Relay Problem / Spam
Hello, I am having trouble with one of my domains. Exim is getting connections from different IP addresses, and one domain is sending lots of spam mail.
Here are the track delivery logs from this domain.
I don't understand how this is possible. Exim does not accept open relay connections, and yet this guy sends lots of mail from my domain using different mail addresses. I changed this user's password 3 times but the spam keeps coming. I scanned the web folders for any harmful script but found nothing. Any solution?
Event:failure
User: domainuser
Domain: mydomain.com
Sender: play@example.org //spammer address
Sent Time: Nov 24, 2016 3:32:15 PM
Sender Host: ip70-170-53-xxx.lv.lv.cox.net
Sender IP: 70.170.53.xxx //spammer ip (there is lots of different ip addresses)
Authentication: dovecot_login
Spam Score: 0
Recipient: someusr@domain.com
Delivery User:
Delivery Domain:
Delivered To:
Router: enforce_mail_permissions
Transport: remote_smtp
Out Time: Nov 24, 2016 3:32:15 PM
ID: 1c9tCD-00064r-KH
Delivery Host:
Delivery IP:
Size: 30.77 KB
Result: Domain mydomain.com has exceeded the max emails per hour (125/100 (125%)) allowed. Message discarded.
Here is another track delivery log, this time with success:
Event: success
User: domainuser
Domain: mydomain.com
Sender: play@domain.org
Sent Time: Nov 24, 2016 3:09:15 PM
Sender Host: 170-231-226-19.static.example.com.br
Sender IP: 170.231.xxx.x
Authentication: dovecot_login
Spam Score: 0
Recipient: someusr@domain.pl
Delivery User: -system-
Delivery Domain:
Delivered To: >play24@example.org
Router: check_mail_permissions
Transport: address_reply
Out Time: Nov 24, 2016 3:09:15 PM
ID: 1c9sqS-0005ku-9f
Delivery Host: localhost
Delivery IP: 127.0.0.1
Size: 30.92 KB
Result: Accepted
How is this possible? The guy sends mail from my mail server with a different domain's address.
I changed this user's password 3 times but the spam keeps coming.
Hello, have you changed both the email account password and the password of the cPanel account username? Thank you.
Yeah, I changed the domain's main user password and the mail users' passwords. In the end I found the problem: one of the mail users' computers was infected with a kind of crypto virus, and after the password was entered in the Outlook client the spam started again. Here is part of exim_mainlog:
2016-11-28 15:16:11 1cBKqw-0006To-UL <= noreply@example.it H=(8.27.123.27) [8.27.123.27]:53040 P=esmtpa A=dovecot_login:user@mydomain.com S=5311 id=0FF5B4AD86527CCF13165FEBEFC267FD@sda.it T="si dispone di una spedizione" for stefano@domain.com
2016-11-28 15:16:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cBKqw-0006To-UL
2016-11-28 15:16:11 1cBKqw-0006To-UL ** stefano@domain.com R=enforce_mail_permissions: Domain mydomain.com has exceeded the max defers and failures per hour (25/25 (27%)) allowed. Message discarded.
In this situation the attacker obtained my mail user's password, authenticated to the mail server with those credentials, and then started spamming with a different mail address as the sender. How can I block this? Sending mail as a different sender while authenticated as user@mydomain.com.
Hello, in cases where authentication is obtained from an end user through a virus/trojan, you'd want to rely on the settings on the system to prevent email abuse. You can find them documented at: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation; How to Prevent Spam with Mail Limiting Features - cPanel Knowledge Base - cPanel Documentation. You may also want to use a firewall management application such as CSF, which includes an email relay tracking feature that you can configure to notify you when accounts send a set number of emails: ConfigServer Security & Firewall (csf). Thank you.
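As an added example, not from the thread or from cPanel's or CSF's own code: the exim_mainlog lines posted above already contain everything needed to spot this kind of compromise. Each arrival line (`<=`) carries the envelope sender, the client IP in `[...]`, the protocol (`P=esmtpa` means SMTP AUTH was used) and the authenticated account in `A=dovecot_login:user`. The script below parses such lines and, per authenticated account, counts how many distinct IPs it logged in from and how many submissions used an envelope sender outside the account's own domain. The log lines embedded in it are constructed to mimic the posted format; the IP threshold and the report fields are this example's own choices, not an Exim or cPanel feature.

```python
"""Flag SMTP-AUTH accounts in an Exim main log that look compromised.

Added example, not code from the thread. Assumes cPanel-style exim_mainlog
arrival lines such as:
  <ts> <id> <= sender H=... [ip]:port P=esmtpa A=dovecot_login:user S=...
"""
import re
from collections import defaultdict

# Arrival ("<=") line. The A= group is optional so that unauthenticated
# inbound mail still parses, with auth set to None.
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) '
    r'H=.*?\[(?P<ip>[^\]]+)\](?::\d+)? P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?'
)

# Constructed sample log: one account abused from four IPs with foreign
# envelope senders, one legitimate account, one unauthenticated inbound
# message and one non-arrival line that must be ignored.
SAMPLE_LOG = """
2016-11-28 15:16:11 1cBKqw-0006To-UL <= noreply@example.it H=(8.27.123.27) [8.27.123.27]:53040 P=esmtpa A=dovecot_login:user@mydomain.com S=5311 for stefano@domain.com
2016-11-28 15:16:11 1cBKqw-0006To-UL ** stefano@domain.com R=enforce_mail_permissions: Domain mydomain.com has exceeded the max defers and failures per hour (25/25 (27%)) allowed. Message discarded.
2016-11-28 15:17:02 1cBKrm-0006Ua-Q1 <= play@example.org H=(70.170.53.10) [70.170.53.10]:51002 P=esmtpa A=dovecot_login:user@mydomain.com S=31500 for someusr@domain.com
2016-11-28 15:17:40 1cBKsO-0006Vb-2c <= play@example.org H=170-231-226-19.static.example.com.br [170.231.226.19]:44120 P=esmtpa A=dovecot_login:user@mydomain.com S=31600 for someusr@domain.pl
2016-11-28 15:18:05 1cBKsn-0006Wc-7d <= bounce@example.com.br H=(203.0.113.5) [203.0.113.5]:60011 P=esmtpa A=dovecot_login:User@MyDomain.com S=31000 for victim@example.net
2016-11-28 15:20:00 1cBKud-0006Xd-8e <= alice@mydomain.com H=(laptop) [198.51.100.7]:50210 P=esmtpa A=dovecot_login:alice@mydomain.com S=2100 for bob@example.com
2016-11-28 15:21:30 1cBKw7-0006Ye-9f <= someone@example.net H=mail.example.net [192.0.2.9]:4321 P=esmtp S=4200 for alice@mydomain.com
""".strip().splitlines()


def parse_arrival(line):
    """Return a dict for an arrival line, or None for any other log line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['sender'] = rec['sender'].lower()
    if rec['auth']:
        mech, _, user = rec['auth'].partition(':')
        rec['auth_mech'], rec['auth_user'] = mech, user.lower()
    else:
        rec['auth_mech'] = rec['auth_user'] = None
    return rec


def domain_of(addr):
    """Domain part of an address; the whole string if it has no '@'."""
    return addr.rpartition('@')[2]


def analyze(lines, ip_threshold=3):
    """Per authenticated account: message count, distinct IPs, foreign senders.

    An account is flagged when any submission used an envelope sender outside
    the account's own domain (the spoofing seen in the thread) or when it
    authenticated from at least ip_threshold distinct IPs (a stolen password
    in use from a botnet). Unauthenticated inbound mail is not counted.
    """
    stats = defaultdict(lambda: {'messages': 0, 'ips': set(), 'foreign': 0})
    for line in lines:
        rec = parse_arrival(line)
        if not rec or not rec['auth_user']:
            continue
        s = stats[rec['auth_user']]
        s['messages'] += 1
        s['ips'].add(rec['ip'])
        if domain_of(rec['sender']) != domain_of(rec['auth_user']):
            s['foreign'] += 1
    return {
        user: {
            'messages': s['messages'],
            'distinct_ips': len(s['ips']),
            'foreign_senders': s['foreign'],
            'flagged': s['foreign'] > 0 or len(s['ips']) >= ip_threshold,
        }
        for user, s in stats.items()
    }


if __name__ == '__main__':
    # Run against a real log with: python3 this.py < /var/log/exim_mainlog
    import sys
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for user, r in sorted(analyze(source).items()):
        print(('FLAG ' if r['flagged'] else '     ') + user, r)
```

Run it without input and it reports on the embedded sample; pipe in a real exim_mainlog to scan your own server. The account from the thread is flagged on both counts, while the legitimate user and the unauthenticated inbound message are not. Once an account shows up, the useful next steps are the ones the thread already arrived at: change the password, clear the infected client before it is re-entered, and lower the per-hour limits so that the rate limiter trips after far fewer than 100 messages.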