How to stop being a spam dupe
May 21, 2007 12:16 PM
My virtual server has been hijacked - I'm getting around 1000 bounced message notifications an hour. My sys admins seem fairly useless and likely will not get back to me anytime soon... is there anything I can do to stop the spam going out over my network? It's the usual apache/linux setup. thanks.
Are you sure the original messages are going out over your server? It could be that the original message was spoofed making the sender look like you@yourdomain.com. This has happened to me a few times and my server wasn't being used to send the original spam.
posted by chillmost at 12:23 PM on May 21, 2007
shoot me an email.. serverhelp-magwich at vtwireless dot kom.
posted by SirStan at 12:27 PM on May 21, 2007
Response by poster: How can I tell if it's going out over my server or if my domain is just being spoofed?
posted by magwich at 12:28 PM on May 21, 2007
chillmost is right; that's probably what's happening. As long as you're not running an open relay (check) or some poorly written PHP mail script, there's nothing much you can do.
posted by sbutler at 12:30 PM on May 21, 2007
I should mention that I get some of this on my personal domain (not nearly 1,000 an hour though). I used to just have all my undeliverable mail dumped to my inbox, but that became unfeasible. Now I have postfix set with the luser_relay to sbutler-junk, and then in my home directory a .forward-junk delivering all undeliverable mail to the appropriate folder.
Has helped a lot, especially with the bounces.
posted by sbutler at 12:38 PM on May 21, 2007
With that quantity of mail, it sounds like someone is exploiting a PHP script on your webserver. You need to go through your scripts carefully, folder by folder, and upgrade them to newer, more secure versions. It's best to actually wipe out the directory and then upload the latest versions; that way you remove any extra PHP files that have been used.
I had a similar situation happen with vbulletin. I had left an importing utility on the server that someone was exploiting.
posted by fcain at 1:28 PM on May 21, 2007
Check /var/log/mail.log, /var/log/exim/mainlog, or whatever is appropriate for your OS/MTA/syslog.conf and see if your system's actually sending these messages (at least through normal channels). Also at least *some* of the bounces should include enough information to see if you're actually the sender.
Bounces from mails you didn't send *can* be filtered out, but how easy it is depends on your MTA and experience.
posted by Freaky at 2:45 AM on May 22, 2007
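Freaky's point about reading the bounces themselves, as an added example that is not from the thread: the code below pulls the original message (or its header block) out of a delivery status notification and checks whether any Received: header names our own server. OUR_HOSTS and the sample bounces are constructed values, not anything from the poster's setup.

```python
"""Classify a bounce: did the original really leave through our MTA, or was
our domain merely used as a spoofed sender (a joe-job)?"""
import email
from email import policy

OUR_HOSTS = {"mail.example.com", "192.0.2.10"}  # assumed names of our server

def original_from_bounce(bounce):
    """Return the original message or its header block embedded in a DSN, else None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def passed_through_us(original, our_hosts=OUR_HOSTS):
    """True if a Received: hop names one of our hosts (plain substring match)."""
    return any(host in rcvd for rcvd in original.get_all("Received", [])
               for host in our_hosts)

def classify_bounce(raw):
    """'sent-via-us' (go hunt the script in mail.log), 'spoofed', or 'no-original'."""
    bounce = email.message_from_string(raw, policy=policy.default)
    original = original_from_bounce(bounce)
    if original is None:
        return "no-original"
    return "sent-via-us" if passed_through_us(original) else "spoofed"

# Constructed sample DSN; {received} is the first hop of the bounced original.
BOUNCE_TEMPLATE = """\
From: MAILER-DAEMON@remote.example.net
To: user@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/rfc822-headers

Received: {received}
    by mx.remote.example.net with ESMTP
From: user@example.com
To: victim@remote.example.net

--B1--
"""
SPOOFED = BOUNCE_TEMPLATE.format(received="from dsl-pool-3 (unknown [203.0.113.77])")
REAL = BOUNCE_TEMPLATE.format(received="from mail.example.com (mail.example.com [192.0.2.10])")
```

If most bounces classify as "spoofed", the server is a joe-job victim and the fix is filtering backscatter; if they come back "sent-via-us", grep mail.log for the matching queue IDs to find the script doing the sending.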
Also, is this coming from your server or were you joe-jobbed?
posted by SpecialK at 12:22 PM on May 21, 2007