Spams generated from X-Mailer: PHPMailer.

pendias

• June 02, 2017 05:51

Hello guys, I'm facing this issue from the last few days, and donno what to do. There's spamming going on from my server, when checked it shows X-Mailer: PHPMailer 5.2.14 (GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP). You can check the log below.
--------------------------------- 2dGEfbv-0003DVFf-4d mailnull 47 12 1496274065 1 -helo_name XN--90AFEMJVCHBGOMN0I.XN--P1AI -host_address xx.xx.xx.xx.x. -host_name snake.example.net -host_auth dovecot_login -interface_address xx.xx.xx.xx.xxx -received_protocol esmtpsa -body_linecount 27 -max_received_linelength 129 -auth_id asfffrtcm@mydomain.com -tls_cipher TLSv1:DHE-RSA-AES256-SHA:256 -tls_sni xx.xx.xx.xx.xxx -tls_ourcert -----BEGIN CERTIFICATE-----\nMIIF4DCCBMigAwIBAgIQcp36QNPDzY5kMTeFCKl1hjANBgkqhkiG9w0BAQsFADBC\nMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS\nUmFwaWRTU0wgU0hBMjU2IENBMB4XDTE3MDQyMDAwMDAwMFoXDTE5MDYxOTIzNTk1\nOVowFjEUMBIGA1UEAwwLKi5taWNmby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQC4jhcr3f33zeaw/o9MWancjbBhdBkZQ9LlgdncbIO+xExaZyiE\nc1NBk0kcBQ4vGIO9owhQl9m/Xx1yemJctNRX54yJQKI8zv8Y3i2aWtLi58oCn1He\nJ/9w8h20GJra5NPH2jfH7FNV03KS9TitItUfbHF7qia35zDiy8H03ZL7q90GuiLF\nvIHq7XJ2YLtKy0aZ6yHHTFYMjIor67xnfwZwAXXvH958YB7kqrxvD2cAFG6IOLAw\nvUJByQSSdO3EqQdPBvceJGfyDvdKoj8UPFGtNZOmNLCAjGifPbMe3KRCBbQxJVLd\nhA1SAgMgUvKXykqsYXV50OSjMsMSlrAjAgMBAAGjggL8MIIC+DAhBgNVHREE\nGjAYggsqLm1pY2ZvLmNvbYIJbWljZm8uY29tMAkGA1UdEwQCMAAwKwYDVR0fBCQw\nIjAgoB6gHIYaaHR0cDovL2dwLnN5bWNiLmNvbS9ncC5jcmwwbwYDVR0gBGgwZjBk\nBgZngQwBAgEwWjAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29t\nL2xlZ2FsMCwGCCsGAQUFBwICMCAMHmh0dHBzOi8vd3d3LnJhcGlkc3NsLmNvbS9s\nZWdhbDAfBgNVHSMEGDAWgBSXwidQnsLJ7AyIMsh8reKmAU/abzAOBgNVHQ8BAf8E\nBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMFcGCCsGAQUFBwEB\nBEswSTAfBggrBQcwAYYTaHR0cDovL2dwLnN5bWNkLmNvbTAmBggrBgEFBQcw\nAoYaaHR0cDovL2dwLnN5bWNiLmNvbS9ncC5jcnQwggF/BgorBgEEAdZ5AgQCBIIB\nbwSCAWsBaQB2AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0RxM227L7MAAABW4vR\nvtUAAAQDAEcwRQIgIlmNWmdNBN356NstWsdIsCFbc+H3wyZPVTY3yciB+JICIQCC\nojtb8z24UsaFd//t/wb1Y6tFfBzVd+RayiurBsdPsgB2AKS5CZC0GFgUh7sTosxn\ncAo8NZgE+RvfuON3zQ7IDdwQAAABW4vRvxEAAAQDAEcwRQIgJPnSwhUuIP/n2czt\n8Jwzo+fjQa6RvTyVRE0bIDhRhoECIQCaY55fghCJfrmMDNlhxYnMLLaLCfxT5Z6W\nHSpntyZUNAB3AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDEe4l6qP3LAAABW4vR\nwNYAAAQDAEgwRgIhAPrwHQ71JQi2Us/aeAKMDeYG2p13A3eq7X/+zq8Vagt9AiEA\nphX2z+Qj7R3/xHRt21P8PMggWtxzxd0gIIEIeLrnEJwwDQYJKoZIhvcNAQELBQAD\nggEBAF9ua6kOGRdyrWlrEre91npkOA4IdYedCSOnNGLh7wAV9ocQxS09CoXcXyoD\nIMoOiQY2oozsFAn7qJ8kXGoJBh1V/xjvBqWIUJ14ixQvtsfA4YyfP9D1nodm3xjU\nsn++pInHw1II3Yh1xzb2061KmzF6sRF\n/0+Ow7nCN7YfaQw97i4cGioKhu8HEDCx/zO7vFTZBJExUYTcTcr9BY8eqtmyNla1\nDiC6OfKJ3kmDvuvhkJ9rlqS2/gnnL3yyPW6hfzfctVkLDS4ZliFijZEwoqcrogWJ\nzHHAxiMT9BjYcfyc3Iv5MCYb6Dc=\n-----END CERTIFICATE-----\n NN >asfffrtcm@mydomain.com:crunchs@domain.pl 1 crunchs@sxzfnmax.pl 307P Received: from snake.example.net ([xx.xx.xx.xx.xxx]:45044 helo=XN--90AFEMJVCHBGOMN0I.XN--P1AI) by server.myserver.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.89) (envelope-from ) id 1dGDEf-00085T-4d for crunchs@domain.pl; Wed, 31 May 2017 19:41:05 -0400 037 Date: Thu, 1 Jun 2017 02:41:05 +0300 025T To: crunchs@domain.pl 047F From: Kiara 051R Reply-To: Kiara 039 Subject: xxxxxxxxxxxxxxxxxxxx 078I Message-ID: <77922e782d28426747060512612339cf@XN--90AFEMJVCHBGOMN0I.XN--P1AI> 068 X-Mailer: PHPMailer 5.2.14 (GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP) 018 MIME-Version: 1.0 085 Content-Type: multipart/alternative; boundary="b1_77922e782d28426747060512612339cf" 032 Content-Transfer-Encoding: 8bit ----------------- [root@server.myserver.com ~]# exim -Mvb 2dGEfbv-0003DVFf-4d 1dGDEf-00085T-4d-D This is a multi-part message in MIME format. --b1_77922e782d28426747060512612339cf Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit --b1_77922e782d28426747060512612339cf Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit - Removed - --b1_77922e782d28426747060512612339cf--
--------------------------------- I deleted few PHPMailer files but nothing has worked. Can someone please help me out with this irritating thing ?

