Spam from DirectAdmin server

nservices

Hi,
My datacenter provider blocked 2 of my DirectAdmin servers; he told me that they are sending heavy spam.
The users are limited to 10 emails / day.
New, up-to-date CustomBuild on CentOS 7.
So it looks like the email limit is not working well, and it's sending the spam emails even though there is a spam limit.

Any advice?
 
It may be that it is not a user email that is sending spam but a hacked website...

You would need to investigate the server and the logs to understand where those emails are being sent from.

Regards
 
Sure, but the account limit doesn't work for websites / any other phpsendmail functions?
Just for SMTP accounts?
 
1. I have the latest Exim with SB 4.3
2. I need some "global" solution regardless of the blog
As far as I know, it should work for scripts also.
Example of a message in DA Admin:
The dauser account has just finished sending 350 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/dauser.bytes file, it was found that the highest sender was [email protected], at 351 emails.

The top authenticated user was dauser, at 351 emails.
This accounts for 100% of the emails. The higher the value, the more likely this is the source of the emails.
An authenticated username is the user and password value used at smtp time to authenticate with exim for delivery.


The most common path that the messages were sent from is /home/dauser/domains/dauserdomain.com/public_html/components/com_rsform/assets/fonts, at 351 emails (100%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

The top sending script was /home/dauser/domains/dauserdomain.com/public_html/components/com_rsform/assets/fonts/search.php:2, at 354 emails, (101%).
Because the bulk of the emails have been sent by the script, please check it to confirm it has not been compromised.

In this case it's not an email account, and DA detects it and shows it as if it stopped the spam.
The problem is that the spam is not stopped but continues...
 
You're right, it also counts the scripts.. so.. I actually don't know what to say additionally :)

Probably someone else will provide other ideas/suggestions

Regards
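
Added example (not part of any post in this thread, and not DirectAdmin's own code): one way to check the Exim main log independently of the DA notice is to tally the `cwd=` lines per working directory under `/home`, which shows whether a script directory keeps submitting mail after the limit is reached. It assumes Exim's `arguments` log selector is enabled; the log lines, the second user and the message ID are constructed sample data, and the limit of 10 is the per-user figure from the first post.

```python
import re
from collections import Counter

# Exim writes "cwd=<dir> <n> args: <argv>" lines to its main log when the
# "arguments" log selector is on (assumed enabled here).
CWD_RE = re.compile(r"\bcwd=(?P<cwd>.+?) \d+ args: (?P<args>.*)$")
HOME_RE = re.compile(r"^/home/(?P<user>[^/]+)(?:/|$)")

FONTS = ("/home/dauser/domains/dauserdomain.com/public_html/"
         "components/com_rsform/assets/fonts")

# Constructed sample log (not real data): 12 script submissions from the
# directory named in the DA notice, 2 from a hypothetical second user, and
# 3 Exim-internal deliveries run from the spool directory.
SAMPLE_LOG = "\n".join(
    [f"2019-03-02 10:15:{i:02d} cwd={FONTS} 3 args: /usr/sbin/sendmail -t -i"
     for i in range(12)]
    + [f"2019-03-02 10:16:{i:02d} cwd=/home/otheruser/public_html 3 args: "
       "/usr/sbin/sendmail -t -i" for i in range(2)]
    + [f"2019-03-02 10:17:{i:02d} cwd=/var/spool/exim 3 args: "
       "/usr/sbin/exim -Mc 1hAbCd-000123-XY" for i in range(3)]
)


def tally_home_paths(log_text):
    """Count local mail submissions per (user, working directory) under /home."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if not m:
            continue
        home = HOME_RE.match(m.group("cwd"))
        if home:  # system paths such as the spool are SMTP/queue activity, not scripts
            counts[(home.group("user"), m.group("cwd"))] += 1
    return counts


def over_limit(log_text, limit=10):
    """Return (user, path, count) rows whose count exceeds the per-user limit."""
    rows = [(u, p, n) for (u, p), n in tally_home_paths(log_text).items() if n > limit]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for user, path, n in over_limit(SAMPLE_LOG):
        print(f"{n:5d}  {user}  {path}")
```

Run against the real main log for the current day, a directory whose count keeps rising past the limit is the one to quarantine and inspect first.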
 