The Community Forums


Outgoing Spam Email Question

Discussion in 'E-mail Discussions' started by TheKog, Nov 23, 2005.

  1. TheKog

    TheKog Active Member

    We recently changed IP addresses on our server and since the change have had ISPs such as AOL identify us as a spam source. We took appropriate measures to set up feedback loops and get things straightened out, but now I think I am only seeing the tip of the iceberg.

    On our feedback loop I now see the msgs AOL users identify as spam and they are the usual garbage. While the msgs appear to be coming from us there are also IPs to obvious spammers out of Amsterdam etc.

    The problem we are having is figuring out how to identify how our server is being used to send these spams. Is someone inserting our IP in their SPAM mail and not using our mailer at all? Or is there a vulnerability in some PHP script on one of the virtual host accounts somewhere on our server and our server IS being used to transmit this garbage?

    Any advice is welcomed.
     
  2. nyjimbo

    nyjimbo Well-Known Member

    I hate to just generalize, but you should put in mod_security if you haven't already. This might not be your problem at the moment, but a lot of us are finding that this mod is now something we cannot operate without. If you are getting this from vulnerable scripts it's a nightmare to track them down, and even if you do, some "web designer" will install another one elsewhere in a few days. mod_security will put in a layer of protection to really cut down on a lot of Apache problems like spamming, guest book insertions, rogue/rude search engines, etc.

    If the problem is so-called "joe job" spam then it's some other server spamming with your email as the return address, which requires a whole different approach, but I still recommend doing the mod_security thing ASAP if you haven't already.
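The question from the opening post (is our box actually handling this mail, or is someone only forging our name into it?) can usually be settled from the Received headers of the copies the feedback loop sends back. The script below is an added example, not something posted in this thread and not cPanel code. It walks the headers from the reporting ISP's own hop downward and trusts a hop only if the hop above it was genuinely us, because everything under the ISP's own Received line was written by whoever handed the message over. The three sample messages, the address 192.0.2.10 for "our" server and all host names are constructed for illustration.

```python
"""Classify a feedback-loop complaint: did the message really pass through
our server, or was our name only forged into it?  Added example; all sample
messages, hosts and IPs below are constructed, not taken from the thread."""
import re

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)
WITH_LOCAL = re.compile(r"\bwith\s+local\b", re.IGNORECASE)
LOOPBACK = {"127.0.0.1"}


def unfold_headers(raw):
    """Return (name, value) pairs from a header block, joining folded lines."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # end of header block
        if line[0] in " \t" and pairs:
            pairs[-1][1] += " " + line.strip()      # folded continuation
        else:
            name, _, value = line.partition(":")
            pairs.append([name.strip().lower(), value.strip()])
    return [tuple(p) for p in pairs]


def received_hops(raw):
    """Received headers as dicts, newest (topmost) first."""
    hops = []
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        ip = BRACKET_IP.search(value)
        by = BY_HOST.search(value)
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            # Exim writes "from <user> by <host> with local" when a local
            # process (a PHP script calling sendmail, say) submits the mail
            "local": bool(WITH_LOCAL.search(value)),
        })
    return hops


def classify(raw, our_ips):
    """Verdict for one complaint.  Only the topmost Received header is trusted
    outright (the reporting ISP wrote it); the one below it is trusted only if
    the ISP says it received the message from one of our_ips."""
    hops = received_hops(raw)
    if not hops:
        return {"verdict": "no-received-headers", "source_ip": None}
    top = hops[0]
    if top["from_ip"] not in our_ips:
        # The ISP got it from someone else; any mention of us further down
        # (or in From:/Return-Path:) is forged.  Classic joe job.
        return {"verdict": "forged", "source_ip": top["from_ip"]}
    if len(hops) < 2:
        return {"verdict": "relayed-unknown-source", "source_ip": None}
    ours = hops[1]                                  # the header our MTA added
    if ours["local"] or ours["from_ip"] in LOOPBACK or ours["from_ip"] in our_ips:
        # Injected on the box itself: look for a script, not a relay hole
        return {"verdict": "local-injection", "source_ip": ours["from_ip"]}
    # Our MTA accepted it from a remote client: relay abuse (or a stolen
    # mailbox password, if that session was authenticated)
    return {"verdict": "relayed", "source_ip": ours["from_ip"]}


OUR_IPS = {"192.0.2.10"}          # constructed: the IP of "our" server

# Constructed samples in the shape of the headers an FBL copy carries.
RELAYED = """\
Received: from smtp.serverx.example (smtp.serverx.example [192.0.2.10])
\tby mail.isp.example (8.13.1/8.13.1) with ESMTP id jANF0000
\tfor <user@isp.example>; Wed, 23 Nov 2005 10:00:00 -0500
Received: from pc-amsterdam ([198.51.100.77])
\tby smtp.serverx.example with esmtp (Exim 4.52) id 1EfGh-0001Ab-2C
\tfor user@isp.example; Wed, 23 Nov 2005 09:59:58 -0500
From: sales@serverx.example
Subject: buy now
"""

JOE_JOB = """\
Received: from mail.spammer.example (unknown [203.0.113.5])
\tby mail.isp.example (8.13.1/8.13.1) with ESMTP id jANF0001
\tfor <user@isp.example>; Wed, 23 Nov 2005 10:01:00 -0500
Received: from smtp.serverx.example ([192.0.2.10]) by mail.spammer.example
\twith SMTP id fake123; Wed, 23 Nov 2005 10:00:30 -0500
From: sales@serverx.example
Subject: buy now
"""

SCRIPT = """\
Received: from smtp.serverx.example (smtp.serverx.example [192.0.2.10])
\tby mail.isp.example (8.13.1/8.13.1) with ESMTP id jANF0002
\tfor <user@isp.example>; Wed, 23 Nov 2005 10:02:00 -0500
Received: from nobody by smtp.serverx.example with local (Exim 4.52)
\tid 1EfGi-0001Ac-3D for user@isp.example; Wed, 23 Nov 2005 10:01:58 -0500
From: nobody@serverx.example
Subject: buy now
"""

if __name__ == "__main__":
    for label, msg in (("relayed", RELAYED), ("joe job", JOE_JOB), ("script", SCRIPT)):
        print(label, classify(msg, OUR_IPS))
```

Feed it the full original message that the complaint carries, not the complaint wrapper, and make sure the topmost header really is the reporting ISP's own hop; if the ISP strips or reorders headers the trust chain breaks and the verdict means nothing. A "relayed" verdict with a remote source_ip is the relay problem discussed later in this thread; "local-injection" points at a script or a local user on the box; "forged" means the mail never touched the server and only the return address was borrowed.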
     
  3. TheKog

    TheKog Active Member

    Thank you, I will investigate mod_security. I have one other question that might help. Assume our server is "serverx.com".

    At the moment with the default cpanel/whm it appears anyone on the whole web can put in smtp.serverx.com or smtp.anyvirtualhostonserverx.com as their sending smtp and it works. Will mod_security eliminate that? We want to force users to use their own ISPs mailer and reserve ours only for activity from our server.

    The more we look at it, the more we think this is the issue rather than a script with a big hole.
     
  4. nyjimbo

    nyjimbo Well-Known Member

    Are you saying you think you are an "open relay" or allowing anyone to send mail? Go to www.dnsreport.com and run their tests, do both of them, and check the results to see what is really going on with your machines. This will give you a good idea where you stand for SMTP problems. If you are an open relay you need to close that off immediately, even before the mod_security thing.
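A relay check you can run yourself alongside a third-party test page. This is an added example, not code from this thread or from cPanel. It opens an unauthenticated SMTP session, offers a sender and a recipient that are both foreign to the server, and reports what the server answers at RCPT TO; it never sends DATA, so nothing is queued even against a wide-open server. `FakeSmtpServer` is a constructed stand-in so the probe runs offline; `probe_host()` runs the same session over a real socket. All host names and addresses are placeholders.

```python
"""Open-relay probe for an SMTP server.  Added example, not code from the
thread or from cPanel; host names and addresses are placeholders."""
import socket


def read_reply(rfile):
    """Read one SMTP reply, following '250-' continuation lines.
    Returns (code, [text of each line])."""
    texts = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":   # '-' in column 4 means more lines
            return int(line[:3]), texts


def send(wfile, command):
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()


def relay_probe(rfile, wfile, helo="probe.example.net",
                mail_from="probe@outside.example.net",
                rcpt_to="someone@elsewhere.example.org"):
    """Unauthenticated session up to RCPT TO.  The caller must pass a sender
    and recipient that are both foreign to the server under test; a correctly
    configured server then refuses at RCPT (or earlier).  DATA is never sent."""
    result = {"banner": None, "mail_from": None, "rcpt_to": None, "relays": False}
    code, texts = read_reply(rfile)
    result["banner"] = (code, texts[0])
    if code == 220:
        send(wfile, "EHLO " + helo)
        code, _ = read_reply(rfile)
        if code != 250:                         # old server: fall back to HELO
            send(wfile, "HELO " + helo)
            code, _ = read_reply(rfile)
    if code == 250:
        send(wfile, "MAIL FROM:<%s>" % mail_from)
        code, texts = read_reply(rfile)
        result["mail_from"] = (code, texts[0])
    if code == 250:
        send(wfile, "RCPT TO:<%s>" % rcpt_to)
        code, texts = read_reply(rfile)
        result["rcpt_to"] = (code, texts[0])
        result["relays"] = code in (250, 251)   # accepted a foreign recipient
    send(wfile, "QUIT")
    try:
        read_reply(rfile)
    except (ConnectionError, ValueError):
        pass
    return result


def probe_host(host, port=25, timeout=15.0):
    """Run the probe over a real TCP connection.  Run it from OUTSIDE your own
    network: a relay_from_hosts entry for your office IP would hide the hole."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_probe(rfile, wfile)


class FakeSmtpServer:
    """Constructed stand-in so the probe runs offline.  relay=True behaves like
    an open relay; relay=False like a server that relays only for local
    domains or authenticated sessions and otherwise answers 550."""

    def __init__(self, relay, local_domain="serverx.example"):
        self.relay = relay
        self.local_domain = local_domain
        self.transcript = []
        self._pending = [b"220 smtp.serverx.example ESMTP ready\r\n"]

    def readline(self):
        return self._pending.pop(0) if self._pending else b""

    def flush(self):
        pass

    def write(self, data):
        command = data.decode("ascii").rstrip("\r\n")
        self.transcript.append(command)
        verb = command.split(":")[0].split(" ")[0].upper()
        if verb == "EHLO":
            self._pending += [b"250-smtp.serverx.example Hello\r\n",
                              b"250-SIZE 52428800\r\n",
                              b"250 AUTH PLAIN LOGIN\r\n"]
        elif verb == "MAIL":
            self._pending.append(b"250 OK\r\n")
        elif verb == "RCPT":
            domain = command.split("@", 1)[1].rstrip(">")
            if self.relay or domain == self.local_domain:
                self._pending.append(b"250 Accepted\r\n")
            else:
                self._pending.append(b"550 relay not permitted\r\n")
        elif verb == "QUIT":
            self._pending.append(b"221 closing connection\r\n")
        else:
            self._pending.append(b"500 unrecognised command\r\n")


if __name__ == "__main__":
    for relay in (True, False):
        server = FakeSmtpServer(relay=relay)
        print("open relay" if relay else "closed", relay_probe(server, server))
```

Read the result as follows: a 250 at RCPT TO for a recipient the server is not responsible for is an open relay; a 550 there (stock Exim says "relay not permitted", from the default `acl_check_rcpt`, which allows relaying only for hosts in `relay_from_hosts` or for an authenticated session) means the hole TheKog describes is closed for that port. Probe 587 as well as 25, and probe every hostname that resolves to the box, since all of them hit the same Exim.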
     
  5. TheKog

    TheKog Active Member

    I do not think we are an open relay according to the tests I've run, but nevertheless anyone can set their SMTP to www.anyvirtualhostonourserver.com and it will send their email.

    How do folks such as bellsouth.net set things so that you must be logged on to their network to send using their server?
     
  6. sparek-3

    sparek-3 Well-Known Member

    You may want to investigate your forwarders on your server. If you have users who are forwarded e-mail to their AOL account and then once that forwarded mail gets to their AOL account, if they click the "Report Spam" button, then AOL will view the message as spam being sent from your server. This is really just a downside to allowing AOL forwarders on your server. I am not aware of anything that can be done to stop this, other than asking your users not to use the Report Spam button in AOL.
     
  7. TheKog

    TheKog Active Member

    We are eliminating folks from forwarding and using this server for just a few sites of our own.

    We still have a problem that anyone can use our SMTP for sending, though, and need to know how to shut that down.
     
  8. sawbuck

    sawbuck Well-Known Member

    Assume you have enabled "verify the existence of email senders" in WHM?
     
  9. TheKog

    TheKog Active Member

    Yep. What's weird is we have 2 servers configured similarly, but one has much more recent WHM, cPanel, Exim, etc. One server allows sending through smtp.nameyourvirtualserver.com and one does not. We will update the down-level one tonight and see if it changes anything.

    Also we are banning all forwarding -- it just makes you look like a bad relayer and AOL is obviously just the tip of the iceberg.
     
  10. lloyd_tennison

    lloyd_tennison Well-Known Member

    As per your quote, that DOES make you an open relay. The default setup is to have all email senders be authenticated. If yours do not, that is your problem. You would need to correct your Exim configuration.
     
  11. bleachga

    bleachga Member

    How does one do that? Is there a web page that explains how to change the exim config to not allow open relays?
     
  12. lloyd_tennison

    lloyd_tennison Well-Known Member

    Just start with the default exim install.

    And yes, there are notes, but if you keep the default, you will be fine.
     