Hi guys,
I've recently had a huge issue with a bunch of outgoing email spam. It looks like I have a new noisy neighbor, but I have been absolutely unable to identify them. I've been pulling my hair out and have tried everything I can think of, but nothing is working. Just to recap, some things I've done are:
- Ran a clamscan
- Bought CXS and ran that
- Enabled SpamAssassin (I don't think this does much for outgoing emails, though)
- Read & followed the official cPanel guide for "Preventing SMTP Abuse"
- Prevented sending mail as "nobody"
- Severely rate-limited the number of mails sent per hour for all accounts
- Disabled mail() in PHP
- Changed the exim flag to +all for more information in the email headers
The only reason I know the spam is still being sent out is because my datacenter is sending me dozens of new Spamcop reports every day.
At the bottom of this post is a copy of one of the SpamCop reports on one of my server's IPs - [Removed]
The relevant lines are:
[Removed]
So this is the domain/email/whatever the spammer is using to send them.
If I search for [Removed] in my Mail Delivery Reports, there are zero results. However they're sending mail, it's not showing up properly in any of the tools WHM provides to view mail.
If I head over to the "View Sent Summary" section to see which clients have the highest send rates, most domains are around 20-30 mails (average) except for the -remote- user who has 5 successfully sent and 483 failed & deferred messages.
If I open /var/log/exim_mainlog and search for " [Removed]", there are 0 results found.
At this point, I'm looking for assistance on either how 1) I can disable mail system-wide except for a whitelist of accounts that I manually approve, or 2) how to identify this darn spammer!
Thank you so much!
[Removed]
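Grepping exim_mainlog for the spoofed From address, as the post does, usually finds nothing because that address only appears in the message header, not necessarily in the envelope sender Exim logs. What Exim does log on every arrival line (`<=`) is who submitted the message: an `A=` field for SMTP-authenticated senders, a `U=` field for local submissions (a script calling sendmail), and neither for unauthenticated remote connections. With `log_selector` set to `+all`, cPanel's Exim also writes a `cwd=` line for each sendmail invocation, which names the directory the sending script ran from. The script below is an added example, not part of the original post or of cPanel; it tallies arrivals by submitter and sendmail invocations by working directory. The log excerpt it ships with is constructed for offline use (the message IDs, hosts and addresses are made up), and the function names are mine. Point it at a real log with `sh findsender.sh /var/log/exim_mainlog`.

```shell
#!/bin/sh
# Added example (not from the original post): attribute Exim arrivals to the
# account or script that submitted them, using only standard Exim log fields.
# Assumes Exim's mainlog format: "<date> <time> <msgid> <= <sender> H=... U=... P=... A=... S=... T=... for ...".
# The cwd= lines are what cPanel's Exim emits with log_selector +all.

# Count arrival lines by origin:
#   auth:<authenticator:user>  -> submitted over authenticated SMTP (A= field)
#   local:<user>               -> submitted locally via sendmail (U= field)
#   remote-unauthenticated     -> neither field present (assumed to be the
#                                 traffic WHM lumps under a generic bucket)
tally_senders() {
    awk '
        $4 == "<=" {
            origin = "remote-unauthenticated"
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^T=/) break               # subject may contain anything; stop here
                if ($i ~ /^U=/) origin = "local:" substr($i, 3)
                if ($i ~ /^A=/) { origin = "auth:" substr($i, 3); break }
            }
            count[origin]++
        }
        END { for (o in count) print count[o], o }
    ' "$1" | sort -rn
}

# Count sendmail invocations by the directory the calling process ran from.
# A web-root or uploads directory near the top is the compromised script's home.
tally_cwd() {
    awk '
        $3 ~ /^cwd=/ { count[substr($3, 5)]++ }
        END { for (d in count) print count[d], d }
    ' "$1" | sort -rn
}

# Constructed sample log (not real traffic) so the script runs offline.
sample_log() {
    cat > "$1" <<'EOF'
2024-03-01 10:00:01 1rABCD-000001-AA <= alice@example.com H=(laptop) [198.51.100.7] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:alice@example.com S=2048 id=1@example.com T="Invoice" for bob@example.net
2024-03-01 10:00:02 1rABCD-000001-AA => bob@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [203.0.113.25]
2024-03-01 10:00:02 1rABCD-000001-AA Completed
2024-03-01 10:05:00 cwd=/home/webuser/public_html/wp-content/uploads/cache 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:05:00 1rABCD-000002-AB <= promo@random-brand.example U=webuser P=local S=5120 id=2@random-brand.example T="Cheap watches" for victim1@example.org
2024-03-01 10:05:00 cwd=/home/webuser/public_html/wp-content/uploads/cache 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:05:00 1rABCD-000003-AC <= promo@random-brand.example U=webuser P=local S=5120 id=3@random-brand.example T="Cheap watches" for victim2@example.org
2024-03-01 10:06:00 1rABCD-000004-AD <= <> H=(unknown) [203.0.113.9] P=esmtp S=900 T="Undeliverable" for postmaster@example.com
EOF
}

main() {
    if [ -n "$1" ]; then
        log="$1"
    else
        log=$(mktemp)
        sample_log "$log"
    fi
    echo "== arrivals by submitter =="
    tally_senders "$log"
    echo "== sendmail invocations by working directory =="
    tally_cwd "$log"
}

main "$@"
```

In the sample, the spoofed From address `promo@random-brand.example` never matches a cPanel account, which is exactly why a search for it in the WHM reports comes up empty; the `U=webuser` and `cwd=/home/webuser/...` fields are what identify the account and the script. On a real server, run the same tallies over the log covering the timestamp in the SpamCop report, and inspect whatever directory tops the `cwd=` list.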