Thread: Can Reseller stop 1m+ daily email spam

  1. #1
    Member
    Join Date
    Mar 2002
    Posts
    35

    Can Reseller stop 1m+ daily email spam

    I am a reseller, so please forgive me for posting here if this area should only be for server owners. But I'm now very desperate.

    Every morning I have to delete the Mail folder of each hosting account I host to clear out thousands of Mail Delivery System return emails. Each of these emails, in turn, holds hundreds of notices inside, saying that mail has failed.

    Clearly there are maybe hundreds of thousands of emails being sent every 24 hours from some accounts inside my reseller account - including the reseller domain as well.

    But these returned emails have the sender as my hosting client's account on the server and the recipient is also the hosting client's account on the server.

    I have all unrouted mail set to :blackhole: in mostly all my hosting accounts but when it's from the account itself, it appears to accept it.

    Can I:

    1. Somehow stop the ability for the server I'm on from being exploited like this? And if so, will the booking/feedback forms on my hosting account's websites still work?
    2. How do I get :blackhole: to work to delete ALL unrouted emails?

    This is a massive concern as it pushes all my hosting accounts over their limit so they cannot receive legitimate emails as well as uses MASSIVE bandwidth and space.

    One of the many emails being sent is advertising "Cyalus" - a Viagra alternative - so if you are getting these emails, you now know where they come from. If anyone knows how I can get in contact with the thieves that are doing this, please let me know.

    I have replaced all cgi mail form scripts on every hosting account I have, hard coding the addresses, I do not believe this is the problem.

    I have sent numerous support requests to the operation that hosts my reseller account (who owns/runs the server), they are a very professional and helpful group, but this time I feel this problem may have them stumped as well. Fixing it would save them enormous bandwidth costs.

    Any help would be VERY extremely appreciated.

    P.S. Please do not take this as a complaint about cPanel. Your cPanel product is absolutely first class and it's nothing short of a joy to work with (from a reseller's point of view anyway) and besides this email problem may have nothing to do with cPanel - I just don't know.

    Thanks

  2. #2
    Member rpmws's Avatar
    Join Date
    Aug 2001
    Location
    back woods of NC, USA
    Posts
    1,857

    Re: Can Reseller stop 1m+ daily email spam

    Originally posted by HappyPappy
    I am a reseller, so please forgive me for posting here if this area should only be for server owners. But I'm now very desperate.

    Every morning I have to delete the Mail folder of each hosting account I host to clear out thousands of Mail Delivery System return emails. Each of these emails, in turn, holds hundreds of notices inside, saying that mail has failed.

    Clearly there are maybe hundreds of thousands of emails being sent every 24 hours from some accounts inside my reseller account - including the reseller domain as well.

    But these returned emails have the sender as my hosting client's account on the server and the recipient is also the hosting client's account on the server.

    I have all unrouted mail set to :blackhole: in mostly all my hosting accounts but when it's from the account itself, it appears to accept it.

    Can I:

    1. Somehow stop the ability for the server I'm on from being exploited like this? And if so, will the booking/feedback forms on my hosting account's websites still work?
    2. How do I get :blackhole: to work to delete ALL unrouted emails?

    This is a massive concern as it pushes all my hosting accounts over their limit so they cannot receive legitimate emails as well as uses MASSIVE bandwidth and space.

    One of the many emails being sent is advertising "Cyalus" - a Viagra alternative - so if you are getting these emails, you now know where they come from. If anyone knows how I can get in contact with the thieves that are doing this, please let me know.

    I have replaced all cgi mail form scripts on every hosting account I have, hard coding the addresses, I do not believe this is the problem.

    I have sent numerous support requests to the operation that hosts my reseller account (who owns/runs the server), they are a very professional and helpful group, but this time I feel this problem may have them stumped as well. Fixing it would save them enormous bandwidth costs.

    Any help would be VERY extremely appreciated.

    P.S. Please do not take this as a complaint about cPanel. Your cPanel product is absolutely first class and it's nothing short of a joy to work with (from a reseller's point of view anyway) and besides this email problem may have nothing to do with cPanel - I just don't know.

    Thanks
    Sounds like your customer is a victim of a "Joe Job". Regardless, to save yourself... get rid of that client.
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  3. #3
    Member
    Join Date
    Mar 2002
    Posts
    35

    No. All hosting clients I know. These are emails that are somehow sent using the server. I even have to go into my own account and delete about 100 meg of returned emails every day. The same with my other hosting accounts.

    It's insane.

  4. #4
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509

    Are the Domains being spoofed in eMail headers? If you turn off the 'catch-all' and use fail or blackhole, that should solve your problem. What advice has your Hoster provided?
    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  5. #5
    Member PWSowner's Avatar
    Join Date
    Nov 2001
    Location
    ON, Canada
    Posts
    2,994

    What formmail scripts are you using? It sounds like you're using scripts that are not spam proof and a spammer found them and is having a great time. You say you hard coded the addresses in the scripts, but that doesn't stop a spammer from adding his own list.

    Is it an older Matt Wright script? Is it one of your own?
    Mike
    WHM and cPanel Scripts (join our "Scripts Club")
    D/A Photography
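
Added example, not part of the thread or of any script named in it: a form-to-mail handler sketched in Python showing why a hard-coded recipient alone does not make a form mailer spam proof, and the checks that do. It assumes the abuse is header injection (CR/LF smuggled into a visitor-supplied header field), which is one common route; the addresses, field names and sample submissions are constructed.

```python
import re
from email.message import EmailMessage

RECIPIENT = "owner@example.com"    # hard-coded, constructed placeholder
SENDER = "webform@example.com"     # constructed placeholder

_CTRL = re.compile(r"[\x00-\x1f\x7f]")   # includes CR and LF
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

class RejectedSubmission(ValueError):
    """Raised when a form field could alter the message headers."""

def clean_header(field, value, max_len=200):
    # A CR/LF inside a header field starts a new header line (Bcc:, Cc:, To:).
    if _CTRL.search(value):
        raise RejectedSubmission(f"{field}: control character in header field")
    if len(value) > max_len:
        raise RejectedSubmission(f"{field}: too long")
    return value.strip()

def clean_reply_to(value):
    value = clean_header("email", value)
    # Exactly one address: commas, spaces and angle brackets fail the pattern.
    if not _ADDR.match(value):
        raise RejectedSubmission("email: not a single address")
    return value

def build_message(form):
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Reply-To"] = clean_reply_to(form.get("email", ""))
    msg["Subject"] = "Web form: " + clean_header("subject", form.get("subject", ""))
    msg.set_content(form.get("message", ""))   # body may contain newlines
    return msg

def envelope_recipients():
    # Pass this list to the MTA explicitly; never let it read recipients
    # back out of the headers (e.g. sendmail -t), which injection can extend.
    return [RECIPIENT]

def is_rejected(form):
    try:
        build_message(form)
        return False
    except RejectedSubmission:
        return True

# Constructed sample submissions.
GOOD = {"email": "visitor@example.net", "subject": "Booking request", "message": "Hi\nthere"}
INJECTED = {"email": "visitor@example.net\r\nBcc: a@example.org", "subject": "x", "message": "y"}
ADDRESS_LIST = {"email": "a@example.net, b@example.org", "subject": "x", "message": "y"}
```
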

  6. #6
    Member
    Join Date
    Mar 2002
    Posts
    35

    I'm now using the envex form mailer 1.2 from http://envex.com. I have hard coded the recipient's address and there is also a needed hard coded Bcc address in there too. This script also has a count function which is well utilised by all hosting clients.

    This is the third cgi script I've installed and I've put it on all my hosting accounts just in case form mail was the problem.

    Is there a possibility it is this script? And if so, are there coders out there that provide a service (I will pay) to check over the script and modify it so it is secure?

    ..and thank you for your replies squirril, website rob and rpmws.

  7. #7
    Member PWSowner's Avatar
    Join Date
    Nov 2001
    Location
    ON, Canada
    Posts
    2,994

    I haven't used or looked at that script so I don't know if it has any security issues, or if it is easy for spammers to use. The easiest way to find out what is being done is to have your hosting provider look into it since they will have the ability to look at things you don't have access to.

    I don't know if it would be worth the trouble or not, but one thing you could try is to rename the script, and of course all references to it, and see if the activity goes back to normal for a while. The spammer will go back to the related page to get the new script name, but not right away.
    Mike
    WHM and cPanel Scripts (join our "Scripts Club")
    D/A Photography
