What is the best way to monitor for compromised accounts/emails that are sending spam emails form the server -WHM

[Jeromero]

Hi all,
I just had another email from my WHM/server sending the spam messages and after I managed to sanitize that I actually realized that I need a stable solution for this.
I was lucky that I have set up "Maximum percentage of failed or deferred messages a domain may send per hour " to 30 and that saved me from trouble of delisting the IP from spamlists.
Now what would be a better solution to monitor all the domains and emails on the server so I will know before the IP gets blacklisted?
Is OSM (Outgoing spam monitor - Outgoing Spam Monitor (osm)) plugin solution for this or there is somthing else I can do to avoid these problems?

 

[keat63]

I run our own corporate server, so I don't really have an issue with unknown senders sending many emails.
However, I do have something configured that emails me when an email address has sent more than 250 emails.

In Tweak Settings / Mail
Number of emails a domain may send per day before the system sends a notification.
and
Number of unique recipients per hour to trigger potential spammer notification.

This should assist me in identifying if a user account or pc had been compromised.

 

[ZenHostingTravis]

I was lucky that I have set up "Maximum percentage of failed or deferred messages a domain may send per hour " to 30 and that saved me from trouble of delisting the IP from spamlists.

We've never used the software you mentioned but we have used CXS, as probably most hosts have.

We set our email limits conservatively. Why was spam being related? Was a website hacked?

If it was, a solution like Imunify is a good option IMHO.

You can monitor IP reputation using mxtoolbox.com.

They have a free and paid service.

There are also plugins you can purchase and install which monitor your IP reputation.

 

[cPAdminsMichael]

Just continueing on the others' posts.. I think setting right limits in tweak settings is the way forward.
Also would be good to know if spam is because of:

a) hacked website, sending scripts
b) bad coded website, sending spam through contact forms, etc.
c) Hacked mail account
d) Hacked client

All these may require different actions.

For blacklist monitoring, there are many tools out there. I'm in favor of Hetrix Tools (Free Blacklist Monitoring | Blacklist Check - HetrixTools)

 

[keat63]

CSF firewall will check your server against around 30 rbl's and can be scheduled daily

 

[sparek-3]

Short of standing over the shoulder of all of your clients and smacking them across the back of their heads everytime they use a stupid password, reuse a password, install or visit a website that might install malware or keyloggers on their system... you really can't do much proactively. You can set monitors in place to notify you when potential spam activity is happening on your server, but it's only going to catch it after the fact.

 

[ffeingol]

OSM is a decent solution (but you still need to monitor it). One of the default things you can do is to simply have it 'hold' the email for the offending account/mailbox and it will sit in Exim's queue. It uses existing cPanel functionality to do the outbound hold. You can then review if it's spam, remove it from the queue (CMQ works well for that) and then release the hold.

We had to do tweaking when we first put it in. We have customers with legit newsletters etc. so we added exceptions in (pretty easy to do). Now it pretty much catches everything. Compromised mailboxes (because "people" use easy passwords) as well as web site compromises and contact form spam.

 

[Jeromero]

@keat63 Thank you for the info.
It seems that can help a lot.
Just for the clarification, to which email those notifications come to?
Do I get control over what is the notification email?

 

[cPanelLauren]

Notification emails for CSF will go to the administrative email set in cPanel. So whichever email you have set to forward root's email too I believe