How To Stop a Spamming Server

Reading Time: 4 minutes

Protecting Your Server From Spamming

Spamming is a serious issue for your business and can take a toll on your time and resources to fix. The best way to solve this problem, of course, is to never have it in the first place. The number one way to help prevent spamming is to ensure all CMSs (like WordPress, Joomla, and Drupal) including themes, plugins are up-to-date. This may sound too simple, but there are innumerable times when an outdated plugin allows hackers to destroy an otherwise secure domain.

Another way in which you can secure against spamming is to enforce strong passwords either by manually asking or setting a configuration that forces users to have an uppercase and lowercase letter, symbol and a number in their password. In WHM, you can force password strength in Security Center >> Password Strength Configuration. Here you can require users to have at least a certain strength for all their cPanel passwords.In WHM, find Security Center and Password Strength Configuration for setting up password restrictions for all your services.

If you are a Liquid Web customer something you may want to consider is our server protection packages.

Tracking Down Who is Spamming

But let’s say the worst has already happened. How do you go about tracking down who is spamming and how the spam is being sent?

The first tool you have is in WHM under Email >> Mail Queue Manager. In WHM, locate email and Mail Queue Manager to view and manage email messages queued for delivery.

Mail Queue Manager allows you to see the email queue and discern what emails are being sent. You will be tempted to delete all the spamming emails right away, but hold off on that. First, you want to figure out who is sending it and what sort of spamming is going on: a password compromise or script spamming. While there are other ways that spamming can take place, these are the top two methods we see regarding spamming servers.

To start, you should review where the emails are coming from via the Mail Queue Manager. You will want to select a small recent period of time to review emails that were sent. Once you have those results you will want to look at the subject of the email. Ask yourself:

  • Does it sound like spam?
  • Who is it being sent to?
  • Do you know the receiver?

Once you have ascertained that the email is spam, you will want to look at the headers of the email. While the headers may look confusing we are here to break down the important parts:

The following is an example header from what a spamming email may look like:

1g8rz7-1001y8-3K-H
username  609 500
<user@domain.com>
1538853089 2
-received_time_usec .072187
-ident username
-received_protocol local
-body_linecount 241
-max_received_linelength 499
-auth_id username
-auth_sender username@domain.com 
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
user23@somedomain.com

209P Received: from username by domain.com with local (Exim 4.91)
    (envelope-from <username@domain.com>)
    id 1g8rz7-0001y8-2K
    for recepient@otherdomain.com; Sat, 06 Oct 2018 15:11:29 -0400
030T To: recepient@otherdomain.com
033  Subject: NEW SUBJECT
058  X-PHP-Script: domain.com/index.php for xxx.xxx.xxx.xxx
050  X-PHP-Originating-Script: 609:class-phpmailer.php
037  Date: Sat, 6 Oct 2018 10:11:23 +0000
041F From: username <username@domain.com>
035R Reply-To: recepient@otherdomain.com
063I Message-ID: <06a1eccf94af6ffdb9a951780deb589c@teamworkers.org>
068  X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
018  MIME-Version: 1.0
039  Content-Type: text/html; charset=UTF-8

The important parts are highlighted in blue:

-auth_id username
-auth_sender username@domain.com

and

058  X-PHP-Script: domain.com/index.php for xxx.xxx.xxx.xxx
050  X-PHP-Originating-Script: 609:class-phpmailer.php

 

A Compromised Email Account

The first two highlighted lines indicate that it was sent via an authenticated sender “username@domain.com”. If auth_sender was blank you would skip to the next section Script Spamming. If this is filled in you will want to change the password for that email account. They should also run local malware scans on any device which has access to the email account as they may have malware on their computer that stole the password. Once that has been completed, you can proceed on to the next section called Clearing Spam in the Queue.

Script Spamming

The lines below indicate the sender’s domain and that a script (class-phpmailer.php) generated the email.

058  X-PHP-Script: domain.com/index.php for xxx.xxx.xxx.xxx
050  X-PHP-Originating-Script: 609:class-phpmailer.php

From this point, you will want to find the script by searching the domain’s document root for the file name.

First, you will need to SSH into the server as root.

To find the file, you will run the following command replacing “phpmailer.php” with the name of the script you found and add the document root in for the domain (Typically this is under /home/{username}/public_html).

find /doc/root/for/the/domain -name “phpmailer.php” -type f

Once you have located the malicious file location, you will want to disable or delete it. To disable the file, you will run the following command

Important:
This may break the functionality of the website, but it will stop the spamming and is important that you do so to prevent your IP from being blacklisted.

chmod 000 /name/of/file/to/be/disabled

You will also want to check for additional malware on the account. One of the best tools to do this is Maldet. How to set up the Maldet scanner is found here.

Once you have installed the software and properly configured it, you will want to run a manual scan of a directory. To do this, you will SSH into the server and run the following command, after editing it to show the actual document root of the domain (typically this is under /home/{username}/public_html).

maldet -b -a /document/root/for/the/domain

After you have done that you can check the scan progress by running the following command

tail /usr/local/maldetect/event_log

When it has finished you can view the report by running the following replacing the x’s with the report number:

maldet --report xxxxx-xxxxx.xxxx

From here you can disable the files individually just like you did before:

chmod 000 /name/of/file/to/be/disabled

 

Clearing Spam in the Queue

After you have stopped the spamming either by changing the password for the account or by disabling the spamming script you will want to clear the queue. The first thing to do is clear the spamming emails. You will want to use the following command to clear out the potentially spamming emails replacing {email_address} with the email address that was spamming or the domain that was sending the spamming emails.

Important:
This will delete all emails related to the email address or domain.

grep -R --include='*-H' 'auth_id' /var/spool/exim/input | grep {email_address} | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3 | xargs -n 1 exim -Mrm

Once completed, you will want to clear out all the emails that have bounced back to the server, with the following command.

exim -bpr | grep '<>' | awk '{print $3}' | xargs -I % exim -Mrm %

Finally, continue to monitor the server to make sure there was not two sources of spamming but beyond this you have successfully stopped the server from spamming.

 

Refer a friend and receive hosting credit