My server is being used to send spam

helptek

Registered
Apr 6, 2008
Hello,

I host about 500 accounts on my server (WHM 11.23.2 cPanel 11.23.3-S25959). This server's IP is constantly being marked as a "spammer" in lots of spam lists.

I enabled the option "Prevent the user "nobody" from sending out mail to remote addresses", I have clamAV and SMTP Tweak active, and I even changed the exim outgoing IP to a different one from the server's main IP.

Even so, the server's main IP is being listed as a spammer, primarily by hotmail.

I receive reports from spamlists with some copies of emails/spam sent from my server.
I cannot track any of the Exim IDs in the exim_mainlog, and many emails are being sent with this kind of ID:

01C95FEB.7E304865@"myserverhostname.com"

Most of the emails are being sent to hotmail, from requesters that do not exist on my server.

What can I do to track down these spammers? I believe they are exploiting php scripts, and almost all spam emails are not being sent from Exim. How can I find those scripts?

Any way to block this through firewall, IP tables or something else?

Any help would be very much appreciated.

Best regards,
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level: Root Administrator
Run suphp.

Install and run CSF and ensure you have port 25 outgoing blocked, or if you don't want to install CSF enable the cpanel "SMTP tweak".

Set the cpanel limit on outgoing emails to 150.

Lots of other things you can do, but those are some basics that will help.
 

ebizindia

Well-Known Member
Oct 13, 2005
Kolkata, India
cPanel Access Level: Root Administrator
hacked with automailer

One of the domains hosted on your server may have been hacked and the spammer may have installed an automailer script. I saw one such script in a client domain recently.

Search for bad.txt, good.txt, etc. files from the shell prompt and, if found, go to that directory. You can easily identify the mailer.

Just one possible problem.
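Following the reply above, an added example (not code from any poster in this thread) of a shell sweep over a cPanel web root for the traces described: the bad.txt / good.txt address lists a dropped mailer kit leaves behind, plus any .php/.cgi/.pl script that calls mail() or pipes to sendmail. It assumes the cPanel default layout of <root>/<user>/public_html and builds a constructed fixture so it can be run without a real server; the output is a list to review by hand, since a legitimate contact form is flagged as well.

```shell
#!/bin/bash
# Added example, not from the thread. Assumption: web roots live under
# <root>/<user>/public_html (cPanel default). Everything under build_fixture
# is constructed sample data.

# Print each directory (once) that contains a bad.txt or good.txt file.
find_mailer_dirs() {
  find "$1" -type f \( -name bad.txt -o -name good.txt \) \
    -exec dirname '{}' \; 2>/dev/null | sort -u
}

# Print each .php/.cgi/.pl file that calls mail( or references sendmail.
find_mail_senders() {
  find "$1" -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) \
    -exec grep -lE 'mail\(|sendmail' '{}' + 2>/dev/null | sort
}

# Combined report: MARKER lines for address lists, SENDER lines for scripts.
# A SENDER inside a MARKER directory is the strongest signal.
mailer_report() {
  find_mailer_dirs "$1" | sed 's/^/MARKER /'
  find_mail_senders "$1" | sed 's/^/SENDER /'
}

# Constructed fixture: one compromised account (address lists plus a mailer
# script hidden in images/) and one clean account with a normal contact form.
build_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/user1/public_html/images" "$root/user2/public_html"
  printf 'a@example.com\n' > "$root/user1/public_html/images/good.txt"
  printf 'b@example.com\n' > "$root/user1/public_html/images/bad.txt"
  printf '#!/usr/bin/perl\nopen(MAIL, "|/usr/sbin/sendmail -t");\n' \
    > "$root/user1/public_html/images/godi.cgi"
  printf '<?php echo "hello";\n' > "$root/user2/public_html/index.php"
  printf '<?php mail($to, $subject, $body);\n' \
    > "$root/user2/public_html/contact.php"
  printf '%s\n' "$root"
}

# Run with --demo to print the report for the constructed fixture;
# on a real box call: mailer_report /home
if [ "${1:-}" = "--demo" ]; then
  mailer_report "$(build_fixture)"
fi
```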
 

mccwho

Member
Nov 23, 2006
I found it running as godi.cgi.

Suspended the user until they ran a virus scan on their local PC to find any key-loggers, then I reset all of the user's passwords.
Seems to have stopped it for now.
 

crazyaboutlinux

Well-Known Member
Nov 3, 2007
I found it running as godi.cgi.

Suspended the user until they ran a virus scan on their local PC to find any key-loggers, then I reset all of the user's passwords.
Seems to have stopped it for now.

Then I reset all of the users' passwords?

At one go, or one by one?