It seems that a spammer cracked an email account and all my SMTP relays were consumed. My server is a CentOS VPS.
I have applied every prevention method I found in the cPanel documentation and it still happened; everything here is covered: https://documentation.cpanel.net/display/CKB/How+to+Prevent+Spam+with+Mail+Limiting+Features
All accounts have a password with a score of 60 or more. I also blocked port 25 and required SMTP authentication.
On WHM "Mail Delivery Reports" the sender appears as an email account from a nonexistent domain "notificaciones@banamex.com.mx" with the following event details:
Sender: notificaciones@banamex.com.mx
Sent Time: Oct 13, 2016 10:40:10 AM
Sender Host: 86.106.131.229
Sender IP: 86.106.131.229
Authentication: dovecot_login
Spam Score: 2.8
Recipient: examplemail@hotmail.com
Delivered To:
Delivery User:
Delivery Domain:
Router: send_to_smart_host
Transport: remote_smtp
Using this script over SSH I found out that an email account I own, francisco.gonzalez@mydomain.com, has sent more than 9,000 emails:
perl -lsne '/$today.* \[([0-9.]+)\]:.+dovecot_(?:login|plain):([^\s]+).* for (.*)/ and $sender{$2}{r}+=scalar (split / /,$3) and $sender{$2}{i}{$1}=1; END {foreach $sender(keys %sender){printf"Recip=%05d Hosts=%03d Auth=%s\n",$sender{$sender}{r},scalar (keys %{$sender{$sender}{i}}),$sender;}}' -- -today=$(date +%F) /var/log/exim_mainlog | sort
I want to find out how that account was breached in order to prevent further attacks. Any guesses? Any help will be really appreciated. Thank you.
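The pattern in the report above (an `A=dovecot_login:` account that authenticated from several client IPs while the envelope sender was a different, external address) is what the perl one-liner counts. As an added example that is not part of the original post, the following Python does the same per-account tally over constructed Exim mainlog lines and also records every envelope sender that differs from the authenticated account, which is how the spoofed "notificaciones@banamex.com.mx" points back to the real compromised mailbox. The log lines, IPs and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of cPanel/Exim mainlog "<=" (message received) lines.
# The last line is unauthenticated inbound mail and must be ignored.
SAMPLE_LOG = """\
2016-10-13 10:40:10 1bufoo-0001Rm-Xx <= notificaciones@banamex.com.mx H=(host) [86.106.131.229]:52341 P=esmtpa A=dovecot_login:francisco.gonzalez@mydomain.com S=2048 for examplemail@hotmail.com other@example.net
2016-10-13 10:40:11 1bufop-0001Rn-Yy <= notificaciones@banamex.com.mx H=(host) [203.0.113.7]:41022 P=esmtpa A=dovecot_login:francisco.gonzalez@mydomain.com S=2048 for a@example.org
2016-10-13 10:41:02 1bufpq-0001Ro-Zz <= maria@mydomain.com H=(pc) [198.51.100.9]:55012 P=esmtpa A=dovecot_plain:maria@mydomain.com S=900 for b@example.org
2016-10-13 10:41:30 1bufpr-0001Rp-Aa <= bounce@other.net H=mx.other.net [192.0.2.5] P=esmtp S=500 for maria@mydomain.com
"""

# date, envelope sender, client IP, authenticated account, recipient list
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ \S+ <= (?P<sender>\S+) .*?"
    r"\[(?P<ip>[0-9.]+)\].*? A=dovecot_(?:login|plain):(?P<auth>\S+) .*? for (?P<rcpts>.+)$"
)

def summarize(log_text, date):
    """Per authenticated account on `date`: recipient count, distinct client
    IPs, and envelope senders that do not match the account (spoofed From)."""
    stats = defaultdict(lambda: {"recipients": 0, "hosts": set(), "spoofed_senders": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("date") != date:
            continue  # unauthenticated mail, malformed line, or other day
        acct = stats[m.group("auth")]
        acct["recipients"] += len(m.group("rcpts").split())
        acct["hosts"].add(m.group("ip"))
        if m.group("sender").lower() != m.group("auth").lower():
            acct["spoofed_senders"].add(m.group("sender"))
    return dict(stats)

def flag_accounts(stats, max_recipients=500, max_hosts=3):
    """Return {account: [reasons]} for accounts matching a cracked-password
    abuse profile. Thresholds are illustrative, tune them to your traffic."""
    flagged = {}
    for acct, s in stats.items():
        reasons = []
        if s["recipients"] > max_recipients:
            reasons.append(f"{s['recipients']} recipients")
        if len(s["hosts"]) > max_hosts:
            reasons.append(f"{len(s['hosts'])} distinct client IPs")
        if s["spoofed_senders"]:
            reasons.append("envelope sender != account: " + ", ".join(sorted(s["spoofed_senders"])))
        if reasons:
            flagged[acct] = reasons
    return flagged

if __name__ == "__main__":
    for acct, why in flag_accounts(summarize(SAMPLE_LOG, "2016-10-13"), 2, 1).items():
        print(acct, "->", "; ".join(why))
```

Point it at `/var/log/exim_mainlog` with today's date instead of `SAMPLE_LOG`; the distinct-IP set for a flagged account is what to compare against the owner's usual locations when working out whether the password was guessed or phished.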