Okay so on my VPS someone keeps sending out spam on my server and I get numerous complaints from my host threatening to shut my VPS down. I was told to run

iptables -A INPUT -p tcp -i eth0 --dport 25 -j REJECT

to stop these spammers and it seems to stop it for a couple of weeks but then I start getting the spam complaints again from my host. So if you know how to block these spammers then please help me.

VPS Operating System: CentOS 5.3
Do you use a control panel with your VPS? It could also be that there is a compromised script on the server that is sending out email using the localhost connection.
Here is one of the emails I am receiving from my host.

Return-Path: <no-reply@totalfd.com>
Received: from mtain-ma06.r1000.mx.aol.com (mtain-ma06.r1000.mx.aol.com [172.29.96.14]) by air-mb04.mail.aol.com (v127_r1.1) with ESMTP id MAILINMB044-a2c34ba1f59b323; Thu, 18 Mar 2010 05:42:52 -0500
Received: from mta01.eastlink.ca (mta01.eastlink.ca [24.224.136.8]) by mtain-ma06.r1000.mx.aol.com (Internet Inbound) with ESMTP id EAA713800008C; Thu, 18 Mar 2010 05:42:49 -0400 (EDT)
Received: from ip03.eastlink.ca ([unknown] [24.222.39.36]) by mta01.eastlink.ca (Sun Java(tm) System Messaging Server 7u3-12.01 64bit (built Oct 15 2009)) with ESMTP id <0KZH00GFP1NHPMA0@mta01.eastlink.ca>; Thu, 18 Mar 2010 06:42:53 -0300 (ADT)
Received: from mail1.xcelco.on.ca ([206.132.48.24]) by ip03.eastlink.ca with ESMTP; Thu, 18 Mar 2010 06:51:07 -0300
Received: from www1.xcelco.on.ca (www1.xcelco.on.ca [206.132.48.23]) by mail1.xcelco.on.ca (Postfix) with ESMTP id 10D1581C9A2; Thu, 18 Mar 2010 05:42:21 -0400 (EDT)
Received: from 193.200.164.27 ([193.200.164.27]) by webmail.xcelco.on.ca (IMP) redacted@imap.xcelco.on.ca
Date: Thu, 18 Mar 2010 05:42:40 -0400
From: Total Foundation <no-reply@totalfd.com>
Subject: Confirm Receipt (Contact David Mark:-davidmarktfd01@yahoo.cn)
X-Originating-IP: 193.200.164.27
To:
Message-id: <1268905360.4ba1f59091a93@webmail.xcelco.on.ca>
MIME-version: 1.0
Content-type: text/plain; charset=iso-8859-1
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AtoWAEeSoUvOhDAYhWdsb2JhbACPBIwoFQEBAQoLCgUVIQGGE7FfhHgEjlQC
X-IronPort-AV: E=Sophos;i="4.51,265,1267416000"; d="scan'208";a="570328468"
User-Agent: Internet Messaging Program (IMP) 3.2.5
x-aol-global-disposition: S
x-aol-sid: 3039ac1d600e4ba1f5992319
X-AOL-IP: 24.224.136.8
Content-Transfer-Encoding: quoted-printable
X-Mailer: Unknown (No Version)
I get this output:

This host was recently tested with an anonymous test. The host couldn't be reached for testing.
This code:

iptables -A INPUT -p tcp -i eth0 --dport 25 -j REJECT

You mention it works for a couple of weeks, then the spam starts up again. Have you implemented the code more than once? Has your server been rebooted between the time you implemented that and when you started getting complaints again? One possibility is that the server has been rebooted, and purged that iptables entry. If you use this command, do you see anything about port 25?

sudo iptables --list

Another possibility is that someone has privileged access to your VPS and is going in to remove the iptables entry themselves.

In a nutshell here, the first thing you want to do is find out whether the continued abuse is due to that entry being dropped somehow, or whether they're working around it on another port.
Hmm I do restart my server sometimes so I guess when I restart it that the iptables entry goes away. So I guess after every restart I need to run that command. And when I do

sudo iptables --list

I get

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp
REJECT     tcp  --  anywhere             anywhere            tcp dpt:smtp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:smtp reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
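The two posts above boil down to one check: after a reboot, is a DROP/REJECT rule for TCP port 25 still present, and in which chain? The script below is an added example written for this thread, not something either poster ran. It parses `iptables -L -n` style output (a constructed sample modelled on the listing above is embedded so it runs offline; pass `--live` to read the real table) and counts port-25 block rules per chain. An `-A INPUT --dport 25` rule only affects connections arriving at this host; mail sent by a script on the box itself leaves through the OUTPUT chain, which the script reports separately so the gap is visible.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -n` output, modelled on the thread's listing.
# With -n, "dpt:smtp" shows as "dpt:25"; the matcher below accepts both forms.
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# smtp_rule_count CHAIN [LISTING]
# Prints the number of DROP/REJECT rules matching TCP destination port 25 in CHAIN.
# LISTING defaults to the constructed sample above.
smtp_rule_count() {
  chain="$1"
  listing="${2:-$SAMPLE}"
  printf '%s\n' "$listing" | awk -v chain="$chain" '
    /^Chain /                       { cur = $2; next }          # track which chain we are in
    cur == chain &&
      ($1 == "DROP" || $1 == "REJECT") &&
      /dpt:(25|smtp)( |$)/          { n++ }                     # a blocking rule on port 25
    END                             { print n + 0 }'
}

# report_listing [LISTING]
# Human-readable summary of where port-25 blocking rules exist.
report_listing() {
  listing="${1:-$SAMPLE}"
  in_rules=$(smtp_rule_count INPUT "$listing")
  out_rules=$(smtp_rule_count OUTPUT "$listing")
  echo "INPUT  chain: $in_rules rule(s) blocking TCP port 25 (inbound SMTP to this host)"
  echo "OUTPUT chain: $out_rules rule(s) blocking TCP port 25 (this host connecting to remote SMTP)"
  if [ "$in_rules" -eq 0 ]; then
    echo "warning: no inbound port-25 block rule present (rule lost, e.g. after reboot?)"
  fi
  if [ "$out_rules" -eq 0 ]; then
    echo "note: nothing here stops a local process from sending mail out; check OUTPUT/mail logs"
  fi
}

# Stand-alone run: use the live table with --live (needs root), otherwise the sample.
if [ "$1" = "--live" ]; then
  report_listing "$(iptables -L -n)"
else
  report_listing
fi
```

On CentOS 5 the running rules are lost at reboot unless they are written to /etc/sysconfig/iptables with `service iptables save` and the iptables service is enabled, so a zero count for INPUT right after a reboot is the first thing this check will surface; a zero count for OUTPUT means the rule never addressed mail originating on the server, which is the compromised-script case raised earlier in the thread.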
Have you run that command between your last reboot and the time you got that output? If you haven't, it doesn't look like they're using what that code blocks, because there are DROP/REJECT entries for SMTP.
I have run the command within the time of the last reboot. Ugh, I don't know what to do, my host just shut down my VPS...