My server is sending spam. What do I do?

Last Modified: Oct 18, 2016, 3:12 pm
If your server is sending spam, most likely you've already ended up on an RBL blacklist.
The first thing you need to do is to find out who is spamming and stop them.

There are several ways they could be sending spam:
- they've figured out an email password and are sending remotely
- they are sending from a script on the server (insecure script)
- they've created a cronjob to send emails in the background

1) Make sure that you have a send limit enabled

echo 200 > /etc/virtual/limit

This will put a daily cap on the number of emails a DA user can send. This is the sum of the sends from all of their email accounts, totaled together.

This also requires that you've got the latest version of the /etc/ (which is VERSION=10 on Oct, 2012)

2) Check /etc/virtual/usage to see which User has a higher-than-average bytes log.  If any User stands out, then they're likely it.

3) If you have the latest, and DA 1.41.1 or newer, you should be able to log into DA as that User, and go to:
User Level -> E-Mail Accounts -> E-Mail Usage

which will give you a better breakdown of who is sending what, and to where.

4) Go to:
Admin Level -> Mail Queue Admin

If spam is being sent, there are usually going to be messages stuck in the Queue.
Click one of these messages (the ID) and check the contents (to ensure it's spam), and the headers of the message to try to get info about who sent it (IP), where it's going, and whether there are any X-PHP-Originating-Script headers, telling you which script did the sending.

5) Check to see if there are any repeated smtp-auth values:

cd /var/log/exim
grep 'A=login:' mainlog* | less

Step 3 above should already tell you what login was used, if one was used.
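The grep in step 5 shows raw lines; the added example below (not part of the original helpfile, and not DirectAdmin code) tallies them per login and then per source IP for one login. The function names are hypothetical, the sample log lines are constructed, and it assumes the default exim log layout where the fourth field of an arrival line is "<=".

```shell
#!/bin/sh
# Constructed sample in exim mainlog format (addresses, IPs, message IDs are made up).
sample_log() {
cat <<'EOF'
2016-10-18 03:12:01 1bwAAA-0001Ab-01 <= info@example.com H=(pc1) [198.51.100.77] P=esmtpa A=login:info@example.com S=1832
2016-10-18 03:12:02 1bwAAA-0001Ab-01 => someone@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.25]
2016-10-18 03:12:03 1bwAAB-0001Ac-02 <= info@example.com H=(pc1) [198.51.100.77] P=esmtpa A=login:info@example.com S=1840
2016-10-18 03:12:04 1bwAAC-0001Ad-03 <= info@example.com H=(pc1) [198.51.100.77] P=esmtpa A=login:info@example.com S=1829
2016-10-18 08:30:10 1bwAAD-0001Ae-04 <= info@example.com H=(office) [203.0.113.5] P=esmtpa A=login:info@example.com S=2210
2016-10-18 09:01:44 1bwAAE-0001Af-05 <= bob@example.org H=(laptop) [192.0.2.10] P=esmtpa A=login:bob@example.org S=5120
2016-10-18 09:05:00 1bwAAF-0001Ag-06 <= web@example.com U=web P=local S=900
EOF
}

# Print "count login" for each A=login: value on arrival ("<=") lines, busiest first.
# Reads the files given as arguments, or stdin when there are none.
count_smtp_auth() {
  awk '$4 == "<=" {
         for (i = 5; i <= NF; i++)
           if ($i ~ /^A=login:/) { sub(/^A=login:/, "", $i); n[$i]++ }
       }
       END { for (u in n) print n[u], u }' "$@" | sort -k1,1nr -k2,2
}

# Print "count [ip]" for one login, so sends from an unfamiliar address stand out.
# Usage: ips_for_login LOGIN [file...]
ips_for_login() {
  login=$1; shift
  awk -v want="A=login:$login" '$4 == "<=" {
         ip = ""; hit = 0
         for (i = 5; i <= NF; i++) {
           if (substr($i, 1, 1) == "[") ip = $i   # the [address] token after H=
           if ($i == want) hit = 1
         }
         if (hit) n[ip]++
       }
       END { for (a in n) print n[a], a }' "$@" | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a server pass the log instead, e.g.
#   count_smtp_auth /var/log/exim/mainlog
sample_log | count_smtp_auth
sample_log | ips_for_login info@example.com
```

A login with a high count, or one login used from many different IPs, is the account whose password should be changed first.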

6) Check your exim logs for anything out of the ordinary:

7) Although not related to the prevention of sending spam, if you use DKIM with your email sends, it will lower your spam score on remote boxes, as it confirms that your emails are indeed from your server and not spoofed from elsewhere.

8) Newer setups should have php-mail.log files, which log all PHP sends made with the mail() function. Check the log:


9) If there is no trace of spam, yet you're still being blocked, there is a chance they're sending spam directly to remote servers.
Ensure your port 25 outbound is blocked for all Users, except "mail" and "root".


© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST