Spam sent from standard node via distributed mail account

Operating System & Version: CloudLinux v8.8.0
cPanel & WHM Version: 110.0.7

did-vmonroig

Well-Known Member
Feb 6, 2012
73
6
58
cPanel Access Level
Root Administrator
Hello.

We have a standard node for web hosting with a linked mail node. From one of the distributed mail accounts some spammer is using the standard node's SMTP in order to send spam. We've changed passwords and restarted Exim and Dovecot, but it immediately continues sending.

As they are using the standard node's SMTP directly, I think the problem could be that the password change is not applied to the standard node's SMTP, only in the linked mail node. Could it be?

I'm thinking this because /home/%user%/etc/%domain%/shadow is different between servers. Not only the hash, as there are lines in the file for new accounts created after distribution that are in the linked mail node but not in the standard node, and this makes me think about an unmaintained file open for spammers.

Any thoughts? Is it safe to delete the shadow file in the standard node?
 
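A check of the kind described in the post above, as an added example that is not part of the original thread: it diffs the two nodes' per-domain shadow files and flags accounts whose hash differs or that exist on one node only. The file path and the colon-separated field layout are assumed from cPanel's per-domain shadow format; the sample contents are constructed.

```python
"""Audit a cPanel standard node's per-domain mail shadow file against the
linked mail node's copy, to spot accounts whose credentials diverge.
Constructed example, not cPanel tooling. Assumes the per-domain shadow
format user:hash:lastchange:min:max:warn:inactive:expire: and that both
files (/home/<user>/etc/<domain>/shadow on each node) were copied locally."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    account: str
    kind: str  # "stale_hash" | "missing_on_standard" | "missing_on_mail"

def parse_shadow(text: str) -> dict[str, str]:
    """Map mail account -> password hash, skipping blank or malformed lines."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries[fields[0]] = fields[1]
    return entries

def audit(standard_shadow: str, mail_shadow: str) -> list[Finding]:
    """List every divergence. A differing hash means a password change reached
    one node only; an account present on just one node is unmaintained."""
    std, mail = parse_shadow(standard_shadow), parse_shadow(mail_shadow)
    findings: list[Finding] = []
    for acct in sorted(set(std) | set(mail)):
        if acct not in mail:
            findings.append(Finding(acct, "missing_on_mail"))
        elif acct not in std:
            findings.append(Finding(acct, "missing_on_standard"))
        elif std[acct] != mail[acct]:
            findings.append(Finding(acct, "stale_hash"))
    return findings

# Constructed sample files; the hashes are placeholders, not real credentials.
STANDARD_NODE = """alice:$6$oldsalt$OLDHASHPLACEHOLDER:19000:::::
bob:$6$salt$SAMEHASH:19000:::::
"""
MAIL_NODE = """alice:$6$newsalt$NEWHASHPLACEHOLDER:19400:::::
bob:$6$salt$SAMEHASH:19000:::::
carol:$6$s$CREATEDAFTERDISTRIBUTION:19420:::::
"""
if __name__ == "__main__":
    for f in audit(STANDARD_NODE, MAIL_NODE):
        print(f"{f.kind:20} {f.account}")
```

Any `stale_hash` result is an account whose old password is still valid on one node; `missing_on_standard` entries are the post-distribution accounts the poster noticed.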

did-vmonroig

Well-Known Member
Feb 6, 2012
73
6
58
cPanel Access Level
Root Administrator
With help from Dovecot Authentication, in the standard node I've renamed the shadow file and the @pwcache folder, issued a /usr/bin/doveadm auth cache flush, and the problem has stopped, disabling SMTP access for this distributed mail account, and webmail is working properly in the linked mail node.

If this is correct, this is a major security flaw and should be corrected ASAP by cPanel.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
17,470
2,843
363
cPanel Access Level
Root Administrator
Hey there! Can you provide me a bit more detail on how that user was connecting to the standard node? While cPanel users would access the parent node, any mail traffic should have been routed to the mail node, so if you have more details on how this is happening it would be great if you could share those.
 

did-vmonroig

Well-Known Member
Feb 6, 2012
73
6
58
cPanel Access Level
Root Administrator
Of course. Spammers were connecting directly to SMTP on the standard node and sending mail authenticated with an old password, one that was in use before this mail account was distributed to the linked mail server.

I think that resetting the password via cPanel only affected the linked node server, and spammers could still use the standard node's SMTP server with the old password; if this is correct, I think it's a major fault in your software.

If you need logs, I could provide them in a ticket or private message.