How to stop a SPAMMER SENDING 5000+ mail/hr?

dolay

Member
Apr 28, 2004
There was an account idan.echsun.net and this user started to spam mails from the [email protected] email.

We have deleted the user idan.echsun.net and also the master domain echsun.net, and also ran rm -f '/home/idan/', but this user is still spamming 5000 e-mails per hour, for 2 days now.

We have exim+clamav+mailscanner installed and updated too, however it has had no effect in stopping that spam...

Please help us and the world stop this evil. I think there are millions of spam mails being sent to the world :(

When I run "locate idan" to delete related files from the server I see:

/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.5764.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.13517.1
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.22633.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.30663.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.31139.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.32365.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.1600.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.1897.0
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-1.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-2.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-3.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-4.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-5.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-6.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-7.pck

which come back when we delete them.

Also, when we try to empty the /etc/relayhosts-relayhostsusers file to disable relay for everyone hosted on this server, those files come back and get filled automatically.

Can anyone guess what's happening on this server and how we can stop this?

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
Chesapeake, VA
cPanel Access Level: DataCenter Provider
No easy answers on this one. Would be happy to take a look for you though. PM me if you are interested.

MSN: support [at] got-support.com
ICQ: 1240904

areha

Well-Known Member
Oct 30, 2002
I also have the problem with extreme amounts of spam after someone had gotten access to a trial webmail account on my server. I closed the account a few hours after it was created.

The days after, I got 150.000 emails a day on a server normally getting maybe 100 a day, and the server went down (at least exim) because the mail just got stuck in the mail queue. Now, after 10 days, I still get large amounts of spam with autogenerated name content before my domain name in the email address, like [email protected], but due to various spam filters this email is dropped after being received. This, however, demands 50-90% of the resources on the server to run spamd and exim; I can see it in top all the time. The email From header is often false, so bounce messages get stuck in the queue. There is no longer any spam going out from the server, just in.

Just for fun I disabled spamd and exim, and suddenly I had 99-100% free capacity.. However, spamd was autostarted after a while even when unselected, so it didn't stay offline too long though..

Since I use the catch-all account for Gossamer Mail, I cannot disable the catch-all account either; that was the only solution cPanel support could give me.

I am most concerned about the resources spamd and exim use to handle all this mail, and secondly about the bandwidth all this email causes each day. To drop the email before it comes in, using DNS verify might be something to consider..

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
Chesapeake, VA
cPanel Access Level: DataCenter Provider
If you cannot disable the catch-all then you are going to be out of luck I am afraid.

You COULD check to see what IP he is connecting as. If he is not spoofing it, you could install a firewall and block his IP. If he is spoofing it, well, then I'm afraid there won't be a lot you can do.

Best bet is to set up whatever forwarders you need to and then disable the catchall.
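Following the suggestion above to check which IP (or which login) the messages are actually coming in on, here is an added example that is not part of this thread: a Python script that tallies Exim mainlog "<=" (message received) lines per hour by SMTP AUTH login, local user or client IP, and flags sources above a threshold. The log lines are constructed samples in Exim's mainlog format, and the 500/hour default threshold is an assumption to tune per server.

```python
import re
from collections import Counter

# Constructed sample lines in Exim mainlog format (not from the thread's server).
# '<=' marks a message received; A= is the SMTP AUTH login, U= a local Unix user.
SAMPLE_MAINLOG = """\
2004-04-28 09:00:01 1BIaaa-0001A1-Xa <= adv@example.net H=(pc) [192.0.2.10] P=esmtpa A=login:alice S=1200 id=1@example.net
2004-04-28 09:00:02 1BIaaa-0001A2-Xb <= adv@example.net H=(pc) [192.0.2.10] P=esmtpa A=login:alice S=1190 id=2@example.net
2004-04-28 09:00:03 1BIaaa-0001A3-Xc <= adv@example.net H=(pc) [192.0.2.10] P=esmtpa A=login:alice S=1210 id=3@example.net
2004-04-28 09:00:04 1BIaaa-0001A4-Xd <= news@example.org H=mail.example.org [198.51.100.5] P=esmtp S=3400 id=4@example.org
2004-04-28 09:00:05 1BIaaa-0001A5-Xe <= bob@example.net U=bob P=local S=900 id=5@example.net
2004-04-28 09:00:06 1BIaaa-0001A1-Xa => adv@example.net R=lookuphost T=remote_smtp H=mx.example.com [203.0.113.7]
"""

RECEIVED_RE = re.compile(r"^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d\d:\d\d \S+ <= (?P<sender>\S+)(?P<rest>.*)$")
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")
AUTH_RE = re.compile(r"\bA=(?P<auth>\S+)")
LOCAL_RE = re.compile(r"\bU=(?P<user>\S+)")

def parse_received(log_text):
    """Yield (hour, source, sender) for every '<=' line; source is the SMTP AUTH
    login (what a hijacked account shows), else the local Unix user, else the client IP."""
    for line in log_text.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue  # deliveries ('=>'), rejects and other lines are not counted
        rest = m.group("rest")
        auth, local, ip = AUTH_RE.search(rest), LOCAL_RE.search(rest), IP_RE.search(rest)
        if auth:
            source = "auth:" + auth.group("auth")
        elif local:
            source = "local:" + local.group("user")
        elif ip:
            source = "ip:" + ip.group("ip")
        else:
            source = "unknown"
        yield m.group("hour"), source, m.group("sender")

def hourly_counts(log_text):
    """Count received messages per (hour, source)."""
    counts = Counter()
    for hour, source, _ in parse_received(log_text):
        counts[(hour, source)] += 1
    return counts

def flag_bursts(log_text, per_hour=500):
    """Return [(hour, source, count)] for sources above per_hour (assumed default), busiest first."""
    return sorted(((h, s, n) for (h, s), n in hourly_counts(log_text).items() if n > per_hour), key=lambda t: -t[2])

print(flag_bursts(SAMPLE_MAINLOG, per_hour=2))  # constructed sample: alice, 3 messages in hour 09
```

On a cPanel box the real input is /var/log/exim_mainlog; a source that tops the list after the account was deleted points at whatever is still submitting mail (a login that still authenticates, a local process, or one client IP that a firewall rule can stop).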

areha

Well-Known Member
Oct 30, 2002
Actually, you gave me an idea :) I can just set up forwarding for those catch-all users and deliver to the webmail client. It will demand some custom setup for each account, but better that than giving out POP3 addresses.