Emails being sent from my server

  #1  
Old 09-22-2010, 07:23 AM
angel1 angel1 is offline
New Member
 
Join Date: Sep 2010
Posts: 4

Hi, I was wondering here if anyone could help me as I am a little stuck. I have found out that my server is being used to send out spam emails and I want to stop this as soon as possible because I despise receiving spam and I really hate having people use my server to send more. I don't use the server for email at all and I am really stuck on where to start on fixing this problem.

I tried to view the mail statistics on the WHM cpanel but I can not see the option. I do not have an email icon. I have web mail and email accounts but neither give me the option of statistics.

I am currently scanning through the whole ftp to see if there are any files that I do not recognise.

I would be so grateful if anyone could help me even with ideas of where to start because I am feeling a little lost right now.

Many thanks



  #2  
Old 09-22-2010, 07:57 AM
httpEasy httpEasy is offline
Value Expert
 
Join Date: May 2009
Location: Midworld
Posts: 1,783
Looking into FTP logs is a good start. How did you find out about the spam mails originally? Could any of your accounts be compromised?


  #3  
Old 09-22-2010, 08:54 AM
LnxtecH LnxtecH is offline
Web Hosting Evangelist
 
Join Date: Jul 2005
Posts: 480
If you have suPHP enabled, then from the exim logs you can see which user is spamming.
You may also take the time stamp of a spam email from the exim logs and search the domlogs for that time and you should be able to find something if it was sent out from a webpage.

  #4  
Old 09-22-2010, 09:16 AM
angel1 angel1 is offline
New Member
 
Join Date: Sep 2010
Posts: 4
Quote:
Originally Posted by httpEasy
Looking into FTP logs is a good start. How did you find out about the spam mails originally? Could any of your accounts be compromised?
Originally through the host, and I have changed every password to all the domains on there and the main account yet it still is being sent.

  #5  
Old 09-22-2010, 09:21 AM
angel1 angel1 is offline
New Member
 
Join Date: Sep 2010
Posts: 4
Quote:
Originally Posted by LnxtecH
If you have suPHP enabled, then from the exim logs you can see which user is spamming.
You may also take the time stamp of a spam email from the exim logs and search the domlogs for that time and you should be able to find something if it was sent out from a webpage.
Thanks, I will look into this.

  #6  
Old 09-22-2010, 11:13 AM
24nt7linux 24nt7linux is offline
Junior Guru Wannabe
 
Join Date: Sep 2010
Posts: 40
Enable SPF for all your domains and check whether the server is an open relay.

  #7  
Old 09-22-2010, 10:43 PM
SagoJonB SagoJonB is offline
Junior Guru Wannabe
 
Join Date: Jun 2010
Location: Clearwater, FL
Posts: 41
Top items to check:

1) Make sure "SMTP Tweak" is enabled in WHM.
This SMTP tweak will prevent users from bypassing the mail server to send mail (This is a common practice used by spammers). It will only allow the MTA (mail transport agent), mailman, and root to connect to remote SMTP servers.

2) Make sure "Sender Verification" is checked in "Exim Configuration Manager" within WHM. "Sender Verification Callouts" is helpful as well, but is applicable more to receiving spam.

3) From ssh run netstat -naop | less
Look for any suspicious processes with dest port 25 - this should also list PID and full path of process (look for suspicious paths/binary filenames as well)

4) Install and run rkhunter & chkrootkit to look for potentially malicious scripts or replaced binaries (clamav would also be a good idea if you haven't already installed the plugin through WHM)

5) Secure /tmp (search WHT; there are numerous posts on this)

6) Make sure any web applications such as CMSs/blogs etc (Joomla esp) are updated to their latest versions.

The following two resources are excellent and detail using the exim log and other techniques to track down the account that is sending the spam and other measures on how to stop spam:

http://timelordz.com/wiki/index.php/..._Down_Spammers
http://www.configserver.com/free/spammers.html

The following is especially important to add extended logging to /var/log/exim_mainlog:

In WHM > Exim Configuration Editor > Switch to Advanced Mode > in the first textbox add the following line and then Save:

log_selector = +arguments +subject

Hope some of this helps and good luck!


Last edited by SagoJonB; 09-22-2010 at 10:48 PM.
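
Added example, not part of SagoJonB's post or of the linked guides: once `log_selector = +arguments +subject` is active, the `cwd=` lines and the `U=` / `P=local` fields in exim_mainlog show which directory and which system user are handing mail to Exim, and the timestamps can be converted to Apache's format for the domlog search suggested in post #3. The log lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; log lines are constructed, in the format Exim writes with
# "log_selector = +arguments +subject". Function names are hypothetical.
sample_exim_log() {
cat <<'EOF'
2010-09-22 07:01:12 cwd=/home/exampleuser/public_html/blog/cache 3 args: /usr/sbin/sendmail -t -i
2010-09-22 07:01:12 1OyAbC-0001Xy-2Z <= exampleuser@host.example.com U=exampleuser P=local S=1834 T="Cheap meds"
2010-09-22 07:01:13 cwd=/home/exampleuser/public_html/blog/cache 3 args: /usr/sbin/sendmail -t -i
2010-09-22 07:01:13 1OyAbD-0001Y1-4B <= exampleuser@host.example.com U=exampleuser P=local S=1840 T="Cheap meds"
2010-09-22 07:02:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -q
2010-09-22 07:05:02 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2010-09-22 07:05:02 1OyAeF-0001Z9-7Q <= otheruser@host.example.com U=otheruser P=local S=912 T="Contact form"
EOF
}

# Count mail-binary invocations per working directory, busiest first.
# Queue runners under /var/spool are skipped; paths with spaces are cut short.
top_cwd() {
  awk '$3 ~ /^cwd=/ && $3 !~ /^cwd=\/var\/spool/ { sub(/^cwd=/, "", $3); n[$3]++ }
       END { for (d in n) print n[d], d }' | sort -rn
}

# Count locally submitted messages (P=local) per system user, busiest first.
top_local_users() {
  awk '$4 == "<=" && / P=local / {
         for (i = 5; i <= NF; i++) if ($i ~ /^U=/) { sub(/^U=/, "", $i); n[$i]++; break }
       } END { for (u in n) print n[u], u }' | sort -rn
}

# Convert an Exim timestamp (YYYY-MM-DD HH:MM:SS) to the minute-precision
# prefix Apache access logs use, e.g. 22/Sep/2010:07:01, for grepping domlogs.
apache_minute() {
  echo "$1" | awk '{ split($1, d, "-")
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    printf "%s/%s/%s:%s\n", d[3], m[d[2] + 0], d[1], substr($2, 1, 5) }'
}

# Distinct Apache-style minute stamps at which a directory invoked the mail binary.
stamps_for_cwd() {
  awk -v want="cwd=$1" '$3 == want { print $1, $2 }' |
    while read -r ts; do apache_minute "$ts"; done | sort -u
}

sample_exim_log | top_cwd
sample_exim_log | top_local_users
sample_exim_log | stamps_for_cwd /home/exampleuser/public_html/blog/cache
```

On the server, feed the real log instead of the sample, e.g. `top_cwd < /var/log/exim_mainlog`, then grep the affected domain's access log for the stamp printed by `stamps_for_cwd` to find the request that triggered the mail.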
  #8  
Old 09-23-2010, 05:41 PM
angel1 angel1 is offline
New Member
 
Join Date: Sep 2010
Posts: 4
Thanks for all the help. I am working through some of it now. I'm going to sound so dumb saying this but I'm drawing a blank on actually opening my exim log.

We think that we are being used as a relay and we don't believe it is a problem with a user account.

Thanks again for all the help.

  #9  
Old 09-23-2010, 05:45 PM
SagoJonB SagoJonB is offline
Junior Guru Wannabe
 
Join Date: Jun 2010
Location: Clearwater, FL
Posts: 41
Best thing to do is to ssh in and:
# less /var/log/exim_mainlog

I believe the most recent entries are at the end, so you could read most recent first with:

# tac /var/log/exim_mainlog |less
