Hello,
I have had problems with some shared webhosting clients constantly getting their Joomla installs hacked and used for relaying spam emails. Even though I teach the clients how to prevent getting hacked, upgrade to the latest versions, use anti-virus on their home computer, use hard passwords etc., it still happens to a few of them too many times already.
I figured that even if I can't prevent the site owners from getting hacked at all times, I can prevent my servers from spitting out hundreds of thousands of spam emails if it happens.
I can then calmly clean and remove the infected files and contact the site owner etc. without having to worry about my server IP getting banned.
I have stopped the outgoing emails using different methods, but I find this one is the smartest, at least for me in this case. I publish my solution here so that anybody else having the same problem can try this solution and hopefully also save their IPs from getting banned or similar problems.
---
How to..
Let's say that the site that has been infected more than once is the website example.com, just as an example.
The relayed spam emails sent out would typically look like [email protected]. In this example I will use [email protected].
Check what emails your client is using for the site. My client in this example only uses [email protected] as the only email connected to the domain. So I create a filter that will discard all other sender or reply email addresses. This is how to do it:
You need root access to your server.
Access and edit the file /etc/cpanel_exim_system_filter
Add the following:
Code:
# BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/cpanel_exim_system_filter
# (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
# or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
# Exim filter to throw away all mail from one site, except from info
# "seen finish" marks the message as handled and stops filtering, so no
# delivery happens and Exim logs it as "discarded (system filter)".
if $reply_address contains "@example.com" and
   $reply_address does not contain "[email protected]"
then
   seen finish
endif
if $sender_address contains "@example.com" and
   $sender_address does not contain "[email protected]"
then
   seen finish
endif
# END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/cpanel_exim_system_filter
(I am sorry for the bad words they put in their spam; I have replaced them with ** so as not to offend anybody here)
Code:
exigrep [email protected] /var/log/exim_mainlog
2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i [email protected]
2015-12-16 19:01:53 1a9HKj-0000yx-GQ <= [email protected] U=example P=local S=886 T="blah blah blah [email protected]
2015-12-16 19:01:53 1a9HKj-0000yx-GQ => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000yx-GQ Completed
2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i [email protected]
2015-12-16 19:01:53 1a9HKj-0000z9-IS <= [email protected] U=example P=local S=874 T="He he Babe * for [email protected]
2015-12-16 19:01:53 1a9HKj-0000z9-IS => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000z9-IS Completed
Emails discarded!
I saw in Sent Summary in this case that 187,810 emails were discarded. I can calmly remove the infected files and be happy that none of those emails were actually sent out.
My 2 cents
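The exim_mainlog lines above also show, in the cwd= entry, which directory the injected script ran sendmail from, which is where to look when cleaning up. As an added example that is not part of the original post, this POSIX shell script counts what the system filter discarded versus what was delivered, and groups the discards by originating directory; the log lines, the spamsender@example.com address and the allowed@example.com address it contains are constructed placeholders in the format shown above.

```shell
#!/bin/sh
# Constructed sample in the format of /var/log/exim_mainlog shown above
# (ids, paths and addresses are placeholders, not real data).
SAMPLE_LOG=$(cat <<'EOF'
2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i spamsender@example.com
2015-12-16 19:01:53 1a9HKj-0000yx-GQ <= spamsender@example.com U=example P=local S=886 T="blah blah blah"
2015-12-16 19:01:53 1a9HKj-0000yx-GQ => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000yx-GQ Completed
2015-12-16 19:01:54 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i spamsender@example.com
2015-12-16 19:01:54 1a9HKj-0000z9-IS <= spamsender@example.com U=example P=local S=874 T="blah blah blah"
2015-12-16 19:01:54 1a9HKj-0000z9-IS => discarded (system filter)
2015-12-16 19:01:54 1a9HKj-0000z9-IS Completed
2015-12-16 19:02:10 cwd=/home/example/public_html 3 args: /usr/sbin/sendmail -t allowed@example.com
2015-12-16 19:02:10 1a9HL0-00010a-Ab <= allowed@example.com U=example P=local S=512 T="Contact form"
2015-12-16 19:02:10 1a9HL0-00010a-Ab => customer@example.net R=lookuphost T=remote_smtp
2015-12-16 19:02:10 1a9HL0-00010a-Ab Completed
EOF
)

# Number of messages the system filter threw away.
count_discarded() {
    grep -c 'discarded (system filter)' "$1"
}

# Number of messages that passed the filter and were handed to a transport (T=...).
count_delivered() {
    grep -c ' => [^ ]*@[^ ]* .*T=' "$1"
}

# Directories the discarded messages were submitted from, with counts.
# Assumes the cwd= line of a local submission precedes its "<=" line, as in
# the log above; heavily interleaved concurrent submissions could mispair.
discard_origins() {
    awk '
      / cwd=/ { match($0, /cwd=[^ ]+/); lastcwd = substr($0, RSTART + 4, RLENGTH - 4) }
      / <= /  { cwd_of[$3] = lastcwd }
      / => discarded \(system filter\)/ { n[cwd_of[$3]]++ }
      END { for (d in n) print n[d], d }
    ' "$1" | sort -rn
}

# Write the constructed sample to a file so the functions take a path like the real log.
LOGFILE=$(mktemp)
trap 'rm -f "$LOGFILE"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"

echo "discarded: $(count_discarded "$LOGFILE"), delivered: $(count_delivered "$LOGFILE")"
discard_origins "$LOGFILE"
```

On a real server, point the functions at /var/log/exim_mainlog instead of the constructed file.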