Spam sent through ::1
I have a problem with spam going out through the IP ::1 that I seem unable to stop. If I restart Exim it seems to stop for about 24 hours, but then it resumes again...
The emails sent out are all info@ for all customer accounts in cPanel.
Has anyone else had this issue and can advise on how to solve it?
Here is an example header:
Received: from [::1] (port=56621 helo=********.com)
by ************ with esmtp (Exim 4.87)
(envelope-from )
id 1cRHfS-002ZnK-Op
for *****@msn.com; Wed, 11 Jan 2017 13:06:15 +0100
Date: Wed, 11 Jan 2017 12:06:14 +0000 (UTC)
From: info@******.com
To: *****@msn.com
Message-ID: <191071212.39277147.1484136374237@******.com>
Subject: Fw: Hey.
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_39277146_630495959.1484136374237"
Hello, I recommend enabling the following option in "WHM >> Exim Configuration Manager":

Experimental: Rewrite From: header to match actual sender

This will help you to determine the source of the sender for these types of messages. More information about this option is available at: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

Thank you.
Thank you Michael, I have activated that and will see if that adds some more information :)
I got this output:

etc/exim_outgoing.conf -Mc 1cS73K-002NtY-Px
2017-01-13 19:58:32 1cS73K-002NtY-Px SMTP connection identification H= A=::1 P=57453 M=1cS73K-002NtY-Px U=masked client id ID=554 S=masked client id B=authenticated_local_user
2017-01-13 19:58:32 1cS73K-002NtY-Px SMTP connection identification H= A=::1 P=57453 M=1cS73K-002NtY-Px U=masked client id ID=554 S=masked client id B=authenticated_local_user
2017-01-13 19:58:32 1cS73K-002NtY-Px From: header (rewritten was: [info@domain.com], actual sender is not the same system user) original=[info@domain.com] actual_sender=[masked client id@hostname.tld]

So somehow the client ID seems to be able to send out emails from within the server and spoof other clients' info@ mail?
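The two log lines above carry everything needed to pin the activity to a system account: the "SMTP connection identification" line records the submitting address (A=::1, i.e. loopback), the authenticated user (U=) and the mechanism (B=authenticated_local_user), and the "From: header (rewritten ...)" line records which info@ address the message claimed to come from. The following script is an added example, not code from the thread or from cPanel; it correlates the two line types by Exim message id and groups locally submitted, From-rewritten messages by the system user that actually sent them, which is the account whose password and uploaded scripts then need checking. The sample log lines are constructed to match the format shown in the post; the usernames, hostnames, ids and addresses in them are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the cPanel/Exim mainlog excerpt in
# the post above. Users, hosts, ids and addresses are placeholders, not real data.
SAMPLE_LOG = """\
2017-01-13 19:58:32 1cS73K-002NtY-Px SMTP connection identification H= A=::1 P=57453 M=1cS73K-002NtY-Px U=acctuser ID=554 S=acctuser B=authenticated_local_user
2017-01-13 19:58:32 1cS73K-002NtY-Px From: header (rewritten was: [info@example.com], actual sender is not the same system user) original=[info@example.com] actual_sender=[acctuser@host.example.tld]
2017-01-13 19:58:40 1cS73T-002NuA-Qz SMTP connection identification H= A=::1 P=57460 M=1cS73T-002NuA-Qz U=acctuser ID=554 S=acctuser B=authenticated_local_user
2017-01-13 19:58:40 1cS73T-002NuA-Qz From: header (rewritten was: [info@another.example], actual sender is not the same system user) original=[info@another.example] actual_sender=[acctuser@host.example.tld]
2017-01-13 20:01:02 1cS75g-002Nv9-Ab SMTP connection identification H=mail.example.net A=203.0.113.10 P=44121 M=1cS75g-002Nv9-Ab U=otheruser ID=1001 S=otheruser B=authenticated_local_user
"""

# "SMTP connection identification" line: H= may be empty for loopback submissions.
CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) SMTP connection identification "
    r"H=(?P<host>\S*) A=(?P<addr>\S+) P=(?P<port>\d+) M=\S+ "
    r"U=(?P<user>\S+) ID=\d+ S=\S+ B=(?P<mech>\S+)$"
)

# "From: header (rewritten ...)" line written when the rewrite option is enabled.
REWRITE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) From: header \(rewritten was: \[(?P<orig>[^\]]+)\].*\) "
    r"original=\[[^\]]+\] actual_sender=\[(?P<actual>[^\]]+)\]$"
)

LOOPBACK = {"::1", "127.0.0.1"}


def parse_exim_log(text):
    """Correlate connection-identification and From-rewrite lines by message id.

    Returns {message_id: {ts, addr, user, mech, from_header, actual_sender}};
    keys are present only when the corresponding line was seen.
    """
    msgs = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            rec = msgs.setdefault(m["id"], {})
            rec.update(ts=m["ts"], addr=m["addr"], user=m["user"], mech=m["mech"])
            continue
        m = REWRITE_RE.match(line)
        if m:
            rec = msgs.setdefault(m["id"], {})
            rec.update(from_header=m["orig"], actual_sender=m["actual"])
    return msgs


def local_spoof_report(msgs):
    """Group messages submitted from loopback whose From: header was rewritten,
    keyed by the authenticated system user that actually sent them."""
    by_user = defaultdict(lambda: {"count": 0, "from_addresses": set(), "ids": []})
    for mid, rec in msgs.items():
        if rec.get("addr") in LOOPBACK and "from_header" in rec:
            entry = by_user[rec["user"]]
            entry["count"] += 1
            entry["from_addresses"].add(rec["from_header"])
            entry["ids"].append(mid)
    return dict(by_user)


if __name__ == "__main__":
    report = local_spoof_report(parse_exim_log(SAMPLE_LOG))
    for user, entry in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{user}: {entry['count']} message(s) from loopback, "
              f"spoofed From: {sorted(entry['from_addresses'])}")
```

To run it against a live server, replace SAMPLE_LOG with the contents of the Exim main log (on cPanel hosts normally /var/log/exim_mainlog); the report lists each system user behind the loopback submissions and the info@ addresses they claimed, which is the account to investigate for a leaked password or a mail-sending script.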
You should reach out to the contact of the account that sent the email and consider changing the password for that account. Also, ensure there are no scripts uploaded to that account with the ability to send email. Thank you.