The Community Forums


URGENT: domain account has used 35 gigs in bandwidth this month

Discussion in 'General Discussion' started by Zazoos1, Apr 12, 2007.

  1. Zazoos1
    Hello,

    I have one client domain that I noticed today has used 35 gigs in bandwidth this month. They normally don't exceed 5 for the month, and the last three days report about 6 gigs each day. I traced it to his POP usage. But the problem is, he only has two POP accounts, he doesn't seem to be sending these emails, and they are not clogging up the mail queue. The mail log shows instead that he is being hammered with spam every single second, sometimes three and four times per second, and this appears to have been going on for days.

    Here is a small portion of the exim_mainlog (which is 76 megs total):

    2007-04-12 16:42:52 H=(mail.apiinc.net) [65.105.174.67] F=<> temporarily rejected RCPT <+._-efxln@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
    2007-04-12 16:42:52 H=209-112-135-46-dsl-rb1.nwc.acsalaska.net (l71-server.Local71.local) [209.112.135.46] F=<> temporarily rejected RCPT <diwsk@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
    2007-04-12 16:42:54 H=air276.startdedicated.com [69.64.34.77] F=<> temporarily rejected RCPT <noxr@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
    2007-04-12 16:42:55 H=(smg-exchange.sigmadallas) [69.15.192.187] F=<> temporarily rejected RCPT <+._-diwsk@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"

    I replaced my actual client's domain with domain.com, but you can see none of the send-to addresses are even valid, and his default address is set to 'fail'. They all come from different mail servers and different IP addresses. Could these attempts be what is eating the bandwidth? What can I do to stop them?

    Any help or advice is appreciated.
     
  2. casey
    The setting for his default account is ":fail"; change it to ":fail:" and see if that helps.
     
  3. Zazoos1
    Hi, casey.

    Ah, I appreciate the advice! Thanks for the keen eye!

    Now the logs look like this for each email attempt:
    2007-04-13 08:19:37 H=n26c.bullet.scd.yahoo.com [66.218.67.218] F=<> rejected RCPT <iwsk@domain.com>: no such address here

    Does that mean it will stop eating all the bandwidth for this account and my server in general now?

    Your expertise is appreciated!
     
  4. Zazoos1
    Though changing the default setting seems to have helped, this account is still eating over three gigs each day in POP transfer. Any other ideas, please?
     
  5. brianoz
    If you're getting hammered by spam, try the "nolisting" technique. This will kill off about 2/3 of incoming spam on average. For you, things might differ, as all this spam is probably coming from one source. Make sure you create two extra MXs, not just one, so you end up having three, with both the highest and the lowest rejecting email. There are two good articles out there - the joreybump one and the SpamAssassin one - the SpamAssassin one is more recent and gives a better technique, as I described above.

    The other thing you should do is install some dictionary attack prevention if you haven't already; there's a good chance you have a dictionary attack running against the domain seeking to find valid email addresses.

    Finally, install the CSF firewall (click for link) which will detect, limit and/or stop many common attacks of this sort.
     
    #5 brianoz, Apr 16, 2007
    Last edited: Apr 16, 2007
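    Added example (not from the thread or from cPanel): a small Python parser for the exim_mainlog lines quoted above. It separates "temporarily rejected" (4xx, which remote servers keep retrying and so keep consuming bandwidth) from final "rejected" (5xx), flags the "error in redirect data" router error that the ":fail" vs ":fail:" fix cures, and applies a simple heuristic for the dictionary attack brianoz mentions (many distinct non-existent local parts from many distinct IPs). The thresholds and the function names are assumptions.

```python
import re
from collections import Counter

# Matches the exim_mainlog rejection lines quoted in this thread:
# timestamp, H=<rdns and/or (helo)> [ip], F=<sender>, "temporarily rejected"
# (4xx, the sender will retry) or "rejected" (5xx, final), RCPT <addr>: reason
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>.+?) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> (?P<kind>temporarily rejected|rejected) RCPT "
    r"<(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)

# Sample input: the lines posted in this thread (the domain was already masked by the poster).
SAMPLE_LOG = """\
2007-04-12 16:42:52 H=(mail.apiinc.net) [65.105.174.67] F=<> temporarily rejected RCPT <+._-efxln@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-12 16:42:52 H=209-112-135-46-dsl-rb1.nwc.acsalaska.net (l71-server.Local71.local) [209.112.135.46] F=<> temporarily rejected RCPT <diwsk@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-12 16:42:54 H=air276.startdedicated.com [69.64.34.77] F=<> temporarily rejected RCPT <noxr@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-12 16:42:55 H=(smg-exchange.sigmadallas) [69.15.192.187] F=<> temporarily rejected RCPT <+._-diwsk@domain.com>: error in redirect data: missing or malformed local part (expected word or "<") in ":fail"
2007-04-13 08:19:37 H=n26c.bullet.scd.yahoo.com [66.218.67.218] F=<> rejected RCPT <iwsk@domain.com>: no such address here
"""

def parse_line(line):
    """Return a dict of fields for a rejection line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["local_part"] = rec["rcpt"].split("@", 1)[0]
    # ':fail' without the trailing colon makes Exim's redirect router error out, giving a
    # 4xx that every sender retries; ':fail:' yields a final 5xx "no such address here".
    rec["router_error"] = rec["reason"].startswith("error in redirect data")
    return rec

def summarize(log_text):
    """Tally rejections by kind and remote IP, count router errors, collect bad local parts."""
    by_kind, by_ip, local_parts, router_errors = Counter(), Counter(), set(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_kind[rec["kind"]] += 1
        by_ip[rec["ip"]] += 1
        local_parts.add(rec["local_part"])
        router_errors += rec["router_error"]
    return {"by_kind": by_kind, "by_ip": by_ip,
            "local_parts": local_parts, "router_errors": router_errors}

def looks_like_dictionary_attack(summary, min_ips=3, min_local_parts=3):
    """Heuristic (assumed thresholds): many distinct bad local parts from many distinct IPs."""
    return len(summary["by_ip"]) >= min_ips and len(summary["local_parts"]) >= min_local_parts

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["by_kind"], "router errors:", s["router_errors"],
          "dictionary attack:", looks_like_dictionary_attack(s))
```

On a real 76 MB log, run summarize over the file contents and watch the "temporarily rejected" count drop to zero after the default address is corrected; a rising number of distinct IPs and local parts is the dictionary-attack signal.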
  6. mohit
    Hi,
    Check whether the default ID has lots of mail stored that is being accessed by your client somehow.
    Ask your clients to change the POP account passwords and especially the cPanel password, because it can be used to relay mail even if they are infected with a virus or worm on the office machine.

    see ya,
    mohit
     
  7. bmcpanel
    If you haven't done so already, you might want to consider installing the following exim tweak...

    http://www.webhostgear.com/338.html

    You can add your own spam keywords. We have about 20 common spam keywords that we block, in addition to the ones the script already comes with, and we stop about 700-800 spam emails per day per server during a normal email load.
     