Email Spamming from my server
In my WHM server, there are so many spam emails going out. I can't find the exact reason why it is happening.
1. I have suspended the cPanel account in WHM.
2. Reduced the outgoing email limit to zero in the Modify an Account option.
3. Scanned the account using Virus Scanner; it shows zero viruses.
4. Scanned the account using the ConfigServer Exploit Scanner also. No threats were found in the cPanel account.
5. Even the account doesn't have any files in public_html.
6. It has only a few email accounts.
But still, the account is sending more spam from my server. Please help me resolve this issue.
Here is a sample header of the email for reference. I need a permanent solution to stop spam mail from my server.
One more request: how do I stop the injection of scripts on my server?
1cmhnL-001VSi-IT-H
mailnull 47 12
1489241695 0
-helo_name [192.168.x.xxx]
-host_address 78.135.xx.xx.54264
-host_auth dovecot_login
-interface_address 138.xxx.xxx.xxx.25
-received_protocol esmtpsa
-body_linecount 7
-max_received_linelength 76
-auth_id blahblah
-host_lookup_failed
-tls_cipher TLSv1:DHE-RSA-AES256-SHA:256
-tls_ourcert (certificate omitted)
XX
20
- Removed Email Addresses -
237P Received: from [78.135.xx.xx] (port=54264 helo=[192.168.x.xxx])
by servername.hostdomain.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.87)
(envelope-from )
id 1cmhnL-001VSi-IT; Sat, 11 Mar 2017 19:44:55 +0530
047 Content-Type: text/plain; charset="iso-8859-1"
018 MIME-Version: 1.0
044 Content-Transfer-Encoding: quoted-printable
039 Content-Description: Mail message body
028 Subject: Congratulation !!!
031T To: Recipients
020F From: info@mail.com
019C Cc: info@yahoo.com
038 Date: Sat, 11 Mar 2017 17:14:44 +0300
031R Reply-To: someusr@gmail.com
065 X-Antivirus: avast! (VPS 170310-1, 03/10/2017), Outbound message
-
Please check the sender verification and sender verification callout settings, and request an rDNS record. Since you have suspended the cPanel account, global settings apply, so verify those. You can also use a blacklist via Access List. Visit www.ixwebhosting.com/support/st_kb/mitigating-spam-on-cpanel-servers/
Hi,
Try to find out the mail script path using the command below.
tail -n 2000 /var/log/exim_mainlog | grep /home
The above command will show the mails which are sent using a PHP script.
Hello,
You may find the following document helpful:
How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation
Additionally, you can browse through the threads listed on the link below to see examples of how other users have addressed similar problems:
outgoingspam | cPanel Forums
Thanks!
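Added example (not part of the thread, and not cPanel or Exim code): the spool header in the question carries -host_auth dovecot_login, -auth_id and protocol esmtpsa, which means the message was accepted over authenticated SMTP from a remote address rather than generated by a script under /home. This sketch parses the "-name value" variables of Exim -H spool files and tallies queued messages by submission vector and identity; both sample headers and all values in them are constructed.

```python
from collections import Counter

# Constructed sample modelled on the -H file in the question (placeholder values).
SAMPLE_AUTH = """1cmhnL-001VSi-IT-H
mailnull 47 12
<info@example.com>
1489241695 0
-helo_name [192.168.0.10]
-host_address 203.0.113.7.54264
-host_auth dovecot_login
-received_protocol esmtpsa
-auth_id blahblah
-host_lookup_failed
XX
1
rcpt@example.net
"""

# Constructed sample of a message submitted locally (for example by a script).
SAMPLE_LOCAL = """1cmhnM-001VSj-AB-H
someuser 1001 1001
<someuser@host.example.com>
1489241700 0
-ident someuser
-received_protocol local
-local
XX
1
rcpt@example.net
"""

def parse_spool_vars(text):
    """Return the '-name value' variables that follow the fixed leading lines."""
    found, started = {}, False
    for line in text.splitlines()[1:]:        # line 0 is the message id
        if line.startswith("-") and len(line) > 1:
            started = True
            name, _, value = line.lstrip("-").partition(" ")
            found[name] = value
        elif started:                         # non-recipients tree ("XX") ends the block
            break
    return found

def classify(text):
    """Return (vector, identity, remote_ip) for one spool header."""
    v = parse_spool_vars(text)
    ip = v.get("host_address", "").rpartition(".")[0]   # value is "ip.port"
    if "host_auth" in v and "auth_id" in v:
        return ("smtp-auth", v["auth_id"], ip)           # mailbox credentials were used
    if "local" in v or v.get("received_protocol") == "local":
        return ("local-submission", v.get("ident", "?"), "")
    return ("unauthenticated-smtp", "", ip)

def tally(headers):
    """Count queued messages per (vector, identity)."""
    return Counter(classify(h)[:2] for h in headers)
```

A tally dominated by one smtp-auth identity points at that mailbox's password being used from outside, which file scans of the account's home directory will not detect.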