URGENT: domain account has used 35 gigs in bandwidth this month

Zazoos1

Well-Known Member
Jan 1, 2004
Hello,

I have one client domain who I noticed today has used 35 gigs in bandwidth this month. They normally don't exceed 5 for the month, and the last three days report about 6 gigs each day. I traced it to his POP usage. But the problem is, he only has two POP accounts, he doesn't seem to be sending these emails, and they are not clogging up the mail queue. The mail log shows instead that he is being hammered with spam every single second, sometimes three and four times per second, and this appears to have been going on for days.

Here is a small portion of the exim_mainlog (which is 76 megs total):

2007-04-12 16:42:52 H=(mail.apiinc.net) [65.105.174.67] F=<> temporarily rejected RCPT <[email protected]>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-12 16:42:52 H=209-112-135-46-dsl-rb1.nwc.acsalaska.net (l71-server.Local71.local) [209.112.135.46] F=<> temporarily rejected RCPT <[email protected]>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-12 16:42:54 H=air276.startdedicated.com [69.64.34.77] F=<> temporarily rejected RCPT <[email protected]>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-12 16:42:55 H=(smg-exchange.sigmadallas) [69.15.192.187] F=<> temporarily rejected RCPT <[email protected]>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"

I replaced my actual client's domain with domain.com, but you can see none of the send-to addresses are even valid, and his default address is set to 'fail'. They all come from different mail servers and different IP addresses. Could these attempts be what is eating the bandwidth? What can I do to stop them?

Any help or advice is appreciated.
 

casey

Well-Known Member
Jan 17, 2003
The setting for his default account is ":fail". Change it to ":fail:" and see if that helps.
 

Zazoos1

Well-Known Member
Jan 1, 2004
Hi, casey.

Ah, I appreciate the advice! Thanks for the keen eye!

Now the logs look like this for each email attempt:
2007-04-13 08:19:37 H=n26c.bullet.scd.yahoo.com [66.218.67.218] F=<> rejected RCPT <[email protected]omain.com>: no such address here

Does that mean it will stop eating all the bandwidth for this account and my server in general now?

Your expertise is appreciated!
 

Zazoos1

Well-Known Member
Jan 1, 2004
Though changing the default setting seems to have helped, this account is still eating over three gigs each day in POP transfer. Any other ideas, please?
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level: Root Administrator
If you're getting hammered by spam, try the "nolisting" technique. This will kill off about 2/3 of incoming spam on average. For you, things might differ, as all this spam is probably coming from one source. Make sure you create two extra MXs, not just one, so you end up having three, with both the highest and the lowest rejecting email. There are two good articles out there, the joreybump one and the SpamAssassin one; the SpamAssassin one is more recent and gives a better technique, as I described above.

The other thing you should do is install some dictionary attack prevention if you haven't already; there's a good chance you have a dictionary attack running against the domain seeking to find valid email addresses.

Finally, install the CSF firewall, which will detect, limit and/or stop many common attacks of this sort.
 
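The first post and brianoz's reply both come down to the same question: does the exim_mainlog show a dictionary attack (many never-repeated local parts from many hosts) and, before the ":fail:" fix, a retry storm caused by temporary (4xx) rejections, which senders are obliged to retry, versus permanent (5xx) rejections, which they are not. The script below is an added example, not code from the thread or from cPanel; it parses log lines in the format shown in the first two posts and computes those signals. The log lines, IPs and recipient names in SAMPLE_LOG are constructed for the example, and the thresholds in looks_like_dictionary_attack are assumptions to tune for your own volume.

```python
"""Summarise rejected RCPT lines from an exim_mainlog excerpt (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Matches the rejection lines quoted in the thread:
#   <ts> H=<helo or (helo) or host (helo)> [<ip>] F=<sender> [temporarily ]rejected RCPT <rcpt>: <reason>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"H=(?P<helo>\S+(?: \([^)]*\))?) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> "
    r"(?P<temp>temporarily )?rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)

# Constructed sample in the format of the post: documentation-range IPs, invented recipients.
# The first five lines are the "temporarily rejected" form seen with ":fail" (4xx, sender retries),
# the last three the "rejected ... no such address here" form seen after switching to ":fail:".
SAMPLE_LOG = """\
2007-04-12 16:42:52 H=(mail.example.net) [192.0.2.10] F=<> temporarily rejected RCPT <aaron@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-12 16:42:52 H=host-11.example.org (pc1.local) [192.0.2.11] F=<> temporarily rejected RCPT <abby@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-12 16:42:52 H=mx.example.com [198.51.100.5] F=<> temporarily rejected RCPT <abe@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-12 16:42:54 H=(mail.example.net) [192.0.2.10] F=<> temporarily rejected RCPT <aaron@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-12 16:42:55 H=relay.example.com [198.51.100.6] F=<> temporarily rejected RCPT <adam@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-13 08:19:37 H=n26c.example.com [203.0.113.7] F=<> rejected RCPT <alan@domain.com>: no such address here
2007-04-13 08:19:37 H=n27c.example.com [203.0.113.8] F=<> rejected RCPT <albert@domain.com>: no such address here
2007-04-13 08:19:38 H=n26c.example.com [203.0.113.7] F=<> rejected RCPT <alex@domain.com>: no such address here
"""


@dataclass
class Rejection:
    ts: str
    ip: str
    sender: str        # empty string for F=<> (bounce / null sender)
    rcpt: str
    temporary: bool    # True for "temporarily rejected" (4xx), False for "rejected" (5xx)
    reason: str


def parse_log(text):
    """Return one Rejection per matching line; unrelated exim lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Rejection(m["ts"], m["ip"], m["sender"], m["rcpt"].lower(),
                                 bool(m["temp"]), m["reason"]))
    return out


def summarize(rejections):
    """Counts that separate a harvesting run and a retry storm from ordinary typos."""
    per_second = Counter(r.ts for r in rejections)
    per_pair = Counter((r.ip, r.rcpt) for r in rejections)
    rcpt_hits = Counter(r.rcpt for r in rejections)
    return {
        "total": len(rejections),
        "temporary": sum(1 for r in rejections if r.temporary),
        "permanent": sum(1 for r in rejections if not r.temporary),
        "distinct_ips": len({r.ip for r in rejections}),
        "distinct_rcpts": len(rcpt_hits),
        "single_hit_rcpts": sum(1 for c in rcpt_hits.values() if c == 1),
        "peak_per_second": max(per_second.values(), default=0),
        # same host retrying the same recipient: what 4xx rejections invite
        "retried_pairs": sum(1 for c in per_pair.values() if c > 1),
        "null_sender": sum(1 for r in rejections if r.sender == ""),
    }


def looks_like_dictionary_attack(summary, min_rcpts=5, min_ips=3):
    """Heuristic (thresholds are assumptions): many distinct local parts, mostly
    tried only once, arriving from several hosts, is address harvesting rather
    than a few real correspondents mistyping an address."""
    return (summary["distinct_rcpts"] >= min_rcpts
            and summary["distinct_ips"] >= min_ips
            and summary["single_hit_rcpts"] * 2 >= summary["distinct_rcpts"])


if __name__ == "__main__":
    # Run against a real log with: python3 this.py < /var/log/exim_mainlog
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    s = summarize(parse_log(text))
    for k, v in s.items():
        print(f"{k:>18}: {v}")
    print("dictionary attack likely:", looks_like_dictionary_attack(s))
```

On the constructed sample the temporary/permanent split is 5/3, one (host, recipient) pair is retried, and the verdict is a dictionary attack; on a real 76 MB log, read the retried_pairs figure as the cost of the old ":fail" setting and watch distinct_ips to decide whether a per-host block (CSF) or the MX-level nolisting trick is the better fit.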

mohit

Well-Known Member
Jul 12, 2005
Sticky On Internet
Hi,
Check whether the default ID has lots of mails stored which are accessed by your client anyhow.
Ask your clients to change the POP account passwords and especially the cPanel password, because it can be used to relay mails even if they are infected with any virus or worm on the office machine.

see ya,
mohit
 

bmcpanel

Well-Known Member
Jun 1, 2002
If you haven't done so already, you might want to consider installing the following exim tweak...

http://www.webhostgear.com/338.html

You can add your own spam keywords. We have about 20 common spam keywords that we block, in addition to the ones the script already comes with, and we stop about 700-800 spam emails per day per server during a normal email load.