RT_ACTION script for LOCALRELAY

yitwail
Junior Member
Posts: 1
Joined: 11 Apr 2015, 21:05

RT_ACTION script for LOCALRELAY

Post by yitwail »

Our server has been plagued with spam sent from malware on a handful of accounts. We bought CXS several days ago, but it hasn't been installed yet and we don't know why. In the meantime, I would like to execute a script to delete outgoing email from these accounts when there's a LOCALRELAY Alert for one of those accounts. So, I want to create a script to use with the RT_ACTION setting in csf.conf.

The csf.conf file contains these directions:


# If an RT_* event is triggered, then if the following contains the path to
# a script, it will be run in a child process and passed the following:
# information as parameters which also appears in the email alert:
#   IP Address
#   Relay Type (RELAY/AUTHRELAY/POPRELAY/LOCALRELAY/LOCALHOSTRELAY)
#   Block Message (Temporary/Permanent Block)
#   Count of emails relayed
#   Sample of the first 10 emails
If there's anyone who's created an RT_ACTION setting, please share what the script needs to do to test that it's a LOCALRELAY alert and then determine which account triggers it. An example would be great.

Thank you in advance.
ultraweb
Junior Member
Posts: 7
Joined: 15 Jul 2015, 01:06

Re: RT_ACTION script for LOCALRELAY

Post by ultraweb »

We are seeing a similar issue with a WordPress website. It has all the plugins updated but it is constantly plagued by hackers. PHP is in suid2 with suexec enabled, nobody allowed to send mail, relaying turned off but localrelay occurs daily.
ultraweb
Junior Member
Posts: 7
Joined: 15 Jul 2015, 01:06

Re: RT_ACTION script for LOCALRELAY

Post by ultraweb »

CloudLinux is on the server as well.
bms8197
Junior Member
Posts: 2
Joined: 25 Jul 2015, 09:59

Re: RT_ACTION script for LOCALRELAY

Post by bms8197 »

Yeah well, we experience the same problem from time to time. I am looking for such a script too. We get email notifications for local relay when a website is compromised and there are emails sent, but I haven't figured out yet a way to automatically block email sending in this situation.

We have the latest version of cPanel, CSF Firewall, CXS and a limit set for 300 emails / hour / domain.

So if someone has made such a script, I will be more than grateful if he shares it with us.
RWH_Tech
Junior Member
Posts: 4
Joined: 12 Nov 2015, 15:26

Re: RT_ACTION script for LOCALRELAY

Post by RWH_Tech »

I did this:
https://forums.cpanel.net/threads/how-d ... 731/page-3

Then did a little digging and came up with this. Not the most elegant way to do things, but it works.
#!/bin/sh
# lfd passes the account name as $1 for a LOCALRELAY event; load that account's cPanel user file
. "/var/cpanel/users/$1"
# $DNS (the account's main domain) is appended to the sender block list
echo "$DNS" >> /etc/blockedsenderdomains
echo "$DNS blocked in /etc/blockedsenderdomains" | mail -s "lfd on myhostname : $DNS blocked for suspicious script activity" myemail@address.com
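Putting the original question (test that the event is a LOCALRELAY alert, then work out the account) together with RWH_Tech's approach, here is an added example RT_ACTION handler. It is not code from this thread, from csf/lfd or from cPanel. It takes the five arguments exactly as csf.conf lists them, and it assumes, as RWH_Tech's script does, that for a LOCALRELAY event the first argument is the cPanel account name; the block list path /etc/blockedsenderaccounts and the log file /var/log/rt_action.log are placeholders of my own, as is the rt_action function name.

```shell
#!/bin/sh
# Added example RT_ACTION handler (not from the forum, csf/lfd or cPanel).
# csf.conf documents the arguments lfd passes as:
#   $1 IP address, $2 relay type, $3 block message, $4 count, $5 sample emails
# ASSUMPTION: for a LOCALRELAY event $1 is the cPanel account name
#             (RWH_Tech's script relies on the same thing).
# ASSUMPTION: both file paths below are placeholders, not cPanel/csf paths.
BLOCKLIST="${BLOCKLIST:-/etc/blockedsenderaccounts}"
LOGFILE="${LOGFILE:-/var/log/rt_action.log}"

# True only when the relay type argument is exactly LOCALRELAY.
is_localrelay() {
    [ "$1" = "LOCALRELAY" ]
}

# Accept only values that look like a cPanel account name (lower-case
# alphanumerics, _ and -). Anything else is refused so a strange value in
# the alert can never end up on a command line or in the list file.
valid_account() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Put ACCOUNT on LISTFILE once; repeated alerts for one account stay one
# line. Returns 0 when the account is on the list afterwards.
block_account() {
    account="$1"; listfile="$2"
    valid_account "$account" || return 1
    if ! grep -qx -e "$account" "$listfile" 2>/dev/null; then
        printf '%s\n' "$account" >> "$listfile"
    fi
    grep -qx -e "$account" "$listfile"
}

# What lfd calls: rt_action IP TYPE MESSAGE COUNT SAMPLE
# Returns 0 when a LOCALRELAY account was listed, 2 when the event was a
# different relay type and ignored, 1 when the account name was refused.
rt_action() {
    target="$1"; relaytype="$2"; blockmsg="$3"; count="$4"
    if ! is_localrelay "$relaytype"; then
        printf '%s ignored: relay type %s\n' "$(date)" "$relaytype" >> "$LOGFILE"
        return 2
    fi
    if ! block_account "$target" "$BLOCKLIST"; then
        printf '%s refused: bad account name %s\n' "$(date)" "$target" >> "$LOGFILE"
        return 1
    fi
    printf '%s listed account %s (%s, %s emails)\n' \
        "$(date)" "$target" "$blockmsg" "$count" >> "$LOGFILE"
    return 0
}

# Act only when lfd invokes the script with arguments; sourcing the file
# (for instance to test the functions) defines them without doing anything.
if [ "$#" -ge 2 ]; then
    rt_action "$@"
fi
```

Save it, make it executable and point RT_ACTION in csf.conf at it; lfd then runs it with the five documented arguments. The script only records which accounts triggered a LOCALRELAY event and keeps the list free of duplicates; what is done with that list (an Exim check of the kind RWH_Tech is working on, or /scripts/suspendacct) is a separate decision for the administrator.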
RWH_Tech
Junior Member
Posts: 4
Joined: 12 Nov 2015, 15:26

Re: RT_ACTION script for LOCALRELAY

Post by RWH_Tech »

AAAAND, it doesn't work for scripts, only SMTP. I'm not familiar with exim ACLs, so I haven't yet devised a way to get this done.
I know it has to be in not_smtp and should look something like this (on WHM/cPanel), but it does not work. Maybe acl_c_vhost_owner isn't being set, or something. Will test more later and post back when I have an answer.

  discard
    # only consult the list when the file exists
    condition = ${if exists{/etc/blockedsenderdomains}}
    # 1 when $acl_c_vhost_owner matches a key in the file, 0 otherwise
    condition = ${lookup{$acl_c_vhost_owner}lsearch{/etc/blockedsenderdomains}{1}{0}}
    message = "Outbound mail blocked for this account. Contact Support."

For now, I just added
/scripts/suspendacct "$1" "Account automatically suspended due to suspicious activity."
to the end of the script.