CPanel: Email Queue clogged... brute force spam
alright... first of all hi everyone... it's been forever since i posted here the last time - in fact, so long that i forgot my username. anyways. here is my problem: i have a cpanel reseller account and lately some email and spam issues arose. the accounts are all being used by myself, so i am sure that no one is messing and spamming from accounts under my reseller (whm) account.
i used to have my accounts set up with catch all addresses (7 accounts total), but on 3-4 of those i started receiving more and more spam and especially mailer daemon emails of mails i never have sent.
say my catchall address is default@domain.com - then i eventually got 100s of mailer daemon emails every day, which showed that (spam) emails had bounced, and the original sender addresses were somename@domain.com - such as
frank@domain.com, dana@domain.com,... you get the idea.
alright - my provider contacted me that - despite this being really annoying for myself - this issue started to put a strain on the server and clogged up the mail queue.
so i blackholed/failed all unknown forwarders from then on (about 2 months ago) and my mailbox stayed nice and clean. i thought the problem was resolved, until this week when my accounts were suspended for spamming. so i contacted the provider:
he told me that there was brute force spamming coming from my accounts - well - i never installed anything like this... obviously.
it has just gotten out of hand to the point where Exim is ALWAYS the top process with cpu usage at 99.9% 99% of the time
the thing is, that now the mail queue is getting clogged with bouncing mailer daemons - the random sender@domain.com spam is still being sent, but the mailer daemons get stuck there now, as i don't accept them any more. so i talked to my provider to see if he could point me to something like a script or so on my accounts that was causing this. all he got me was a log of - like he worded it:
it is a script to locate a spammer using formmailers to spam us - forms, php scripts etc... send mail from the user NOBODY
Code:
root@server2 [/var]# tail /var/log/formmail.log
- - domain1 x 32047 32048 /home/domain1 /bin/false
- - domain1 x 32047 32048 /home/domain1 /bin/false
- - domain2 x 32038 32039 /home/domain2 /bin/false
- - domain2 x 32038 32039 /home/domain2 /bin/false
- - domain1 x 32047 32048 /home/domain1 /bin/false
- - domain1 x 32047 32048 /home/domain1 /bin/false
- - domain3 x 32036 32037 /home/domain3 /bin/false
- - domain3 x 32036 32037 /home/domain3 /bin/false
- - domain1 x 32047 32048 /home/domain1 /bin/false
- - domain1 x 32047 32048 /home/domain1 /bin/false
Code:
- Log events from /var/log/exim_mainlog:
2005-05-14 02:52:43 H=(xxx.xxx.xxx.xxx) [xxx.xxx.xxx.xxx] sender verify fail for : unrouteable mail domain "targetdomain.com"
2005-05-14 02:52:43 H=(xxx.xxx.xxx.xxx) [xxx.xxx.xxx.xxx] F= rejected RCPT : Sender verify failed
2005-05-14 02:52:46 H=(xxx.xxx.xxx.xxx) [xxx.xxx.xxx.xxx] F= rejected RCPT : Sender verify failed
2005-05-14 02:52:50 H=(xxx.xxx.xxx.xxx) [xxx.xxx.xxx.xxx] F= rejected RCPT : Sender verify failed
2005-05-14 02:52:54 H=(xxx.xxx.xxx.xxx) [xxx.xxx.xxx.xxx] F= rejected RCPT
Code:
Sat May 14 06:30:02 PDT 2005 - / - domain4 x 32040 32041 /home/domain4 /usr/local/cpanel/bin/noshell
Sat May 14 06:30:02 PDT 2005 - / - domain4 x 32040 32041 /home/domain4 /usr/local/cpanel/bin/noshell
Sat May 14 06:30:05 PDT 2005 - / - domain1 x 32037 32038 /home/domain1 /usr/local/cpanel/bin/noshell
Sat May 14 06:30:47 PDT 2005 - /home/domain1/public_html/shoutbox - nobody x 99 99 Nobody / /sbin/nologin
except the last line in the last snippet, i can't really tell where emails originated from, or whether they actually came from my accounts at all.
all in all i don't even know if the problem actually is coming from my accounts, or if someone is just using a brute force tool to constantly send spam with bogus email aliases of my accounts - which i wouldn't be able to do anything about - would i?
i don't know enough about how all this stuff works exactly and what kind of settings i could have changed to help solve this issue before i get booted all the way.
are there known problems/solutions associated with situations like this? what is there that i can do? right now i am pulling backups and will try to set up one of the accounts completely from scratch, uploading a file at a time to see if no one dropped anything that's not supposed to be there...however, i doubt that this even has to be the issue...
are there any scripts that are known to cause such behavior (older phpbb versions maybe?)
any help or clues are greatly appreciated!
thanks a lot in advance!
rock on - sid
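The poster's difficulty is that only the last formmail.log line (the `nobody` process running in a `public_html/shoutbox` directory) points at a concrete script, while the rest of the entries show no working directory. The script below is an added example, not code from the post or from cPanel: it parses the two log layouts quoted above (the `timestamp - cwd - passwd-entry` lines of formmail.log and the `rejected RCPT` lines of exim_mainlog), tallies which web-script directories sent mail as `nobody`, and counts rejected inbound connections per remote IP so that locally generated mail can be told apart from remote hosts bouncing forged senders. All sample lines, domain names and IP addresses are constructed for the example (the IPs are documentation ranges).

```python
"""Triage helpers for the two cPanel log formats quoted in the post.

Sample data below is constructed for this example; domains, uids and
IP addresses are placeholders, not values from a real server.
"""
import re
from collections import Counter

# Constructed lines in the /var/log/formmail.log layout shown in the post:
#   <timestamp> - <cwd of the sending process> - <passwd entry of the user>
# A lone "-" marks a field the logger could not determine.
FORMMAIL_LOG = """\
- - domain1 x 32047 32048 /home/domain1 /bin/false
- - domain2 x 32038 32039 /home/domain2 /bin/false
Sat May 14 06:30:02 PDT 2005 - / - domain4 x 32040 32041 /home/domain4 /usr/local/cpanel/bin/noshell
Sat May 14 06:30:47 PDT 2005 - /home/domain1/public_html/shoutbox - nobody x 99 99 Nobody / /sbin/nologin
Sat May 14 06:31:12 PDT 2005 - /home/domain1/public_html/shoutbox - nobody x 99 99 Nobody / /sbin/nologin
Sat May 14 06:33:05 PDT 2005 - /home/domain2/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
"""

# Constructed lines in the exim_mainlog layout quoted in the post (the forum
# stripped the angle-bracketed addresses; they are filled with placeholders).
EXIM_LOG = """\
2005-05-14 02:52:43 H=(198.51.100.7) [198.51.100.7] sender verify fail for <frank@domain1.example>: unrouteable mail domain "targetdomain.com"
2005-05-14 02:52:43 H=(198.51.100.7) [198.51.100.7] F=<frank@domain1.example> rejected RCPT <victim@targetdomain.com>: Sender verify failed
2005-05-14 02:52:46 H=(198.51.100.7) [198.51.100.7] F=<dana@domain1.example> rejected RCPT <victim@targetdomain.com>: Sender verify failed
2005-05-14 02:52:50 H=(203.0.113.9) [203.0.113.9] F=<bob@domain2.example> rejected RCPT <victim@targetdomain.com>: Sender verify failed
"""

WEB_USER = "nobody"  # the user Apache ran PHP/CGI as on this kind of cPanel box


def parse_formmail(text):
    """Split formmail.log lines into dicts; unknown fields become None."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(" - ")
        if len(parts) < 2:
            continue  # not in the expected layout
        pw = parts[-1].split()  # user x uid gid [gecos] home shell
        if len(pw) < 4:
            continue
        cwd = parts[-2]
        ts = " - ".join(parts[:-2])
        entries.append({
            "time": ts if ts and ts != "-" else None,
            "cwd": cwd if cwd != "-" else None,
            "user": pw[0],
            "uid": int(pw[2]) if pw[2].isdigit() else None,
            "home": pw[-2],
            "shell": pw[-1],
        })
    return entries


def web_script_hits(entries):
    """Count mail sent by the web-server user, keyed by the script's directory.

    A directory under a customer's public_html appearing here is the place
    to inspect for a form mailer or a planted script.
    """
    return Counter(e["cwd"] for e in entries
                   if e["user"] == WEB_USER and e["cwd"])


def sends_per_user(entries):
    """Count all formmail.log entries per system user (cwd known or not)."""
    return Counter(e["user"] for e in entries)


REJECT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*rejected RCPT")


def exim_rejects_by_host(text):
    """Count 'rejected RCPT' lines per connecting IP in exim_mainlog.

    These are inbound connections refused by sender verification; a large
    count from remote hosts is noise aimed at the server, not mail leaving
    the poster's own accounts.
    """
    return Counter(m.group(1) for m in map(REJECT_RE.search, text.splitlines()) if m)


if __name__ == "__main__":
    parsed = parse_formmail(FORMMAIL_LOG)
    print("mail from web scripts, by directory:", dict(web_script_hits(parsed)))
    print("entries per user:", dict(sends_per_user(parsed)))
    print("rejected inbound connections per IP:", dict(exim_rejects_by_host(EXIM_LOG)))
```

Run it against the real files with the constructed strings replaced by `open("/var/log/formmail.log").read()` and `open("/var/log/exim_mainlog").read()`; the directories listed under "mail from web scripts" are the candidates to audit first, and entries whose cwd is unknown can still be grouped per account with `sends_per_user` to see which reseller account generates the volume.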