Channel: cPanel Forums

Compromised Email Accounts

Hi All,

After banging my head over a few weeks I decided to see if the community had seen anything like this. We have several cPanel servers and are experiencing the following unusual behaviour with different accounts. Occasionally an account will randomly send out emails like the following 2 examples:

Email addresses have been removed to protect users.
---------------
Code:

-interface_address 127.0.0.1.125
 -received_protocol esmtpa
 -body_linecount 1
 -max_received_linelength 781
 -auth_id XXXXXXXX
 YY XXXXXXXXXXXXX
 YY XXXXXXXXXXXXX
 YY XXXXXXXXXXXXX
 YN XXXXXXXXXXXXX
 NN XXXXXXXXXXXXX
 NN XXXXXXXXXXXXX
 YY XXXXXXXXXXXXX
 NN XXXXXXXXXXXXX
 NN XXXXXXXXXXXXX
 YY XXXXXXXXXXXXX
 YY XXXXXXXXXXXXX
 NN XXXXXXXXXXXXX
 NN XXXXXXXXXXXXX
 YY XXXXXXXXXXXXX
 NN XXXXXXXXXXXXX
 YN XXXXXXXXXXXXX
 NN XXXXXXXXXXXXX

To: "mlblum" , "dharwig2000" , "chiari" , "the1amigo" , "mlortez" , "l bellhotmom2" , "happilyamused" , "rector" , "rkatzev" , "poor tom83" , "sednaimports" , "karmazin" , "angelina g hare" , "bbaars" , "Cory" , "Polly Hancock" , "Matt Richardson" , "vilmaz" , "Justin"

Hi! How are you?
Breaking news link to a random dodgy website. it works!


---------------
To: "jock28" , "ivyjock0" , "psifn" , "elongobard" , "latinprmen" , "ukywildcatfan1" , "chilledguy68" , "rsteve81" , "camperdudenh" , "pmichaud1" , "polarisclassic2000" , "toggleming" , "hotbizguy" , "andrewhuebner" , "firetravel69" , "jvieira87" , "nrthshrhottie" , "gmstone01" , "petermurphy1975" , "Musclekunt4u"

Hi!
How are you? link to a random dodgy website.  Oprah says it works!
M R

---------------

Hyperlinks removed as they are probably dangerous.

These emails are generated from a user that is fully authenticated, and after checking the log files they just present the username and password and send the emails via multiple IP addresses. We run brute force protection, ASSP Deluxe and other security measures. Now, is it more likely to be something client-side capturing the password (viruses etc.), or do we have a real issue here? It only affects 2 - 3 accounts every month or so. Also something to be noted: the spammer is being very sneaky when sending out the emails, as they will only send about 20 emails per IP and then it finishes, I assume to avoid detection.

I have outbound spam filtering enabled and this does stop it. Having checked all the log files, none of the IPs that connect have ever been near the server before they send the emails as above. Your thoughts would be greatly appreciated.

thespudman
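As an added example (not from the original post or from cPanel), here is a small defender-side check that mirrors the pattern described above: parse simplified Exim mainlog arrival lines and flag authenticated senders whose messages arrive from several distinct IPs, each in a small batch. The log lines are constructed sample data in a reduced form of Exim's real format, and the thresholds (3 IPs, 20 messages per IP) are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample of Exim mainlog "<=" (message arrived) lines, simplified:
# real lines carry more fields, but the ones used here ([ip], P=, A=) are real.
SAMPLE_LOG = """\
2024-05-01 03:10:01 1s1AAA-000001-AA <= alice@example.test H=(x) [198.51.100.10] P=esmtpa A=dovecot_login:alice@example.test S=812
2024-05-01 03:10:02 1s1AAA-000002-AA <= alice@example.test H=(x) [198.51.100.10] P=esmtpa A=dovecot_login:alice@example.test S=812
2024-05-01 03:20:07 1s1AAA-000003-AA <= alice@example.test H=(y) [203.0.113.77] P=esmtpa A=dovecot_login:alice@example.test S=805
2024-05-01 03:31:44 1s1AAA-000004-AA <= alice@example.test H=(z) [192.0.2.200] P=esmtpa A=dovecot_login:alice@example.test S=799
2024-05-01 04:02:13 1s1AAA-000005-AA <= alice@example.test H=(w) [198.51.100.99] P=esmtpa A=dovecot_login:alice@example.test S=801
2024-05-01 09:00:00 1s1AAA-000006-AA <= bob@example.test H=(home) [192.0.2.15] P=esmtpa A=dovecot_login:bob@example.test S=2048
2024-05-01 09:05:00 1s1AAA-000007-AA <= bob@example.test H=(home) [192.0.2.15] P=esmtpa A=dovecot_login:bob@example.test S=1500
"""

# Source IP in [...], protocol after P=, authenticated id after the "authenticator:" prefix in A=
LINE_RE = re.compile(r"<= \S+ H=.*?\[(?P<ip>[\d.:a-fA-F]+)\] P=(?P<proto>\S+) A=\S+?:(?P<auth>\S+)")


def parse_authenticated_sends(log_text):
    """Return {auth_id: {ip: message_count}} for authenticated (esmtpa/esmtpsa) submissions."""
    sends = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") in ("esmtpa", "esmtpsa"):
            sends[m.group("auth")][m.group("ip")] += 1
    return sends


def flag_suspicious(sends, min_ips=3, max_per_ip=20):
    """Flag auth ids that submitted from at least min_ips distinct IPs, every one of them
    in a batch of at most max_per_ip messages (the "20 per IP then stop" pattern).
    Thresholds are assumptions; a legitimate roaming user can also trip them, so treat
    a hit as a prompt to reset the password and review the account, not as proof."""
    flagged = {}
    for auth, per_ip in sends.items():
        if len(per_ip) >= min_ips and all(n <= max_per_ip for n in per_ip.values()):
            flagged[auth] = sorted(per_ip)
    return flagged


if __name__ == "__main__":
    for auth, ips in flag_suspicious(parse_authenticated_sends(SAMPLE_LOG)).items():
        print(f"{auth}: small batches from {len(ips)} distinct IPs: {', '.join(ips)}")
```

On a cPanel box the same functions can be fed `/var/log/exim_mainlog` directly; combine the result with the auth failures already recorded by your brute-force protection to separate a stolen password from a guessed one.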
