Send outgoing spam from my user

peyman03

Hi,
Can anybody help me with this?
I have 2 accounts with this problem.
I have CSF, and it is configured.

The user account has just finished sending 5 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/user.bytes file, it was found that the highest sender was [email protected], at 39 emails.

The top authenticated user was user, at 39 emails.
This accounts for 780% of the emails. The higher the value, the more likely this is the source of the emails.
An authenticated username is the user and password value used at smtp time to authenticate with exim for delivery.

The top sending host was 74.208.68.233, at 39 emails (780%).

The most common path that the messages were sent from is /, at 39 emails (780%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

Thank You
 
Why do you consider a total of 39 emails to be spam?

You've got a daily limit of 5 emails daily for this user. The reason the user was able to send 39 emails is because the account sent email to more than one recipient per email.

It could be spam, but you've given us no information to show that it is.

Jeff
 
The /etc/virtual/usage/user.bytes file contains:

2514=type=email&[email protected]&method=outgoing&id=1YLxdF-0006HN-N2&authenticated_id=user&sender_host_address=46.29.255.158&log_time=1423762382&message_size=2514&local_part=mrharrywhiteloancompany2000&domain=yahoo.com.ph&path=/

And the script on this user's account is WordPress.

How can I stop this spammer?
I want to fix the problem. How can you help me?

Thank you
 
How can you help me fix this problem?
And what information do you need for the fix?

I will be blacklisted,

Thank you
 
Well, you should check the logs and the outgoing email headers coming from that user, and investigate a bit which plugin/part of the WP site is sending those emails.

Regards
 
You should check exim logs to see what was the email's subject. It seems that a user's password was compromised. You need to change its password.
 
1YNUpY-0003dZ-E4-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
SMTP error from remote mail server after end of data:
host mx-eu.mail.am0.yahoodns.net [188.125.69.79]:
554 delivery error: dd This user doesn't have a yahoo.co.uk account ([email protected]) [-5] - mta1012.mail.ir2.yahoo.com

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [185.25.48.49] (helo=WIN-PDF4R1PBDSD)
by server.rivioo.com with esmtpa (Exim 4.76)
(envelope-from <[email protected]>)
id 1YNUpX-0003dR-4W
for [email protected]; Tue, 17 Feb 2015 00:11:55 +0100
From: "Amazon.com" <[email protected]>
To: [email protected]
Subject: =?ISO-8859-1?Q?Important=3A_Account_Verification_?=
=?ISO-8859-1?Q?Procedure?=
Date: Mon, 16 Feb 2015 15:47:59 -0500
MIME-Version: 1.0 (produced by Zalupka)
X-mailer: Zalupka - Pascal TCP/IP library by Lukas Gebauer
Content-type: Multipart/alternate;
boundary="6EF72428_4520444B_Zalupka_boundary"
Content-Description: Multipart message

 

The extract

authenticated_id=user

and

X-mailer: Zalupka - Pascal TCP/IP library by Lukas Gebauer

from your post denotes that somebody has the password of the account and probably uses remote software to send spam through your server. So you should change the account password. Did you change it as I suggested?
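
The triage the replies describe, as an added example that is not part of the thread or of DirectAdmin: it parses `user.bytes` records in the layout quoted above and separates script-sent mail (path under a home directory) from authenticated SMTP (system path such as `/`), flagging a login used from several hosts. The sample records, the `/home/` prefix and the three-host threshold are assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample records in the "<bytes>=<query string>" layout of the
# user.bytes line quoted in the thread; addresses and message ids are made up.
SAMPLE = """\
2514=type=email&method=outgoing&id=1AAAAA-000001-AA&authenticated_id=user&sender_host_address=192.0.2.10&log_time=1423762382&message_size=2514&local_part=alice&domain=example.org&path=/
3100=type=email&method=outgoing&id=1AAAAA-000002-BB&authenticated_id=user&sender_host_address=198.51.100.7&log_time=1423762390&message_size=3100&local_part=bob&domain=example.net&path=/
1800=type=email&method=outgoing&id=1AAAAA-000003-CC&authenticated_id=user&sender_host_address=203.0.113.5&log_time=1423762401&message_size=1800&local_part=carol&domain=example.com&path=/
900=type=email&method=outgoing&id=1AAAAA-000004-DD&authenticated_id=shop&sender_host_address=127.0.0.1&log_time=1423762500&message_size=900&local_part=dave&domain=example.org&path=/home/shop/domains/shop.example/public_html/wp-content
"""

def parse_record(line):
    """Split '<bytes>=<k=v&k=v...>' into a flat dict; None if not a record."""
    size, sep, query = line.strip().partition("=")
    if not sep or not size.isdigit():
        return None
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    fields["bytes"] = int(size)
    return fields

def triage(text):
    """Group outgoing mail by authenticated_id and classify its likely origin."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set(), "paths": set()})
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("method") != "outgoing":
            continue
        s = stats[rec.get("authenticated_id", "")]
        s["count"] += 1
        s["hosts"].add(rec.get("sender_host_address", ""))
        s["paths"].add(rec.get("path", ""))
    report = {}
    for user, s in stats.items():
        # Home-directory path: a script sent it. System path like "/": SMTP.
        script_paths = sorted(p for p in s["paths"] if p.startswith("/home/"))
        origin = "script" if script_paths else "smtp-auth"
        report[user] = {
            "count": s["count"],
            "distinct_hosts": len(s["hosts"]),
            "origin": origin,
            "script_paths": script_paths,
            # Assumed heuristic: one login seen from 3+ hosts over SMTP.
            "suspect_stolen_password": origin == "smtp-auth" and len(s["hosts"]) >= 3,
        }
    return report

if __name__ == "__main__":
    for user, info in triage(SAMPLE).items():
        print(user, info)
```

A `script` result gives the directory to inspect for the sending plugin; an `smtp-auth` result with several hosts calls for a password change on that login.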
 