This user is spamming !!! I need to block it !!

[atul]

Hello ALL,
Today I found that the user kleen on my server is spamming ..
here are some of the entries from exim_mainlog file..
There are thiusands of such entries ..

2004-08-01 04:34:27 1BrDff-0004cY-Ep => kleen <ingram@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:39 1BrDgo-0004d2-7K => kleen <ford@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:40 1BrDgq-0004d9-1w => kleen <williamson@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:43 1BrDgs-0004d4-5u => kleen <knight@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:43 1BrDgs-0004d2-Nb => kleen <jordan@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:46 1BrDgv-0004dT-JZ => kleen <guzman@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:47 1BrDgw-0004d9-I1 => kleen <bishop@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:50 1BrDgz-0004d4-IR => kleen <matthews@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:50 1BrDh0-0004d9-4q => kleen <stanley@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:53 1BrDh1-0004dg-Q3 => kleen <strickland@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:53 1BrDgz-0004d2-Iy => kleen <mcdonald@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:54 1BrDh2-0004dU-QV => kleen <fleming@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:54 1BrDh3-0004d2-Jc => kleen <hunter@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:54 1BrDh4-0004d4-0D => kleen <lane@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:55 1BrDh4-0004dT-74 => kleen <leonard@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:58 1BrDh7-0004d2-8X => kleen <mason@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:58 1BrDh7-0004d9-DW => kleen <reid@kleen.com> R=localuser T=local_delivery
2004-08-01 04:35:58 1BrDh7-0004d4-Ry => kleen <armstrong@kleen.com> R=localuser T=local_delivery
2004-08-01 04:36:02 1BrDhB-0004dg-1Y => kleen <goodman@kleen.com> R=localuser T=local_delivery
2004-08-01 04:36:02 1BrDhA-0004dT-SS => kleen <baldwin@kleen.com> R=localuser T=local_delivery

I have checked that demo mode is disable for this user ...
How do I disable it? We have RHE3 server with whm 9.4..
Thank you

[lostinspace]

If it's a user on your machine how bout you KILL HIS ACCOUNT?

[atul]

Hello,
Yes the user have account on my server !! He has the domain hosated !!!
But I don't think it is good solution personally !!!
What else can be done?

[dave9000]

how about Violation of our Terms Of Service , your account is now cancelled

This method works pretty good

other than that you can go into tweak settings and set the max mails sent per hr to a low number provided he doesn't bypass that with his own smtp server

[dgbaker]

Not a good solution??? The guy is a spammer! He deserves to have his account terminated.

If all hosting companies took a zero tolerance policy then we would have less spammers out there. But I guess to some money is more important.

Remember spammers also hurt you as it is your IP's that end up getting blacklisted, your reputation that gets tarnished, and your other legit customers getting hurt as well.

You need to make a choice. Money and keep the spammer or Fight the good fight and get rid of the spammer.

[peddler]

Hello,
Yes the user have account on my server !! He has the domain hosated !!!
But I don't think it is good solution personally !!!
What else can be done?

You're joking, right? Just delete the account and feel real good about doing it!!!!

[lostinspace]

Hello,
Yes the user have account on my server !! He has the domain hosated !!!
But I don't think it is good solution personally !!!
What else can be done?

Good luck when trying to get your server un-blacklisted

[dave9000]

Originally Posted by atul
Hello,
Yes the user have account on my server !! He has the domain hosated !!!
But I don't think it is good solution personally !!!
What else can be done?

Some folks have to learn the hard way

And I agree he will play hell getting his server off the blacklists

We got hit by the formmail spam hole a coupla yrs ago and it took a while to get un-blacklisted

[lostinspace]

I'm not sure I understand the post really.

He/she doesn't want to kill the account so he/she is willing to spend hours researching how to stop the persons outgoing bulk e-mail??

Weird.

[myrem]

I'm confused... is the account user 'kleen' and the domain kleen.com?
So you mean the guy is spamming his own domain name? That's what it looks like to me....

[rpmws]

I'm confused... is the account user 'kleen' and the domain kleen.com?
So you mean the guy is spamming his own domain name? That's what it looks like to me....

It's returned mail from a dictonary spammer. They are using radnom@kleen.com for "from" addresses. This kleen guy is a victim. I see these all the time. What spammer in theiir right mind would spam their own domain?

There is also a possibility that it's a forwarder list. I have a few companies that set up forwarders like this.

office@domain.com >>> user1@domain.com
office@domain.com >>> user2@domain.com
office@domain.com >>> user3@domain.com
office@domain.com >>> user3@domain.com
and so on ... This way they can all communicate with each other by sending and replying to "office"

[knipper]

I agree with myrem...

To me this appears to be spam being delivered TO kleen.com, not coming from kleen.com and/or bounces due to spam being sent with his domain name.

I have a personal domain that is/was targetted like this. It must have ended up on MANY spammer lists, as it is non-stop daily from hundreds of different IP's. This domain had a "catch all" for years... then one day spam got out of control.

I had to implement some exim rules, and some dictionary attack rules as well. You can literally watch the messages in my exim_rejectlog for the domain scroll by... at certain times of the day.