How to stop SPAMMER SENDING 5000+mail/Hr. ?

Discussion in 'E-mail Discussions' started by dolay, Aug 4, 2004.

  1. dolay

    dolay Member

    There was an account idan.echsun.net and this user started to spam mails from the Adv@idan.echsun.net email.

    We have deleted the user idan.echsun.net and also the master domain ecshun.net, and also ran rm -f '/home/idan/', but this user has still been spamming 5000 e-mails per hour for 2 days.

    We have exim+clamav+mailscanner installed/updated too; however, it never had any effect on stopping that spam...

    Please help us and the world stop this evil. I think there are millions of spam mails being sent to the world :(

    When I "locate idan" to delete related files from the server I see:


    /usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.5764.0
    /usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.13517.1
    /usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.22633.0
    /usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.30663.0
    /usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.31139.0
    /usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.32365.0
    /usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.1600.0
    /usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.1897.0
    /usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-1.pck
    /usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-2.pck
    /usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-3.pck
    /usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-4.pck
    /usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-5.pck
    /usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-6.pck
    /usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-7.pck

    which come back when we delete them too.

    Also, when we try to empty the /etc/relayhosts-relayhostsusers file to disable relay for everyone hosted on this server, those files come back and are filled in again automatically.

    Can anyone guess what's happening on this server and how we can stop this?
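
The paths in the listing above follow Mailman 2.x file naming, so they can be broken down into list name, lock-claiming host and PID, and held-message ids. This is an added example, not part of the original post; the `<listname>_<domain>` split is an assumption about how cPanel names lists, and the sample input is four of the paths copied from the post.

```python
import re
from collections import defaultdict

# Mailman 2.x naming: a lock claim file is <list>.lock.<host>.<pid>.<counter>,
# a held (moderation queue) message is heldmsg-<list>-<id>.pck
LOCK_RE = re.compile(r"/locks/(?P<list>.+?)\.lock\.(?P<host>.+)\.(?P<pid>\d+)\.\d+$")
HELD_RE = re.compile(r"/data/heldmsg-(?P<list>.+)-(?P<id>\d+)\.pck$")

# Four of the paths from the post, used as sample input.
SAMPLE = """\
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.5764.0
/usr/local/cpanel/3rdparty/mailman/locks/adv_idan.echsun.net.lock.dedicated.newista.net.13517.1
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-1.pck
/usr/local/cpanel/3rdparty/mailman/data/heldmsg-adv_idan.echsun.net-2.pck
"""

def summarize(paths):
    """Group Mailman artefacts by list: claiming hosts/PIDs and held message ids."""
    lists = defaultdict(lambda: {"hosts": set(), "pids": set(), "held": set()})
    for path in paths:
        path = path.strip()
        lock, held = LOCK_RE.search(path), HELD_RE.search(path)
        if lock:
            lists[lock["list"]]["hosts"].add(lock["host"])
            lists[lock["list"]]["pids"].add(int(lock["pid"]))
        elif held:
            lists[held["list"]]["held"].add(int(held["id"]))
    for name, info in lists.items():
        # Assumption: cPanel stores lists as <listname>_<domain>.
        info["domain"] = name.rpartition("_")[2]
    return dict(lists)

if __name__ == "__main__":
    for name, info in summarize(SAMPLE.splitlines()).items():
        print(name, info["domain"], sorted(info["pids"]), sorted(info["held"]))
```

Feeding it the full `locate` output shows, per list, which PIDs have claimed the lock and how many messages are held, which can then be compared against the running process list.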
     
  2. GOT

    GOT Get Proactive!

    No easy answers on this one. Would be happy to take a look for you though. PM me if you are interested.

    MSN: support [at] got-support.com
    ICQ: 1240904
     
  3. areha

    areha Well-Known Member

    I also have the problem with extreme amounts of spam after someone had gotten access to a trial webmail account on my server. I closed the account a few hours after it was created.

    The days after, I got 150.000 emails a day on a server normally getting maybe 100 a day, and the server went down (at least exim) because the mail just got stuck in the mail queue. Now, after 10 days, I still get large amounts of spam with autogenerated name content before my domain name in the email address, like KKFKJHICB@domain.com, but due to various spam filters this email is dropped after being received. This, however, demands 50-90% of the resources on the server to run spamd and exim; I can see it in Top all the time. The email From header is often false, so bounce messages are stuck in the queue. There is no longer any spam going out from the server, just in.

    Just for fun I disabled spamd and exim, and suddenly I had 99-100% free capacity. However, spamd was autostarted after a while even when unselected, so it didn't stay offline too long though.

    Since I use the catch-all account for gossamer mail, I cannot disable the catch-all account either; that was the only solution cPanel support could give me.

    I am most concerned about the resources that spamd and exim use to handle all this mail, and secondly, the bandwidth all this email causes each day. To drop the email before it comes, using dns verify might be something to consider.
     
  4. GOT

    GOT Get Proactive!

    If you cannot disable the catch-all then you are going to be out of luck I am afraid.

    You COULD check to see what IP he is connecting as. If he is not spoofing it, you could install a firewall and block his IP. If he is spoofing it, well, then I'm afraid there won't be a lot you can do.

    Best bet is to set up whatever forwarders you need to and then disable the catchall.
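
Whether an IP block is worth trying depends on how concentrated the connecting addresses are. As an added example (not part of the original thread), this counts the connecting IP on Exim mainlog arrival lines and reports the share of remote mail coming from the busiest addresses; the log lines are constructed for illustration and use documentation addresses.

```python
import re
from collections import Counter

# Exim logs a remote arrival as "<= sender H=... [ip] ...". The HELO name in
# H=(...) is chosen by the client and may itself be an address literal such as
# ([10.0.0.1]); the bracketed address preceded by a space is what Exim saw.
ARRIVAL_RE = re.compile(
    r"^\S+ \S+ \S+ <= (?P<sender>\S+).*? \[(?P<ip>[0-9a-fA-F.:]+)\]"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2004-08-05 10:15:01 1BsfKp-0003xZ-Lm <= a@example.org H=(mx.example.org) [192.0.2.15] P=esmtp S=2381
2004-08-05 10:15:02 1BsfKq-0003xb-0a <= b@example.net H=(x) [192.0.2.15] P=smtp S=2402
2004-08-05 10:15:02 1BsfKq-0003xd-3c <= c@example.com H=(y) [198.51.100.7] P=smtp S=2377
2004-08-05 10:15:03 1BsfKr-0003xf-6e <= <> R=1BsfKp-0003xZ-Lm U=mailnull P=local S=3120
2004-08-05 10:15:04 1BsfKs-0003xh-9g <= d@example.org H=(mx.example.org) [192.0.2.15] P=esmtp S=2390
2004-08-05 10:15:04 1BsfKp-0003xZ-Lm => catchall <KKFKJHICB@domain.com> R=localuser T=local_delivery
"""

def source_concentration(lines, top_n=3):
    """Return (per-IP arrival counts, share of remote arrivals from the top_n IPs)."""
    counts = Counter()
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if m:  # locally generated mail (bounces, scripts) has no [ip] and is skipped
            counts[m["ip"]] += 1
    total = sum(counts.values())
    top = sum(n for _, n in counts.most_common(top_n))
    return counts, (top / total if total else 0.0)

if __name__ == "__main__":
    counts, share = source_concentration(SAMPLE_LOG.splitlines(), top_n=1)
    for ip, n in counts.most_common():
        print(f"{n:6d}  {ip}")
    print(f"top source carries {share:.0%} of remote arrivals")
```

A share near 1.0 for a small `top_n` means a few addresses carry the flood; a low share means the mail is spread across many sources.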
     
  5. GOT

    GOT Get Proactive!

    wrong thread
     
    #5 GOT, Aug 5, 2004
    Last edited: Aug 5, 2004
  6. areha

    areha Well-Known Member

    Actually, you gave me an idea :) I can just set up forwarding for those catch-all users, and deliver to the webmail client. It will demand some custom setup for each account, but that is better than giving out pop3 addresses.
     