I am being SPAMMED and GoDaddy aren't helping

Discussion in 'Security' started by dfsweb, Apr 10, 2007.

  1. #1
    Hi guys,
    My server is being spammed right now as I speak. I have a daily email limit of 10,000 on my virtual dedicated server and that limit has been reached for the past two days. I have this high email as I have mailing lists (all legit and opt-in etc.) that I send out monthly newsletters to. I haven't sent out a newsletter in the last one month so there is no reason to reach this limit.

    I am trying to identify the source and stop it right now. GoDaddy aren't helping as they reckon I should be able to solve this myself. :( I use Simple Control Panel to manage my server. Any suggestions on how to find this?

    I have come up with a couple of possibilities:
    1. Someone is sending emails through my server somehow ... not sure how.
    2. Someone is spamming a web form on one of my websites. I have half a dozen websites on my server so it could be any one of them ... not sure which one.

    Please help!
    dfsweb
     
    dfsweb, Apr 10, 2007 IP
  2. tschrock

    #2
    I am SOOO sick of Godaddy. My blog takes more than 30 seconds sometimes for a database action such as spam deletion. I am ready to move all of my stuff away from them and I would suggest you do the same.
     
    tschrock, Apr 10, 2007 IP
  3. sundaybrew

    #3
    You have been Injected through a form on a site

    Step One:
    Shut down your mail server

    Step TWO:
    Remove all your website forms for now

    Step Three:
    Have someone install CAPTCHA on all your forms

    I had this happen once,

    Once I secured all my forms, I was set..

    Also -

    Go into your mail queue and delete all the outgoing mail

    Hope this helps
     
    sundaybrew, Apr 10, 2007 IP
  4. tschrock

    #4
    Do you have a contact form on your website or on any website you are hosting with GoDaddy? A sloppy or open source contact script is the #1 way to get hosed by spam from your own server.
     
    tschrock, Apr 10, 2007 IP
  5. bluefur

    #5
    Is it cPanel?
     
    bluefur, Apr 10, 2007 IP
  6. sundaybrew

    #6
    Didn't I just say that....

    Oh and to your response to your other post

    Godaddy isn't the issue..

    It's loose forms...


    To the OP:
    Just follow the above steps I have provided and you will be fine :)
     
    sundaybrew, Apr 10, 2007 IP
  7. dfsweb

    #7
    Yup, I have heaps of forms on all of my websites. Isn't there some way I can identify which form is being opened hundreds of times by looking at some logs or something ... instead of deleting all the forms?

    How do I shut down the mail server? I restarted my server but that's not the same I assume?

    Also, how do I clear the mail queue?

    Sorry, I am not very technically inclined when it comes to server management ... still fairly new to it.
    Regards,
    dfsweb
     
    dfsweb, Apr 10, 2007 IP
  8. bluefur

    #8
    Again is it cPanel?
     
    bluefur, Apr 10, 2007 IP
  9. sundaybrew

    #9
    Yes - You can look at logs to find out where the spam is coming from

    Depending on what control panel you have is how you shut down the mail server

    In Plesk it's Server > Service Management > then you will see the services listed, you just hit the stop button

    Not sure in cpanel
     
    sundaybrew, Apr 10, 2007 IP
  10. dfsweb

    #10
    I am using Simple control panel ... not sure if that's the same as cPanel.
     
    dfsweb, Apr 10, 2007 IP
  11. bluefur

    #11
    bluefur, Apr 10, 2007 IP
  12. dfsweb

    #12
    I log in to: http://ip address:9999

    I looked at my server stats and there was a big spike for one of my websites and the only form on that website is a contact us form. I have disabled this now. I think this might have been the source.

    Regards,
    dfsweb
     
    dfsweb, Apr 10, 2007 IP
  13. bluefur

    #13
    Okay so you are using webadmin.

    Do you have root access?
     
    bluefur, Apr 10, 2007 IP
  14. dfsweb

    #14
    yes, I have root access and I can login using putty if I want to. But, don't know what to do from there.
    dfsweb
     
    dfsweb, Apr 10, 2007 IP
  15. bluefur

    #15
    Webmin is very limited in what you can do.

    Personally I would suggest adding to your exim.conf to show more detailed logs and then watching the log so you can see what is causing it.

    If it is a form you can implement mod_security to correct it.

    All of those require you to access SSH.

    To edit your exim.conf file you will first need to find it.

    1. Login to SSH
    2. Type in locate exim.conf
    3. If you get an error saying you need to run updatedb do it and wait for it to finish
    4. If you do not get an error then edit the file by typing in pico and the location from the output of the locate above.
    5. Add the following to the top...

    log_selector = +arguments +subject +all

    6. Press Ctrl + O and then Ctrl + Z
    7. Restart exim by typing in...

    /etc/init.d/exim restart

    8. Watch the log by typing the following...

    tail -f /var/log/exim.mainlog
     
    bluefur, Apr 10, 2007 IP
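Added example, not part of any post in this thread: once Exim logs with `+arguments` and `+subject` as described in post #15, each mail handed to Exim by a web script leaves a `cwd=` line naming the directory it ran from, so counting those lines points at the site whose form is sending. The log lines, paths, hosts and message IDs below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape Exim writes once log_selector includes
# +arguments and +subject; every path, host and message ID here is made up.
SAMPLE_LOG = """\
2007-04-10 03:14:05 cwd=/var/www/site3/html 3 args: /usr/sbin/sendmail -t -i
2007-04-10 03:14:05 1HbAAA-0001aB-01 <= apache@vds.example U=apache P=local S=1843 T="Cheap meds"
2007-04-10 03:14:06 cwd=/var/www/site3/html 3 args: /usr/sbin/sendmail -t -i
2007-04-10 03:14:06 1HbAAB-0001aC-02 <= apache@vds.example U=apache P=local S=1851 T="Cheap meds"
2007-04-10 03:14:09 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2007-04-10 03:15:40 1HbAAC-0001aD-03 <= friend@mail.example H=mail.example [192.0.2.10] P=esmtp S=2210 T="Re: lunch"
2007-04-10 03:16:02 cwd=/var/www/site1/html 3 args: /usr/sbin/sendmail -t -i
2007-04-10 03:16:02 1HbAAD-0001aE-04 <= apache@vds.example U=apache P=local S=912 T="Quote request"
2007-04-10 03:16:30 cwd=/var/www/site3/html 3 args: /usr/sbin/sendmail -t -i
2007-04-10 03:16:30 1HbAAE-0001aF-05 <= apache@vds.example U=apache P=local S=1849 T="Cheap meds"
"""

# "cwd=<dir> <argc> args: <program> ..." is logged for each Exim invocation.
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (\S+)")
# Locally submitted message: <= sender U=<unix user> P=local ... T="subject"
LOCAL_RE = re.compile(r' <= \S+ U=(\S+) P=local\b.*?T="((?:[^"\\]|\\.)*)"')


def triage(log_text):
    """Count sendmail invocations per working directory, plus local
    submissions per Unix user and per subject."""
    dirs, users, subjects = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            # Queue runners and other exim invocations are not form mail.
            if m.group(2).rsplit("/", 1)[-1] == "sendmail":
                dirs[m.group(1)] += 1
            continue
        m = LOCAL_RE.search(line)
        if m:
            users[m.group(1)] += 1
            subjects[m.group(2)] += 1
    return dirs, users, subjects


if __name__ == "__main__":
    dirs, users, subjects = triage(SAMPLE_LOG)
    for label, counter in (("cwd", dirs), ("user", users), ("subject", subjects)):
        for value, n in counter.most_common(5):
            print(f"{n:6d}  {label}={value}")
```

To run it on a real server, pass the contents of the Exim main log to `triage()` instead of `SAMPLE_LOG`.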
  16. KalvinB

    #16
    If a form is supposed to send me a message then the "to" field is hard coded in the script that sends out the e-mail. That makes it impossible to send e-mails to anyone else using the form. It can only go to me.

    You shouldn't have a form that allows the "to" field to be set by a user.

    You may also have port 25 open to the world and they're just using your mail server directly rather than going through any forms.

    If you receive e-mail through port 25 (meaning you can close the port) then you need to harden your mail server so that it doesn't relay e-mails and it only delivers mail to local users.
     
    KalvinB, Apr 29, 2007 IP
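Added example, not part of any post in this thread and not code from any of the sites discussed: a contact-form mail builder along the lines post #16 describes, with the recipient fixed in the script and every user-supplied value that reaches a header checked for line breaks. The addresses, field names and function names are assumptions, and Python is used only for illustration since the thread does not say what the forms are written in.

```python
import re
from email.message import EmailMessage

# Assumed addresses: the recipient is a constant in the script, never form data.
SITE_OWNER = "owner@site.example"
FORM_SENDER = "webform@site.example"

# Deliberately narrow: exactly one plain address, no display name, no list.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def header_value(raw, limit=100):
    """Return a value safe to place in a mail header, or raise ValueError."""
    value = raw.strip()
    # A CR or LF inside a header value would start a new header line.
    if len(value) > limit or any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise ValueError("control character or over-long header field")
    return value


def build_contact_mail(form):
    """Build the notification mail from a dict of submitted fields.

    Only 'name', 'email', 'subject' and 'message' are read; a submitted
    'to', 'cc' or 'bcc' field is ignored because nothing looks it up.
    """
    name = header_value(form.get("name", ""))
    reply_to = header_value(form.get("email", ""))
    subject = header_value(form.get("subject", ""))
    if not ADDR_RE.fullmatch(reply_to):
        raise ValueError("email field is not a single address")

    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = SITE_OWNER            # hard-coded, as post #16 recommends
    msg["Reply-To"] = reply_to        # visitor's address goes here, not in To
    msg["Subject"] = f"[contact form] {subject} (from {name})"
    msg.set_content(form.get("message", "")[:5000])  # body is size-capped
    return msg
```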
  17. randomIntellections

    #17
    Check exim logs, mail queue logs, /var/log/exim_mainlog and exim panic logs; you should be able to find the script which is sending all the mails and get it fixed.
     
    randomIntellections, May 13, 2007 IP
  18. nukepuppy

    #18
    There's the problem with using GoDaddy as a hosting provider.
     
    nukepuppy, May 20, 2007 IP
  19. papek

    #19
    I had the same problem. GoDaddy's simple panel also has the SpamAssassin program; turn it on if it's off. This solved the spam problem on my server straight away. After turning SA on I manually cleaned the accumulated spam in the mail queue (as sundaybrew also suggested) and after midnight, after the relay reset, mail started to arrive to me and I have never had the same problem since.
     
    papek, Jun 1, 2007 IP
  20. damonp

    #20
    Have a sysadmin take a look at the form and close the security hole if possible.

    Use a secure formmail script such as NMS Formmail
    http://nms-cgi.sourceforge.net/scripts.shtml

    Matt's Script Archive (most popular formmail script) even recommends it
    http://www.scriptarchive.com/nms.html
     
    damonp, Jun 6, 2007 IP