How to block email spamming coming from my server?

TheOnlyQ · 06-26-2011, 03:40 PM

Hey LQ.

I don't know what to do, I know how to block and delete pretty much every other type of abuse.

I run a server with 500+ shared hosting clients and reseller clients and it was just blocked because of email spam.

I can keep on top of all other abuse (people trying to do dos attacks etc) but the one thing I can't get my head around is email spamming.

Any one have any information on how to stop people spamming emails from my server? This is really urgent.

Thanks.

Tinkster · 06-26-2011, 05:24 PM

I assume that one (or several) of the client installs acts as
an open relay; check out who produces the traffic, and then
look at their e-Mail configuration.

TheOnlyQ · 06-26-2011, 05:43 PM

Quote:

Originally Posted by Tinkster

I assume that one (or several) of the client installs acts as
an open relay; check out who produces the traffic, and then
look at their e-Mail configuration.

This is a cPanel server. Where would I check who is using the most mail traffic?

Tinkster · 06-26-2011, 06:43 PM

Sorry, I can't answer that - I never used cPanel; hope some of our
other members have, and will be able to shed light.

TheOnlyQ · 06-26-2011, 07:19 PM

Quote:

Originally Posted by Tinkster

Sorry, I can't answer that - I never used cPanel; hope some of our
other members have, and will be able to shed light.

Thanks for your help anyway.

Really hope someone can help, I'm getting screwed with this.

TheOnlyQ · 06-28-2011, 01:23 AM

Still looking for someone to help, please if anyone has any information I will appreciate it.

ButterflyMelissa · 06-28-2011, 09:56 AM

Okay...since you asked sooooo nicely

- how about (long shot) mailsnarf? It's part of the dsniff package, a collection of nifty tools for all things network sniffing

Also, try this

Quote:

tcpdump -vvv port 25

to listen to the smpt port, granted, it will give you quite a bit to look at...but you will find out what time the spam is being pushed out...

Luck!

Thor

Noway2 · 06-28-2011, 11:45 AM

You will need to start by examining your log files. Undoubtedly there will be some indication of the spam messages and the user account from which they are originating. I don't mean to sound harsh, but I think you are also learning a really valuable lesson in the down side of the "install this gui application and go" without fully understanding the underlying how and why things work. Something in your system has clearly become compromised and you are responsible for it. The problem is that it is likely one of your customer's (?) hosted sites and / or mail servers. The problem could be a cracked password, SQL inejection, or a PWN of a process. Web stack applications are typically one of the most compromised systems, largely due to poorly written PHP or other script.