HELP I'm drowning in spam! (what a crappy week part 13291!)

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Sep 1, 2020.

  1. craig baker

    craig baker Member HowtoForge Supporter

    new issue on another server of mine, it started sending out spam yesterday at about 830am. gobs of it. I see it's coming from several email addresses.
    now when I uncheck SMTP on those addresses, the spam stops. when I check SMTP on one of them spam starts up!
    I don't see (centos 7) any obvious offending process - but something is just itching to send out spam as soon as the SMTP block is lifted!
    any way of finding what process is generating the spam? rkhunter and ispprotect find nothing!
    I host 2 websites on that server, and the malware scans on them don't turn up anything suspicious but there have to be clues somewhere, and I feel damn clueLESS atm. what a week!!!!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Change the passwords of the affected accounts.
  3. craig baker

    craig baker Member HowtoForge Supporter

    already planning to do that but I'm very interested to find out WTF IS GOING ON! then maybe I can prevent it in future!
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Someone got the passwords of these accounts e.g. because the users were using the same password somewhere else, e.g. on a website or online service or in an open wi-fi without SSL enabled for their mail connection. It's quite common that users re-use passwords for multiple services. The solution is to change the password of that account and remind the customer to not use the same password for multiple services and to enable SSL/TLS in their mail client.
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Check your mail log to see where the mail is coming from, external or localhost (abused website, etc.). If it's local, check that you have mail.add_x_header = On in php.ini and examine one of the messages in queue, and see if it has an X-PHP-Originating-Script header (sometimes useful, sometimes not).
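
The mail log check described in the last reply, as an added example that is not part of the original thread: it sorts queued messages into authenticated SMTP logins (external, per account and client IP) and local pickup submissions (per uid), and reads the X-PHP-Originating-Script header from a message. It assumes Postfix-style syslog lines; the sample log, addresses and script name are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Sep  1 08:30:01 host postfix/smtpd[2101]: 3F2A1C0012: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Sep  1 08:30:02 host postfix/smtpd[2101]: 3F2A1C0013: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Sep  1 08:30:04 host postfix/smtpd[2107]: 3F2A1C0014: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=info@example.com
Sep  1 08:31:10 host postfix/pickup[1999]: 3F2A1C0015: uid=48 from=<apache>
Sep  1 08:32:00 host postfix/smtpd[2110]: 3F2A1C0016: client=mail.example.net[192.0.2.7]
"""

# Authenticated submission: queue id, client name, client IP, SASL login.
SASL = re.compile(r"postfix/(?:\w+/)?smtpd\[\d+\]: (\w+): client=(\S+?)\[([^\]]+)\], "
                  r"sasl_method=\S+, sasl_username=(\S+)")
# Local submission through the sendmail binary (e.g. PHP mail()): queue id, uid, sender.
PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")

def classify(log_text):
    """Count queued messages per origin: authenticated SMTP login vs local pickup."""
    external, local = Counter(), Counter()
    for line in log_text.splitlines():
        m = SASL.search(line)
        if m:
            external[(m.group(4), m.group(3))] += 1    # (sasl_username, client IP)
            continue
        m = PICKUP.search(line)
        if m:
            local[(int(m.group(2)), m.group(3))] += 1  # (uid, envelope sender)
    return external, local

def originating_script(raw_message):
    """Return the X-PHP-Originating-Script value from a message's headers, or None."""
    for line in raw_message.splitlines():
        if not line.strip():
            break  # blank line ends the header section
        if line.lower().startswith("x-php-originating-script:"):
            return line.split(":", 1)[1].strip()
    return None

if __name__ == "__main__":
    ext, loc = classify(SAMPLE_LOG)
    for (user, ip), n in ext.most_common():
        print(f"external  {n:4d}  {user}  from {ip}")
    for (uid, sender), n in loc.most_common():
        print(f"local     {n:4d}  uid={uid}  from=<{sender}>")
```

Many `sasl_username` hits from unfamiliar IPs point to a stolen mailbox password; `pickup` entries with the web server's uid point to a script on a hosted site. On CentOS the log is normally `/var/log/maillog`, and `postcat -hq <queue id>` prints a queued message's headers for `originating_script()`.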
