How to ensure Exim is only script sending out mail

mikefromnz

• February 18, 2017 14:48

Hi guys, Any suggestions on which logs I can check, or maybe some kind of SSH command that can tell me for sure that Exim is the only one sending out mail on the server? We got listed in Spamhaus CSS list, requested removal and they removed us, within hours they listed us again, even though our mail server had literally sent only a handful of emails. The emails were notification type emails received by our server, not marked as SPAM from well regarded, large websites, these were then forwarded to a Gmail address via our server which also did not mark them as SPAM. No other mails were sent according to the cPanel WHM "Mail Delivery Reports". I have ClamAV, CHKRootkit and others installed and running, no problems found, have already done Exim hardening including not allowing "nobody" to send out mails etc. As far as I can see setting wise, the only way emails can send is if Exim handles them. Getting very hard to solve the issue, as now Spamhaus will not remove us, nor tell us why its listed. So unless someone is fraudulently reporting us, or spoofing our IP, we shouldn't be listed. Bit of backstory: We first got listed because a customer of ours who just signed up, sent about 100 emails to his contacts telling them of his new email address, many bounced due to them being old records. I assume due to our server being relatively new with no reputation, this triggered Spamhaus easier than if we already had a good rep.

• 

  NOC_Serverpoint

  • February 19, 2017 07:07

  Hi, It's seems the mail sending from account using php mail script. I think there is infected file under the account which is sending mails. Please try running the following command: grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n Following command that will show you the script which is using script to send the email. If it is from php then use # egrep -R "X-PHP-Script" /var/spool/exim/input/* Also please check the below article: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

  0
• 

  Jcats

  • February 20, 2017 03:16

  Check out this thread as well, it may be of some use to you. Spam emails being sent from cPanel account

  0
• 

  sktest123

  • February 20, 2017 09:33

  guess SMTP restrictions at whm is a nice option

  0
• 

  cPanelMichael

  • February 20, 2017 18:47

  Hello, In addition to the previous posts, you may also find this document helpful (referenced earlier in this thread) for preventing email abuse in the future:

  0
• 

  mikefromnz

  • February 26, 2017 03:40

  Thanks all, logs all checked out OK and SMTP is forced to send out from Exim no matter what the source via our CFS firewall. Seems it was some SPF record issues that caused the problem with Spamhaus, all sorted now. Cheers for the help

  0
• 

  cPanelMichael

  • February 27, 2017 15:25

  Seems it was some SPF record issues that caused the problem with Spamhaus, all sorted now. Cheers for the help

  
  I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.

  0

Please sign in to leave a comment.