Server sending spam mails, what should I do?

y0us3f (Verified User, joined Jul 6, 2011, 18 messages)
Hello guys :)

My server started sending spam mails, and my provider wrote this:

Spam source

====================================================================
Timestamp (UTC) IP address From Subject
2013-09-30 11:06:19 74.******* [email protected] From Mr Frank Morgan,,
2013-09-30 11:06:19 74.******* [email protected] From Mr Frank Morgan,,
2013-09-30 11:00:20 74.******* [email protected] From Mr Frank Morgan,,
2013-09-30 10:44:42 74.******* [email protected] From Mr Frank Morgan,,
2013-09-30 10:44:37 74.******* [email protected] From Mr Frank Morgan,,
2013-09-30 10:44:26 74.******* [email protected] From Mr Frank Morgan,,
2013-09-30 10:38:18 74.******* [email protected] From Mr Frank Morgan,,
2013-09-30 09:14:38 74.******* [email protected] From Mr Frank Morgan,,
2013-09-30 08:22:21 74.******* [email protected] From Mr Frank Morgan,,
2013-09-30 08:04:50 74.******* [email protected] From Mr Frank Morgan,,
2013-09-27 09:53:34 74.******* [email protected] My Dear

What should I do? How do I check what's compromised and fix it?

They said: "I would suggest shutting down smtp and check any control panels you use for bugs while you harden the server and scan it. Or, we could reload the server for you to rule out infection.... etc"

Thanks
 
First you check your outgoing mail log at /var/log/exim/mainlog. You need to look for the outgoing address.

Hopefully that's not all your provider has sent you, but even so, if you search for outgoing addresses you should be able to see the emails. Once you see the emails you figure out how they got on the server, and close your hole.

This forum isn't the place to learn how to find and close holes that spammers use, but generally the spammer is one of the above:

A user who has gotten an account from you: if this is the case suspend his account.

An authenticated email user who has gotten a password for an email user and is using that account to send email: suspend the email user if your version of DirectAdmin allows it, or suspend all outgoing email for the domain by creating or editing the file at /etc/virtual/limit_USERNAME and setting it to 1 (you can't set it to 0 because 0 means unlimited).

A compromised php file on the account's website; if you can identify it, chmod it to 000, otherwise either set the email limit as above, suspend the account, or chmod /home/USERNAME/domains/EXAMPLE.COM/public_html to 000.

Contact the user and arrange with him/her to fix the problem.

Jeff
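The log check and the per-user limit from this answer, as an added shell example that is not code from the thread or from DirectAdmin. It assumes Exim's default mainlog line format (an accepted message logged with "<=" and an authenticated SMTP sender as "A=<authenticator>:<user>") and runs on constructed sample lines.

```shell
#!/bin/sh
# Added example (not from the thread or DirectAdmin). Assumes Exim's default
# mainlog format: an accepted message is logged with "<=" and an authenticated
# SMTP sender appears as "A=<authenticator>:<user>".
# Constructed sample resembling /var/log/exim/mainlog (not real data):
# two senders using SMTP AUTH, one delivery line, one local submission by root.
SAMPLE_LOG=$(cat <<'EOF'
2013-09-30 08:04:50 1VQYLg-0003Xk-2Z <= frank.morgan@example.net H=(pc) [203.0.113.7] P=esmtpa A=login:test@example.com S=2108 id=1@pc
2013-09-30 08:22:21 1VQYcf-0003ab-9Q <= frank.morgan@example.net H=(pc) [203.0.113.7] P=esmtpa A=login:test@example.com S=2108 id=2@pc
2013-09-30 08:22:22 1VQYcf-0003ab-9Q => someone@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.3]
2013-09-30 09:14:38 1VQZRA-0004Bn-8D <= alice@example.com H=(laptop) [192.0.2.10] P=esmtpa A=login:alice@example.com S=640 id=3@laptop
2013-09-30 11:06:19 1VQbHx-0005zj-1V <= frank.morgan@example.net H=(pc) [203.0.113.7] P=esmtpa A=login:test@example.com S=2108 id=4@pc
2013-09-30 11:10:00 1VQbLm-00060a-3C <= root@server.example.com U=root P=local S=300
EOF
)
# Read a mainlog on stdin; print "count user" per authenticated sender,
# busiest first. Messages with no A= field (local submissions) are skipped.
auth_sender_counts() {
    awk '
        $4 == "<=" {
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^A=[^:]+:/) {
                    user = $i
                    sub(/^A=[^:]+:/, "", user)
                    count[user]++
                }
            }
        }
        END { for (u in count) print count[u], u }
    ' | sort -rn
}
# The single busiest authenticated sender, e.g. a forgotten test mailbox
# like the one the original poster found.
top_auth_sender() {
    auth_sender_counts | head -n 1 | awk '{ print $2 }'
}
# Stop outgoing mail for a DirectAdmin user as the answer describes:
# /etc/virtual/limit_USERNAME set to 1 (0 would mean unlimited). The
# directory is a parameter so the function can be tried outside /etc/virtual.
limit_user_outgoing() {
    user=$1
    dir=${2:-/etc/virtual}
    printf '1\n' > "$dir/limit_$user"
}
```

On a live server the same functions read the real log: `auth_sender_counts < /var/log/exim/mainlog`; the sample above yields `3 test@example.com` on top.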
 
Actually, it is all that the provider sent me :) I found the issue!

I've checked the email usage and found out that I've made a test email before and forgot about it; they were using it for authentication for the spam.

Thanks a lot for your reply and help!

Just checked the log, it's still clean after deleting that email account.
 