0

Having a bit of a nightmare with our Linux server.

Some hacker is using our server for spamming. I sanitized all inputs, have a captcha image, changed passwords, etc., but still.

Somehow they keep on doing it. Getting thousands of emails by the hour. We have a 3000 emails limit daily, so this is blocking our SMTP nearly right after I clean the queue. The thing is that all those emails that keep coming in are stored as "unprocessed" somewhere, and this increases our disk space to the limit and then I can't even see the websites. Our server is a typical Linux, using Plesk 9.3 as panel. On all those spam emails, they display root@ip-188-121-62-27.ip-secureserver.net as the sender, which is a default system address I guess.

I desperately need to stop this and I simply don't know how. Is there a way of blocking that email address from sending emails? Via SSH or in Plesk?

This is the header of one of those spam emails:

Received: (qmail 20441 invoked by uid 48); 9 Mar 2012 09:29:55 -0200
Date: 9 Mar 2012 09:29:55 -0200
Message-ID: <20120309112955.20439.qmail@ip-188-121-62-27.ip.secureserver.net>
To: harsadeyes@aol.com
Subject: Viaqra 0,89
From: "Reuben Velasquez" <reuben_velasquez@vigrxplus-ue.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
JamesCW
  • 309
Tino
  • 3

3 Answers

4

It looks like the root account has been compromised, or has some processes or scripts running that it shouldn't. It's also possible you're running an open relay (which is a really bad idea).

You can easily check if you are running an open relay with mxtoolbox: just enter your domain and test SMTP.

In case the root account has been compromised, the only real solution is to get rid of the server entirely, and reinstall the OS.
Either restore it from a backup that you can trust has not been compromised, or do a clean install from scratch.

0

An SMTP mail server maintains on-disk queues to prevent server problems leading to lost messages. You can see what is in the current queues by running mailq as root.

It would also help to know what mail server you are using; include some logs showing the handling of one of these spam mails so we can see what's what.

adaptr
  • 16,746
0

You say that you've stopped the service but email is still coming in.

If you mean that you are receiving messages which appear to come from your own mail server, then I suggest that the headers are forged, i.e. the messages are actually coming from somewhere else but are created in a way to make it look like they come from your server.

You need to look at the full headers of the messages as they arrive to determine the true IP address of the sender. Also you need to look at the logs, including bandwidth logs, of your own server to ensure that it is not active.

John
  • 1
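The triage the last two answers ask for, as an added example that is not from any of the answerers: walk the Received headers of a queued message and tell whether qmail accepted it locally (the "invoked by uid" form shown in the question, with the uid resolved against /etc/passwd) or from the network (the "from host (ip)" form, giving the true sender IP). The header block is the one quoted in the question; the /etc/passwd excerpt is constructed, assuming uid 48 is the apache user as on Red Hat-derived systems, so a local hop from that uid points at a web script injecting mail rather than at a forged remote sender.

```python
import re

# Constructed sample: the header block quoted in the question.
SAMPLE_HEADERS = """\
Received: (qmail 20441 invoked by uid 48); 9 Mar 2012 09:29:55 -0200
Date: 9 Mar 2012 09:29:55 -0200
To: harsadeyes@aol.com
From: "Reuben Velasquez" <reuben_velasquez@vigrxplus-ue.com>
"""

# Constructed /etc/passwd excerpt (assumes uid 48 is apache, as on
# Red Hat-derived systems); on a real host read /etc/passwd instead.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""

# qmail-inject / sendmail-wrapper submission by a local process
LOCAL_RE = re.compile(r"^Received:\s*\(qmail \d+ invoked by uid (\d+)\)")
# qmail-smtpd hop: "Received: from <helo> (...) (<ip>) by <host> ..."
FROM_IP_RE = re.compile(r"^Received: from \S+.*?\((\d{1,3}(?:\.\d{1,3}){3})\)")

def unfold(headers):
    """Join RFC 822 folded continuation lines (leading whitespace) to their header."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines

def passwd_name(uid, passwd_text):
    """Map a numeric uid to its account name using passwd-format text."""
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            return fields[0]
    return None

def injection_points(headers, passwd_text):
    """Return how each Received hop entered qmail: local uid or remote IP."""
    hops = []
    for line in unfold(headers):
        m = LOCAL_RE.match(line)
        if m:
            uid = int(m.group(1))
            hops.append({"kind": "local", "uid": uid, "user": passwd_name(uid, passwd_text)})
            continue
        m = FROM_IP_RE.match(line)
        if m:
            hops.append({"kind": "network", "ip": m.group(1)})
    return hops
```

Run it over the headers of a few messages from the queue (mailq lists them); a run of local hops from the web server's uid, with no network hop, means the mail is being generated on the box itself and the sending script, not a remote relay, is what has to be found.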