Hi everyone --
Please be gentle as I am NOT a professional (maybe not even an amateur) web server administrator. I simply host a website and email services as a volunteer for a local community garden.
I started getting forwarded messages from my hosting provider that the domain is being reported as a spammer. I have done everything on my server I feel safe enough (as someone who could easily completely screw up a server) to do -- i.e., just using WHM control panel interface and following _some_ of the recommendations that came up when I ran the Security Advisor tool.
It's clear that spammers are sending, or trying to send, email as the domain user svgarden. (server host name is vm1.bubbleup.us) How can they do this? At my hosting provider's recommendation I already changed the user's pw over a week ago and it is not even written anywhere on a piece of paper and my connections are always via secure ports. So I don't think the domain user's password is the issue.
What I need to know, if anyone can help, is the answers to these 3 Q's. I have already spent significant time trying to solve this on my own (by reading cPanel docs that are usually way over my head, and googling around for answers) but I don't think I have:
1. Is my server still being used for spam? I do not know how to decipher the exim log (pasted in below).
2. If answer to #1 is "yes", what else do I need to do on my server to stop this from happening? (I have also pasted in below my notes re what I have changed so far on my server)
3. I enabled the ClamAV connector and ran a virus scan for the domain that is experiencing this problem, but where can I see the results? I have looked all over the WHM and cpanel screens and can't see whether the scan was clean or whether any infected files were found.
My hosting provider recommended I use a third-party service to look into the situation, but the cost is $350, which I cannot pay; I already pay for the VPS for the garden's website & email and for other small community groups.
I would so appreciate any help!! Thanks in advance!
kazar
===========SAMPLE RECENT ENTRIES FROM EXIM_MAINLOG=============
======(ENTRIES ARE *AFTER* THE CHANGES I MADE ON SERVER THAT ARE NOTED BELOW)===
=========ARE SPAMMERS STILL SENDING MAIL THROUGH MY SERVER?=======
- Removed -
==========================================
My notes of what changes I made on my server before the above Exim log items were written
Do I need to do anything else?
==========================================
In Tweak Settings
Prevented "nobody" from sending mail
Enabled SMTP restrictions
Jailed all user shells
Tweak Settings / Mail -- changed initial default/catch-all forwarder destination to Fail
NOTE: Mail authentication via domain owner password was already OFF, so how is someone sending as svgarden@vm1?
Track email origin via X-Source email headers - turned ON
Max hourly emails per domain: 50
Maximum percentage of failed or deferred messages a domain may send per hour - set to 5%
In Exim Configuration Manager - Basic Editor
ACL Options
Reject remote mail sent to the server's hostname - turned ON
[?]Reject mail at SMTP time if the recipient is an address of the primary hostname of this server. No remote mail should normally be received for the primary hostname, and this has recently become a common spam target.
Mail
Log sender rates in the exim mainlog. - turned ON
Set SMTP Sender: headers - turned ON
[?](-f flag passed to sendmail) This will create "On behalf of" notices in Microsoft® Outlook, but it may also help track abuse of the mail system since recipients will see the SMTP login used to send each message.
Security
Scan outgoing messages for malware - turned ON
Apache Spam-Assassin options
Apache SpamAssassin™: Forced Global ON - turned on
Scan outgoing messages for spam and reject based on the Apache SpamAssassin™ internal spam_score setting - turned ON
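The question above (is the server still sending, and how can mail go out as svgarden without the mailbox password) is answered by the `<=` arrival lines in /var/log/exim_mainlog, and the deciding fields are `P=` (protocol), `A=` (SMTP authenticator and login) and `U=` (the Unix user that injected the message locally). Mail with `P=local U=svgarden` was handed to Exim by a process running as that account, typically a PHP script or cron job under the account's web root, which needs no mailbox password at all; mail with `P=esmtpa A=dovecot_login:...` was sent through an SMTP login. The following is an added example, not code from the post: a small classifier that runs over constructed mainlog lines (the sample lines, message IDs, addresses and the ClientA/ClientB-style hostnames are invented, in the standard Exim field layout) and counts how many messages entered by each path and under which identity.

```python
"""Classify Exim mainlog arrival ("<=") lines by how each message entered.

Added example, not from the original post.  SAMPLE_LOG is constructed to
mimic cPanel/Exim mainlog lines; none of it is real traffic.
"""
import re
from collections import Counter

# Constructed sample: three locally injected messages from the 'svgarden'
# Unix account, one authenticated SMTP submission using the svgarden login,
# and one ordinary inbound message from a remote mail server.
SAMPLE_LOG = """\
2024-05-02 03:14:07 1s2abc-0001Xy-Zz <= svgarden@vm1.bubbleup.us U=svgarden P=local S=2210 T="Special offer" for victim1@example.net
2024-05-02 03:14:09 1s2abc-0001Xz-A1 <= svgarden@vm1.bubbleup.us U=svgarden P=local S=2198 T="Special offer" for victim2@example.org
2024-05-02 03:15:40 1s2abd-0001Y0-B2 <= bounce@example.com H=(hostname) [203.0.113.5] P=esmtpa A=dovecot_login:svgarden@vm1.bubbleup.us S=3100 T="Hello" for someone@example.com
2024-05-02 08:00:01 1s2abe-0001Y1-C3 <= info@example.com H=mail.example.com [198.51.100.9] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=5800 T="Garden meeting" for svgarden@vm1.bubbleup.us
2024-05-02 09:30:12 1s2abf-0001Y2-D4 <= svgarden@vm1.bubbleup.us U=svgarden P=local S=900 T="Newsletter" for member@example.net
"""

# "<timestamp> <message-id> <= <envelope sender> <fields...> for <recipients>"
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$'
)
# Exim logs single-letter key=value fields; T="subject" may contain spaces.
FIELD_RE = re.compile(r'\b(?P<key>[A-Z])=(?P<val>"[^"]*"|\S+)')


def parse_arrival(line):
    """Return a dict for a '<=' line, or None for any other mainlog line."""
    m = ARRIVAL_RE.match(line)
    if m is None:
        return None
    rest = m.group('rest')
    recipients = []
    # Envelope recipients follow the last ' for ' on the line.
    if ' for ' in rest:
        rest, rcpt_part = rest.rsplit(' for ', 1)
        recipients = rcpt_part.split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {
        'ts': m.group('ts'),
        'msgid': m.group('msgid'),
        'sender': m.group('sender'),
        'fields': fields,
        'recipients': recipients,
    }


def classify(rec):
    """Map a parsed arrival to (origin, identity).

    smtp_auth    - submitted over SMTP with a login (A=authenticator:user);
                   the login, not the From: address, is what was abused.
    local_script - injected on the server by a Unix user (P=local U=user),
                   e.g. a PHP script or cron job; no mailbox password needed.
    remote_unauth- accepted from a remote host without authentication
                   (normal inbound mail, or a relay attempt if it was
                   addressed to an outside domain).
    """
    f = rec['fields']
    if 'A' in f:
        return ('smtp_auth', f['A'].split(':', 1)[-1])
    if f.get('P') == 'local' and 'U' in f:
        return ('local_script', f['U'])
    return ('remote_unauth', f.get('H', '?'))


def summarize(log_text):
    """Count messages per origin and identity: {origin: Counter(identity)}."""
    by_origin = {}
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None:
            continue
        origin, who = classify(rec)
        by_origin.setdefault(origin, Counter())[who] += 1
    return by_origin


if __name__ == '__main__':
    # On a cPanel box you would feed this the real file, e.g.
    #   summarize(open('/var/log/exim_mainlog').read())
    for origin, counts in summarize(SAMPLE_LOG).items():
        for who, n in counts.most_common():
            print(f'{origin:14s} {who:40s} {n}')
```

If the bulk of the outgoing `<=` lines show `P=local U=svgarden`, the account's web files are the thing to look at rather than the mailbox password; with the "Track email origin via X-Source email headers" option the originating script path is recorded in the message headers (X-Source-Dir / X-Source-Args) of a copy of such a message, not in the mainlog. If they show `A=dovecot_login:...`, the SMTP login is still being used and the `H=` host and `[IP]` on those lines tell you from where.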