How do I stop SPAM being sent from my server?

nigelbb (Member, joined Feb 25, 2013; cPanel Access Level: Root Administrator):
I am using WHM/cPAnel to manage a Xen Virtual server with a bunch of domains each with websites & have just been informed by my hosting company that the server is being used to send SPAM. I need to know how to stop it. I don't want to run email on the server at all as those domains that do require email addresses have the MX records pointing elsewhere to the mail servers. When I look in Home » Email » Mail Delivery Reports I can see that two domains are sending thousands of mails from email addresses that don't exist to a whole bunch of email addresses. To stop this as an emergency measure I set Max hourly emails per domain to just 1 so at least the email isn't being sent but I need some help to know how to prevent this happening. Is a script being run on my server to send out all these emails? How can I tell? Is something from outside my server accessing SMTP?

I tried to Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) but get an error so then I installed CSF & tried SMTP_BLOCK but again I get an error. iptables seems to be installed OK

Can I disable email totally? If I do will I still be able to have emails sent from a contact form on a website?

nigelbb (Member, joined Feb 25, 2013; cPanel Access Level: Root Administrator):
Cannot enable SMTP Restrictions

I am running a Xen virtual server managed by WHM/cPanel & it has apparently been sending thousands of SPAM emails from two particular domains (there are about 20 domains hosted on the server each running a webserver). So I am trying to tighten up security so tried enabling Home »Security Center »SMTP Restrictions but just get the unhelpful error message "An error occurred attempting to update this setting." If I try using the Tweak Settings interface to do the same thing I get this message:-

Updating Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) from Off to On.
Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) was updated.
Processing post action for Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak):
There was an error updating Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak):

How can I find out what is actually failing?

nigelbb (Member, joined Feb 25, 2013; cPanel Access Level: Root Administrator):
> If you know the domain where the spam is sent from, you just suspend that account.
> Problem solved :)
OK. That's great as far as it goes. My server is now not sending SPAM but how do I find out how the SPAM was being sent from those domains so that I can prevent it so that I can un-suspend the accounts?

quietFinn (Well-Known Member, joined Feb 4, 2006; Finland; cPanel Access Level: Root Administrator):
> OK. That's great as far as it goes. My server is now not sending SPAM but how do I find out how the SPAM was being sent from those domains so that I can prevent it so that I can un-suspend the accounts?
I suggest you install ConfigServer Firewall:
ConfigServer Security & Firewall

at least it will alert you instantly when someone is sending spam, and often it is able to tell what script is sending.

Also you should learn how to check server's logs, in this case at least:
/var/log/exim_mainlog
/var/log/maillog

nigelbb (Member, joined Feb 25, 2013; cPanel Access Level: Root Administrator):
I already installed ConfigServer Firewall & as I mentioned in my original post I cannot get SMTP_BLOCK enabled.

It's not because a user is logging in & sending mails as I changed the password on the accounts for those domains & that did not stop the SPAM. The two domains responsible for sending SPAM are running Joomla websites. I suspect that some security hole in Joomla has enabled a script to be uploaded that is sending the SPAM.

BTW Thanks for your help

georgeb (Well-Known Member, joined May 23, 2010; Montreal, QC, Canada; cPanel Access Level: Root Administrator):
> I already installed ConfigServer Firewall & as I mentioned in my original post I cannot get SMTP_BLOCK enabled.
>
> It's not because a user is logging in & sending mails as I changed the password on the accounts for those domains & that did not stop the SPAM. The two domains responsible for sending SPAM are running Joomla websites. I suspect that some security hole in Joomla has enabled a script to be uploaded that is sending the SPAM.
>
> BTW Thanks for your help

I'll install the CXS from ConfigServer too, or I scan whatever is uploaded via FTP or web for known exploits, or for regular expressions (regex). Add headers to your emails to track UID / GID, or X-PHP-Script and X-Source-Dir headers.

A forwarder can be used to send spam, etc. There are many ways.


Regards,
George B.

ruzbehraja (Well-Known Member, joined May 19, 2011; cPanel Access Level: Root Administrator):
Don't forget to clear up your mail queue.
Before clearing it up, you may want to check the headers of the mail sent.

If it was sent via authentication then you should see a header with "auth_id" in the mail giving you the info of the email account used.

If it's done through the nobody user, then you need to prevent the nobody user from sending mail by enabling the tweak in WHM > Tweak Settings.

I guess your CSF SMTP Block failed because your WHM SMTP tweak is enabled. You will need to have either one. I would recommend the CSF one.


You should read this too:
How to: Prevent Email Abuse

nigelbb (Member, joined Feb 25, 2013; cPanel Access Level: Root Administrator):
I chased down the problem which was with a vulnerability in an old version of a Joomla extension that enabled spam to be sent. It took me many hours to run it down but on the bright side I now have csf installed which should warn me about similar future problems. Two accounts were sending approximately 80K spam messages per day between them!

I still have a problem with enabling WHM SMTP Tweak so will start a new thread on this issue.

24x7server (Well-Known Member, joined Apr 17, 2013; India; cPanel Access Level: Root Administrator):
I also suggest you enable "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the Mail tab. This could help in finding the malicious script.

Also check your exim log_selector and update it with the following options.

---------------
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
---------------

prashantp786j (Active Member, joined Jan 16, 2009):
The following steps can be helpful to monitor spamming on the server.
1) Monitor the exim logs for the home and tmp directories.
2) Check the mail queue with exim -bpr and pick out which email account has sent a large number of emails to different accounts.
3) Also monitor the POST requests for the suspicious accounts found in the exim logs or mail queue.

basshook (Active Member, joined Jul 27, 2006):
> I also suggest you enable "Track email origin via X-Source email headers" in WHM >> Tweak Settings under the Mail tab. This could help in finding the malicious script.
>
> Also check your exim log_selector and update it with the following options.
>
> ---------------
> log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
> ---------------
I notice that the default in WHM 11.38.2 (build 2) is -retry_defer and you recommend +retry_defer. What is the difference and which should I implement? Also do all your options still carry merit with this version? Thanks in advance.

basshook (Active Member, joined Jul 27, 2006):
Thanks for your reply and the link. I'm still not sure I understand the difference between the plus or minus sign for the retry_defer option, so I left the cpanel default in using the minus sign for -retry_defer instead of using the +retry_defer recommended in the post. I did however use all the other options mentioned in the post and will monitor my logs to see if I can see a difference from before.

kamall (Well-Known Member, joined Mar 17, 2012; Bethune, France; cPanel Access Level: Root Administrator):
Here is the command line to find which clients are sending spam (run over SSH as root):

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
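The same idea as the grep/awk pipeline above, plus the authenticated-sender check ruzbehraja mentions, as an added example that is not code from the thread or from cPanel: it tallies which working directory invoked sendmail (the "cwd=" lines that Exim writes when the "+arguments" log_selector recommended earlier is on) and which authenticated login (the "A=" field) each accepted message came from. The log lines are constructed and simplified for the example; the threshold and the "/public_html" test are assumptions you would tune to your server.

```python
"""Summarise an Exim mainlog to spot where bulk mail originates (added example)."""
import re
from collections import Counter

CWD_RE = re.compile(r"\bcwd=(\S+)")   # logged by Exim with log_selector +arguments
AUTH_RE = re.compile(r"\bA=(\S+)")    # authenticator:login on accepted (<=) lines

# Constructed, simplified cPanel-style exim_mainlog excerpt (not a real log).
SAMPLE_LOG = """\
2013-06-01 10:00:01 cwd=/home/site1/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2013-06-01 10:00:01 1Uabc1-0001Ab-Cd <= lottery@nonexistent.invalid U=site1 P=local S=2210
2013-06-01 10:00:02 cwd=/home/site1/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2013-06-01 10:00:02 cwd=/home/site1/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2013-06-01 10:00:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Uabc1-0001Ab-Cd
2013-06-01 10:00:05 1Uabc2-0002Bc-De <= alice@example.com H=(laptop) [203.0.113.5] P=esmtpsa A=dovecot_login:alice@example.com S=1800
2013-06-01 10:00:07 cwd=/home/site2/public_html 3 args: /usr/sbin/sendmail -t -i
"""


def summarise(lines):
    """Return (cwd_counts, auth_counts): sendmail invocations per working
    directory (Exim's own spool is ignored, as in the grep -v /var/spool
    pipeline) and accepted messages per authenticated login."""
    cwd_counts, auth_counts = Counter(), Counter()
    for line in lines:
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith("/var/spool"):
            cwd_counts[m.group(1)] += 1
        m = AUTH_RE.search(line)
        if m:
            auth_counts[m.group(1)] += 1
    return cwd_counts, auth_counts


def suspicious_dirs(cwd_counts, threshold):
    """Web-served directories (assumed to contain /public_html) that invoked
    sendmail at least `threshold` times; a script there is the first thing to inspect."""
    return sorted(d for d, n in cwd_counts.items()
                  if "/public_html" in d and n >= threshold)


if __name__ == "__main__":
    # To run against a live server, replace SAMPLE_LOG with open("/var/log/exim_mainlog").
    cwd, auth = summarise(SAMPLE_LOG.splitlines())
    for d, n in cwd.most_common():
        print(f"{n:6d} {d}")
    for a, n in auth.most_common():
        print(f"{n:6d} {a}")
    print("inspect:", suspicious_dirs(cwd, 3))
```

A directory with thousands of entries and no matching authenticated login points at a script (the Joomla case in this thread); many entries under one "A=" login instead point at a compromised mailbox password.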