Match local SMTP connection to proper log file/entry?
Hello,
i wanted to ask if following log entry in exim_mainlog is the reswult of someone accessed a .php file
2017-01-03 17:20:40 SMTP connection from [::1]:48527 (TCP/IP connection count = 1)
2017-01-03 17:20:41 SMTP connection identification H=localhost A=::1 P=48527 U=example ID=553 S=example B=identify_local_connection
or is it that someone know my mail account password and using SMTP? Or means something else? because i am unable to find any suspicious entries in apache access logs around that date and time: cat /home/example/access-logs/*|grep "03/Jan/2017:17:20" grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n|grep example
is not helpful this time My aim is to stop these connections, find bad script or hole that is abused to initiate these connections.
or is it that someone know my mail account password and using SMTP? Or means something else? because i am unable to find any suspicious entries in apache access logs around that date and time: cat /home/example/access-logs/*|grep "03/Jan/2017:17:20" grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n|grep example
is not helpful this time My aim is to stop these connections, find bad script or hole that is abused to initiate these connections.
-
Hello, someone is sending spam out of one of the cPanel accounts and the sender e-mail is set to e-mail address of a domain that is hosted on different cpanel account (same server). I would like to prevent mail server to process e-mails where the claimed sender e-mail address has domain not hosted on the cpanel account from which mail is sent. How to achieve this? Thank You 0 -
i wanted to ask if following log entry in exim_mainlog is the reswult of someone accessed a .php file H=localhost
Hello, This means the email originates on the cPanel server, however it doesn't have to be from a PHP script. Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication. To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM's How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation Thank you.0 -
Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication.
Even if that user does not know the cpanel password? Because i resetted that cpanel password several times and used quite long, random characters (alphanumeric) password, and this SPAM issue happen. So i assume it is because of a PHP script? But as i mentioned in my initial post, i do not see any accesses around that time in access logs..To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM's EXPERIMENTAL: Rewrite From: header to match actual sender [?] If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.
0 -
Hello, Feel free to open a support ticket using the link in my signature if you'd like us to access the affected system to take a closer look. You can post the ticket number here and we will update this thread with the outcome. Thank you. 0
Please sign in to leave a comment.
Comments
4 comments