How to correct and/or prevent a spamming problem?
December 22, 2005 11:34 AM

Spamhaus says my server is a spammer. How do I check to see if this is true and if it is, how do I stop it? Barring that, how can I prevent spamming in the future?

We're running a dedicated server, with Apache 2.0.

I am NOT Unix savvy. I have this position as webmaster by default, so please don't get too techy with me. Yes, I can learn stuff and if you want to point me to educational sources, that's fine.

Yes, I have root access and we're using plesk 6.0 as a control panel, qmail as the email server. The server is hosted by Aplus.net and is not in our physical care.

The good news is that in the midst of writing this post, Aplus.net informed us that the spamming machine, which wasn't ours, has been stopped, we're not in trouble and that they've sent the delist request to Spamhaus.

But it has still exposed a weakness in webmaster-kungfu. What do I need to learn and where?
posted by anonpeon to Computers & Internet (6 answers total)
 
It sounds like spamhaus screwed up, not you. They probably blocked the whole subnet that your box was on.

Most mail servers come secured by default now, so it's very unlikely that you had been abused as an open relay.
posted by delmoi at 11:38 AM on December 22, 2005


Spamhaus says the same thing about my mailserver, which is hosted by my ISP. What a bummer.
posted by k8t at 11:50 AM on December 22, 2005


It's also possible that you are running an insecure version of an application that a spammer exploited to gain root-level access, which they then used to install a rootkit, spamming software, DDoS software, etc.

When I ran my own Linux server, I ran into this problem no less than three times within a year. Each time I had to back up my data, re-install Debian and upgrade everything. It was truly a pain in the ass. My sysadmin skills are pretty weak, so I opted to give up my dedicated server and go with a shared hosting plan where I don't have to worry about OS-level security or keeping software up to date to prevent hackers from exploiting vulnerable software.

But I agree with the previous answers. If your hosting provider says the culprit machine was not yours, then you're likely in safe water and now just have to deal with the Spamhaus listing your hosting provider's block of IP numbers as sources of spam.
posted by camworld at 12:01 PM on December 22, 2005


Just remove your IP from their database. See website -

http://www.spamhaus.org/
posted by lpctstr; at 1:04 PM on December 22, 2005


The A1 method of seeing if you're a spammer due to application misconfiguration is to keep at least a cursory eye on the logs generated by your mail server and your apache server. You almost don't even need to read the things, just see if they suddenly get huge.

If someone tells you that you're a spammer (for instance spamhaus), you need to be given a copy of a spam that purportedly came from or traversed your server. The way to tell if it's true is if the mail server that comes AFTER your mail server in the headers is reliable enough to believe that it got the spam from you. Also, it's possible that you're sending emails out to your customers or partners that one or more of them have decided are unsolicited, and rather than unsubscribing, they reported you as a spammer (that happens a lot).

If the spam originated from your machine, and your application logs are clean, then it is possible that you have some kind of worm/rootkit problem to solve.

If the mail merely traversed your machine (it's not the first hop in the email headers), you probably have a mail misconfiguration or cgi form problem. (In some cases, you cannot trust the headers.) You can get help learning how to read email headers here or from your ISP. Odds are that a problem like this would be caused by a cgi script that you installed. Break the script (move it out of the cgi-bin directory) until you can figure out the problem.

All of this advice so far assumes that you know your own IP address.

Another point to remember is that there are a billion different DNS-based spam blacklists, and they're not all created equally. Some blacklists are completely impossible to get removed from. The good news is that most people ignore those lists. If you find yourself getting bounces again, go punch your IP into some blacklist searching tools like OpenRBL or DNS Stuff, and see how many "real" blacklists have you on there.

Also, I'm not sure how worried I'd be if I was on Spamhaus, to be honest, as I don't think that many people use it anymore.

Another good resource for figuring out if you are a spammer is the bandwidth-consumption reports from your ISP. If your bandwidth graph spikes up to 10mb/s and stays there (and you were not slashdotted), you might be having an issue.

As far as preventing yourself from being a spammer in the future, the best course is to:
1) make sure your server and application patches and versions are up to date. This is sometimes as easy as running "up2date" or something similar from cron.
2) Have someone who knows qmail give your configuration a looking over.
3) Don't make forms that send an email to someone (like to sign up for stuff) if you can avoid it.

Good Luck!
posted by popechunk at 1:34 PM on December 22, 2005
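The header test popechunk describes, as an added example that is not part of this thread: given a copy of the spam, walk its Received headers from the bottom (first hop) upward, decide whether your server's IP originated the mail or merely relayed it, and report the server that claims to have taken it from you, plus the reversed-octet name you would look up in a DNS blacklist. The message, hostnames, IP addresses and the DNSBL zone name are constructed placeholders, not taken from the thread.

```python
import re
from email import message_from_string

# Constructed sample (not a real capture). Received headers are stacked in
# reverse chronological order, so the bottom one records the first hop.
SAMPLE_SPAM = """\
Received: from mx.bigisp.example (mx.bigisp.example [198.51.100.7])
\tby mail.recipient.example with ESMTP; Thu, 22 Dec 2005 10:02:11 -0500
Received: from ourbox.example ([203.0.113.10])
\tby mx.bigisp.example with SMTP; Thu, 22 Dec 2005 10:02:09 -0500
Received: from unknown (HELO user) (192.0.2.55)
\tby ourbox.example with SMTP; Thu, 22 Dec 2005 10:02:07 -0500
From: somebody@example.net
To: victim@recipient.example
Subject: cheap stuff

body
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw_message):
    """IPv4 address in the 'from' clause of each Received header, earliest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        # Keep only the 'from ...' clause; the 'by' side names the receiving host.
        from_clause = re.split(r"\s+by\s+", hdr, maxsplit=1)[0]
        m = IPV4_RE.search(from_clause)
        if m:
            hops.append(m.group(1))
    hops.reverse()  # bottom header (first hop) comes first
    return hops

def classify(raw_message, our_ip):
    """Return (verdict, next_hop). 'originated': our_ip is the first hop;
    'relayed': it appears later, so the mail only traversed us; 'absent': never
    named. next_hop is the server claiming it received the mail from us."""
    hops = received_hops(raw_message)
    if our_ip not in hops:
        return "absent", None
    i = hops.index(our_ip)
    next_hop = hops[i + 1] if i + 1 < len(hops) else None
    return ("originated" if i == 0 else "relayed"), next_hop

def dnsbl_query_name(ip, zone):
    """Name to resolve (A record) to test ip against a DNSBL zone: octets
    reversed, zone appended. The zone here is a placeholder; no lookup is done."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

For the constructed message, `classify(SAMPLE_SPAM, "203.0.113.10")` reports that our box only relayed the mail and that 198.51.100.7 is the server vouching for that, which is exactly the "not the first hop, check relay or cgi form configuration" branch of the answer above.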


"The server is hosted by Aplus.net and is not in our physical care."

That might be it right there. Aplus.net are apparently quite lax on spammers. I have been getting spam from them on & off for a couple of years, in addition to cold-call phone spam from aplus.net salesdroids. As soon as I mention "Do Not Call" list, they try to claim it's a "business to business" call or that I had requested information. Both are BS. I own a web hosting provider. I do not need any services from Aplus.net. They were scouring WHOIS records for phone numbers to spam.

But, you might be stuck. spamhaus/spews/etc often block large blocks of IP addresses. I think that anyone that uses those lists to *reject* email is an idiot. Tooooo much collateral damage.
posted by drstein at 9:36 PM on December 22, 2005

