Spam emails being sent from my dedicated server

CharlesGLondon

Well-Known Member
Jan 30, 2019
London
cPanel Access Level
Website Owner
Hello All,

I've a dedicated server with many accounts on it. I'm receiving spam emails from this server. Emails are sent from the dedicated server's main IP address using an account hosted on this server. Email is sent to my personal email which is a separate domain hosted elsewhere. There are around 10-20 emails being sent per day.

I've checked the Exim configuration as described at
https://documentation.cpanel.net/di...8861.661779271.1673713363-58368877.1673713363
I already have most of the settings turned on.

I've read the post
https://forums.cpanel.net/threads/need-to-catch-the-spamming-source.604567/
but I couldn't find anything suspicious.

I can't figure out whether there is a malicious script on my dedicated server sending these emails, or whether they are being relayed through my dedicated server's SMTP. How do I find out?

Any tips on how I can find the culprit and fix it?

======= Email header. I've modified some of the details for privacy.===============

CrytoUncef <[email protected]>
Ieguldiet $1 šodien, lai rīt veiktu $1000.
To: My Name <[email protected]>
Envelope-To: <[email protected]>
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - dedicatedserver.ip-111-111-111.eu
X-Antiabuse: Original Domain - mypersonaldomain.com
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - hotmail.com
X-Source-Args:
Return-Path: <[email protected]>
Ui-Inboundreport: junk:10;M01:P0:RItwhPGlRLY=;397......
.....
Mime-Version: 1.0
Authentication-Results: kundenserver.de; dkim=pass [email protected]
X-Source-Dir:
Content-Transfer-Encoding: quoted-printable
<[email protected]>
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sendingdomain.com; s=default; h=Content-Transfer-Encoding:Content-Type: MIME-Version:To:From:Subject:Date:Message-ID:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=RjSCyL9BMDveAcwCExzGtVjZlFMOy0LjmD+n1hmVAwU=; b=iEzWTENLUffBNI69v11zCdP4Af Y07b0tzY+ZY0afZL9uUXK3ZTUxGeTOHeTUAiurE3+ku+aAPt+Nyg3vrJyVeT/tbBvNxwa8NYjSvIi KsPTJMQHE15763kcX4vLNU/W7N6BT9zaDa8Yu1pDDYe4enzScNhGYCgK7khqcgAJfNj8mM7HgG6Nc mfRs7dXZPLgfTMSs+v9BTmKX/vlnwgpngGvnehxznw0C/DqlG410rjZ7yH8Hma3H4eJQDTWBeC95d M1qkZoD5YyY0zCGc+Ryzh4H2jK7F1UdGtaqILHfPNWF36aTgvS5nbRrD1gnwdIHqJo2gghHKbSWm+ FibYaJjA==;
X-Authenticated-Sender: dedicatedserver.ip-111-111-111.eu: indreclv
X-Get-Message-Sender-Via: dedicatedserver.ip-111-111-111.eu: acl_c_authenticated_local_user: indreclv
X-Spam-Flag: YES
Content-Type: text/plain; charset=utf-8
X-Source:
Received: from dedicatedserver.ip-111-111-111.eu ([123.123.123.123]) by mx.kundenserver.de (mxeue012 [212.227.15.41]) with ESMTPS (Nemesis) id 1Mox02-1oxNSl2ZkU-00qUo3 for <[email protected]>; Sat, 14 Jan 2023 16:22:45 +0100
Received: from [::1] (port=46354 helo=sendingdomain.com) by dedicatedserver.ip-111-111-111.eu with esmtp (Exim 4.95) (envelope-from <[email protected]>) id 1pGiMo-0000QE-4A for [email protected]; Sat, 14 Jan 2023 16:22:45 +0100
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! My first thought is that our updated docs are all at docs.cpanel.net - the old "documentation.cpanel.net" site is left up for some API calls and legacy applications, but likely shouldn't be referenced for day-to-day use.

I like this command - it searches the Exim logs and finds all messages sent from directories. Just be sure to ignore odd directories like /, /etc/csf (if you have that tool installed), and /var/spool/exim:

Code:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
If the spam is being sent from a user's directory, that should help you track it down, so I'd start there and see what you find!

You could also search your Exim log (/var/log/exim_mainlog) directly for the "1Mox02-1oxNSl2ZkU-00qUo3" ID and see if that gives you more details about where it originated from.
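The two log checks suggested in this reply, as an added example that is not part of the thread or of cPanel's own tooling: a POSIX shell script that counts the cwd= directories in the Exim main log (skipping the noisy ones mentioned) and pulls every line for one Exim message ID. The log lines are constructed samples; the path /var/log/exim_mainlog, the account name indreclv and the local message ID 1pGiMo-0000QE-4A from the server's own Received: header come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage an Exim mainlog for the
# directories mail was sent from and for the trail of one message ID.
# The log below is a constructed sample standing in for /var/log/exim_mainlog.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2023-01-14 16:22:44 cwd=/home/indreclv/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2023-01-14 16:22:45 1pGiMo-0000QE-4A <= user@sendingdomain.com H=(sendingdomain.com) [::1]:46354 P=esmtp S=2048 for victim@mypersonaldomain.com
2023-01-14 16:22:45 1pGiMo-0000QE-4A => victim@mypersonaldomain.com R=lookuphost T=remote_smtp H=mx.kundenserver.de [212.227.15.41]
2023-01-14 16:22:45 1pGiMo-0000QE-4A Completed
2023-01-14 16:30:01 cwd=/home/indreclv/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2023-01-14 17:00:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1pGjxx-0000QF-5B
2023-01-14 17:05:00 cwd=/home/goodsite/public_html 3 args: /usr/sbin/sendmail -t -i
EOF

# Count the working directories Exim was invoked from (the cwd= field is $3),
# dropping the routine ones cPRex says to ignore: /, /etc/csf, /var/spool/exim.
sending_dirs() {
  awk '$3 ~ /^cwd=/ { sub(/^cwd=/, "", $3); print $3 }' "$1" \
    | grep -Ev '^(/|/etc/csf|/var/spool/exim)$' \
    | sort | uniq -c | sed 's/^ *//' | sort -nr
}

# Every line for one Exim message ID: arrival (<=), delivery (=>), Completed.
# On queue lines the ID is also the third whitespace-separated field.
message_trail() {
  awk -v id="$2" '$3 == id' "$1"
}

# Small accessors so the busiest directory and its count can be checked.
top_dir()     { sending_dirs "$1" | head -n 1 | awk '{ print $2 }'; }
top_count()   { sending_dirs "$1" | head -n 1 | awk '{ print $1 }'; }
trail_lines() { message_trail "$1" "$2" | wc -l | tr -d ' '; }

echo "Sending directories by count:"
sending_dirs "$SAMPLE_LOG"
echo "Trail for 1pGiMo-0000QE-4A:"
message_trail "$SAMPLE_LOG" 1pGiMo-0000QE-4A
```

On a live server, replace the sample file with /var/log/exim_mainlog (and any rotated exim_mainlog-YYYYMMDD files, since the counts only cover the current log).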
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
We may not be looking for "many" emails if you're only seeing 10-20 per day. This would only show the messages sent since the last time the Exim log was rotated - you could find how far back the log goes by running this command:

Code:
head -n 1 /var/log/exim_mainlog
as that would show the first entry in the log.

I would check out some of those /web directories to see if that could be the issue.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
So that is letting you know that you're only getting the last day of logs.

I can't say what specifically could be in the home directories as it could be anything - it only takes one malicious file or misconfigured web form to cause spam to be sent.