
Forwarding spam?

Comments

10 comments

  • Jcats
    There's a bunch of threads on here that will help you, example: Spam emails being sent from cPanel account
    0
  • DennisMidjord
    Hi Jcats, Thanks! I've already looked through a bunch of threads and I've dealt with tons of spam before. This time, I've spent weeks trying to find the issue, and I haven't gotten one step closer. This log is associated with the spam email:

        2017-07-25 21:15:28 no host name found for IP address 103.79.141.91
        2017-07-25 21:15:33 1da5Ir-0000Yx-FL H=mail51.atl31.mcdlv.net [205.201.134.51]:3935 Warning: Message has been scanned: no virus or other harmful content was found
        2017-07-25 21:15:33 1da5Ir-0000Yx-FL <= bounce-mc.us1_92282.339701-info=[removed]@mail51.atl31.mcdlv.net H=mail51.atl31.mcdlv.net [205.201.134.51]:3935 P=esmtp S=35958 id=53a1e972a043d1264ed08$
        2017-07-25 21:15:33 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1da5Ir-0000Yx-FL
        2017-07-25 21:15:33 1da5Ir-0000Yx-FL SMTP connection identification D=[removed] O=info@[removed] E=willum@[removed] M=1da5Ir-0000Yx-FL U=hikeshop ID=1037 B=redirect_resolver
        2017-07-25 21:15:33 1da5Ir-0000Yx-FL SMTP connection outbound 1501010133 1da5Ir-0000Yx-FL [removed]
        2017-07-25 21:15:33 1da5Ir-0000Yx-FL => info <[removed]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[removed]> uR8qMNWYd1n0CQAAHE1msQ Saved"
        2017-07-25 21:15:33 SMTP connection from mail51.atl31.mcdlv.net [205.201.134.51]:3935 closed by QUIT
        2017-07-25 21:15:36 1da5Ir-0000Yx-FL ** [removed][removed]R=remoteserver_route T=mailchannels_smtp H=smtp.mailchannels.net [54.70.85.142] X=TLSv1.2:DHE-RSA$
        2017-07-25 21:15:36 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1da5Ir-0000Yx-FL
        2017-07-25 21:15:36 1da5Iu-0000tm-JG <= <> R=1da5Ir-0000Yx-FL U=mailnull P=local S=37922 T="Mail delivery failed: returning message to sender" for bounce-mc.us1_92282.339701-[removed]
        2017-07-25 21:15:36 1da5Ir-0000Yx-FL Completed
        2017-07-25 21:15:36 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1da5Iu-0000tm-JG

    I don't see anyone log in to the SMTP server. All I see is dovecot_virtual_delivery. I literally have no idea how I can get further in troubleshooting this issue.
    0
  • Jcats
    Hmm do you have WHM > Tweak Settings > Mail authentication via domain owner password > Yes ?
    0
  • DennisMidjord
    No, that is not enabled.
    0
  • cPanelMichael
    Hello, Is shell access enabled for the account associated with that domain name? Also, are any cron jobs or scripts uploaded to the account capable of sending email? Thank you.
    0
  • DennisMidjord
    Hi, No, shell access is not enabled. For a small amount of the accounts it is, but the majority have shell access disabled. I'm guessing that a lot of the accounts have scripts uploaded that could send mail, but when looking at the exim log, it doesn't seem like the mails are sent via a script.
    0
  • DennisMidjord
    Also (and this might be stupid): right now, a lot of our customers are on vacation. It's not unlikely that a lot of our clients have set a forwarder in their email client that forwards all emails to another person. Could that be the reason? The holidays started a few weeks back, and we started receiving these alerts in mid May. Could that be the reason? Let's say a spam mail is sent to our client, and the client is forwarding that email to another address - that could cause it, right?
    0
  • cPanelMichael
    "Let's say a spam mail is sent to our client, and the client is forwarding that email to another address - that could cause it, right?"

    Yes, that could in fact lead to your server forwarding the SPAM message to a remote server. You can enable one of the following options under the "Apache SpamAssassin" tab in "WHM >> Exim Configuration Manager >> Basic Editor" to help prevent this from happening:

      • Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
      • Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score

    Thank you.
    0
  • DennisMidjord
    That doesn't fix the issue either. Spam is still forwarded.
    0
  • cPanelMichael
    "That doesn't fix the issue either. Spam is still forwarded."

    Those options are only going to work if SpamAssassin detects the incoming email as SPAM. Feel free to open a support ticket using the link in my signature if you want us to take a closer look. Thank you.
    0
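
An added example, not part of the original thread: a small Python pass over Exim main-log text that lists messages which arrived unauthenticated from a remote host and were then picked up by a forwarder (`B=redirect_resolver`), grouped by account. The sample lines are constructed on the pattern of the excerpt posted above; the function name is hypothetical, and reading `U=`, `O=` and `E=` as account, forwarder address and forward target is an assumption drawn from that excerpt.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the thread's log excerpt; all addresses are placeholders.
SAMPLE_LOG = """\
2017-07-25 21:15:33 1da5Ir-0000Yx-FL <= bounce@sender.example H=mail.sender.example [192.0.2.10]:3935 P=esmtp S=35958
2017-07-25 21:15:33 1da5Ir-0000Yx-FL SMTP connection identification D=shop.example O=info@shop.example E=willum@remote.example M=1da5Ir-0000Yx-FL U=hikeshop ID=1037 B=redirect_resolver
2017-07-25 21:15:33 1da5Ir-0000Yx-FL => info <info@shop.example> R=virtual_user T=dovecot_virtual_delivery
2017-07-25 21:15:36 1da5Ir-0000Yx-FL ** willum@remote.example R=remoteserver_route T=mailchannels_smtp H=smtp.mailchannels.net [192.0.2.20]
2017-07-25 21:15:36 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1da5Ir-0000Yx-FL
2017-07-25 21:20:01 1da5Zz-0000Aa-AA <= user@shop.example H=client.example [192.0.2.30]:5050 P=esmtpsa A=dovecot_login:user@shop.example S=1200
2017-07-25 21:20:02 1da5Zz-0000Aa-AA => someone@remote.example R=remoteserver_route T=mailchannels_smtp H=smtp.mailchannels.net [192.0.2.20]
2017-07-25 21:20:02 1da5Zz-0000Aa-AA Completed
"""

# date, time, Exim message id (6-6-2 characters), then the rest of the entry
LINE = re.compile(r"^\S+ \S+ (?P<id>\w{6}-\w{6}-\w{2}) (?P<rest>.*)$")
FIELD = re.compile(r"\b([A-Z]{1,2})=(\S+)")

def forwarded_inbound(log_text):
    """Return {account: [(forwarder, target), ...]} for messages received from a
    remote host without SMTP AUTH and then handled by a redirect (forwarder)."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # entries without a message id (cwd=, connection notices)
        rest, info = m["rest"], msgs[m["id"]]
        fields = dict(FIELD.findall(rest))
        if rest.startswith("<= "):
            info["remote"] = "H" in fields   # arrived over SMTP from another host
            info["authed"] = "A" in fields   # an authenticator was logged
        elif rest.startswith("SMTP connection identification"):
            info["ident"] = fields           # assumed: U=account, O=forwarder, E=target
    result = defaultdict(list)
    for info in msgs.values():
        ident = info.get("ident", {})
        if (info.get("remote") and not info.get("authed")
                and ident.get("B") == "redirect_resolver"):
            result[ident.get("U", "?")].append((ident.get("O"), ident.get("E")))
    return dict(result)

if __name__ == "__main__":
    for account, pairs in forwarded_inbound(SAMPLE_LOG).items():
        print(account, len(pairs), pairs)
```

Accounts with many entries here are relaying inbound mail through forwarders rather than originating it, which matches the absence of any SMTP login in the log.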
