  1. #1
    Member
    Join Date
    Mar 2004
    Location
    Houston, TX
    Posts
    10

    Spam sent from catchall on domain with MX forwarding

    I have a major problem with one particular account on my server being used to send spam. The domain itself uses an MX forward to an exchange server at the client's office, so they are not using our server for e-mail. However, the default account (and ftp user) domain@servername.com that still exists on the server is being used to send spam to AOL, causing them to block mail from our whole server.

    I have not yet figured out how to trace where this account is being accessed from. All the outgoing junk appears to be coming directly from that account as far as I can tell. I have changed the password to the account a few times already, which seemed to stop it for a short period, but it always resumes. Currently nobody has the password to that account except me, and I have scanned every computer I've got six ways to Sunday to make sure I'm not the zombie, but still it resumed spamming last night. I don't want to shut down the domain because I have no reason to believe that the client is involved at this point, but I need to find a way to shut this down so that the account can't be used to send mail. If I could find the IP where the access is coming from I'd happily block it, hunt them down and attack them with blunt objects, but I'm afraid I don't know how to get that info. Any suggestions?
    Last edited by sclifford; 10-14-2004 at 04:46 PM.

  2. #2
    Member
    Join Date
    Mar 2004
    Location
    Houston, TX
    Posts
    10

    Found an extra copy of a really old version of formmail.cgi hidden in the client's site. A new version that I knew about was in cgi-bin, but this one was buried. That may be what the problem was. Guess I'll find out one way or another.

  3. #3
    chirpy (Super Moderator; account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    That is more than likely the cause (the old formmail script). It would explain why they didn't need a password to exploit the account for spamming. If you search the domain's Apache logs in /etc/httpd/domlogs/ for that formmail script, you might be able to identify who has been running it. Blocking that type of activity is very difficult indeed, as effectively the account is authorized to use your server as an SMTP client.

    One thing you could have done, and still should do, is set a low value for WHM > Tweak Settings > The maximum each domain can send out per hour, e.g. 250, to prevent spam flooding. It makes them go elsewhere and can help stop your server getting blacklisted, by limiting the damage caused.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
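An added example, not code from this thread, from cPanel or from ConfigServer, showing the two checks described above in shell: locating stray copies of formmail.cgi under a site's document root (the "buried" copy from post #2) and reading the domain's Apache log to see which client IPs have been hitting the script (post #3). The document root, file names, log lines and IP addresses below are constructed so the script runs offline; on a real cPanel server the log is /etc/httpd/domlogs/<domain> as the post says, and the document root is the account's public_html.

```shell
#!/bin/sh
# Added example, not code from the thread, cPanel or ConfigServer.
# Two checks an admin in this situation would run: find stray copies of
# formmail.cgi under a document root, and count which client IPs hit the
# script according to the domain's Apache domlog. Everything below works on a
# constructed docroot and a constructed log so it runs offline; on a real
# cPanel box the log is /etc/httpd/domlogs/<domain> and the docroot is the
# account's public_html.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- constructed document root with one known and one "buried" copy ---
DOCROOT="$WORK/public_html"
mkdir -p "$DOCROOT/cgi-bin" "$DOCROOT/old/forms" "$DOCROOT/images"
: > "$DOCROOT/cgi-bin/formmail.cgi"        # the current copy the admin knows about
: > "$DOCROOT/old/forms/FormMail.cgi"      # forgotten old copy, mixed case
: > "$DOCROOT/images/logo.gif"

# --- constructed domlog in Apache combined format (sample IPs from RFC 5737) ---
DOMLOG="$WORK/domlog"
cat > "$DOMLOG" <<'EOF'
203.0.113.7 - - [14/Oct/2004:03:12:01 -0500] "POST /old/forms/FormMail.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Oct/2004:03:12:02 -0500] "POST /old/forms/FormMail.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [14/Oct/2004:03:15:44 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2004:03:16:10 -0500] "POST /old/forms/FormMail.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [14/Oct/2004:03:20:00 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 512 "http://example.test/contact.html" "Mozilla/5.0"
EOF

# find_formmail_copies DOCROOT
# Lists every file whose name contains "formmail" (case-insensitive), which
# catches copies parked outside cgi-bin.
find_formmail_copies() {
    find "$1" -type f -iname '*formmail*' | sort
}

# formmail_hits DOMLOG
# Prints "COUNT IP PATH" for every request to a formmail script, busiest
# first. Field 7 of a combined-format line is the request path.
formmail_hits() {
    awk 'tolower($7) ~ /formmail/ { print $1, $7 }' "$1" \
        | sort | uniq -c | sort -rn
}

# formmail_top_ip DOMLOG
# The single most active source IP: the address to look up first.
formmail_top_ip() {
    formmail_hits "$1" | head -n 1 | awk '{ print $2 }'
}

# formmail_noreferer_posts DOMLOG
# POSTs with an empty Referer ("-", field 11). A form script driven from a
# browser normally arrives with the contact page as the referer, so these
# are the requests most likely sent directly by a spamming script.
formmail_noreferer_posts() {
    awk '$6 == "\"POST" && tolower($7) ~ /formmail/ && $11 == "\"-\""' "$1"
}

echo "formmail copies under $DOCROOT:"
find_formmail_copies "$DOCROOT"
echo "requests per source IP and path:"
formmail_hits "$DOMLOG"
echo "busiest source: $(formmail_top_ip "$DOMLOG")"
echo "script-driven POSTs (no referer): $(formmail_noreferer_posts "$DOMLOG" | wc -l | tr -d ' ')"
```

On the constructed data the old copy under old/forms shows up in the file listing, 203.0.113.7 is the busiest source with three POSTs, and all three of its requests carry no Referer, which is the pattern to expect when the script is being driven directly rather than from the site's own contact page. Replace DOCROOT and DOMLOG with the real paths to run it against a live account.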

  4. #4
    Member
    Join Date
    Mar 2004
    Location
    Houston, TX
    Posts
    10

    Thanks Chirpy, I'll check the Apache logs ASAP. I did find that WHM setting yesterday and set it to 100, which I don't think any of my users normally exceeds.

    I've been replacing old versions of formmail.cgi with one from here:
    http://nms-cgi.sourceforge.net/scripts.shtml

    Any problems I should be alert for with this one?

  5. #5
    chirpy (Super Moderator; account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    That's an excellent replacement script. I've usually found with the WHM setting that setting it low is a good idea, then just wait until someone screams and increase it if necessary.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
