Recently one account on my server was compromised, which resulted in up to 20000 spam mails being sent per day. I have removed the vulnerable CMS and taken a number of other steps (including updates and changing the mail account passwords), but the spam still comes through. I've put in a daily limit of 200 mails so it is contained this way, but I want to stop it completely. I can't figure out what the source of these mails is. I was reading http://directadminguru.com/finding-a-spammer/ but it doesn't seem to provide a solution for me (I don't think it's a PHP script that is sending the mails).
Some maillog entries from before the daily limit:
2014-08-21 21:57:24 1XKYU7-000514-Rt <= [email protected] H=178-167-115-120.dynvpn.flex.ru ([192.168.1.4]) [178.167.115.120] P=esmtpa A=login:[email protected] S=630 [email protected] T="" from <[email protected]> for...
2014-08-21 21:58:42 1XKYVN-0005Di-P2 <= <> R=1XFdUb-0002o9-PH U=mail P=local S=3297 T="Mail delivery failed: returning message to sender" from <> for [email protected]
If I count the IP addresses like 178.167.115.120 they are usually used 500 times.
NB exim -bpc gives a count of 3532976!
So what should I do next? And what's the best way to clean the mail queue?
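The quoted log lines are Exim main-log arrival (`<=`) records. The fields that identify a spam source are `P=` (the protocol: `esmtpa`/`esmtpsa` means an SMTP AUTH session from a remote client, `local` means a message submitted on the box itself), `A=<authenticator>:<user>` (which account's credentials were used), `U=` (the Unix user for local submissions, e.g. a web-server user when a PHP script is sending) and the bracketed address just before `P=` (the connecting client's IP; the HELO string in parentheses can carry a second, meaningless one). A null sender `<>` marks a bounce, i.e. backscatter from earlier spam, not a source. The following script is an added example written for this page, not code from the question or from the linked DirectAdmin guide; it parses arrival lines, aggregates them per authenticated account, per client IP and per local Unix user, and flags accounts that are being used from several distinct client IPs, which is the signature of stolen credentials being replayed from a botnet rather than of a script on the server. The embedded log lines are constructed, with placeholder addresses and IPs; the file path in the usage note is an assumption.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample, modelled on the Exim main-log lines quoted in the
# question; addresses and IPs are placeholders, not data from any real server.
SAMPLE_LOG = """\
2014-08-21 21:57:24 1XKYU7-000514-Rt <= sender@example.com H=178-167-115-120.dynvpn.flex.ru ([192.168.1.4]) [178.167.115.120] P=esmtpa A=login:victim@example.com S=630 T="" from <sender@example.com> for one@example.org
2014-08-21 21:57:30 1XKYU8-000515-Rt <= sender@example.com H=(WIN-PC) [203.0.113.7] P=esmtpa A=login:victim@example.com S=640 T="" from <sender@example.com> for two@example.org
2014-08-21 21:58:01 1XKYU9-000516-Rt <= alice@example.com H=mail.example.net [198.51.100.5] P=esmtpa A=login:alice@example.com S=500 T="report" from <alice@example.com> for three@example.org
2014-08-21 21:58:42 1XKYVN-0005Di-P2 <= <> R=1XFdUb-0002o9-PH U=mail P=local S=3297 T="Mail delivery failed: returning message to sender" from <> for victim@example.com
2014-08-21 21:59:10 1XKYVO-0005Dj-P2 <= <> R=1XFdUc-0002oA-PH U=mail P=local S=3100 T="Mail delivery failed: returning message to sender" from <> for victim@example.com
2014-08-21 22:00:00 1XKYVP-0005Dk-P2 <= www-data@host.example.com U=www-data P=local S=800 T="Special offer" from <www-data@host.example.com> for four@example.org
"""

# One '<=' line per message arrival. Fields of interest:
#   P=<proto>        esmtpa/esmtpsa = SMTP AUTH session, local = submitted on the box
#   A=<auth>:<user>  account whose credentials were used (SMTP AUTH only)
#   U=<unixuser>     local Unix user that submitted the message (P=local)
#   [ip] before P=   the connecting client's address (HELO may carry another in parentheses)
ARRIVAL_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
REMOTE_IP_RE = re.compile(r'\[([0-9a-fA-F.:]+)\] P=')
FIELD_RES = {k: re.compile(r'(?:^| )%s=(\S+)' % k) for k in ('P', 'A', 'U')}


def parse_arrival(line):
    """Return a dict for a message-arrival ('<=') line, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    fields = {}
    for key, rx in FIELD_RES.items():
        hit = rx.search(rest)
        fields[key] = hit.group(1) if hit else None
    auth = fields['A']
    ip = REMOTE_IP_RE.search(rest)
    return {
        'id': m.group('id'),
        'sender': m.group('sender'),                       # '<>' = null sender (bounce)
        'proto': fields['P'],
        'auth_user': auth.split(':', 1)[1] if auth and ':' in auth else auth,
        'unix_user': fields['U'],
        'ip': ip.group(1) if ip else None,
    }


def summarize(log_text):
    """Aggregate arrivals the way you would when hunting for a spam source."""
    auth_count = Counter()        # messages per SMTP AUTH account
    auth_ips = defaultdict(set)   # distinct client IPs seen per account
    ip_count = Counter()          # messages per client IP
    local_count = Counter()       # local (non-bounce) submissions per Unix user
    bounces = 0
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None:
            continue
        if rec['sender'] == '<>':
            bounces += 1          # backscatter from earlier spam, not a source
            continue
        if rec['auth_user']:
            auth_count[rec['auth_user']] += 1
            if rec['ip']:
                auth_ips[rec['auth_user']].add(rec['ip'])
        if rec['ip']:
            ip_count[rec['ip']] += 1
        if rec['proto'] == 'local' and rec['unix_user']:
            local_count[rec['unix_user']] += 1
    return {'auth_count': auth_count, 'auth_ips': dict(auth_ips),
            'ip_count': ip_count, 'local_count': local_count, 'bounces': bounces}


def suspicious_accounts(summary, min_ips=2):
    """Accounts used over SMTP AUTH from min_ips or more distinct client IPs:
    one mailbox driven from many unrelated hosts means its password is in a
    botnet's hands, whatever else has been cleaned up on the server."""
    return sorted(acct for acct, ips in summary['auth_ips'].items() if len(ips) >= min_ips)


if __name__ == '__main__':
    # Usage: python3 exim_spam_source.py /var/log/exim/mainlog   (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print('messages per SMTP AUTH account:', s['auth_count'].most_common(5))
    print('messages per client IP:        ', s['ip_count'].most_common(5))
    print('local submissions per user:    ', s['local_count'].most_common(5))
    print('bounces (null sender):         ', s['bounces'])
    print('accounts used from >=2 IPs:    ', suspicious_accounts(s))
```

Run it against the main log (commonly `/var/log/exim/mainlog`; the exact path depends on the distribution and panel). If an account shows up with hundreds of messages from many client IPs, the fix is on that account (new password, and temporarily disabling its SMTP AUTH), not on the web stack; if instead `local_count` points at a web-server user, a script on the box is the sender. For the queue, Exim's own tools do the cleanup: `exiqgrep -i -f '<>' | xargs exim -Mrm` removes the queued bounces (null sender), and `exiqgrep -i -f 'compromised@account'` piped the same way removes what the stolen account submitted; `exim -bpc` afterwards confirms the count dropped.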