__cpanel__service__auth__icontact sending spam
I found these. My usual methods of finding the user account where the spam originated failed; I found this on the auth id line of the headers:
--auth_id __cpanel__service__auth__icontact__xxxxx
(xxxxx is a random string)
Here is the full mainlog grep of an example email:
[root@hostname: /var/log]# grep 1t6ADu-00000003XJc-4ASv exim_mainlog
2024-10-30 09:03:00.821 [843052] 1t6ADu-00000003XJc-4ASv <= examle.sender@somedomain-not-onserver.com H=(localhost.localdomain) [127.0.0.1]:58092 I=[127.0.0.1]:25 Ci=843052 P=esmtpa L.- A=dovecot_plain:__cpanel__service__auth__icontact__rynqgktxhrl7zu46 S=48225 M8S=0 RT=0.005s T="Invite: MX Carrier Training | BlueYonder " from <examle.sender@somedomain-not-onserver.com> for example-recipient@domain-also-not-on-server.com
2024-10-30 09:03:00.837 [843054] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1t6ADu-00000003XJc-4ASv
2024-10-30 09:03:00.872 [843054] 1t6ADu-00000003XJc-4ASv Sender identification U=__cpanel__service__auth__icontact__rynqgktxhrl7zu46 D=-system- S=__cpanel__service__auth__icontact__rynqgktxhrl7zu46
2024-10-30 09:03:02.347 [843054] 1t6ADu-00000003XJc-4ASv => example-recipient@domain-also-not-on-server.com F=<examle.sender@somedomain-not-onserver.com> P=<examle.sender@somedomain-not-onserver.com> R=lookuphost T=remote_smtp S=49494 H=transpojit-com.mail.protection.outlook.com [52.101.41.24]:25 I=[my.server.ip]:39241 X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes DN="/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com" L C="250 2.6.0 <f1afa296-3c14-4305-a868-7c258fc79602@SJ1PEPF00002319.namprd03.prod.outlook.com> [InternalId=66915590473532, Hostname=SJ2PR12MB7845.namprd12.prod.outlook.com] 58697 bytes in 0.228, 250.589 KB/sec Queued mail for delivery" QT=1.528s DT=1.431s
2024-10-30 09:03:02.348 [843054] 1t6ADu-00000003XJc-4ASv Completed QT=1.534s
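Added example (not from this thread, and not cPanel's or Exim's own tooling): a small Python triage script that scans exim_mainlog arrival ("<=") lines for the icontact service id and flags messages whose envelope sender is not a domain hosted on the server, which is the pattern in the log above. The hosted-domain list, the regex, the function names and the sample log lines are assumptions constructed for the demonstration.

```python
import re
ICONTACT_PREFIX = "__cpanel__service__auth__icontact__"

# Constructed sample exim_mainlog arrival lines modelled on the thread (not real
# server data): icontact relay with external sender, normal login, hosted sender.
SAMPLE_MAINLOG = """\
2024-10-30 09:03:00.821 [843052] 1t6ADu-00000003XJc-4ASv <= examle.sender@somedomain-not-onserver.com H=(localhost.localdomain) [127.0.0.1]:58092 I=[127.0.0.1]:25 Ci=843052 P=esmtpa A=dovecot_plain:__cpanel__service__auth__icontact__rynqgktxhrl7zu46 S=48225 T="Invite: MX Carrier Training" from <examle.sender@somedomain-not-onserver.com> for example-recipient@domain-also-not-on-server.com
2024-10-30 09:05:11.102 [843100] 1t6AFz-00000003XKq-1BcD <= alice@hosted.example H=(localhost.localdomain) [127.0.0.1]:58120 I=[127.0.0.1]:25 Ci=843100 P=esmtpa A=dovecot_plain:alice@hosted.example S=1200 T="Hello" from <alice@hosted.example> for bob@hosted.example
2024-10-30 09:07:45.500 [843150] 1t6AHc-00000003XLm-2DeF <= alice@hosted.example H=(localhost.localdomain) [127.0.0.1]:58200 I=[127.0.0.1]:25 Ci=843150 P=esmtpa A=dovecot_plain:__cpanel__service__auth__icontact__abcdefgh12345678 S=3300 T="Invite: team sync for Friday" from <alice@hosted.example> for carol@elsewhere.example
"""

# An exim "<=" (arrival) line: A= carries the authenticated id and the final
# "for" introduces the envelope recipient(s). Regex and names are our own.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\d+\] (?P<msgid>\S+) <= (?P<sender>\S+) "
    r".*?A=(?P<auth>\S+) .* for (?P<rcpts>.+)$"
)

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return addr.strip("<>").rsplit("@", 1)[-1].lower()

def find_icontact_relays(log_text: str, hosted_domains) -> list:
    """Arrival records authenticated as the icontact service user, each
    noting whether envelope sender and recipients belong to a hosted domain."""
    hosted = {d.lower() for d in hosted_domains}
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m or ICONTACT_PREFIX not in m["auth"]:
            continue
        rcpts = m["rcpts"].split()
        hits.append({
            "msgid": m["msgid"], "time": m["ts"], "sender": m["sender"],
            "recipients": rcpts,
            "sender_hosted": domain_of(m["sender"]) in hosted,
            "any_recipient_hosted": any(domain_of(r) in hosted for r in rcpts),
        })
    return hits

def external_sender_relays(log_text: str, hosted_domains) -> list:
    """The icontact hits with an external sender: the pattern in this thread,
    where a calendar notification goes out with the organiser as sender."""
    return [h for h in find_icontact_relays(log_text, hosted_domains)
            if not h["sender_hosted"]]

if __name__ == "__main__":
    for hit in external_sender_relays(SAMPLE_MAINLOG, ["hosted.example"]):
        print(hit["msgid"], hit["sender"], "->", ", ".join(hit["recipients"]))
```

On a real server, read /var/log/exim_mainlog into `log_text` and pass the domains from your own hosting records as `hosted_domains`; a hit with an external sender is the message to pull from the queue or spool and inspect for an attached .ics.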
-
Hey there! I can't say I've seen anything quite like that before. For security reasons, it would be best to submit a ticket so the machine can be investigated.
-
Turns out it's a bug:
For people reading this after a Google search: check a mail specimen. If your case is the same as mine, it surely has an .ics file attached to it, and one of the listed invited participants on this .ics is a legit user on the server. Turns out that some bug in the Roundcube calendar sends notifications the wrong way, with the event organizer as the sender instead of the actual user of the email account that received the invitation. If the event organizer is not on your server, well, you'll have these entries in the logs where both the sender and the recipient are not on the server and, somehow (not sure exactly how), cPanel's icontact service sent the mail.
cPRex:
I did, yesterday. The ticket id is #95392082 and they told me that this was already known and that the developer team already has a case for it: case ID CPANEL-45748. Not sure how to check that case though, since a search doesn't return any results. Thanks!
-
Luis Falcon - thanks for sharing! There isn't a way for you to check that case but I can see it's on the developer's radar and I'll be sure to post an update here if I hear anything on my end!
-
Resolved?
-
I don't see that there has been a fix just yet as it is still on the team's backlog.
-
I don't have any updates to share on this one just yet. I've reached out to the team to let them know there are still users experiencing this issue.
-
UPDATE - this is resolved in version 130. I'm not sure if it's going to get backported to any earlier versions at this point.
-
Good to know, but currently the Stable version is at 124, Current at 126 and Edge at 128. This is a major issue. It should find its way to all current releases.
-
Hi,
Agreed. This bug just bit me with a client inbound migration to a server including his calendars, which were then refreshed with new invites sent to meetings dated from years ago, and subsequent blocking by some recipients email providers for 'spammy' activity. PITA.
The current cycle means potentially months before it is in Stable.
Tony Howden
-
Same issue here:
Event:success
Sender User:__cpanel__service__auth__icontact__cmhw68ighlodlwz0
Sender Domain:-system-
From Address: xxxxx (not even hosted with us)
Sender:__cpanel__service__auth__icontact__cmhw68ighlodlwz0
Sent Time:May 2, 2025, 2:10:14 PM
Sender Host:localhost.localdomain
Sender IP:127.0.0.1
Authentication:dovecot_plain
-
Update - I spoke with the team today and they are going to see about backporting this to version 126. I can't guarantee that will happen, but at least it's on their radar now.
-
I got here by Googling "__cpanel__service__auth__icontact" because I had no idea how or why our server was sending emails on behalf of a domain we hosted.
Please insist with the team about this. Today it was our turn, along with a major company in my country and region. Our servers appear to be sending hundreds of emails as if they were from this company due to this problem with the .ics file. It's something worth giving priority to and urgency!
I find it incomprehensible that something delicate like this was detected and reported six months ago, and to this day we still have no solution.
"but at least it's on their radar now." @cPRex These are the things that should always be on the radar; these are the priorities for server administrators, not add-ons like "social bee" (which, by the way, they install and activate by force, leaving us the work of deactivating them later if we don't want them).
-
Google's AI has said this and we're going to test it:
To disable the __cpanel__service__auth__icontact service in cPanel, you can use the Feature Manager in WHM. Specifically, you can disable the iContact feature within a feature list. Alternatively, if you're seeing spam related to iContact, you might need to update your cPanel version, as this issue has been resolved in later versions of cPanel.
Here's a more detailed breakdown:
1. Disabling iContact in Feature Manager:
   Log in to WHM: Access your WHM (WebHost Manager) interface as the root user.
   Navigate to Feature Manager: Find and click on the "Feature Manager" option.
   Edit a Feature List: Select the feature list you want to edit and click "Edit".
   Disable iContact: Locate the iContact feature in the list and uncheck the corresponding box to disable it.
   Save Changes: Scroll to the bottom of the page and click the "Save" button to apply your changes.
2. Addressing Spam Issues (if applicable):
   Check cPanel Version: If you're experiencing spam related to __cpanel__service__auth__icontact, ensure you have a recent version of cPanel. The issue of spam being sent from iContact was resolved in later versions of cPanel.
   Update cPanel: If your cPanel version is outdated, upgrade to the latest stable version to potentially resolve the spam issue.
Important Notes:
   Disabling cPanel features can impact the functionality of your server. Carefully consider the implications before disabling any feature.
   If you're unsure about the impact of disabling a feature, it's recommended to consult with your cPanel support or a qualified system administrator.
This command does the trick, and I've applied it to all servers. I hope this helps while we wait for a permanent solution. What do you think? cPRex
whmapi1 update_featurelist featurelist=disabled caldavcarddav=0
-
David Cordovez - the "it's on their radar now" comment was specific to getting this backported to version 126. The issue is fixed in version 130 but it required some changes that we aren't sure if we can reliably place into version 126, but I let the team know there was indeed demand to get this into a public version of cPanel as soon as possible.
-
cPRex I appreciate your support, know you're always available to help. My comment simply reflects my frustration at realizing that my servers and clients are affected by a security issue reported six months ago, and that the developers aren't giving it the necessary priority by implementing the fix in a version that isn't even released yet and could take several more months to become stable.
For now, I'd appreciate it if you could confirm if this issue is related to using webmail and if disabling the calendar and contacts feature should actually resolve the problem.
-
Oh I get it for sure, no explanation necessary :D
Yes, if you disable Webmail the Calendar tools would also be disabled so there is no way for this issue to happen.
-
Thanks, but I'm referring to just disabling the calendar and contacts feature, not the entire webmail. Would that help? (That's what Google's AI suggested, which, by the way, surprised me with its very specific and well-crafted answer.)
whmapi1 update_featurelist featurelist=disabled caldavcarddav=0
-
It would certainly keep new ones from being created, but I don't know if that's enough to keep it from happening in existing calendars or not. It doesn't hurt to try it!
-
This is how I managed to stop this kind of server abuse: I have MailScanner installed on the server. It has a config file named filename.rules.conf. I created a rule to block any attachment of .ics files.
Since I did this, MailScanner has been capturing and blocking all mail sent with user __cpanel__service__auth__icontact__xxxxxx because every message carries the calendar invitation.
-
Hi, dear cPRex,
I am also experiencing the same problem.
My server is WHM on AlmaLinux 8.
Version is: 128.0.5.
Question: When will version 130 be released? I mean the actual release date for version 130.
You mentioned above that this issue has been fixed in version 130.
🙏
-
mahdi Alyousfi - there isn't a release date for that version just yet, although it would likely be in the next 3-4 months. I have requested that the fix be backported to other versions of cPanel, but no work has started on that just yet. It's possible that since it wasn't fixed until version 130 that it's too large of a fix to get backported into previous versions, but that is just guessing on my part.
If I hear an update on this I'll be sure to post.
-
ok cPRex
thanks 🙏
-
Sure thing!