Spam affecting a cPanel client, how to convince the customer?
I found one cPanel account is sending a large number of emails, so I wrote to the client telling him his email password seems compromised and to change it immediately. Further, I asked him to run a full virus and spyware scan on his computer.
Then he replied to me saying that he has been using Gmail, Yahoo Mail, etc. for years and they never asked him to change the password telling him his password is compromised. Further, he is telling me that the problem is with our server security.
You mentioned a large number of emails, do you know it's spam or are you just assuming?
You said "seems"; I'd likely give the same response as your customer, honestly.
If you have actual evidence that their account is sending spam and they refuse to believe that evidence, offer to help investigate the issue. If they still refuse, don't renew their service the next month and have them find someone else. You can usually see how a client is going to be in the first 2-3 replies and whether or not they have any intent of resolving the issue at hand.
Yes, it is confirmed that those were sent from Chinese IPs, and when looking at the messages I can confirm 100% they are spam.
I just have one doubt: when a Gmail account of a Google user is compromised and the spammer is sending a large number of emails using that account, why does Google not inform the user to change their password? How do they handle this situation?
If it's an ongoing issue with spam from a hacked e-mail account, you should change the password immediately to avoid having the IP end up in blacklists. Then notify the customer of the issue, tell him the new password and ask him to scan his computer for malware before he uses the e-mail account again.
This is SMTP authentication spam - assuming 22.214.171.124 is not your client's IP address.
Users get malware (virus, trojan, keylogger, whatever you want to call it) on their computer or a network sniffer on their network that steals their email account username and password.
This information is sent on to spammers, who then connect to your server from a foreign IP address (foreign meaning not your client's Internet connection or an Internet connection your client uses), and they are able to authenticate and send out spam through your server.
You should probably change the password on the account immediately. But just telling the user to change the password or giving the user the new password is not going to stop this at all.
People just don't seem to understand how malware works. If malware is running on your computer, then when you change the password and update your email program with the new password, guess what happens? The malware picks up the new password and the cycle starts over again.
The malware has to be removed, or the underlying cause of the problem has to be resolved, to prevent this from happening again. Otherwise it's just going to keep happening.
I can't tell you what the underlying problem is. I'm guessing it's malware (virus, trojan, keylogger, spyware, etc.) installed on the client's computer or a computer the client has used, but I can't be certain of that. I can't tell you which computer, device, or system the client has used is the culprit. The only thing I can tell you, and be definite about, is that if 126.96.36.199 is a foreign IP in no way associated with your client or anybody your client is associated with, then the client's email account information has been compromised. The how, the why, and the where is just something that neither I, the WHT community, nor even you as the client's web host provider, can tell the client.
For your protection, the customer's, and that of other users, consider disallowing SMTP auth at least temporarily, minimally for that user. You should stop the possibility of continuation on your end. Give immediate, clear and informative info, proof and recommendations to the client: recommendations that, if followed, would allow for the resumption of a certain cautious level of service, until you are relatively certain that it is corrected.
You aren't Google, your pockets aren't as deep, and you get to set your own policy. Besides, your customer can contact you if they want support, something Google likely doesn't do for him. Apples and oranges.
Be firm, polite, informative and protective. Be quick about it!
Thanks guys for the review of my issue and for the valuable comments and advice.
Really appreciated. I have now changed his cPanel and mail passwords and explained the issues to him.
Meanwhile I have some updates on this issue. My upstream provider has investigated this issue and wrote to me with some logs which show this is a brute force attack, and we had implemented a 0 password strength policy. So they asked me to increase the password strength up to 60 in WHM.
Now things seem alright for me.
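The SMTP-auth spam mechanism described earlier in the thread, and the brute-force finding in this update, can both be checked against the server's own Exim main log. The script below is an added example, not code from the thread or from cPanel: it parses authenticated submissions and failed logins per user, lists the unfamiliar IPs that sent mail under a login, and notes whether a run of failed logins from one of those IPs preceded success. The log lines are constructed samples in cPanel's Exim log format, and the known-IP set and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Exim main-log patterns as written by cPanel's Exim. Message arrival lines
# ("<=") carry the submitting IP and, for SMTP AUTH, A=<mechanism>:<user>;
# failed logins are logged as "<mechanism> authenticator failed for ...".
ARRIVAL_RE = re.compile(
    r" <= \S+ .*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*? A=[^:\s]+:(?P<user>\S+)")
AUTH_FAIL_RE = re.compile(
    r" authenticator failed for .*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?set_id=(?P<user>[^)\s]+)")

# Constructed sample log (not from the thread). 203.0.113.10 is the customer's
# real connection; the 198.51.100.x / 192.0.2.x hosts are unfamiliar.
SAMPLE_LOG = """\
2024-03-01 09:58:00 dovecot_login authenticator failed for (x) [198.51.100.7]: 535 Incorrect authentication data (set_id=user@example.com)
2024-03-01 09:58:01 dovecot_login authenticator failed for (x) [198.51.100.7]: 535 Incorrect authentication data (set_id=user@example.com)
2024-03-01 09:58:02 dovecot_login authenticator failed for (x) [198.51.100.7]: 535 Incorrect authentication data (set_id=user@example.com)
2024-03-01 10:00:01 1rABC1-000001-AA <= user@example.com H=(laptop) [203.0.113.10] P=esmtpsa A=dovecot_login:user@example.com S=812 id=a1@laptop
2024-03-01 10:00:05 1rABC2-000002-AA <= user@example.com H=(x) [198.51.100.7] P=esmtpa A=dovecot_login:user@example.com S=5120 id=b1@x
2024-03-01 10:00:06 1rABC3-000003-AA <= user@example.com H=(y) [198.51.100.8] P=esmtpa A=dovecot_login:user@example.com S=5120 id=b2@y
2024-03-01 10:00:07 1rABC4-000004-AA <= user@example.com H=(z) [192.0.2.99] P=esmtpa A=dovecot_login:user@example.com S=5120 id=b3@z
2024-03-01 10:02:00 1rABC6-000006-AA <= bounce@elsewhere.net H=mx.elsewhere.net [203.0.113.50] P=esmtp S=2000 id=d1@mx
"""

def parse_log(log_text):
    """Return (sends, fails): per-user lists of source IPs for authenticated
    submissions and for failed logins. Unauthenticated inbound mail is skipped."""
    sends, fails = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if (m := ARRIVAL_RE.search(line)):
            sends[m["user"]].append(m["ip"])
        elif (m := AUTH_FAIL_RE.search(line)):
            fails[m["user"]].append(m["ip"])
    return sends, fails

def assess(sends, fails, known_ips, min_foreign_ips=2, min_failures=3):
    """Per user: sorted unfamiliar IPs that sent mail under their login, and
    whether a guessing run (>= min_failures failures) from one of those IPs
    preceded the successful sends. Thresholds are illustrative, not cPanel defaults."""
    report = {}
    for user, ips in sends.items():
        foreign = sorted({ip for ip in ips if ip not in known_ips})
        if len(foreign) >= min_foreign_ips:
            guessed = any(fails[user].count(ip) >= min_failures for ip in foreign)
            report[user] = {"foreign_ips": foreign, "brute_forced": guessed}
    return report
```

On a live server, feed `/var/log/exim_mainlog` to `parse_log` and pass the customer's real connection addresses as `known_ips`; the resulting report is the kind of concrete evidence the thread suggests showing the customer.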
Maybe you already are, but I thought I would mention: are you running mod_security with good rules? Many times good rules can prevent much headway on brute force attacks (unless they are really slow). Minimally you can tinker with the settings of WHM -> cPHulk Brute Force Protection. But many rely on mod_security, ConfigServer Security & Firewall, and ModSecurity Control (all free). Pretty much standard fare.
If the spam emails were sent from the spammer's IP and not from your customer's IP address, then you can show them the logs and tell them that their email account password was compromised and thus the spam emails were sent out from the spammer's IP address. Also, search the logs and provide your customer with the logs showing how their email password was compromised.