__cpanel__service__auth__icontact sending spam
I found these; my usual methods of finding the user account where the spam originated failed. I found this on the auth id line of the headers:
--auth_id __cpanel__service__auth__icontact__xxxxx
(xxxxx is a random string)
Here is the full mainlog grep of an example email:
[root@hostname: /var/log]# grep 1t6ADu-00000003XJc-4ASv exim_mainlog
2024-10-30 09:03:00.821 [843052] 1t6ADu-00000003XJc-4ASv <= examle.sender@somedomain-not-onserver.com H=(localhost.localdomain) [127.0.0.1]:58092 I=[127.0.0.1]:25 Ci=843052 P=esmtpa L.- A=dovecot_plain:__cpanel__service__auth__icontact__rynqgktxhrl7zu46 S=48225 M8S=0 RT=0.005s T="Invite: MX Carrier Training | BlueYonder " from <examle.sender@somedomain-not-onserver.com> for example-recipient@domain-also-not-on-server.com
2024-10-30 09:03:00.837 [843054] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1t6ADu-00000003XJc-4ASv
2024-10-30 09:03:00.872 [843054] 1t6ADu-00000003XJc-4ASv Sender identification U=__cpanel__service__auth__icontact__rynqgktxhrl7zu46 D=-system- S=__cpanel__service__auth__icontact__rynqgktxhrl7zu46
2024-10-30 09:03:02.347 [843054] 1t6ADu-00000003XJc-4ASv => example-recipient@domain-also-not-on-server.com F=<examle.sender@somedomain-not-onserver.com> P=<examle.sender@somedomain-not-onserver.com> R=lookuphost T=remote_smtp S=49494 H=transpojit-com.mail.protection.outlook.com [52.101.41.24]:25 I=[my.server.ip]:39241 X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes DN="/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com" L C="250 2.6.0 <f1afa296-3c14-4305-a868-7c258fc79602@SJ1PEPF00002319.namprd03.prod.outlook.com> [InternalId=66915590473532, Hostname=SJ2PR12MB7845.namprd12.prod.outlook.com] 58697 bytes in 0.228, 250.589 KB/sec Queued mail for delivery" QT=1.528s DT=1.431s
2024-10-30 09:03:02.348 [843054] 1t6ADu-00000003XJc-4ASv Completed QT=1.534s
Hey there! I can't say I've seen anything quite like that before. For security reasons, it would be best to submit a ticket so the machine can be investigated.
Turns out it's a bug:
For people reading this after a Google search: check a mail specimen; if your case is the same as mine, it surely has an .ics file attached to it, and one of the listed invited participants on this .ics is a legit user on the server. Turns out that some bug in the Roundcube calendar sends notifications the wrong way, with the event organizer as the sender instead of the actual user of the email account that received the invitation. If the event organizer is not on your server, well, you'll have these entries in the logs where both the sender and the recipient are not on the server and, somehow (not sure exactly how), cPanel's icontact service sent the mail.
cPRex:
I did, yesterday; the ticket id is #95392082 and they told me that this was already known and that the developer team already has a case for it: case ID CPANEL-45748. Not sure how to check that case though, since a search doesn't return any results. Thanks!
Luis Falcon - thanks for sharing! There isn't a way for you to check that case but I can see it's on the developer's radar and I'll be sure to post an update here if I hear anything on my end!
Resolved?
I don't see that there has been a fix just yet as it is still on the team's backlog.