Web Hosting Talk : Web Hosting Main Forums : Dedicated Server : Someone is spamming through my site on my server and noone knows how to fix it

[lexington]

I pay Acunett to watch and maintain my server and all they can tell me is to make sure that my email scripts on my site are secure. I myself and a few people who are good with php say that my scripts are pretty secure in preventing spam from people sent, however spam is being sent that looks like it is coming from my site's email instead of the spammer's. Can anyone please help me since I need to continue using my site to send out activation emails which are automated, but prevent spam from being sent. Thanks

[aplawson]

You can't stop people from pretending to be you, but if you're really locked down, perhaps you can check the IPs being used. That will tell you a great deal about whether or not your box is being used, or if it's just a random victim.

[lexington]

Yeah I can check the ips which are usually proxies. Is someone actually on my site sending these emails, or is it some hacker script to detect all email scripts on the internet and send them out in a mass quantity or something?

[aplawson]

They can do it different ways. I would think spamming from the box is easier, but there has been some to use SMTP relays remotely. PHP is getting better/patched up all the time so it's probably more likely you either have an insecure SCRIPT on your box somewhere or a user who isn't playing by the rules.

[wake]

Why don't you edit your php email scripts and make it log all emails and go through it, that way you can know for sure. Or take the php scripts offline.

Also if you check the spam messages being sent, it'll tell you which server is sending the message out. If you see your IP you can safely say it is you. If it's some foreign address someone is just faking your domain.

[AWalrus]

You might want to look into adding an SPF record to your domain. Check out http://spf.pobox.com/ for more info.

[wheimeng]

Indeed, get SPF record to your domain IF it is not sent via your server.

[sea otter]

Quote:

Originally posted by lexington
I pay Acunett to watch and maintain my server and all they can tell me is to make sure that my email scripts on my site are secure.

So...you're paying Acunett to keep your server secure, and now you have to come to the forums to solve a security problem???

Unless I'm missing something, it seems to me like you need a new server management company.

[BigBison]

Yes, you are missing something, if the spam isn't actually originating on the OP's server.

Although I'm surprised AcuNett didn't set up the SPF record, this isn't a security issue. Fighting back against spammers spoofing the "from" address is a domain-name configuration issue that until a year or two ago, we couldn't do anything about. Now there's SPF, but not everyone is using it (yet, hopefully). My osteoporosis.org domain has been horribly compromised by the calcium-supplement (and other) spammers, despite having an SPF record for over a year now. The volume of spoofed spam is 80-90% less than it was, but still significant. Until more SMTP servers check SPF records, some domains will continue to have "joe-job" issues.

That is, if we're indeed talking about a joe-job here.

[sea otter]

Ahhh, got it. My bad

[lexington]

Yes they did setup an SPF record and tried to help me, they are good guys I have been with them for a long time. However as far as finding out which script may be causing the problem, they say that they are not really developers and dont know how troubleshoot something like that.

[BigBison]

Well, lexington, what we need to see is the full headers of the spam e-mail from the recipient. That gives you the IP address of the server the e-mail originates from. If it's your server, then this is an issue with a script. If it isn't your server, then this is a joe-job.