How to block email sent by the system

strider (New member, joined May 23, 2013, 9 messages)
I have a server with DirectAdmin's domain: example.com.
The mail queue in DirectAdmin is increasing continuously with email sent from [email protected] (X is a user domain).
I don't know why that's happening. Although I suspended this user, it still occurs.
I tried to block it by adding [email protected] to /etc/virtual/blacklist_sender, but it still has no effect.
Could you give me some solution for that? Thanks.
 
You say X is a user domain? Normally X is a user. I've never seen mail sent from [email protected].
It's better to investigate why the queue is increasing; this could be caused by a malicious script or something.
 
X is a user and it uses domain X.com.
The queue is increasing because [email protected] is sending thousands of emails to thousands of addresses that may not exist. It's just like spam mail, but instead of being sent by an email account as usual, it's sent by [email protected] (I understand that it's the system email for user X).
 
Even if it's system email for the user, it's strange that it uses the hostname and not the domain name, like [email protected].
This gives me the impression that it might originate from a cronjob or something.
Did you check if the user has crons running?
crontab -u user -l

Also, the fact that the hostname is used instead of the domain name might cause the mails not to be sent.
I hope before the @ it's not something like info or webmaster but indeed accountname@.

You could also use the queue manager and look in the mail to see what it contains and where it's coming from; it might be a script.
 
Create a file at /etc/limit_username, chmod 644.

In that file put only one line: the number 1

Then your outgoing email from that user should be limited to one per day.

Do not use a zero for no emails; the zero would allow unlimited emails.

Then contact your user; likely the site is sending spam, possibly because it's been compromised.

(Note this will stop any outgoing email through the server on behalf of the user and the domain name, including all virtual email addresses, so it's important the user finds and fixes the problem soon and lets you know so you can turn the email back on.)

Jeff
 
@Richard G: no, it's not crontab.
@nobaloney: I can limit outgoing mail for one domain, but if I do that, no email can be sent by accounts from that domain, and I don't want this.
Here you can see my mail queue:
1UfY5b-0005cS-Gs 0m 1.7K <[email protected]> no [email protected]
1UfY5b-0005cc-Pd 0m 1.7K <[email protected]> no [email protected]
1UfY5c-0005cq-Dn 0m 1.7K <[email protected]> no [email protected]
1UfY5c-0005d0-NO 0m 1.7K <[email protected]> no [email protected]
1UfY5d-0005dM-8P 0m 1.7K <[email protected]> no [email protected]
1UfY5e-0005eE-Ra 0m 1.7K <[email protected]> no [email protected]
1UfY5f-0005eO-2j 0m 1.7K <[email protected]> no [email protected]
1UfY5f-0005ee-Bz 0m 1.7K <[email protected]> no [email protected]

So boathouse is my user, like this:

admin root 4930.1 / unlimited 6388.9 / unlimited 0 / unlimited No
boathouse admin 15471.5 / unlimited 9355.9 / unlimited 1 / unlimited No boathouse.com.vn
juice admin 19.2 / unlimited 271.4 / unlimited 1 / unlimited No juice.com.vn

So I can't block email sent from [email protected]. How could I?
 
Did you check the email and content (and headers) to investigate where it's coming from, as I suggested before?
 
> Create a file at /etc/limit_username, chmod 644.
>
> In that file put only one line: the number 1
>
> Then your outgoing email from that user should be limited to one per day.
>
> Do not use a zero for no emails; the zero would allow unlimited emails.
>
> Then contact your user; likely the site is sending spam, possibly because it's been compromised.
>
> (Note this will stop any outgoing email through the server on behalf of the user and the domain name, including all virtual email addresses, so it's important the user finds and fixes the problem soon and lets you know so you can turn the email back on.)
>
> Jeff

Yeah, it's possible to do this, but then you get 10000000 emails from the DirectAdmin system saying that the user is attempting to send too many emails, and it's annoying as hell.
 
> Did you check the email and content (and headers) to investigate where it's coming from, as I suggested before?

Here is the header of one email:
1UffDR-0007EY-UC-H
boathouse 503 505
<[email protected]>
1369352797 0
-ident boathouse
-received_protocol local
-body_linecount 47
-max_received_linelength 313
-auth_id boathouse
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
XX
1
[email protected]

219P Received: from boathouse by server.saigonsoundsystem.com with local (Exim 4.80.1)
(envelope-from <[email protected]>)
id 1UffDR-0007EY-UC
for [email protected]; Fri, 24 May 2013 06:46:38 +0700
054F From: Holiday Today <[email protected]>
037T To: "jaled777" <[email protected]>
052 Subject: US Players Invited - 30Free at ClassyCoin!
085 Content-Type: multipart/mixed; boundary="PHP-mixed-6657c6966df0757f79f019e66ed92f5b"
061I Message-Id: <[email protected]>
050S Sender: <[email protected]>
038 Date: Fri, 24 May 2013 06:46:37 +0700
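The queue listing earlier in the thread and the spool header just above are the two artefacts an admin has to read in this situation. The following added example (my code, not anything from the DirectAdmin forum, Exim or the SpamBlocker configuration) parses the shell equivalent of the queue manager listing, `exim -bp`, to count queued messages per envelope sender, and parses an Exim 4 spool `<id>-H` file in the layout strider posted to pull out the facts that matter for triage: local injection through the sendmail path, the Unix login and uid that did it, and the PHP-style MIME boundary that points at a web script rather than a mail client. All addresses, hostnames and queue lines in the samples are constructed.

```python
"""Triage an Exim queue one local account is flooding (added example, not
DirectAdmin/Exim/SpamBlocker code). Parses `exim -bp` output and an Exim 4
spool <id>-H file; every sample value below is constructed."""
import re
from collections import Counter

# Constructed `exim -bp` output: age, size, id, <sender>, indented recipients.
SAMPLE_QUEUE = """\
 0m  1.7K 1UfY5b-0005cS-Gs <boathouse@server.example.com>
          jaled777@example.net

 0m  1.7K 1UfY5c-0005cq-Dn <boathouse@server.example.com> *** frozen ***
          third@example.net

 2h   12K 1UfY9z-0001aa-Zz <info@juice.example.com>
        D alice@example.com
          bob@example.com
"""

# Constructed -H file (Exim 4.80 layout, trimmed; the length prefixes on the
# header lines are not checked): id, "login uid gid", <envelope sender>,
# "time warn_count", -options, non-recipient tree (XX = empty), count,
# recipients, blank line, headers tagged with a type letter (F=From, P=Received).
SAMPLE_SPOOL_HEADER = """\
1UffDR-0007EY-UC-H
boathouse 503 505
<boathouse@server.example.com>
1369352797 0
-ident boathouse
-received_protocol local
-local
XX
1
jaled777@example.net

219P Received: from boathouse by server.example.com with local (Exim 4.80.1)
    for jaled777@example.net; Fri, 24 May 2013 06:46:38 +0700
054F From: Holiday Today <promo@example.org>
052  Subject: US Players Invited - 30Free at ClassyCoin!
085  Content-Type: multipart/mixed; boundary="PHP-mixed-6657c6966df0757f79f019e66ed92f5b"
"""

QUEUE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\w{6}-\w{6}-\w{2})\s+<([^>]*)>(.*)$")
HEADER_LINE = re.compile(r"^(\d+)(\S?)\s+([\w-]+):\s*(.*)$")


def parse_queue_listing(text):
    """One dict per queued message: id, age, size, sender, frozen, recipients."""
    messages = []
    for raw in text.splitlines():
        m = QUEUE_LINE.match(raw)
        if m:
            age, size, mid, sender, rest = m.groups()
            messages.append({"id": mid, "age": age, "size": size, "sender": sender,
                             "frozen": "frozen" in rest, "recipients": []})
        elif messages and raw.strip():           # recipient line; address is last token
            messages[-1]["recipients"].append(raw.split()[-1])
    return messages


def top_senders(messages, n=3):
    """Envelope senders with the most queued messages, busiest first."""
    return Counter(m["sender"] for m in messages).most_common(n)


def parse_spool_header(text):
    """Fixed fields, -options, recipients and headers of an Exim 4 -H file."""
    lines = text.splitlines()
    login, uid, _gid = lines[1].split()
    spool = {"message_id": lines[0][:-2] if lines[0].endswith("-H") else lines[0],
             "login": login, "uid": int(uid), "envelope_from": lines[2].strip("<>"),
             "options": {}, "headers": []}
    i = 4
    while lines[i].startswith("-"):              # "-name value" or bare "-flag"
        key, _, value = lines[i][1:].partition(" ")
        spool["options"][key] = value or True
        i += 1
    while not lines[i].isdigit():                # skip the non-recipients tree
        i += 1
    count = int(lines[i])
    spool["recipients"] = [ln.split()[0] for ln in lines[i + 1:i + 1 + count]]
    for line in lines[i + 1 + count:]:           # blank line, then header block
        m = HEADER_LINE.match(line)
        if m:
            spool["headers"].append([m.group(3), m.group(4), m.group(2) or " "])
        elif spool["headers"] and line.strip():  # folded continuation line
            spool["headers"][-1][1] += " " + line.strip()
    return spool


def assess(spool):
    """How the message entered the queue, in plain words."""
    hdr = {name.lower(): value for name, value, _ in spool["headers"]}
    findings = []
    if spool["options"].get("received_protocol") == "local":
        findings.append("injected locally (sendmail path) as uid %d login %s, not over SMTP"
                        % (spool["uid"], spool["login"]))
    if "PHP-" in hdr.get("content-type", ""):
        findings.append("PHP-style MIME boundary: mail() called from a web script")
    return findings
```

Run `top_senders(parse_queue_listing(open("queue.txt").read()))` over a saved `exim -bp` listing to see which envelope sender owns the queue, then `assess(parse_spool_header(open("/var/spool/exim/input/<id>-H").read()))` on one of its messages. A `received_protocol local` result combined with the `-ident` login is the point SeLLeRoNe raises later: the mail never touched SMTP auth, so sender blacklists and SMTP-side limits cannot catch it, and the fix has to happen on the web/PHP side of that account.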
 
What exim.conf version are you using? (Check the first lines of the file.)
Is this the full header? No X-PHP line in it?
Are you requiring auth for users and forcing them to use SMTP?
Have you disabled 127.0.0.1 in exim.conf so that local websites can't send mail without SMTP auth? (This should be a nice start for stopping mail from websites... and tracking them better.)

Regards
 
If you don't want to restrict users to using SMTP, try adding this for tracking in exim.conf under "log_selector =":
Code:
+connection_reject \
+address_rewrite \
+all_parents \
+arguments \

And maybe scan your own PC with, for example, Malwarebytes.
 
> What exim.conf version are you using? (Check the first lines of the file.)
> Is this the full header? No X-PHP line in it?
> Are you requiring auth for users and forcing them to use SMTP?
> Have you disabled 127.0.0.1 in exim.conf so that local websites can't send mail without SMTP auth? (This should be a nice start for stopping mail from websites... and tracking them better.)
>
> Regards

Exim.conf version is SpamBlocker.exim.conf.2.1.1-release.
That's the full header.
How could I disable 127.0.0.1 in exim.conf? Please help me do it.
 
You should have in exim.conf a line starting with: hostlist relay_hosts

In this line you should have 127.0.0.1 at the end, with a separator from the other field; remove it and restart Exim.

Regards
 
Here are my hostlist lines in exim.conf:

hostlist auth_relay_hosts = *
hostlist bad_sender_hosts = lsearch;/etc/virtual/bad_sender_hosts
hostlist bad_sender_hosts_ip = net-lsearch;/etc/virtual/bad_sender_hosts
hostlist relay_hosts = 127.0.0.1
hostlist whitelist_hosts = lsearch;/etc/virtual/whitelist_hosts
hostlist whitelist_hosts_ip = net-lsearch;/etc/virtual/whitelist_hosts

Is that right?
 
If what you want to do is disable the ability to use 127.0.0.1, then you've got it backwards; you should have this line:
Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts
instead of:
Code:
hostlist relay_hosts = 127.0.0.1

See Edit#16 (nobaloney.net) in the ReadMe for the latest version of my premium (but still open-source and free) SpamBlocker 4.2 product.

If the above link fails to work it's because the version number has changed; if so, then start here (nobaloney.net) and click on Click Here to Download to find the latest version.

Jeff
 