• 

  cPanelMichael

  • June 02, 2017 16:25

  -auth_id asfffrtcm@mydomain.com

  
  Hello, You may also want to try removing this email account, or changing it's password if you have confirmed no additional scripts exist under the account with the ability to send email. Additionally, review the mail queue on the server to verify none of the offending messages are queued for delivery from before the PHP mailing files were removed. Thank you.

  0
• 

  pendias

  • June 05, 2017 23:32

  Hello Michael, The email account asfffrtcm@mydomain.com[/EMAIL] (I've changed the actual name) doesn't exist on the server. It's generating such random non-existing email accounts and spamming with X-Mailer: PHPMailer 5.2.14 (GitHub - PHPMailer/PHPMailer

  0
• 

  24x7server

  • June 06, 2017 04:43

  Hi, First of all if auth_id is generating in the mail header, you can try enabling sender verification on the server, so it will verify first and then deliver whether locally or remotely. auth_id generates when mail server is queried, so try below things first to check what is the cause: 1) Disable mail sending through nobody. 2) Disable PHP mail function. 3) Enable SMTP restriction. Try doing it one by one to see what happens, so you can get to the root cause..

  0
• 

  pendias

  • June 06, 2017 09:50

  Hello, Alright ! I'll work according to your suggestion and will let know the outcome.

  0
• 

  Jcats

  • June 06, 2017 13:22

  This may help as well: Spam emails being sent from cPanel account

  0
• 

  pendias

  • June 08, 2017 12:21

  Hello, From the three advises by '24x7server' memeber, I cannot apply 2. Disable PHP mail function - as I've too many accts using PHP for this purpose, and is required; SMTP restriction & Prevent "nobody" from sending mail are already enabled on the server. Jcats, I've applied the scripts suggested by you but yet to pull out the culprit script or reason exactly how's it happening. Please help me out.

  0
• 

  pendias

  • June 12, 2017 13:04

  Hello, You may also want to try removing this email account, or changing it's password if you have confirmed no additional scripts exist under the account with the ability to send email. Additionally, review the mail queue on the server to verify none of the offending messages are queued for delivery from before the PHP mailing files were removed. Thank you.

  
  Okay, Michael. You were right and I got rid of the spamming. I followed all the things you asked to. Also, I thank Jcats for his help. :)

  0
• 

  cPanelMichael

  • June 14, 2017 14:55

  I'm glad to see you were able to address the issue. Thank you for updating us with the outcome.

  0

Please sign in to leave a comment.