Web Hosting Talk

SPAM attack


SuperDon
10-23-2001, 05:57 PM
Hi,

Last night and today our server was used for a major mass spam.

It crashed out most services and our server load was up to near 20 at one point, memory use was up to 95%. This is on a PIII 1000 with 512mb RAM.

It took us all day to sort out the problem, mails were bouncing around all over the place, it's been a long stressful day but things seem back to normal. Luckily for the other accounts we were only down around 15 - 20 mins all day, although we were probably very slow!

The domain involved was topdealuk.co.uk - I have spoken to the client and he says it wasn't him, although to be quite honest I don't believe a word he says, he was quite obviously hiding something. Obviously I deleted his account immediately.

There is also some connection somewhere with the domain talkingpages.co.uk, although I haven't had time to look into this.

My question is this, what shall I do about this? I have a lot of mails from unhappy people. I have mailed them and apologised.

Are there any actions I can take? Do I refund the payment this guy made? Is there anything I can do to prevent this type of thing happening again?

Any advice would be appreciated, I am off to bed now.

Thanks.

jks
10-23-2001, 06:20 PM
Originally posted by SuperDon:
Hi,

Last night and today our server was used for a major mass spam.

My question is this, what shall I do about this? I have a lot of mails from unhappy people. I have mailed them and apologised.

I would suggest starting with a thorough check of your server. Try using this service:

http://www.ordb.org/

From the webpage you can submit your own server for testing.

If your server does _not_ come up as an open relay, you can be reasonably sure that the spam mails originated from one of your customers (then check the logs for the ip-addresses, etc.).

If your server does come up as an open-relay, then immediately fix your configuration so that it's not open anymore (or you could be the subject for another spam attack again). After fixing your server, submit the server for a test again to be sure it's working.
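What a relay test like the one above actually does, as an added example that is not code from this thread or from ordb.org: it connects to port 25 without authenticating, announces a sender from one outside domain, asks for a recipient at another outside domain, and records whether the server accepts the RCPT TO. It never sends DATA, so nothing is delivered. The hostnames and addresses are assumptions for illustration, and the in-memory server at the bottom is a constructed stand-in so the check can be run offline against both a relaying and a non-relaying configuration.

```python
"""Open-relay self-check for a mail server you administer.

Added example, not from the thread or from ordb.org. The probe is written
against readline()/write()/flush() objects so the same logic runs over a
real socket (relay_probe_host) or the constructed SimulatedSmtpServer.
"""
import socket


def read_reply(rfile):
    """Read one SMTP reply; continuation lines use 'NNN-'. Returns (code, text)."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        line = line.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), "\n".join(lines)


def send_cmd(rfile, wfile, cmd):
    """Send one command and return the server's reply as (code, text)."""
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()
    return read_reply(rfile)


def relay_probe(rfile, wfile, helo="probe.example",
                sender="probe@outside-a.example", rcpt="probe@outside-b.example"):
    """Return 'open', 'closed' or 'unknown'.

    Neither domain belongs to the tested server (assumed names), so a 2xx
    answer to RCPT TO means it relays for unauthenticated third parties.
    """
    code, _ = read_reply(rfile)                       # greeting banner
    if code != 220:
        return "unknown"
    code, _ = send_cmd(rfile, wfile, "HELO " + helo)
    if code != 250:
        return "unknown"
    code, _ = send_cmd(rfile, wfile, "MAIL FROM:<%s>" % sender)
    if code != 250:
        # Refusing the foreign sender outright also prevents the relay.
        return "closed" if 500 <= code < 600 else "unknown"
    code, _ = send_cmd(rfile, wfile, "RCPT TO:<%s>" % rcpt)
    if 200 <= code < 300:
        verdict = "open"
    elif 500 <= code < 600:
        verdict = "closed"       # e.g. "554 5.7.1 Relay access denied"
    else:
        verdict = "unknown"      # 4xx: greylisting or temporary failure
    send_cmd(rfile, wfile, "RSET")   # abandon the transaction: nothing is sent
    send_cmd(rfile, wfile, "QUIT")
    return verdict


def relay_probe_host(host, port=25, timeout=15):
    """Run relay_probe against a real server (only one you are responsible for)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_probe(rfile, wfile)


class SimulatedSmtpServer:
    """Constructed in-memory mail server so the probe can run offline.

    Exposes the readline()/write()/flush() surface of the socket file
    objects and answers like a server that either relays for anyone or
    rejects recipients it is not responsible for.
    """

    def __init__(self, accepts_relay):
        self.accepts_relay = accepts_relay
        self._pending = [b"220 mail.example ESMTP ready\r\n"]

    def readline(self):
        return self._pending.pop(0) if self._pending else b""

    def write(self, data):
        cmd = data.decode("ascii").strip().upper()
        if cmd.startswith("HELO"):
            reply = "250 mail.example"
        elif cmd.startswith("MAIL FROM:"):
            reply = "250 2.1.0 Ok"
        elif cmd.startswith("RCPT TO:"):
            reply = ("250 2.1.5 Ok" if self.accepts_relay
                     else "554 5.7.1 Relay access denied")
        elif cmd == "RSET":
            reply = "250 2.0.0 Ok"
        elif cmd == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Command not recognized"
        self._pending.append((reply + "\r\n").encode("ascii"))

    def flush(self):
        pass


if __name__ == "__main__":
    for relaying in (True, False):
        srv = SimulatedSmtpServer(accepts_relay=relaying)
        print("server relays for anyone:", relaying, "->", relay_probe(srv, srv))
```

A 4xx on RCPT TO is deliberately reported as "unknown" rather than "closed": greylisting or a temporary failure says nothing about the relay policy, and the check should be repeated rather than taken as a pass.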

SuperDon
10-24-2001, 02:50 AM
Hi,

Okay, I submitted my server for the test. If the results come back that it is open, how exactly do I make this config?

DaWiseMouse
10-24-2001, 03:22 AM
If your server does come back as open for relay, then fixing it would be based upon what mail server software you are using. Most of the major providers have made options available via updates and patches that can block open relay; several also allow you to set it to check against the ORBs list of blacklisted open relay servers, so if it's on the list and trying to send, it gets blocked. It could also be a simple configuration issue on your server, i.e. you have the correctly updated ability to block, but just haven't closed the relay ability. Good luck, I went through this about 5 months ago with several Chinese servers sending via my servers. It cost me about 200GB in one month..

jks
10-24-2001, 05:03 AM
Originally posted by SuperDon:

Okay, I submitted my server for the test. If the results come back that it is open, how exactly do I make this config?

Exactly how depends on your mailserver software.

Check the manual for keywords like "open relay", "POP before SMTP", "ASMTP", etc.

Also check the FAQ at:

http://www.ordb.org/

There it's mentioned how to configure a few of the most popular mailserver systems.