Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
We are using a VPS server for both hosting websites and mail.
We started facing email issues. Upon going through the logs I found that emails are going from "domain username@vps.ourdomain" to info@domain, sales@domain etc.
I checked this with our hosting provider; they told me to ignore it as it's just a notification from the VPS.
After that I checked some of the message contents, which turned out to be spam.
So my question is: is this behaviour of the server normal? Is this a problem? Can anyone help me resolve this?
If you are seeing spam, then run ClamAV if it is installed; if not, then install it and run a scan. It seems like you might have an infection, or your mail relay is open and forwarding spam.
We have more than 300 sites hosted on this server. I did ask our hosting provider to do that, and they replied: "We can run a full scan, however note that it will cause a heavy load on your server, and can cause a possible crash of the VPS during its running."
It's a managed VPS, so we don't have root access either. Is there any other way to find out what's happening?
Since it is managed and your access is limited, you need to get the host to do some digging. When I did VPS support, the main cause of server infection was WordPress plugins that got hacked. Have them run the scan; if it is infected you need to know fast.
Take a look at the domain where the spam is coming from for any new user accounts or pages that were added. Look at any plugins and see if there are updates for them. Many third-party plugins for WordPress are not very secure.
I have enclosed a few screenshots; can you have a look at them?
If those emails are the spam you have identified, your VPS is sending spam, probably in addition to receiving it.
You need to have your web administrator review the site security and configuration. It may be that one or more of those 300 web sites is sending spam due to being compromised or configured to do so by a user, or your mail server is misconfigured as an open relay, or both. That may not be the responsibility of the VPS provider or something included in the terms of your managed hosting.
I checked with some tools to see if our server is an open relay, but all the results came back as not an open relay.
I e-mailed our hosting provider about scanning the server and am awaiting a reply.
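The open-relay check mentioned above (and the misconfiguration the earlier reply warns about) comes down to one SMTP exchange: a server that accepts RCPT TO for a domain it does not host, from a sender it does not host, will relay for anyone. The script below is an added example for this thread, not code from any post or tool named here. It runs the probe with Python's standard smtplib against a constructed in-process mock server so it works offline; the mock's responses, the host names, the example domains and the addresses are all invented. Pointing check_open_relay() at a real host and port performs the same probe; no DATA command is ever sent, so nothing is delivered.

```python
"""Open-relay probe with a constructed mock SMTP server (added example, not from the thread)."""
import smtplib
import socket
import threading


def check_open_relay(host, port, local_domain,
                     probe_sender="probe@example.net",
                     foreign_rcpt="victim@example.org"):
    """MAIL FROM a foreign sender, then RCPT TO one local and one foreign recipient.
    A correctly configured MX accepts the local recipient and refuses the foreign one
    (Postfix replies '554 5.7.1 <addr>: Relay access denied').
    relays_foreign=True in the result means the server is an open relay."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("relaytest.example")          # assumed probe host name
        code, _ = s.mail(probe_sender)
        if code != 250:
            return {"accepts_local": False, "relays_foreign": False}
        local_code, _ = s.rcpt("postmaster@" + local_domain)
        foreign_code, _ = s.rcpt(foreign_rcpt)
        # No DATA is sent; the 'with' block ends the session with QUIT.
    return {"accepts_local": local_code == 250,
            "relays_foreign": foreign_code == 250}


def mock_smtp_server(listener, open_relay, local_domains):
    """Minimal SMTP responder for one connection. RCPT policy mimics Postfix:
    local domains are always accepted, foreign ones only when open_relay is True."""
    conn, _ = listener.accept()
    conn.settimeout(10)

    def send(text):
        conn.sendall((text + "\r\n").encode())

    send("220 mx.example.com ESMTP mock")   # invented banner
    with conn, conn.makefile("rb") as rfile:
        for raw in rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                send("250 mx.example.com")
            elif verb == "MAIL":
                send("250 2.1.0 Ok")
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip().strip("<>")
                if open_relay or addr.rpartition("@")[2].lower() in local_domains:
                    send("250 2.1.5 Ok")
                else:
                    send("554 5.7.1 <%s>: Relay access denied" % addr)
            elif verb == "QUIT":
                send("221 2.0.0 Bye")
                break
            else:
                send("502 5.5.2 Error: command not recognized")


def probe_mock(open_relay):
    """Start the mock on a loopback port and run the probe against it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=mock_smtp_server,
                              args=(listener, open_relay, {"example.com"}),
                              daemon=True)
    worker.start()
    try:
        return check_open_relay("127.0.0.1", port, "example.com")
    finally:
        listener.close()
        worker.join(10)


if __name__ == "__main__":
    print("closed relay:", probe_mock(False))
    print("open relay:  ", probe_mock(True))
```

A "not an open relay" verdict from a tool like this only says the server refuses unauthenticated relaying from outside. It says nothing about mail injected from inside the box, which is the other case the earlier reply raised: a script on one of the hosted sites calling the local sendmail, or a process on the VPS submitting to 127.0.0.1, never goes through this check at all.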
That is probably a good place to start, but without knowing what is included in the "scan" it is hard to know how much hope to put in that. If by scan they mean something like a virus scan it may not turn up much on a web server sending spam.
Do those 300 web sites belong to different people? Do others have any access to your VPS? Who is responsible for configuring and administering the VPS? As mentioned by someone earlier, if any of those web sites are built around WordPress that is a very common source of trouble with numerous exploits and vulnerabilities being available to the miscreants who may abuse it.
Depending on what the scan turns up, I would suggest having the VPS administrator (not the hosting provider) familiar with its configuration try to identify the cause of those emails and eliminate it.
ADDED COMMENT: The spam is originating on the VPS, if I am reading the screenshots correctly, but the frequency is not really high and the recipient gmail address looks to be the same. That would make me think it might be some web page being abused which is not sending mass spam to random recipients on the internet... that is a good thing. You might begin by looking at that domain's vhost on the server, assuming it to be a legitimate domain (must be if DKIM accepts it).
Yes, the 300 sites are different and belong to their respective owners. Our hosting provider (TPP Wholesale) is the admin of our VPS; server configuration and everything else is done by them. And we don't encourage clients to have a WP site; instead we build on other platforms like HTML, CSS, Bootstrap etc. And for e-commerce sites we prefer Magento 2.0.
From the screenshot it looks like you need to train your spam engine a bit as it seems to be giving a false positive. It looks like a site is sending email to their gmail address.
I think you need to worry more about the privacy violation you did by disclosing a customer's name and email.
Yup, somehow we are working on this with our provider; I have to check what they have got till now.
Will definitely implement this, and as far as the email is concerned, that's our developer's email; before sending that screenshot I checked with him and then shared it here. Without those emails it's difficult to check what's going on.
And also I have one doubt. Some emails show their sender address and IP as localhost (127.0.0.1); at this point the emails go through the server but don't show up in the inbox. Any reason for this?
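Two points in this thread call for the same piece of tooling: the earlier suggestion to start from the domain's vhost and work out which site is submitting the mail, and the question just above about messages whose client shows as localhost (127.0.0.1). Both are answered by correlating the mail log by queue ID rather than reading it line by line, which needs only read access to /var/log/mail.log, not root. The script below is an added example for this thread, not code from any post. It assumes Postfix-style syslog lines; the sample log, host names, queue IDs, IP addresses and mail addresses are all constructed. In the sample, the message logged with client=localhost[127.0.0.1] was submitted over SMTP by a process on the VPS itself (that is what that client address means in Postfix's smtpd log), the two pickup entries with uid=33 are mail handed to the local sendmail binary by the web server user, and the bounced delivery is what a message that leaves the server but never reaches an inbox looks like.

```python
"""Correlate Postfix mail.log lines by queue ID and rank where outbound mail originates.
Added example for this thread; the sample log below is constructed (invented hosts,
queue IDs, addresses and IPs in documentation ranges)."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Jan  5 10:12:01 vps postfix/pickup[1201]: 4A1B2C3D4E: uid=33 from=<www-data>
Jan  5 10:12:01 vps postfix/qmgr[1100]: 4A1B2C3D4E: from=<www-data@vps.example>, size=2231, nrcpt=1 (queue active)
Jan  5 10:12:02 vps postfix/smtp[1203]: 4A1B2C3D4E: to=<someone@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan  5 10:12:02 vps postfix/qmgr[1100]: 4A1B2C3D4E: removed
Jan  5 10:13:00 vps postfix/smtpd[1210]: connect from localhost[127.0.0.1]
Jan  5 10:13:00 vps postfix/smtpd[1210]: 5B2C3D4E5F: client=localhost[127.0.0.1]
Jan  5 10:13:00 vps postfix/qmgr[1100]: 5B2C3D4E5F: from=<info@shop.example>, size=5120, nrcpt=1 (queue active)
Jan  5 10:13:01 vps postfix/smtp[1203]: 5B2C3D4E5F: to=<someone@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan  5 10:13:01 vps postfix/qmgr[1100]: 5B2C3D4E5F: removed
Jan  5 10:14:30 vps postfix/smtpd[1215]: 6C3D4E5F60: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=sales@shop.example
Jan  5 10:14:30 vps postfix/qmgr[1100]: 6C3D4E5F60: from=<sales@shop.example>, size=900, nrcpt=1 (queue active)
Jan  5 10:14:31 vps postfix/smtp[1203]: 6C3D4E5F60: to=<bob@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=0.8, delays=0.1/0/0.2/0.5, dsn=5.1.1, status=bounced (host mail.example.org[198.51.100.7] said: 550 5.1.1 user unknown)
Jan  5 10:14:31 vps postfix/qmgr[1100]: 6C3D4E5F60: removed
Jan  5 10:15:00 vps postfix/pickup[1201]: 7D4E5F6071: uid=33 from=<www-data>
Jan  5 10:15:00 vps postfix/qmgr[1100]: 7D4E5F6071: from=<www-data@vps.example>, size=2198, nrcpt=1 (queue active)
Jan  5 10:15:01 vps postfix/smtp[1203]: 7D4E5F6071: to=<someone@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.4/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan  5 10:15:01 vps postfix/qmgr[1100]: 7D4E5F6071: removed
"""

# syslog prefix, postfix daemon name, queue ID, then the daemon's own fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]{8,}): (?P<rest>.*)$")
# key=value pairs; values are either <addr> or a run up to the next comma/space
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")


def parse_messages(log_text):
    """Group log lines by queue ID into {qid: {origin, sender, deliveries}}."""
    msgs = defaultdict(lambda: {"origin": None, "sender": None, "deliveries": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a queue ID (connect/disconnect) carry no message
        rec = msgs[m["qid"]]
        kv = {k: v.strip("<>") for k, v in KV_RE.findall(m["rest"])}
        if m["prog"] == "pickup":
            # handed to the local sendmail binary; uid identifies the submitting process
            rec["origin"] = "local submission by uid=%s (%s)" % (kv["uid"], kv["from"])
        elif m["prog"] == "smtpd" and "client" in kv:
            rec["origin"] = "smtp client " + kv["client"]
            if "sasl_username" in kv:
                rec["origin"] += " authenticated as " + kv["sasl_username"]
        elif m["prog"] == "qmgr" and "from" in kv:
            rec["sender"] = kv["from"]
        elif m["prog"] in ("smtp", "local", "virtual") and "to" in kv:
            rec["deliveries"].append((kv["to"], kv.get("status", "?")))
    return dict(msgs)


def originated_locally(origin):
    """True when the message was injected by a process on this VPS: either via the
    sendmail/pickup path or by an SMTP session from the loopback address."""
    return bool(origin) and (origin.startswith("local submission")
                             or "[127.0.0.1]" in origin or "[::1]" in origin)


def summarize(log_text, local_domains):
    """Rank message origins and list locally injected mail bound for foreign domains."""
    msgs = parse_messages(log_text)
    by_origin, by_recipient, suspects = Counter(), Counter(), []
    for qid, rec in msgs.items():
        by_origin[rec["origin"]] += 1
        for to, status in rec["deliveries"]:
            by_recipient[to] += 1
            if originated_locally(rec["origin"]) and to.rpartition("@")[2] not in local_domains:
                suspects.append((qid, rec["origin"], rec["sender"], to, status))
    return {"messages": msgs, "by_origin": by_origin,
            "by_recipient": by_recipient, "suspects": suspects}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, {"vps.example", "shop.example"})
    for origin, n in report["by_origin"].most_common():
        print("%3d  %s" % (n, origin))
    for row in report["suspects"]:
        print("SUSPECT", *row)
```

Run against a real mail.log with the set of domains the VPS actually hosts, the by_origin ranking shows whether the traffic is coming in through the web server user (pickup with the web server's uid), through loopback SMTP from some local process, or through authenticated submission from outside. The third case in the sample (sales@shop.example logging in from 203.0.113.45) is not local at all and would point to leaked credentials for that mailbox rather than a compromised site. If the provider can turn on PHP's mail.add_x_header directive, every message sent through mail() also carries an X-PHP-Originating-Script header naming the uid and script file, which takes the guesswork out of the pickup entries; that is a request to make to whoever administers php.ini.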
Check these screenshots. It's sending to somewhere else.