Outgoing Email Spam Issue
Hi guys,
I've recently had a huge issue with a bunch of outgoing email spam. It looks like I have a new noisy neighbor, but I have been absolutely unable to identify them. I've been pulling my hair out and have tried everything I can think of, but nothing is working. Just to recap, some things I've done are:
- Ran a clamscan
- Bought CXS and ran that
- Enabled SpamAssassin (I don't think this does much for outgoing emails, though)
- Read & followed the official cPanel guide for "Preventing SMTP Abuse"
- Prevent sending mail as "nobody"
- Severely ratelimited the sending mails per hour for all accounts
- Disabled mail() in PHP
- Changed the exim flag to +all for more information in the email headers
The only reason I know the spam is still being sent out is because my datacenter is sending me dozens of new Spamcop reports every day.
At the bottom of this post is a copy of one of the SpamCop reports on one of my server's IPs - [Removed]
The relevant lines are:
[Removed]
So this is the domain/email/whatever the spammer is using to send them.
If I search for [Removed] in my Mail Delivery Reports, there are zero results. However they're sending mail, it's not properly showing up in any of the tools WHM provides to view mail.
If I head over to the "View Sent Summary" section to see which clients have the highest send rates, most domains are around 20-30 mails (average) except for the -remote- user who has 5 successfully sent and 483 failed & deferred messages.
If I open /var/log/exim_mainlog and search for " [Removed]", there are 0 results found.
At this point, I'm looking for assistance on either how 1) I can disable mail system-wide except for a whitelist of accounts that I manually approve, or 2) how to identify this darn spammer!
Thank you so much!
[Removed]
Hi, there is a possibility that someone on your machine is sending mail through a script that is authenticating with a mail account. Please have a look again at the /var/log/exim_mainlog file and search for public_html in it, and see if you can spot any area from where the mails are going out from your server.
Hey, thanks so much for the reply! /var/log/exim_mainlog contains no information about the email at all - like I said in the OP, if I try to search for the domain it returns no results.
Also check whether the email account or accounts are compromised; try changing the password for the accounts that are sending emails.
Hello @liamwestcoast, here are some commands you can use to help determine where the SPAM is coming from:
1. This command will search for messages sent via a script, and sort from highest to lowest:
grep -hoP "(?<=cwd=)/[^ ]+" /var/log/exim_mainlog | sort | uniq -c | sort -nr
2. This command will search for messages sent via SMTP and sort from highest to lowest:
grep -ho "A=\(.*\)\(@\|+\)\(.*\) S=" /var/log/exim_mainlog-* | sed 's/ S\=//g; s/A\=\(.*\)\://g; /\(.*\)P=\(.*\)/d' | sort | uniq -c | sort -nr
3. This command will help to search for messages sent with SMTP from localhost (without authentication):
grep authenticated_local_user /var/log/exim_mainlog|grep -oP '(?<=U=)[^ ]+'|sort|uniq -c|sort -nr
Thank you.
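A one-pass version of the three checks above, added here as an example that is not from this thread or from cPanel: it attributes each Exim "<=" arrival line to a script working directory (cwd=), an authenticated SMTP user (A=) or an unauthenticated local user (U=), and it reads the live log plus rotated copies, gzip or plain, rather than a single file. The log lines are constructed in the standard Exim mainlog shape and simplified; the paths and account names are assumptions.

```python
import gzip
import re
from collections import Counter
from pathlib import Path

# The same three indicators the grep commands above look for.
RE_CWD = re.compile(r"\bcwd=(/[^ ]+)")        # working dir of a script calling sendmail
RE_AUTH = re.compile(r"\bA=[^: ]+:([^ ]+)")   # e.g. A=dovecot_login:user@example.test
RE_LOCAL = re.compile(r"\bU=([^ ]+)")         # local submission with no SMTP auth

# Constructed sample (simplified; real cPanel lines carry extra fields such as X=, id=, T=).
SAMPLE_LOG = """\
2024-01-01 10:00:01 cwd=/home/acct1/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-01 10:00:01 1rAAAA-0001AB-CD <= acct1@host.example U=acct1 P=local S=812
2024-01-01 10:00:05 1rAAAA-0001AB-CE <= bulk@example.test H=(x) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:bulk@example.test S=2048
2024-01-01 10:00:06 1rAAAA-0001AB-CF <= bulk@example.test H=(x) [203.0.113.5]:51235 P=esmtpsa A=dovecot_login:bulk@example.test S=2050
2024-01-01 10:00:09 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1rAAAA-0001AB-CD
2024-01-01 10:00:10 1rAAAA-0001AB-CG <= root@host.example U=root P=local S=300
"""

def classify(lines):
    """Count message origins: script cwd, authenticated SMTP user, unauthenticated local user."""
    by_cwd, by_auth, by_local = Counter(), Counter(), Counter()
    for line in lines:
        m = RE_CWD.search(line)
        if m:
            by_cwd[m.group(1)] += 1
        if " <= " not in line:          # only message arrivals count as sends
            continue
        m = RE_AUTH.search(line)
        if m:                           # authenticated SMTP wins over U= if both appear
            by_auth[m.group(1)] += 1
            continue
        m = RE_LOCAL.search(line)
        if m:
            by_local[m.group(1)] += 1
    return by_cwd, by_auth, by_local

def read_logs(log_dir="/var/log", stem="exim_mainlog"):
    """Yield lines from the live log and every rotated copy, gzip or plain."""
    for path in sorted(Path(log_dir).glob(stem + "*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh

if __name__ == "__main__":
    labels = ("script cwd", "SMTP auth user", "local user")
    for label, counts in zip(labels, classify(read_logs())):
        print(label, counts.most_common(5))
```

Run it as root on the cPanel host to rank the top senders for each origin; an account or directory that dwarfs the rest is the one to inspect next.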
Thanks a bunch for the reply, I really appreciate your help. I've run these three commands and unfortunately the results don't seem very helpful. The second command you suggested (to search for messages sent from SMTP) does not return any results.
[root@hostname ~]# grep -hoP "(?<=cwd=)/[^ ]+" /var/log/exim_mainlog | sort | uniq -c | sort -nr
    880 /etc/csf
    676 /var/spool/exim
      9 /root
      3 /usr/local/cpanel/whostmgr/docroot
[root@hostname ~]# grep authenticated_local_user /var/log/exim_mainlog|grep -oP '(?<=U=)[^ ]+'|sort|uniq -c|sort -nr
    140 root
Hello, could you provide some more information about one of the offending messages? The initial message was removed because it included real domain names and IP addresses. You can paste the output in CODE tags, and ensure to remove real domain names and any actual URLs. Thank you.
Received: from x (unknown [MYSERVERSIP])
Does this line give you any indication about the account used to send the email? Thank you.
Hi, this line contains a domain. The domain is different for each abuse report, so there are dozens of domains that they're sending from in total. I've searched all mail logs on the WHM web interface, as well as searched the exim mainlog for any mention of the malicious domains, but there are zero occurrences at all!
Hello, investigating the source of SPAM is generally outside our scope of support, but feel free to open a support ticket using the link in my signature if you'd like us to take a quick look to see if there are any obvious signs of where the SPAM is coming from. Thank you.
Thank you, I'll open a ticket later and update this thread in the future if I/we find a solution!