How do I stop SPAM being sent from my server?

[nigelbb]

I am using WHM/cPAnel to manage a Xen Virtual server with a bunch of domains each with websites & have just been informed by my hosting company that the server is being used to send SPAM. I need to know how to stop it. I don't want to run email on the server at all as those domains that do require email addresses have the MX records pointing elsewhere to the mail servers. When I look in Home » Email » Mail Delivery Reports I can see that two domains are sending thousands of mails from email addresses that don't exist to a whole bunch of email addresses. To stop this as an emergency measure I set Max hourly emails per domain to just 1 so at least the email isn't being sent but I need some help to know how to prevent this happening. Is a script being run on my server to send out all these emails? How can I tell? Is something from outside my server accessing SMTP?

I tried to Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) but get an error so then I installed CSF & tried SMTP_BLOCK but again I get an error. iptables seems to be installed OK

Can I disable email totally? If I do will I still be able to have emails sent from a contact form on a website?

 

[quietFinn]

If you know the domain where the spam is sent from, you just suspend that account.
Problem solved

 

[nigelbb]

Cannot enable SMTP Restrictions

I am running a Xen virtual server managed by WHM/cPanel & it has apparently been sending thousands of SPAM emails from two particular domains (there are about 20 domains hosted on the server each running a webserver). So I am trying to tighten up security so tried enabling Home »Security Center »SMTP Restrictions but just get the unhelpful error message "An error occurred attempting to update this setting." If I try using the Tweak Settings interface to do the same thing I get this message:-

Updating Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) from Off to On.
Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) was updated.
Processing post action for Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak):
There was an error updating Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak):

How can I find out what is actually failing?

 

[nigelbb]

If you know the domain where the spam is sent from, you just suspend that account.
Problem solved

OK. That's great as far as it goes. My server is now not sending SPAM but how do I find out how the SPAM was being sent from those domains so that I can prevent it so that I can un-suspend the accounts?

 

[quietFinn]

OK. That's great as far as it goes. My server is now not sending SPAM but how do I find out how the SPAM was being sent from those domains so that I can prevent it so that I can un-suspend the accounts?

I suggest you install ConfigServer Firewall:
ConfigServer Security & Firewall

at least it will alert you instantly when someone is sending spam, and often it is able to tell what script is sending.

Also you should learn how to check server's logs, in this case at least:
/var/log/exim_mainlog
/var/log/maillog

 

[nigelbb]

I already installed ConfigServer Firewall & as I mentioned in my original post I cannot get SMTP_BLOCK enabled.

It's not because a user is logging in & sending mails as I changed the password on the accounts for those domains & that did not stop the SPAM. The two domains responsible for sending SPAM are running Joomla websites. I suspect that some security hole in Joomla has enabled a script to be uploaded that is sending the SPAM.

BTW Thanks for your help

 

[georgeb]

I already installed ConfigServer Firewall & as I mentioned in my original post I cannot get SMTP_BLOCK enabled.

It's not because a user is logging in & sending mails as I changed the password on the accounts for those domains & that did not stop the SPAM. The two domains responsible for sending SPAM are running Joomla websites. I suspect that some security hole in Joomla has enabled a script to be uploaded that is sending the SPAM.

BTW Thanks for your help

I'll install the CXS from Configserver too, or I scan whatever is uploaded via FTP or WEB for known exploits, or for regular expressions (regex). Add headers to your emails to track UID / GID or X-PHP-Script and X-Souce-Dir headers.

Can be user a forwader to send spam etc. There are many ways.


Regards,
George B.

 

[ruzbehraja]

Dont forget to clear up your mail queue.
Before clearing up, you may want to check the headers of the mail sent.

If it was sent via authentication then you should see a header with "auth_id" in the mail giving you the info of the email account used.

If its done through the nobody user, then you need to prevent nobody user from sending mail by enabling the tweak in WHM > Tweak Settings.

I guess your CSF SMTP Block failed because your WHM SMTP tweak is enabled. You will need to have either one. I would recommend the CSF one.


You should read this too:
How to: Prevent Email Abuse

 

[nigelbb]

I chased down the problem which was with a vulnerability in an old version of a Joomla extension that enabled spam to be sent. It took me many hours to run it down but on the bright side I now have csf installed which should warn me about similar future problems. Two accounts were sending approximately 80K spam messages per day between them!

I still have a problem with enabling WHM SMTP Tweak so will start a new thread on this issue.

 

[tagteamcomputin]

I have a similar problem. How were you able to track down which Joomla component was causing the problem?
Thanks

 

[nigelbb]

I have a similar problem. How were you able to track down which Joomla component was causing the problem?
Thanks

I did some research on all the components that were installed & discovered that there was a known vulnerability in old versions of JCE (Joomla Content Editor).

 

[Infopro]

This site is helpful for that sort of thing:
The Joomla! ® Vulnerable Extensions List

 

[24x7server]

Also I will suggest you enabled "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the mail tab. This could help investigate finding the malicious script.

And also check your exim log_selector and update the following options.

---------------
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection+queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
---------------

 

[Veeble-Adam]

Please refer this thread to get some additional tips for configuring exim to improve detection of spammers and to prevent spoofing:

http://forums.cpanel.net/f5/setup-l...-hour-per-domain-users-201222.html#post843452

 

[prashantp786j]

Following steps can be helpful to monitor the spamming on the server.
1) monitor the exim logs for home and tmp directory.
2) check the mail queue with exim –bpr and pickout which email account has send number of emails to different accounts.
3) also monitor the POST request for the suspicious accounts found in the exim logs or mail queue.

 

[basshook]

Also I will suggest you enabled "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the mail tab. This could help investigate finding the malicious script.

And also check your exim log_selector and update the following options.

---------------
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection+queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
---------------

I notice that the default in WHM 11.38.2 (build 2) is -retry_defer and you recommend +retry_defer. What is the difference and which should I implement? Also do all your options still carry merit with this version? Thanks in advance.

 

[24x7server]

Hello,

With the plus or minus characters you can incease OR reduce your exim logging. And here are the More details of all exim_logs items Log files

 

[basshook]

Thanks for your reply and the link. I'm still not sure I understand the difference between the plus or minus sign for the retry_defer option, so I left the cpanel default in using the minus sign for -retry_defer instead of using the +retry_defer recommended in the post. I did however use all the other options mentioned in the post and will monitor my logs to see if I can see a difference from before.

 

[kamall]

Here is the command line which clients is sending spams by root ssh

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n