  1. #1
    Member
    Join Date
    Nov 2003
    Posts
    521

    Email attack on a client..need help

    Okay, a friend of mine just created an account on my server, and just registered a domain name.. the problem is the second his domain name resolved onto my server he's been receiving 5-10 virus infected emails per day being sent to fake email addresses on his account. He hasn't even put any content onto his site, and he hasn't even created any email accounts.

    I have a RHE cPanel server with mailscanner+clamav on it, and so far mailscanner+clamav has been doing a good job of stopping the emails.. but the thing is the emails are being sent from different email addresses, and different IPs.. so I can't even track down what's going on.

    I set his default email account to :fail:, but besides that I'm not sure what else to do. I was thinking maybe if I had the server reject all emails sent to his domain for like two weeks or something, it might minimize the problem a little.. but I'm really not sure what to do?

    Any advice or information will be greatly appreciated...Thank you.

  2. #2
    BANNED
    Join Date
    Feb 2004
    Posts
    349

    I don't think clamav is a very efficient virus detector. We use F-secure and Sophos. Why don't you set the option in MailScanner to not warn you and not warn the client. Also set MailScanner to not quarantine the msgs. Then he and you won't be bothered by virus warnings etc. Never set it to :fail: unless you have made the special modification to exim that actually prevents mail from arriving via :fail:. You can find this modification on RS if you search the forums. If anything set it to :blackhole: if nothing else. Good luck!

  3. #3
    Member
    Join Date
    Nov 2003
    Posts
    521

    Originally posted by mr.wonderful
    I don't think clamav is a very efficient virus detector. We use F-secure and Sophos. Why don't you set the option in MailScanner to not warn you and not warn the client. Also set MailScanner to not quarantine the msgs. Then he and you won't be bothered by virus warnings etc. Never set it to :fail: unless you have made the special modification to exim that actually prevents mail from arriving via :fail:. You can find this modification on RS if you search the forums. If anything set it to :blackhole: if nothing else. Good luck!
    Thanks for your reply. So if I set it to :fail: via cPanel, that setting doesn't work unless I actually edit exim?

    Also what do you mean by RS?

    Thank you in advance.

  4. #4
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Slightly off-topic...

    I don't think clamav is a very efficient virus detector
    It can be. If you are using MailScanner, installing the Mail::ClamAV perl module and then changing the virus scanner in MailScanner from clamav to clamavmodule vastly improves its performance.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  5. #5
    Member
    Join Date
    Apr 2003
    Posts
    117

    RS=RackShack I think. Now called EV1servers

  6. #6
    Member
    Join Date
    Nov 2003
    Posts
    521

    So no need to edit exim?

  7. #7
    Member casey's Avatar
    Join Date
    Jan 2003
    Location
    If there is trouble, it will find me
    Posts
    2,336

    Originally posted by chirpy
    Slightly off-topic...



    It can be. If you are using MailScanner, installing the Mail::ClamAV perl module and then changing the virus scanner in MailScanner from clamav to clamavmodule vastly improves its performance.
    Is this in later versions? I installed it but mail was not delivered with the scanner set to clamavmodule...

  8. #8
    Member casey's Avatar
    Join Date
    Jan 2003
    Location
    If there is trouble, it will find me
    Posts
    2,336

    Originally posted by casey
    Is this in later versions? I installed it but mail was not delivered with the scanner set to clamavmodule...
    Never mind. 4.25 or later, huh? I've got 4.22 so I'll have to upgrade. That should improve the load.

  9. #9
    Member casey's Avatar
    Join Date
    Jan 2003
    Location
    If there is trouble, it will find me
    Posts
    2,336

    I also had to install the following perl modules:
    Net::CIDR
    Inline

    Then I had to change the following line in MailScanner.conf:
    Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
    to:
    Monitors for ClamAV Updates = /usr/share/clamav/*.cvd
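
The path fix in post #9 can be verified mechanically. The script below is an added example, not part of the thread or of MailScanner: it reads `Virus Scanners` and `Monitors for ClamAV Updates` from a MailScanner.conf and reports whether the monitored glob matches any signature database on disk. The function names `ms_setting` and `check_clamav_monitor` and the temporary demo files are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check the two MailScanner.conf settings
# discussed above. The sample files created below are constructed for the demo.

# Print the value of a "Key = value" setting; commented-out lines are ignored.
ms_setting() {   # usage: ms_setting <conf-file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the "Monitors for ClamAV Updates" glob matches an existing file,
# 1 if it matches nothing (stale path), 2 if the setting is missing.
check_clamav_monitor() {   # usage: check_clamav_monitor <conf-file>
    local pattern f
    pattern=$(ms_setting "$1" "Monitors for ClamAV Updates")
    [ -n "$pattern" ] || { echo "setting not found in $1" >&2; return 2; }
    # Unquoted on purpose so the shell expands the glob read from the config
    # (assumes the path contains no spaces).
    for f in $pattern; do
        [ -e "$f" ] && { echo "ok: $f"; return 0; }
    done
    echo "stale: nothing matches $pattern" >&2
    return 1
}

# Demo on constructed files: one config pointing at a directory that holds a
# signature database, one pointing at a directory that does not exist.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/share/clamav"
: > "$demo_dir/share/clamav/main.cvd"
cat > "$demo_dir/good.conf" <<EOF
Virus Scanners = clamavmodule
# Monitors for ClamAV Updates = /commented/out/*.cvd
Monitors for ClamAV Updates = $demo_dir/share/clamav/*.cvd
EOF
sed 's#share/clamav#local/share/clamav#' "$demo_dir/good.conf" > "$demo_dir/stale.conf"

for conf in good stale; do
    printf '%s.conf: scanner=%s, ' "$conf" "$(ms_setting "$demo_dir/$conf.conf" "Virus Scanners")"
    check_clamav_monitor "$demo_dir/$conf.conf" 2>&1 || true
done
```

On a real server, call `check_clamav_monitor /path/to/MailScanner.conf`; a non-zero exit means the monitored path should be corrected to wherever the .cvd files actually live.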
