Auth Relay Spam
Hi Guys,
I've read through various other posts which are similar to this, but I can't seem to put my finger on what is causing it. One of my accounts randomly started sending out emails from all over the world. I don't believe the account has been compromised, though, not only because I can't find any suspicious logins in the event log but also because there is nothing on the account, just email accounts. No files which could be hosting PHP mailers or anything.
I have checked WHM's "Most Relayed Emails" area and found that this account has already sent out 900+ emails in a matter of minutes, but I can't seem to stop it without suspending the email account itself. How is this happening?
Mail Control Data:
mailnull 47 12
1492519511 0
-helo_name [127.0.0.1]
-host_address 190.24.207.54.50212
-host_name static-190-24-207-54.static.etb.net.co
-host_auth dovecot_plain
-interface_address "ServerIP".587
-received_protocol esmtpa
-aclc _outgoing_spam_scan 1
1
-body_linecount 2
-max_received_linelength 67
-auth_id something@someone.com
-deliver_firsttime
-spam_bar +++
-spam_score 3.5
-spam_score_int 35
XX
12
jg65807@aol.com
charvell51@aol.com
mmullenlaw42@aol.com
penfieldbuilders@aol.com
pimmsno1@aol.com
jg65807@aol.com
mikjul69@aol.com
ljr282@aol.com
penfieldbuilders@aol.com
tlgilmore2@aol.com
jtrwsmset@aol.com
kspurlin63@aol.com
Date:
Tue, 18 Apr 2017 14:45:09 +0200
From:
something@someone.com
To:
jg65807@aol.com
Subject:
The video card also known as the?
Cc:
charvell51@aol.com, mmullenlaw42@aol.com
Content-Transfer-Encoding:
quoted-printable
Content-Type:
text/plain; charset=UTF-8
Message-Id:
Mime-Version:
1.0 (1.0)
Received:
from static-190-24-207-54.static.etb.net.co ([190.24.207.54]:50212 helo=[127.0.0.1])
by theservername.com with esmtpa (Exim 4.88)
(envelope-from )
id 1d0SVL-0003jp-SI; Tue, 18 Apr 2017 22:45:16 +1000
X-Mailer:
iPad Mail (13E238)
X-OutGoing-Spam-Status:
No, score=3.5-
I have checked WHM's "Most Relayed Emails" area and found that this account has already sent out 900+ emails in a matter of minutes, but I can't seem to stop it without suspending the email account itself.
Hello,
Have you tried changing the password of the cPanel account, and of any email addresses added under the account? If not, try that and let us know if the issue persists. Additionally, browse to "WHM Home » Security Center » SMTP Restrictions" and verify whether this option is enabled. As for the messages, you should also try searching /var/log/exim_mainlog for some of the CC'd email addresses to see how the message is processed, e.g.:
exigrep user@remote-domain /var/log/exim_mainlog
Thank you.
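The exigrep command above answers the question for one address at a time. The script below is an added example (not cPanel's or Exim's own code, and not from the original thread) that does the same triage over a whole exim_mainlog: it parses the "<=" arrival records, keeps only authenticated submissions (P=esmtpa/esmtpsa with an A= field), and reports, per authenticated user, how many messages were submitted, from how many distinct source IPs, to how many recipients, and the largest burst inside any 60-second window. One mailbox credential submitting from several unrelated IPs in a burst is exactly the pattern behind the "Most Relayed Emails" spike in this thread. The sample log is constructed (its first line is modelled on the spool header posted above; the other IPs are RFC 5737 documentation addresses), and the thresholds in flag_abuse are assumed values to tune for your server.

```python
"""Scan Exim main-log "<=" records for authenticated-relay abuse (added example)."""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in the shape of Exim "<=" records on a cPanel host. The first
# line mirrors the thread's spool header (auth_id, source host, message id); the
# remaining lines are made up and use RFC 5737 documentation IPs, not real hosts.
SAMPLE_MAINLOG = """\
2017-04-18 22:45:16 1d0SVL-0003jp-SI <= something@someone.com H=static-190-24-207-54.static.etb.net.co ([127.0.0.1]) [190.24.207.54]:50212 P=esmtpa A=dovecot_plain:something@someone.com S=1322 id=EXAMPLE-ID-1@example.invalid T="The video card also known as the?" for jg65807@aol.com charvell51@aol.com mmullenlaw42@aol.com
2017-04-18 22:45:19 1d0SVO-0003k1-AB <= something@someone.com H=(localhost) [198.51.100.7]:41022 P=esmtpa A=dovecot_plain:something@someone.com S=1301 T="The video card also known as the?" for penfieldbuilders@aol.com pimmsno1@aol.com
2017-04-18 22:45:23 1d0SVS-0003k9-CD <= something@someone.com H=(localhost) [203.0.113.21]:50111 P=esmtpa A=dovecot_plain:something@someone.com S=1298 T="The video card also known as the?" for mikjul69@aol.com ljr282@aol.com
2017-04-18 22:46:02 1d0SW5-0003kQ-EF <= alice@example.com H=mail.example.com [192.0.2.10]:25 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=4120 T="Re: invoice" for bob@example.net
2017-04-18 22:46:40 1d0SWh-0003kr-GH <= carol@someone.com H=(office-pc) [192.0.2.44]:58213 P=esmtpa A=dovecot_login:carol@someone.com S=2210 T="lunch?" for dave@example.net
"""

# Arrival record: timestamp, message id, "<=", sender, H=host [ip]:port, P=protocol,
# optional A=authenticator:auth_id, then "for" followed by the recipient list.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.*?) \[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)? "
    r"P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?.*? for (?P<rcpts>.+)$"
)
AUTH_PROTOS = {"esmtpa", "esmtpsa"}  # SMTP AUTH submissions, plain and TLS


class UserStats:
    """Per-auth_id counters collected from the arrival records."""

    def __init__(self) -> None:
        self.messages = 0
        self.ips: set = set()
        self.recipients: set = set()
        self.times: List[datetime] = []

    def burst_60s(self) -> int:
        """Largest number of submissions inside any 60-second sliding window."""
        times = sorted(self.times)
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=60):
                start += 1
            best = max(best, end - start + 1)
        return best


def parse_arrivals(log_text: str) -> Dict[str, UserStats]:
    """Aggregate authenticated "<=" records by the account that authenticated."""
    stats: Dict[str, UserStats] = defaultdict(UserStats)
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m or m.group("proto") not in AUTH_PROTOS or not m.group("auth"):
            continue  # delivery/bounce line, or an unauthenticated inbound message
        _authenticator, _, user = m.group("auth").partition(":")
        s = stats[user]
        s.messages += 1
        s.ips.add(m.group("ip"))
        s.recipients.update(m.group("rcpts").split())
        s.times.append(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"))
    return dict(stats)


def flag_abuse(stats: Dict[str, UserStats], max_ips: int = 2, max_burst: int = 3) -> List[str]:
    """Accounts submitting from more than max_ips sources or in bursts of max_burst+ per minute.
    Threshold defaults are assumed values; tune them to the server's normal traffic."""
    return sorted(u for u, s in stats.items()
                  if len(s.ips) > max_ips or s.burst_60s() >= max_burst)


def main(argv: List[str]) -> None:
    if len(argv) > 1:  # e.g. python3 relay_scan.py /var/log/exim_mainlog
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAINLOG
    stats = parse_arrivals(text)
    flagged = set(flag_abuse(stats))
    for user, s in sorted(stats.items(), key=lambda kv: -kv[1].messages):
        mark = "SUSPECT" if user in flagged else "ok"
        print(f"{mark:7} {user:28} msgs={s.messages:<4} ips={len(s.ips):<3} "
              f"rcpts={len(s.recipients):<4} burst60s={s.burst_60s()}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real log with the path as the first argument; with no argument it runs over the constructed sample and marks something@someone.com as SUSPECT (three source IPs and three submissions in seven seconds) while carol@someone.com is reported as ok. Unauthenticated inbound mail (P=esmtps with no A= field) is ignored on purpose, since the question here is which credential is being used to relay, not who is sending to the server.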
After changing my password it seemed to have stopped. My password is quite secure and I highly doubt that it could've been brute-forced. Does this mean the password was compromised, or did they get in via some other method? Thanks!
After changing my password it seemed to have stopped. My password is quite secure and I highly doubt that it could've been brute-forced. Does this mean the password was compromised, or did they get in via some other method?
If changing the password resolved the issue, then it suggests the password may have been compromised (sometimes through exploits on a local workstation used to access the server). I recommend monitoring the situation to see whether the activity resumes, or whether changing the password corrected the problem. Thank you.