Block account from sending

IT_Architect

One of the domains on the server is sending boatloads of spam at the moment. The account doing the sending is the main e-mail account, and DA won't let me suspend that one. It seems like when I change the password, it doesn't help. Any way to block it for now without blocking virtual users?
 
Does it continue to send email after you create a file /etc/virtual/limit_username (where username is the username of the offending account) with the content of just:
Code:
1
This should stop the account from sending more than one email daily.

Then of course find out why the account is sending email; check the logs to see if the email is coming from a file on the server, or an authenticated login.

If necessary suspend the user (hopefully your TOS allows you to do this for spam-sending; mine does).

Jeff
 
Does it continue to send email after you create a file /etc/virtual/limit_username (where username is the username of the offending account) with the content of just:
Code:
1
This should stop the account from sending more than one email daily. Then of course find out why the account is sending email; check the logs to see if the email is coming from a file on the server, or an authenticated login. If necessary suspend the user (hopefully your TOS allows you to do this for spam-sending; mine does). Jeff
I didn't know you could limit a virtual e-mail account like that, but in this case, it is not a virtual account that is doing the spamming, it is the user e-mail account.

I did narrow it down. I changed the login user's password, which I believe a bot guessed because it was an easy one to guess. However, that didn't fix the problem. The customer has a WordPress install. I did a check for modified files and I found two in a directory flagged 777, and renamed them. Then the spam stopped. I then passworded public_html and left it for the developer to fix.

I don't know how to determine from the log if it is coming from a file on the server or authenticated login. That would be good to know because I need to develop a checklist and procedures to where I can detect and fix something like this quickly. It takes me half-a-day now, because it doesn't happen enough, so I end up re-inventing the wheel each time.
 
I deleted the first of your two replies; they appeared to be almost exact duplicates. Yes, the limit should work on all who send email which is part of that user. This valuable feature has been part of DirectAdmin for some time.

I believe the exim mainlog includes some version of the word authenticated perhaps capitalized (I'm not sure) when a user is using an authenticated login. But once you start using the limit file your message system will tell you a lot about the email and the major sender, whenever the limit is exceeded. We use a limit of 200 for all our users (we set /etc/virtual/limit to 200) by default. We raise it for users who need to send more.

Don't feel bad about it taking as much as a half-day; sometimes it takes me that long as well. But with experience you get better.

Jeff
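
One way to make the script-versus-login check from the exim mainlog, as an added example that is not part of the original posts: it reads message-arrival (`<=`) lines and treats an `A=` field as an authenticated SMTP login and `P=local` with `U=` as mail handed to exim by a process on the server. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in exim mainlog format (not taken from the thread).
SAMPLE_LOG = """\
2024-01-10 03:12:01 1rNabc-0001Aa-01 <= info@example.com H=(pc) [203.0.113.7] P=esmtpsa A=login:info@example.com S=2311
2024-01-10 03:12:02 1rNabd-0001Ab-02 <= bob@server.example.net U=bob P=local S=1840
2024-01-10 03:12:02 1rNabd-0001Ab-02 => rcpt@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.5]
2024-01-10 03:12:03 1rNabe-0001Ac-03 <= bob@server.example.net U=bob P=local S=1852
2024-01-10 03:12:04 1rNabf-0001Ad-04 <= someone@example.org H=mail.example.org [198.51.100.9] P=esmtps S=5120
2024-01-10 03:12:05 1rNabg-0001Ae-05 <= bob@server.example.net U=bob P=local S=1849
"""

# "<=" marks a message arriving in the queue; "=>" lines are deliveries.
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)(?P<rest> .*)?$")
FIELD = re.compile(r" (A|U|P)=(\S+)")


def classify(line):
    """Return (kind, identity) for a message-arrival line, else None."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("rest") or ""))
    if "A" in fields:
        # A=<authenticator>:<login id> -> someone logged in over SMTP.
        return ("smtp-auth", fields["A"].split(":", 1)[-1])
    if fields.get("P") == "local":
        # Submitted on the box itself (e.g. a web script calling sendmail).
        # U= is the Unix user the submitting process ran as.
        return ("local", fields.get("U", m.group("sender")))
    return ("inbound", m.group("sender"))  # ordinary mail from another server


def top_senders(lines):
    """Count outgoing submissions per (kind, identity), busiest first."""
    counts = Counter()
    for line in lines:
        result = classify(line.rstrip("\n"))
        if result and result[0] != "inbound":
            counts[result] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (kind, who), n in top_senders(SAMPLE_LOG.splitlines()):
        print(f"{n:6d}  {kind:10s} {who}")
```

A `local` entry at the top points at a file on the server, while `smtp-auth` points at a mailbox password in use; if PHP runs as a shared web-server user, `U=` shows that user rather than the account owner.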
 
I deleted the first of your two replies; they appeared to be almost exact duplicates.
Ah HA! That's what happened. When I posted, it came back with an error message that I didn't have rights or something. Then I backed up, went through the login screen, went forward again, and the message was still there, so I posted it. I didn't see the second copy at the time. Thanks.

Yes, the limit should work on all who send email which is part of that user. This valuable feature has been part of DirectAdmin for some time.
Perfect!

I believe the exim mainlog includes some version of the word authenticated perhaps capitalized (I'm not sure) when a user is using an authenticated login. But once you start using the limit file your message system will tell you a lot about the email and the major sender, whenever the limit is exceeded. We use a limit of 200 for all our users (we set /etc/virtual/limit to 200) by default. We raise it for users who need to send more.
Perfect!

Don't feel bad about it taking as much as a half-day; sometimes it takes me that long as well. But with experience you get better.
The problem is it happens just seldom enough to where I don't remember, so this time I'm going to put together a procedure. That way it will never happen again. LOL!

Thanks Tons! for all of your very valuable help.
 
Good idea. I've created an entire (virtual) notebook of whitepapers which I've created when working on projects for myself and for clients. Kind of like the checklist a pilot uses before taking off... step by step of exactly what I need to do for each implementation.

And no, it's not for sale :D.

Jeff
 
Good idea. I've created an entire (virtual) notebook.
That's what I've compiled over the years as well. Every time I don't, it comes back to haunt me...like this time. I use TreePad to keep track of it all.
 
Thanks for the PM. You might want to post the link here, since there are free versions available for both Windows and Linux.

Jeff
 