EyeSee
01-02-2002, 08:02 AM
I have been informed by my dedicated provider that someone is using my server IP for spamming purposes.
This is my first server so I am still new to it all. How do I go about stopping this activity? Can I find out who it is? Is it likely to be a customer of mine?
In Plesk (uses qmail) I have the mail settings set for POP and SMTP authorization. I have just noticed that my /var directory is at 100% (about 5Gb); this was just in the single figures before!
Please help!
allan
01-02-2002, 09:54 AM
Try: /var/log/maillog
That should tell you what the address is sending the spam (or sent it), then just kill their account -- or follow whatever procedure is listed in your AUP.
EyeSee
01-02-2002, 10:20 AM
I found two unknown users gaining access every couple of minutes using my server IP (which has the complaints against it). Could this be it?
allan
01-02-2002, 10:22 AM
Most likely. Is your system closed to prevent relaying?
EyeSee
01-02-2002, 10:24 AM
I use Plesk and I have it set for POP & SMTP authorization. I get the feeling the SMTP authorization isn't working, as I don't have this set up in my email client but can still send mail!
XTStrike
01-02-2002, 10:38 AM
Remember, once you have fixed the system, you would be best to do a scan on:
http://www.mailabuse.com/
just to make sure nobody has added your IP to any of the mailabuse systems. I've had this happen to me once before.
PS: this place also has some helpful resources on securing your SMTP server against abuse.
bobcares
01-02-2002, 12:20 PM
Hi!
Go through your logs fully.
Search for any unwanted spam scripts.
See the mailq and see where the traffic is directed.
Close SMTP for outside users. Deny all others except your clients.
I guess this should solve the problem..
Have a great day :)
regards
amar
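An added example, not part of any post in this thread: one way to do the log review suggested above (reading /var/log/maillog and seeing where the traffic is directed) by tallying remote deliveries per envelope sender and injecting uid from qmail-send log lines. The sample lines, addresses, uid value and threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in qmail-send's log format (not taken from the thread).
SAMPLE_LOG = """\
Jan  2 08:00:01 host qmail: 1009958401.10 info msg 4001: bytes 2210 from <offer@bulk.example> qp 9001 uid 2020
Jan  2 08:00:01 host qmail: 1009958401.20 starting delivery 1: msg 4001 to remote a@one.example
Jan  2 08:00:01 host qmail: 1009958401.30 starting delivery 2: msg 4001 to remote b@two.example
Jan  2 08:00:02 host qmail: 1009958402.10 info msg 4002: bytes 2198 from <offer@bulk.example> qp 9003 uid 2020
Jan  2 08:00:02 host qmail: 1009958402.20 starting delivery 3: msg 4002 to remote c@three.example
Jan  2 08:00:02 host qmail: 1009958402.30 starting delivery 4: msg 4002 to remote d@four.example
Jan  2 08:00:09 host qmail: 1009958409.10 end msg 4001
Jan  2 08:05:10 host qmail: 1009958710.10 info msg 4001: bytes 812 from <jo@customer.example> qp 9010 uid 2020
Jan  2 08:05:10 host qmail: 1009958710.20 starting delivery 5: msg 4001 to remote friend@five.example
Jan  2 08:05:11 host qmail: 1009958711.10 starting delivery 6: msg 4001 to local sales@customer.example
"""

# "info msg" records the envelope sender and the uid that queued the message;
# "starting delivery" records each recipient and whether it is local or remote.
INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
DELIVERY = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) \S+")

def summarize(log_text):
    """Count remote deliveries per (envelope sender, injecting uid)."""
    current = {}        # msg number -> (sender, uid); numbers are reused over time
    remote = Counter()
    for line in log_text.splitlines():
        m = INFO.search(line)
        if m:
            # A later "info msg" with the same number replaces the old owner.
            current[m.group(1)] = (m.group(2), int(m.group(3)))
            continue
        m = DELIVERY.search(line)
        if m and m.group(2) == "remote" and m.group(1) in current:
            remote[current[m.group(1)]] += 1
    return remote

def suspects(log_text, threshold=3):
    """Senders with at least `threshold` remote deliveries (threshold is an assumption)."""
    return [(sender, uid, n)
            for (sender, uid), n in summarize(log_text).most_common()
            if n >= threshold]

if __name__ == "__main__":
    for sender, uid, n in suspects(SAMPLE_LOG):
        print(f"{n} remote deliveries from <{sender}> queued by uid {uid}")
```

The uid separates mail queued by the SMTP daemon's account from mail injected by a local account such as a web script, which narrows down whether to look at relaying or at scripts on the server.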
EyeSee
01-02-2002, 12:40 PM
Thanks for the replies.
I managed to find a sysadmin quickly and he has stopped it for me :)
Managed to find the offending IP and block it, doesn't seem to be one of my customers so someone is accessing the server from outside. Not sure how, but my server is now being monitored so we'll know if they try again.
Deleted nearly 5 gigs of email queue!! Back down to 5% usage now :D
allan
01-02-2002, 12:44 PM
That's good news...but you better check out some of the SPAM sites to make sure your site has not been blackholed.
EyeSee
01-02-2002, 12:54 PM
I checked the one posted by XTStrike, and I wasn't on there (phew).