How to stop SPAMMER SENDING 5000+mail/Hr. ?

[dolay]

there were an account idan.echsun.net amd this user start to spam mails from [email protected] email .

We have deleted user idan.echsun.net also master domain ecshun.net aslo rm -f '/home/idan/' but still spamming 5000 e-mails per hour by this user since 2 days.

We have exim+clamav+mailscanner installer updated/installed too however it never effect to stop that spam...

Please help us and the world stop this evil. I think there millions of spam mails send to the world

when i "locate idan" to delete related files from the server i see :


/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.5764.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.13517.1
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.22633.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.30663.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.31139.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.32365.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.1600.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.1897.0
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-1.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-2.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-3.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-4.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-5.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-6.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-7.pck

which are comeback when we delete to.

Also when we try to empty /etc/relayhosts-relayhostsusers file to disable relay for everyone hosted on this server , those files comeback and filled its inside automatically.

Can anyone gues whats happening on this server and how can we stop this.

 

[GOT]

No easy answers on this one. Would be happy to take a look for you though. PM me if you are interested.

MSN: support [at] got-support.com
ICQ: 1240904

 

[areha]

I have also the problem with extreme amounts of spam after someone had gotten access to a trial webmail-account on my server. I closed the account few hours after it was created.

The days after I got 150.000 emails a day on a server normally getting maybe 100 a day, and the server went down (at least exim) because the mail was just gotten stuck in the mail-queue. Now after 10 days, I still get large amounts of spam with autogenerated name-content before my domain name in the emailaddress, like [email protected], but due to various spamfilters this email is dropped after recieved. This demands however 50-90% of the resources on the server to run spamd and exim, I can see it in Top all the time. The email from header is often false, so bounce messages is stuck in the queue. There is no longer any spam going out from the server, just in.

Just for fun I disabled spamd and exim, and suddenly I had 99-100% free capasity.. However, spamd was autostarted after a while even when unselected, so didn´t stay offline to long thow..

Since I use the catch-all account for gossamer mail, I can not disable catch-all account either, that was the only solution cPanel support could give me.

I am most concerned about the resources the spamd and exim uses to handle all this mail, and secondly, the bandwith all this email causes each day. To drop the email before it comes, using dns verify migth be something to consider..

 

[GOT]

If you cannot disable the catch-all then you are going to be out of luck I am afraid.

You COULD check to see what IP he is connecting as. If he is not spoofing it, you could install a firewall and block his IP. If he is spoofing it, well, then I'm afraid there won't be a lot you can do.

Best bet is to set up whatever forwarders you need to and then disable the catchall.

 

[GOT]

wrong thread

 

[areha]

Actually, you gave me an idea I can just setup forwarding for those catch-all users, and deliver to the webmail client. Will demand some custom setup for each account, but better that give out pop3 addresses.