Sender verify failed
2016-10-12 19:47:35 H=atlas.tsweb.name (example.gr) [144.76.xx.xx]:45606 sender verify fail for : No Such User Here
Hello, there's a thread here where this topic is discussed: "Outgoing Email Abuse from localhost". Let us know if this helps. Thank you.
Hello, Mod_Ruid2 isn't required, but it does help with tracking down the source of SPAM. You can find documentation on Mod_Ruid2 at: "Apache Module: ModRuid2 - EasyApache - cPanel Documentation". Additionally, this document lists some additional options you can enable: "How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation". Let us know if you have any additional questions. Thanks!
So I need to switch to mod_ruid2 to track down those emails... I am currently on suPHP. Is it safe for me to go to mod_ruid2? This is a production server.
If you have suPHP you should automatically be able to track the abusive / compromised user.
2016-10-12 19:47:35 SMTP connection identification H=localhost A=144.76.xx.xx P=45606 U=example ID=919 S=example B=identify_local_connection
The U=example is the user you want to check.
The emails are being authenticated with a username and password. In my case it was a cPanel username and password. Mails were going out from a script which was in a WordPress plugin folder. To find out which user was being used to authenticate the mails, after you install mod_ruid2 grep the logs again. I think what cPanel really needs to highlight in the Tweak Settings option explanation is that "The tweak setting 'Prevent "nobody" from sending mail' is a restriction that only applies to emails sent with /usr/sbin/sendmail and does not restrict emails sent as SMTP through a local TCP port." If you still can't find out, open a support ticket with cPanel and do post back here if you bump into something interesting.
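Added example (not from the thread or from cPanel): a small Python parser for Exim mainlog lines in the shape quoted above. It counts identified localhost connections per U= user and ties each "Sender verify failed" rejection back to that user by matching the A=/P= socket pair of the identification line against the [ip]:port of the rejection line. Hostnames, addresses and usernames in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Exim mainlog lines quoted in this thread.
# Hosts, addresses and usernames are made up for the example.
SAMPLE_LOG = """\
2016-10-12 19:47:35 SMTP connection from [192.0.2.10]:45606 (TCP/IP connection count = 3)
2016-10-12 19:47:35 SMTP connection identification H=localhost A=192.0.2.10 P=45606 U=example ID=919 S=example B=identify_local_connection
2016-10-12 19:47:35 H=mail.example.invalid (example.gr) [192.0.2.10]:45606 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F=<> rejected RCPT <bob@example.gr>: Sender verify failed
2016-10-12 19:47:36 H=mail.example.invalid (example.gr) [192.0.2.10]:35042 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F=<> rejected RCPT <bob@example.gr>: Sender verify failed
2016-10-12 19:48:02 SMTP connection identification H=localhost A=192.0.2.10 P=51000 U=example ID=920 S=example B=identify_local_connection
2016-10-12 19:48:03 H=mail.example.invalid (example.gr) [192.0.2.10]:51000 X=TLSv1:ECDHE-RSA-AES128-SHA:128 CV=no F=<> rejected RCPT <carol@example.gr>: Sender verify failed
2016-10-12 19:50:10 SMTP connection identification H=localhost A=192.0.2.10 P=40022 U=shopuser ID=921 S=shopuser B=identify_local_connection
"""

IDENT_RE = re.compile(r"^\S+ \S+ SMTP connection identification (?P<kv>.+)$")
REJECT_RE = re.compile(r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+) .*rejected RCPT .*Sender verify failed")

def parse_identification(line):
    """Split an 'SMTP connection identification' line into its KEY=value fields, or return None."""
    m = IDENT_RE.match(line.strip())
    if not m:
        return None
    return dict(kv.split("=", 1) for kv in m.group("kv").split())

def local_connections_by_user(log_text):
    """Count identified local-socket SMTP connections per U= (the account that opened the socket)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_identification(line)
        if rec and rec.get("H") == "localhost":
            counts[rec["U"]] += 1
    return counts

def verify_failures_by_user(log_text):
    """Attribute 'Sender verify failed' rejections to the local user by joining on the (A=, P=) socket pair."""
    socket_owner = {}
    for line in log_text.splitlines():
        rec = parse_identification(line)
        if rec and "A" in rec and "P" in rec:
            socket_owner[(rec["A"], rec["P"])] = rec["U"]
    failures = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            # A rejection whose socket never had an identification line is kept visible, not dropped.
            failures[socket_owner.get((m["ip"], m["port"]), "<unattributed>")] += 1
    return failures
```

Run it over a real /var/log/exim_mainlog instead of SAMPLE_LOG; the user with the most attributed failures is the account whose scripts to inspect.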