How do I tell if someone's spamming?

Ogdentechguy

How do I tell if one of my users, or someone who has illegally gained access to a valid email account on the server, is using the server to send spam? Our server has been placed on a number of spam lists and I'm positive that it's not a server-level compromise; but many of our users don't have strong passwords for their email accounts, and even a strong password can be phished.

Basically, where do I go in DirectAdmin, or on the server itself since I have local access to it, to determine if spam is going out?
 
Hmm, at first glance it looks like it's Apache that's sending all those mails out. The question is, how do I stop it and force users to route mail through their own user accounts instead of using Apache's account to send the mail? Or run it through a spam filter before it leaves the DA server, at the very least.

If I have to completely cut off the ability for Apache to send mail, I'll do so, but I'm not sure how to do that and I'm not sure it's the best course of action in any case.
 
It appears as if someone is using the PHP mail() function to send out bulk mail. This method of sending mail does not use the conventional authentication method against existing legitimate email accounts.

You may need to add something like this to your php.ini file to prevent users from spamming through the apache user account:

disable_functions = mail
 
Ok, I added "mail" to that line and the mail function is now disabled. Hopefully that should solve the issue. Is there anything else I need to know?
 
Well, if your customers use the mail() function in a CMS for confirmation or notification emails, that will not work anymore, so you should suggest that your customers use SMTP authentication to send mail instead of the mail() function in those CMSs.
 
What SeLLeRoNe said is correct. You need to update your PHP scripts (such as CMS and Mailing List software) to authenticate via SMTP against an actual mailbox on the system...

Also, don't forget to restart your Apache service for the php.ini changes to take effect!
 
Is there any way to override the disable_functions line on a per-user basis so that certain users can use it, but by default it's turned off? We don't have any php coders so we can't modify any scripts ourselves, and also this will give us a tool to try and determine which customer's site is at fault.
 

Yes, you can do that using suhosin.

http://directadmin.com/forum/showpost.php?p=176542&postcount=2
http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.func.whitelist
http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.func.blacklist
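An added example, not from this thread, for the "which customer's site is at fault" question: PHP's mail.log directive (a real php.ini setting, assumed to be enabled here, e.g. mail.log = /var/log/php_mail.log) records the script path behind every mail() call, and this Python script aggregates constructed sample log lines per script and per /home/<user> account so the offending site stands out before you reach for disable_functions.

```python
import re
from collections import Counter

# Constructed sample lines in the format PHP writes to the file named by
# mail.log: timestamp, calling script and line, recipient, headers.
SAMPLE_MAIL_LOG = """\
[12-Mar-2012 09:14:01 UTC] mail() on [/home/acme/public_html/contact.php:42]: To: sales@example.com -- Headers: From: web@acme.example
[12-Mar-2012 09:14:03 UTC] mail() on [/home/shop/public_html/wp-content/uploads/x.php:1]: To: a1@example.net -- Headers: From: promo@example.org
[12-Mar-2012 09:14:03 UTC] mail() on [/home/shop/public_html/wp-content/uploads/x.php:1]: To: a2@example.net -- Headers: From: promo@example.org
[12-Mar-2012 09:14:04 UTC] mail() on [/home/shop/public_html/wp-content/uploads/x.php:1]: To: a3@example.net -- Headers: From: promo@example.org
[12-Mar-2012 09:14:05 UTC] mail() on [/home/acme/public_html/contact.php:42]: To: sales@example.com -- Headers: From: web@acme.example
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*)$"
)
# Hosting accounts live under /home/<user>/ (assumed DirectAdmin layout).
HOME_RE = re.compile(r"^/home/(?P<user>[^/]+)/")


def parse_mail_log(text):
    """Yield one dict per parseable mail.log entry; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        entry = m.groupdict()
        h = HOME_RE.match(entry["script"])
        entry["user"] = h.group("user") if h else None
        yield entry


def sends_per_user(text):
    """Count mail() calls per hosting account, derived from the script path."""
    return Counter(e["user"] for e in parse_mail_log(text))


def sends_per_script(text):
    """Count mail() calls per calling script."""
    return Counter(e["script"] for e in parse_mail_log(text))


def suspects(text, threshold=3):
    """Scripts that called mail() at least `threshold` times, busiest first."""
    return [(s, n) for s, n in sends_per_script(text).most_common() if n >= threshold]


if __name__ == "__main__":
    for script, n in suspects(SAMPLE_MAIL_LOG):
        print(f"{n:5d}  {script}")
```

Run it against the real mail.log (the threshold is a starting point, not a rule) and the per-user counts tell you which account to look at first.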
 