Spam sent out from my server keeps on going, urgent!

knoll (Verified User; joined Sep 26, 2005; 140 messages; location: Belgium)
Hey,
Spam sent out from my server keeps on going.
I'm using exim.conf 4.5.7,
running on CentOS 6 with DirectAdmin,
fail2ban and csf.

I even used the ISP of my VPS, his service for SMTP:
I just set some SPF records to there and they handle it,
but the problem started on my server.

I have now blocked most countries in csf for SMTP usage, but it's not a solution.
I changed my password already 5 times, even a very hard password, and I think they just keep on going through there.

Some logs from exim mainlog:

2018-03-10 10:04:29 1euaQX-0001WG-Cu <= [email protected] H=(mail.opelmanta.be) [178.246.104.77] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=4005 id=578398276309$hp0tojkg$1tkl2dlk$@Carmine-PC T="" from <[email protected]> for [email protected]
2018-03-10 10:04:30 1euaQX-0001WG-Cu => [email protected] F=<[email protected]> R=transip_email T=auth_relay S=4925 H=vps.transip.email [149.210.149.126] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes A=auth_login C="250 2.0.0 Ok: queued as 3zyyx96LY9z1gwjc"

2018-03-10 10:03:39 1euaPj-0001WG-Dw <= [email protected] H=(mail.opelmanta.be) [178.246.104.77] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=3921 id=084366706732$vl0t3a7w$y0a6a583$@Oletha-PC T="" from <[email protected]> for [email protected]
2018-03-10 10:03:40 1euaPj-0001WG-Dw => [email protected] F=<[email protected]> R=transip_email T=auth_relay S=4840 H=vps.transip.email [149.210.149.126] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes A=auth_login C="250 2.0.0 Ok: queued as 3zyywC74kYz1gwjc"

etc., and it goes on.

The transip thing is the SPF service of the ISP; mail.opelmanta.be should be the incoming server and smtp.opelmanta.be should be the outgoing one. It's not an open relay normally.

I don't know what to do next.

This is my csf config:
http://www.opelmanta.be/csfconfig
and
http://www.opelmanta.be/eximconfig

Even when I did the DKIM thing and all the protection on my own SMTP, I had even more spam.
I use port 587 for outgoing mails.

I thought port 25 should be more locked with my csf config;
I still can do:
[root@gsi public_html]# telnet directadmin.com 25
Trying 216.144.255.179...
Connected to directadmin.com.
Escape character is '^]'.
220 jbmc-software.com ESMTP Exim 4.90_1 Sat, 10 Mar 2018 04:14:03 -0700

If anyone has an idea for me, please support me; I'm looking for solutions for more than 3 weeks now.
Thanks, Alex
 
I did the iptables thing too,
so now it blocks port 25:
[root@gsi ~]# su - alex
[alex@gsi ~]$ telnet directadmin.com 25
Trying 216.144.255.179...
telnet: connect to address 216.144.255.179: Connection refused

More things I could do?
 
And with port 25 closed it still goes on:
2018-03-10 12:38:37 1eucpg-0004Zf-A2 <= [email protected] H=(mail.opelmanta.be) [47.29.39.56] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=4176 id=985399608616$ol1n6hqz$p856he4j$@Wheeler-PC T="" from <[email protected]> for [email protected]

2018-03-10 12:38:40 1eucpg-0004Zf-A2 => [email protected] F=<[email protected]> R=transip_email T=auth_relay S=5098 H=vps.transip.email [149.210.149.126] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes A=auth_login C="250 2.0.0 Ok: queued as 3zz2M24YcNz20Xb"
2018-03-10 12:38:52 1eucpw-0004Zf-44 <= [email protected] H=(mail.opelmanta.be) [47.29.39.56] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=3989 id=848310856525$2bv5l7d5$xnc9fvv4$@Afina-PC T="" from <[email protected]> for [email protected]
2018-03-10 12:38:56 1eucpw-0004Zf-44 => [email protected] F=<[email protected]> R=transip_email T=auth_relay S=4909 H=vps.transip.email [149.210.149.126] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes A=auth_login C="250 2.0.0 Ok: queued as 3zz2MK6hMvz2ZNjY"

2018-03-10 12:45:17 plain authenticator failed for (mail.opelmanta.be) [49.35.1.92]: 535 Incorrect authentication data ([email protected])
2018-03-10 12:45:45 1eucwK-0005if-7Y <= [email protected] H=(mail.opelmanta.be) [49.35.1.92] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=3781 id=444995134867$ker7s283$hkq63gdl$@Ummi-PC T="" from <[email protected]> for [email protected]
2018-03-10 12:45:48 1eucwK-0005if-7Y => [email protected] <[email protected]> F=<[email protected]> R=transip_email T=auth_relay S=4697 H=vps.transip.email [149.210.149.126] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes A=auth_login C="250 2.0.0 Ok: queued as 3zz2WH3CDDz2BcpW"
2018-03-10 12:46:01 plain authenticator failed for (mail.opelmanta.be) [157.50.202.9]: 535 Incorrect authentication data ([email protected])
2018-03-10 12:46:09 1eucwy-0005jF-9E <= [email protected] H=(mail.opelmanta.be) [157.50.202.9] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=4103 id=830023231712$rex5z0ln$3rm4e854$@Napoleon-PC T="" from <[email protected]> for [email protected]
2018-03-10 12:46:15 1eucwy-0005jF-9E => [email protected] <[email protected]> F=<[email protected]> R=transip_email T=auth_relay S=5025 H=vps.transip.email [149.210.149.126] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes A=auth_login C="250 2.0.0 Ok: queued as 3zz2Wl0VrSz2SSW9"
 
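As an added example (not from this thread, and not DirectAdmin's or Exim's own tooling), here is a defender-side check that runs over mainlog excerpts like the ones above. It parses the `<=` acceptance lines and the `authenticator failed` lines, lists every client IP each mailbox authenticated from, and flags an IP whose failed login is followed within a short window by a successful authenticated submission from the same IP, which is exactly what the 12:45:17 / 12:45:45 pair above shows. The sample lines are constructed to mirror the thread's excerpt (the client IPs are the ones in the excerpt; hostnames, mailboxes, message ids of the extra lines and the thresholds are placeholders and assumptions).

```python
"""Scan Exim mainlog excerpts for authenticated-submission abuse.

Two checks, both visible in the thread's log lines:
  1. one mailbox authenticating (A=plain:<user>) from many different client IPs;
  2. a '535 ... authenticator failed' from an IP followed shortly by a successful
     authenticated submission from that same IP (a guess that eventually landed).
Sample lines are constructed to mirror the thread's excerpt; hostnames and
mailboxes are placeholders, the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"

# '<=' is a message accepted by exim; only remote acceptances carry 'H=(helo) [ip]',
# so purely local submissions (P=local) are skipped on purpose.
ACCEPTED = re.compile(
    TS + r" (?P<msgid>\S+) <= (?P<sender>\S+) H=\((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\](?P<rest>.*)$")
AUTH_FIELD = re.compile(r"\bA=(?P<mech>[^: ]+)(?::(?P<user>\S+))?")  # e.g. A=plain:alex
PROTO_FIELD = re.compile(r"\bP=(?P<proto>\S+)")                      # e.g. P=esmtpsa
AUTH_FAIL = re.compile(
    TS + r" (?P<mech>\S+) authenticator failed for \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) .*\((?P<user>[^)]*)\)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_mainlog(lines):
    """Return (submissions, failures): authenticated '<=' acceptances and
    authenticator failures, each as a dict, in log order."""
    submissions, failures = [], []
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            auth = AUTH_FIELD.search(m.group("rest"))
            proto = PROTO_FIELD.search(m.group("rest"))
            if auth and auth.group("user"):  # no A=...:<user> -> ordinary inbound mail
                submissions.append({"ts": _ts(m.group("ts")), "msgid": m.group("msgid"),
                                    "ip": m.group("ip"), "user": auth.group("user"),
                                    "proto": proto.group("proto") if proto else ""})
            continue
        m = AUTH_FAIL.match(line)
        if m:
            failures.append({"ts": _ts(m.group("ts")), "ip": m.group("ip"),
                             "user": m.group("user")})
    return submissions, failures


def ips_per_user(submissions):
    """Map each authenticated user to the sorted list of client IPs it used."""
    seen = defaultdict(set)
    for s in submissions:
        seen[s["user"]].add(s["ip"])
    return {user: sorted(ips) for user, ips in seen.items()}


def users_over_ip_threshold(submissions, max_ips=3):
    """Users submitting from more than max_ips distinct client IPs (threshold assumed)."""
    return sorted(u for u, ips in ips_per_user(submissions).items() if len(ips) > max_ips)


def fail_then_success(submissions, failures, window_s=120):
    """(ip, user, seconds) for each failed login followed, within window_s seconds,
    by a successful authenticated submission from the same IP."""
    hits = []
    for f in failures:
        for s in submissions:
            delta = (s["ts"] - f["ts"]).total_seconds()
            if s["ip"] == f["ip"] and 0 <= delta <= window_s:
                hits.append((f["ip"], s["user"], int(delta)))
                break
    return hits


# Constructed sample, shaped like the thread's excerpt (client IPs from the excerpt).
SAMPLE_LOG = """\
2018-03-10 10:04:29 1euaQX-0001WG-Cu <= alex@mail.example H=(mail.example) [178.246.104.77] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=4005 T="" from <alex@mail.example> for rcpt1@example.net
2018-03-10 10:04:30 1euaQX-0001WG-Cu => rcpt1@example.net F=<alex@mail.example> R=transip_email T=auth_relay S=4925 H=vps.relay.example [192.0.2.10] CV=yes A=auth_login C="250 2.0.0 Ok: queued"
2018-03-10 12:38:37 1eucpg-0004Zf-A2 <= alex@mail.example H=(mail.example) [47.29.39.56] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=4176 T="" from <alex@mail.example> for rcpt2@example.net
2018-03-10 12:45:17 plain authenticator failed for (mail.example) [49.35.1.92]: 535 Incorrect authentication data (alex@mail.example)
2018-03-10 12:45:45 1eucwK-0005if-7Y <= alex@mail.example H=(mail.example) [49.35.1.92] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=3781 T="" from <alex@mail.example> for rcpt3@example.net
2018-03-10 12:46:01 plain authenticator failed for (mail.example) [157.50.202.9]: 535 Incorrect authentication data (alex@mail.example)
2018-03-10 12:46:09 1eucwy-0005jF-9E <= alex@mail.example H=(mail.example) [157.50.202.9] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=4103 T="" from <alex@mail.example> for rcpt4@example.net
2018-03-10 14:36:51 1eueg7-0004oY-1W <= alex@mail.example H=(mail.example) [106.79.153.73] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=3925 T="" from <alex@mail.example> for rcpt5@example.net
2018-03-10 14:37:10 1euegP-0004oY-Ab <= alex@mail.example H=(mail.example) [106.79.153.73] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=4233 T="" from <alex@mail.example> for rcpt6@example.net
2018-03-10 14:40:00 1euej9-0004oZ-Qq <= bob@mail.example H=(laptop) [198.51.100.7] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:bob S=1200 T="hello" from <bob@mail.example> for friend@example.net
"""


def report(log_text):
    subs, fails = parse_mainlog(log_text.splitlines())
    return {"ips_per_user": ips_per_user(subs),
            "over_threshold": users_over_ip_threshold(subs),
            "fail_then_success": fail_then_success(subs, fails)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real mainlog with `parse_mainlog(open("/var/log/exim/mainlog"))` (path assumed). On the sample, `alex` trips the distinct-IP threshold with five client addresses, while `bob` from a single laptop does not, and both failed-then-succeeded pairs are reported with the seconds between failure and success. A mailbox that submits from a new country every few minutes, or whose failed logins are followed by successes, is a compromised credential in use rather than an Exim bypass, which is why the thread's later advice to disable the account and rotate its password addresses the cause while country bans only slow it down.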
Disable the email account, then ask the client to change the password. Maybe their system is infected, therefore it's that that's getting in.
 
It's my personal mail address, [email protected], so not from a client.
My PC isn't infected, I scanned it with a lot of things.
My password used is hard now;
but why do they get authed with a hard pass, something like this: KJlé7ç!àç&731
(it's not my pass)?
I'm thinking more of a bug somewhere in exim or something, I don't know.
If you see in an earlier post:
2018-03-10 12:45:17 plain authenticator failed for (mail.opelmanta.be) [49.35.1.92]: 535 Incorrect authentication data ([email protected])
then after that they get the real pass? And spam on?
Looks like a fake pass bypass somewhere.
 
I see you're also hosting a WP and forum site named opelmanta.be on your server. The copyright notice on the WP front page is from 2013. Could it be that your WP or forum site were never updated and are now vulnerable to these kinds of attacks?
 
That's true, it's manually set to that date; it does not change with the WordPress settings or themes or updates.
Everything there is up to date and there are no malicious scripts or plugins.

It's running Wordfence too, a plugin for more security.
Thanks for the thinking; it could be that it wasn't up to date, but it is.
 
Still, did you install ModSecurity and the plugin CWAF 2.21 and enable all WP rules? And did you also update phpBB?
 
I did not have that ModSecurity and CWAF thing; I'm installing it now:
[root@gsi custombuild]# ./build set modsecurity yes
Changed modsecurity option from no to yes
[root@gsi custombuild]# ./build set modsecurity_ruleset comodo
Changed modsecurity_ruleset option from comodo to comodo

Any other ideas? phpBB etc. are all up to date.

I did this:
cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset comodo
./build modsecurity

Is that enough for the ModSecurity install?
Nothing in httpd?
 
OK, ModSecurity and CWAF are running now with everything on.

Current rules version 1.158 (Latest version)
CWAF plugin version 2.21 (Latest version)
Web Platform Apache
Apache version 2.4.29
Mod_security compatible yes
Mod_security loaded yes
Mod_security conf /etc/httpd/conf/extra/httpd-modsecurity.conf
Found websites 25
 
It keeps on going in the meanwhile:

2018-03-10 14:36:20 1euefZ-0004oY-3Y => [email protected] F=<[email protected]> R=transip_email T=auth_relay S=4970 H=vps.transip.email [149.210.149.126] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes A=auth_login C="250 2.0.0 Ok: queued as 3zz4yn602nz2Bcwq"
2018-03-10 14:36:51 1eueg7-0004oY-1W <= [email protected] H=(mail.opelmanta.be) [106.79.153.73] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=3925 id=679553927518$yec38dgg$aaz9bo3o$@Lexi-PC T="" from <[email protected]> for [email protected]
2018-03-10 14:36:52 1eueg7-0004oY-1W => [email protected] F=<[email protected]> R=transip_email T=auth_relay S=4843 H=vps.transip.email [149.210.149.126] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes A=auth_login C="250 2.0.0 Ok: queued as 3zz4zR5NgSz2BdJP"
2018-03-10 14:37:10 1euegP-0004oY-Ab <= [email protected] H=(mail.opelmanta.be) [106.79.153.73] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=4233 id=519026125481$vno86aur$vylq22js$@Stockton-PC T="" from <[email protected]> for [email protected]
2018-03-10 14:37:16 1euegU-0004oY-BZ <= [email protected] H=(mail.opelmanta.be) [106.79.153.73] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=4163 id=578626850704$8jzdj6yu$chlimukq$@Tisha-PC T="" from <[email protected]> for [email protected]
2018-03-10 14:37:42 1euegv-0004oY-Fh <= [email protected] H=(mail.opelmanta.be) [106.79.153.73] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=4016 id=629980995321$ul44kehw$6tvztrzc$@Renata-PC T="" from <[email protected]> for [email protected]
2018-03-10 14:37:56 1eueh9-0004oY-UB <= [email protected] H=(mail.opelmanta.be) [106.79.153.73] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:alex S=3789 id=585711576078$sedywsuj$1ksfgpv3$@Syed-PC T="" from <[email protected]> for [email protected]

BTW, I keep on blocking the IPs manually; I hope they stop somehow, but it's not a good solution for my problem, there are a lot of IPs in the world :)
 
Do you have any contact forms (or any other form) without Captcha or Akismet? Try disabling mail() in php disable_functions to check if it's still going on.
 
Captcha on all forums and Akismet on all WordPress things; php disable_functions would give problems with my 2 online shops.
 
Maybe try the following things:

- Are your Exim & Dovecot up to date? Latest Exim = 4.90.1 and Dovecot 2.3.0.1
- Do you have Easy Spam Fighter & BlockCracking enabled?
- Check /home/xxxxxxx/.php mail logs for your DA user to see if there are any compromised scripts
- Check SMTP_BLOCK & SMTP_ALLOWLOCAL options in csf.conf
 
Dovecot 2.3.0.1 (ffd8a29)
Exim 4.90_1
with Easy Spam Fighter and BlockCracking enabled.
php-mail.log in the user dirs doesn't say anything wrong.
csf:
SMTP_BLOCK = "1"
SMTP_ALLOWLOCAL = "1"

The attack is very slow at the moment because of all the country bans.
Will see if it continues; if nothing happens in a few days I will try to turn the country bans off and save the line so I can put it back fast :)
 
If some are stuck in the queue, you can see if it's from a PHP script or not by looking for the x_mail_header (if enabled).
 