Forwarding spam?
Hi,
For a few weeks, we've been having issues with spam that gets forwarded. We're using MailChannels, and according to them, the problem is that a compromised account is used for sending (forwarding spam). We've tried changing passwords for everything on one of the accounts, but it just keeps coming. Here's one of the emails that we've received from MailChannels:
This is an alert about the Sender ID, _forwarded-from|205.201.xxx.51, on your network. The sender _forwarded-from|205.201.xxx.51 is sending SPAM. Some additional information that may assist in tracking down the problem follows.
Time: 1501010136
Originator: _forwarded-from|205.201.xxx.51
Originator Type: Sender ID
Sender ID: _forwarded-from|205.201.xxx.51
Envelope Sender: bounce-mc.us1_92282.339701-info=[removed]
IP:
Condition: _forwarded-from|205.201.xxx.51 is sending SPAM
The domain [removed] is hosted with us. When we receive one of the alerts, we can see the delivery reports, such as here: http://i.imgur.com/1iycFMV.png
However, I just can't seem to figure out HOW this is sent from several of our clients' accounts. Some days we receive 50 different emails saying that spam is being sent. Does anyone have a clue?
There's a bunch of threads on here that will help you, for example: Spam emails being sent from cPanel account
Hi Jcats, Thanks! I've already looked through a bunch of threads and I've dealt with tons of spam before. This time, I've spent weeks trying to find the issue, and I haven't gotten one step closer. This log is associated with the spam email:
2017-07-25 21:15:28 no host name found for IP address 103.79.141.91
2017-07-25 21:15:33 1da5Ir-0000Yx-FL H=mail51.atl31.mcdlv.net [205.201.134.51]:3935 Warning: Message has been scanned: no virus or other harmful content was found
2017-07-25 21:15:33 1da5Ir-0000Yx-FL <= bounce-mc.us1_92282.339701-info=[removed]@mail51.atl31.mcdlv.net H=mail51.atl31.mcdlv.net [205.201.134.51]:3935 P=esmtp S=35958 id=53a1e972a043d1264ed08$
2017-07-25 21:15:33 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1da5Ir-0000Yx-FL
2017-07-25 21:15:33 1da5Ir-0000Yx-FL SMTP connection identification D=[removed] O=info@[removed] E=willum@[removed] M=1da5Ir-0000Yx-FL U=hikeshop ID=1037 B=redirect_resolver
2017-07-25 21:15:33 1da5Ir-0000Yx-FL SMTP connection outbound 1501010133 1da5Ir-0000Yx-FL [removed]
2017-07-25 21:15:33 1da5Ir-0000Yx-FL => info <[removed]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[removed]> uR8qMNWYd1n0CQAAHE1msQ Saved"
2017-07-25 21:15:33 SMTP connection from mail51.atl31.mcdlv.net [205.201.134.51]:3935 closed by QUIT
2017-07-25 21:15:36 1da5Ir-0000Yx-FL ** [removed][removed]R=remoteserver_route T=mailchannels_smtp H=smtp.mailchannels.net [54.70.85.142] X=TLSv1.2:DHE-RSA$
2017-07-25 21:15:36 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1da5Ir-0000Yx-FL
2017-07-25 21:15:36 1da5Iu-0000tm-JG <= <> R=1da5Ir-0000Yx-FL U=mailnull P=local S=37922 T="Mail delivery failed: returning message to sender" for bounce-mc.us1_92282.339701-[removed]
2017-07-25 21:15:36 1da5Ir-0000Yx-FL Completed
2017-07-25 21:15:36 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1da5Iu-0000tm-JG
I don't see anyone log in to the SMTP server. All I see is dovecot_virtual_delivery. I literally have no idea how I can get further in troubleshooting this issue.
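One way to get further with a log like the one above is to correlate the exim entries per message ID rather than reading them one at a time: a message that arrived from a remote host on the `<=` line and then left again through the outbound transport on a `=>`/`**` line was forwarded by the box, not submitted to it. The script below is an added example for this thread, not cPanel's or MailChannels' code. It assumes standard exim mainlog syntax (`<=` arrival, `=>`/`**`/`==` delivery attempts, `A=` on authenticated arrivals, `R=`/`T=` on deliveries), that the cPanel "SMTP connection identification" line carries the account in `U=`, and that a transport named in `REMOTE_TRANSPORTS` hands mail off the server (`mailchannels_smtp` is taken from the log above; `remote_smtp` is an assumed default). The sample log is constructed, modelled on the post's excerpt with the redacted addresses replaced by example domains.

```python
"""Classify exim mainlog traffic into forwarded / authenticated / local-script outbound.

Added example for this forum thread (not cPanel's or MailChannels' code).
Assumptions: standard exim log syntax; cPanel's "SMTP connection identification"
line carries U=<account>; transports in REMOTE_TRANSPORTS leave the server.
"""
import re
from dataclasses import dataclass, field

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LINE_RE = re.compile(rf"^(?P<ts>\S+ \S+) (?P<msgid>{MSGID}) (?P<rest>.*)$")
ARRIVAL_RE = re.compile(
    r"^<= (?P<sender>\S+)(?: H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\])?(?P<tail>.*)$")
DELIVERY_RE = re.compile(r"^(?P<flag>=>|->|\*\*|==) (?P<rcpt>\S+).*? R=(?P<router>\S+) T=(?P<transport>\S+)")
IDENT_RE = re.compile(r"^SMTP connection identification .*\bU=(?P<user>\S+)")
REMOTE_TRANSPORTS = {"mailchannels_smtp", "remote_smtp"}  # assumption: transports that leave the box

# Constructed sample, modelled on the exim_mainlog excerpt in the post above.
SAMPLE_LOG = """\
2017-07-25 21:15:28 no host name found for IP address 103.79.141.91
2017-07-25 21:15:33 1da5Ir-0000Yx-FL <= bounce-mc.us1_92282.339701-info=customer.example@mail51.atl31.mcdlv.net H=mail51.atl31.mcdlv.net [205.201.134.51]:3935 P=esmtp S=35958 id=53a1e972a043d1264ed08
2017-07-25 21:15:33 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1da5Ir-0000Yx-FL
2017-07-25 21:15:33 1da5Ir-0000Yx-FL SMTP connection identification D=customer.example O=info@customer.example E=willum@example.org M=1da5Ir-0000Yx-FL U=hikeshop ID=1037 B=redirect_resolver
2017-07-25 21:15:33 1da5Ir-0000Yx-FL => info <info@customer.example> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2017-07-25 21:15:36 1da5Ir-0000Yx-FL ** willum@example.org R=remoteserver_route T=mailchannels_smtp H=smtp.mailchannels.net [54.70.85.142] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256
2017-07-25 21:15:36 1da5Ir-0000Yx-FL Completed
2017-07-25 21:16:01 1da5Jd-0000Zq-AB <= alice@example.net H=mx.example.net [198.51.100.7]:4321 P=esmtps S=2048
2017-07-25 21:16:01 1da5Jd-0000Zq-AB => alice <alice@customer.example> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2017-07-25 21:16:01 1da5Jd-0000Zq-AB Completed
2017-07-25 21:17:10 1da5Kq-0001Ab-CD <= bob@customer.example H=(laptop) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:bob@customer.example S=2100
2017-07-25 21:17:11 1da5Kq-0001Ab-CD => carol@example.org R=remoteserver_route T=mailchannels_smtp H=smtp.mailchannels.net [54.70.85.142] C="250 2.0.0 Ok"
2017-07-25 21:17:11 1da5Kq-0001Ab-CD Completed
2017-07-25 21:18:05 1da5Lr-0001Cd-EF <= hikeshop@server.example U=hikeshop P=local S=1337
2017-07-25 21:18:06 1da5Lr-0001Cd-EF => dave@example.org R=remoteserver_route T=mailchannels_smtp H=smtp.mailchannels.net [54.70.85.142] C="250 2.0.0 Ok"
2017-07-25 21:18:06 1da5Lr-0001Cd-EF Completed
"""


@dataclass
class Message:
    msgid: str
    ts: str = ""
    sender: str = ""
    host: str = ""          # remote host on the <= line, empty for local submission
    ip: str = ""
    authenticated: bool = False
    user: str = ""          # cPanel account (U=) when the log says which one
    local: list = field(default_factory=list)   # deliveries that stay on the box
    remote: list = field(default_factory=list)  # (flag, rcpt, router, transport) leaving the box


def parse_exim_log(text):
    """Group mainlog lines by message ID; lines without an ID (cwd=, QUIT, ...) are ignored."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = msgs.setdefault(m["msgid"], Message(m["msgid"]))
        rest = m["rest"]
        if a := ARRIVAL_RE.match(rest):
            msg.ts, msg.sender = m["ts"], a["sender"]
            msg.host, msg.ip = a["host"] or "", a["ip"] or ""
            msg.authenticated = " A=" in a["tail"]
            if u := re.search(r" U=(\S+)", a["tail"]):   # local submission names the unix user
                msg.user = msg.user or u.group(1)
        elif d := DELIVERY_RE.match(rest):
            rec = (d["flag"], d["rcpt"], d["router"], d["transport"])
            (msg.remote if d["transport"] in REMOTE_TRANSPORTS else msg.local).append(rec)
        elif i := IDENT_RE.match(rest):
            msg.user = i["user"]
    return msgs


def classify(msg):
    """'forwarded' = came in from a remote host and went out again; None = never left the box."""
    if not msg.remote:
        return None
    if msg.authenticated:
        return "authenticated_outbound"   # someone logged in: credential compromise territory
    if msg.host:
        return "forwarded"                # inbound mail re-sent by a forwarder/redirect
    return "local_outbound"               # injected locally, e.g. a script calling sendmail


def report(text):
    """One record per message that left the server, in log order."""
    out = []
    for msg in parse_exim_log(text).values():
        if kind := classify(msg):
            out.append({"msgid": msg.msgid, "kind": kind, "user": msg.user, "from": msg.sender,
                        "source": msg.ip, "to": [r[1] for r in msg.remote],
                        "outcome": [r[0] for r in msg.remote]})
    return out


def forwarders(events):
    """Count forwarded messages per cPanel account, to find the forwarder-heavy accounts."""
    counts = {}
    for e in events:
        if e["kind"] == "forwarded":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in report(SAMPLE_LOG):
        print(e)
    print(forwarders(report(SAMPLE_LOG)))
```

Run it against the real file with `python3 this.py < /var/log/exim_mainlog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the `forwarders` totals tell you which accounts' redirects are relaying the most, and a `**` outcome on a forwarded message is the bounce you see MailChannels reporting.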
Hmm, do you have WHM > Tweak Settings > Mail authentication via domain owner password > Yes?
No, that is not enabled.
Hello, Is shell access enabled for the account associated with that domain name? Also, are any cron jobs or scripts uploaded to the account capable of sending email? Thank you.
Hi, No, shell access is not enabled. For a small number of the accounts it is, but the majority have shell access disabled. I'm guessing that a lot of the accounts have scripts uploaded that could send mail, but when looking at the exim log, it doesn't seem like the mails are sent via a script.
Also (and this might be stupid): right now, a lot of our customers are on vacation. It's not unlikely that a lot of our clients have set a forwarder in their email client that forwards all emails to another person. Could that be the reason? The holidays started a few weeks back, and we started receiving these alerts in mid May. Could that be the reason? Let's say a spam mail is sent to our client, and the client is forwarding that email to another address - that could cause it, right?
Let's say a spam mail is sent to our client, and the client is forwarding that email to another address - that could cause it, right?
Yes, that could in fact lead to your server forwarding the SPAM message to a remote server. You can enable one of the following options under the "Apache SpamAssassin" tab in "WHM >> Exim Configuration Manager >> Basic Editor" to help prevent this from happening:
- Do not forward mail to external recipients if it matches the Apache SpamAssassin internal spam_score setting
- Do not forward mail to external recipients based on the defined Apache SpamAssassin score
Thank you.
That doesn't fix the issue either. Spam is still forwarded.
That doesn't fix the issue either. Spam is still forwarded.
Those options are only going to work if SpamAssassin detects the incoming email as SPAM. Feel free to open a support ticket using the link in my signature if you want us to take a closer look. Thank you.