
Author Topic: [URGENT] Mail spam source  (Read 5465 times)


Offline fossxplorer

[URGENT] Mail spam source
« on: 2014-08-18, 12:18:38 »
Unfortunately, my server has been used to send spam since 13.08.
Now my IP is blocked by many MTAs and we are stuck, as it causes huge problems for our business.

Can anyone help me to take the necessary steps to prevent this from happening?
I also need to document what steps I've taken before asking for whitelisting from many DNSBLs.

@Mustafa, any idea what i can do?
I've replaced the real IP with a fictitious one.

Rejected messages of MTA:
Remote_host_said:_550_DNSBL-rejected_zen.dnsbl
Remote host said: 554 5.7.1 Service unavailable; Client host [83.111.111.115] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=83.111.111.115

Spamhaus has a CBL block on my IP :(

From cbl.abuse.net:
IP Address 83.111.111.115 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2014-08-16 22:00 GMT (+/- 30 minutes), approximately 1 days, 12 hours, 29 minutes ago.

Update: it looks like fake sender email addresses are being used (I have many emails in the mail queue!)
Return-Path: <139byhtm@dell.com>
Received: (qmail 15451 invoked from network); 16 Aug 2014 22:40:24 -0000
Received: from unknown (HELO mail.server.com) (127.0.0.1)
  by mail.server.com with SMTP; 16 Aug 2014 22:40:24 -0000
Received: from 210.244.237.168 by (HELLO 111.111.111.111 ) (111.111.111.111) by dbzwmhziqmvouumyojhsiuj@yahoo.com.tw with cfxlnwenyl login by AOL 7.0 for Windows US sub 146 SMTP  ; Sun, 17 Aug 2014 00:23:06 +0200
Message-ID: <okqgpfweko.brnlgwdwbl831kiky@avon.com>
From: "???s??" <140ujky@nissan.com>
To: lucychang777@kcg.seed.net
Subject: ???G???????DVD?s?n??


Is there no check against fake email address/sender on Kloxo-MR?

RIGHT NOW HUNDREDS OF CUSTOMER EMAILS ARE IN THE MAIL QUEUE WITHOUT BEING DELIVERED.

Also, I'm not sure if I should request whitelisting in various places before taking the necessary preventive steps to avoid this happening again in the future.

What about Kloxo's support for external mail server? Using a non-Kloxo MTA might solve this kind of issue for me.


Any help is highly appreciated!

« Last Edit: 2014-08-18, 16:13:06 by Mella »
Kloxo-MR!

Offline Hugo

Re: [URGENT] Mail spam source
« Reply #1 on: 2014-08-18, 17:04:58 »
Hello,

First you should disable the PHP mail() function and have the websites use SMTP for forms, etc.

I'm assuming there's a script sending e-mails and that the issue is not a compromised email account.

After that, there are several things you can do to try to find that script.

lsof -c httpd is a good start if it is happening right now.
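A way to read the headers posted in the first message, as an added example written for this page (it is not code from the thread or from Kloxo-MR). It splits the Received chain into the hops our own qmail wrote and the hops the client supplied, which can be forged freely: in the sample, everything below the local hop, including the "AOL 7.0 for Windows" line and the yahoo.com.tw relay, was written by the spammer. The hop qmail wrote records the peer as 127.0.0.1 with a HELO of our own hostname, and the top line says "invoked from network": qmail-queue writes that for mail that arrived through qmail-smtpd, and "invoked by uid N" for mail injected locally through the sendmail binary. So in this case something on the box spoke SMTP to localhost (webmail, a PHP mailer library configured for SMTP, or a script), which is worth knowing before assuming that disabling mail() will stop it. The sample messages are constructed from the posted headers, with the non-ASCII subject and recipient replaced; local_host and local_ips are parameters the caller supplies, and the second sample is a contrast case showing what a remote client looks like on the same hop.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers posted in the thread (subject and
# recipient replaced). The "HELLO 111.111.111.111 ... AOL 7.0" hop is the forgery.
SAMPLE_LOCAL = """\
Return-Path: <139byhtm@dell.com>
Received: (qmail 15451 invoked from network); 16 Aug 2014 22:40:24 -0000
Received: from unknown (HELO mail.server.com) (127.0.0.1)
  by mail.server.com with SMTP; 16 Aug 2014 22:40:24 -0000
Received: from 210.244.237.168 by (HELLO 111.111.111.111 ) (111.111.111.111) by dbzwmhziqmvouumyojhsiuj@yahoo.com.tw with cfxlnwenyl login by AOL 7.0 for Windows US sub 146 SMTP  ; Sun, 17 Aug 2014 00:23:06 +0200
Message-ID: <okqgpfweko.brnlgwdwbl831kiky@avon.com>
From: "spam" <140ujky@nissan.com>
To: victim@example.net
Subject: sample

body
"""

# Constructed contrast case: same forged tail, but our MTA saw a remote client.
# That is what a stolen mailbox password used from outside looks like.
SAMPLE_REMOTE = SAMPLE_LOCAL.replace("(HELO mail.server.com) (127.0.0.1)",
                                     "(HELO laptop) (203.0.113.9)")

IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def split_received(raw, local_host):
    """Return (trusted, untrusted) Received hops, newest first.

    A hop is trusted only while every hop above it was also written by us:
    the qmail-queue line "(qmail N invoked ...)" or a line "by <local_host>".
    The first hop that is neither marks the boundary; everything after it was
    supplied by the sending client and may be forged. A forger who copies our
    own "by" line exactly would still get past this; cross-check timestamps
    against the qmail log when it matters.
    """
    msg = message_from_string(raw)
    trusted, untrusted = [], []
    for hop in msg.get_all("Received", []):
        flat = " ".join(hop.split())          # unfold continuation lines
        ours = "(qmail " in flat or f" by {local_host} " in flat
        if ours and not untrusted:
            trusted.append(flat)
        else:
            untrusted.append(flat)
    return trusted, untrusted


def classify(raw, local_host, local_ips=()):
    """How our MTA received this message, and which sender domains it claims."""
    trusted, untrusted = split_received(raw, local_host)
    qmail = next((h for h in trusted if "(qmail " in h), "")
    if "invoked from network" in qmail:
        via = "smtp"            # came in through qmail-smtpd
    elif "invoked by uid" in qmail:
        via = "sendmail"        # injected locally, e.g. PHP mail() -> sendmail binary
    else:
        via = "unknown"
    peer = None                 # address qmail-smtpd recorded for the connecting client
    for hop in trusted:
        m = IP_RE.search(hop)
        if m:
            peer = m.group(1)
            break
    if via == "sendmail" or (peer and (ipaddress.ip_address(peer).is_loopback
                                       or peer in local_ips)):
        origin = "local-injection"   # a process on this box handed us the mail
    elif peer:
        origin = "external-client"   # a remote host relayed/authenticated through us
    else:
        origin = "unknown"
    msg = message_from_string(raw)
    domains = set()
    for field in ("From", "Return-Path"):
        addr = parseaddr(msg.get(field, ""))[1]
        if "@" in addr:
            domains.add(addr.rpartition("@")[2].lower())
    return {"injected_via": via, "peer_ip": peer, "origin": origin,
            "forged_hops": untrusted, "sender_domains": sorted(domains)}


if __name__ == "__main__":
    for name, raw in (("posted sample", SAMPLE_LOCAL), ("remote contrast", SAMPLE_REMOTE)):
        print(name, classify(raw, "mail.server.com", {"83.111.111.115"}))
```

Run it over every message in the queue and group by origin and peer IP: if they all come from 127.0.0.1 the next step is the web server and webmail logs at the matching timestamps, and if they come from one remote address it is a mailbox password to reset rather than a script to find.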

Offline fossxplorer

Re: [URGENT] Mail spam source
« Reply #2 on: 2014-08-18, 18:49:46 »
Thanks for your reply.

Part of the header:
From: "?d???T" <245afx@outlook.com>
To: jany168@tpts6.seed.net
Subject: ????v????C80???_
Date: Wed, 13 Aug 2014 16:58:18 -0500
X-Mailer: Microsoft Outlook, Build 10.0.2627288
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="--702571594019944634"
X-Priority: 3
X-MSMail-Priority: Normal

Do you block PHP mail() inside the PHP settings of Kloxo?

How do I dig to find out if there are compromised email accounts?

« Last Edit: 2014-08-18, 19:07:41 by Mella »
Kloxo-MR!

Offline Hugo

Re: [URGENT] Mail spam source
« Reply #3 on: 2014-08-18, 19:49:04 »
Yes, I block the mail function inside the Control Panel's main PHP configuration; just add it to the disabled functions area.

Check your mail queue, there should be plenty of e-mails there to inspect.

Offline chrisf

Re: [URGENT] Mail spam source
« Reply #4 on: 2014-08-18, 22:05:47 »
@Mella, I find disabling the PHP mail function to be very intrusive for shared hosting, and some scripts are written using only the PHP mail function.

Use my sendmail script:
http://forum.mratwork.com/kloxo-mr-tips-and-tricks/sendmail-userid-usage-limits-(script-v1-1b)/

Not only can you restrict how many mails a user can send through PHP, you can also find the script's directory in the sendmail-limit log. Makes tracking spam scripts easy. Plus, I limit my customers to 25 mails an hour for their first couple of days. This stops spammers from getting a personal account ($1.95 a month) and ruining my IP credibility.

I ban clients instantly for spam.

I ban clients instantly for spam.

;)
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com
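A per-user limit and caller log of the kind chrisf describes, as an added example written for this page; it is not chrisf's script and not anything Kloxo-MR ships. It is meant to be installed as PHP's sendmail_path (for example sendmail_path = "/usr/local/sbin/sendmail-limit -t -i" in php.ini). That path, the location of the real sendmail binary, the state directory and the log file are all assumptions to adapt. Every call logs the calling UNIX user, the working directory (the web SAPIs chdir to the calling script's directory before running it, and the sendmail child inherits that) and, when PHP runs as CGI/FastCGI/suPHP and the CGI environment is inherited, SCRIPT_FILENAME, REQUEST_URI and REMOTE_ADDR. Then a per-user, per-hour counter is checked and the real sendmail is exec'd, or exit status 75 (EX_TEMPFAIL) is returned so that PHP's mail() returns false.

```python
#!/usr/bin/env python3
"""Per-user hourly cap and caller log for PHP's mail(), used as sendmail_path.

Added example: not chrisf's wrapper and not part of Kloxo-MR. All paths below
are assumptions for an install to adapt.
"""
import fcntl
import os
import pwd
import sys
import time

REAL_SENDMAIL = "/var/qmail/bin/sendmail"     # assumed: the real binary the wrapper fronts
STATE_DIR = "/var/spool/sendmail-limit"       # assumed: created by root, mode 1777
LOG_FILE = "/var/log/sendmail-limit.log"      # assumed: writable by the web users
HOURLY_LIMIT = 25                             # the figure chrisf uses for new accounts
EX_TEMPFAIL = 75                              # sysexits.h; PHP's mail() then returns false


def bump(state_dir, user, hour):
    """Atomically increment and return `user`'s send count for the bucket `hour`."""
    os.makedirs(state_dir, exist_ok=True)
    path = os.path.join(state_dir, f"{user}.{hour}")
    with open(path, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)       # several PHP workers may send at once
        fh.seek(0)
        data = fh.read().strip()
        n = int(data) + 1 if data.isdigit() else 1
        fh.seek(0)
        fh.truncate()
        fh.write(f"{n}\n")                   # "a+" writes at the (now empty) end
    return n


def allowed(state_dir, user, hour, limit):
    """True if this send keeps `user` at or under `limit` messages in `hour`."""
    return bump(state_dir, user, hour) <= limit


def caller_info(environ, cwd):
    """One log-line fragment describing who called us.

    cwd is the calling PHP script's directory. The CGI variables exist only
    under CGI/FastCGI/suPHP; under mod_php they are usually absent, and the
    directory is then the only lead.
    """
    fields = {"pwd": cwd}
    for key in ("SCRIPT_FILENAME", "REQUEST_URI", "REMOTE_ADDR", "HTTP_HOST"):
        if key in environ:
            fields[key] = environ[key]
    return " ".join(f"{k}={v}" for k, v in sorted(fields.items()))


def main(argv):
    user = pwd.getpwuid(os.getuid()).pw_name
    hour = time.strftime("%Y%m%d%H")
    ok = allowed(STATE_DIR, user, hour, HOURLY_LIMIT)
    with open(LOG_FILE, "a") as log:
        log.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')} user={user} "
                  f"{'ok' if ok else 'REJECTED'} {caller_info(os.environ, os.getcwd())}\n")
    if not ok:
        sys.stdin.read()                     # drain the message PHP is piping to us
        return EX_TEMPFAIL
    os.execv(REAL_SENDMAIL, [REAL_SENDMAIL] + argv)   # hand the message to the real MTA


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Two design points worth knowing before relying on this: the counter files are created by each web user in a shared directory, so a user could pre-create a file under another user's name; keying by uid and running the wrapper setgid with a private state directory closes that. The hourly files accumulate and need a cron cleanup. A REJECTED line in the log with its pwd is the same lead chrisf uses to locate a spamming script.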

Offline Hugo

Re: [URGENT] Mail spam source
« Reply #5 on: 2014-08-18, 22:14:40 »
Thank you chrisf !

I will check your script!

Offline fossxplorer

Re: [URGENT] Mail spam source
« Reply #6 on: 2014-08-19, 12:43:12 »
Yes, I agree that would be a drastic limitation, which isn't feasible.
Thanks a lot, I'll take a look at your script and put it into production.
Kloxo-MR!

Offline fossxplorer

Re: [URGENT] Mail spam source
« Reply #7 on: 2014-09-05, 12:51:22 »
@chrisf, I followed your guide and installed the sendmail wrapper; it seems OK.
But the test mail script did output "sent test email :)" and I got no email in my inbox.

Also, I see this for some emails the server is trying to deliver:
Sep  5 12:49:12 mail send: 1409914152.319526 delivery 2832: deferral: User_and_password_not_set,_continuing_without_authentication./<8162ct@gmail.com>_173.194.66.26_failed_after_I_sent_the_message./Remote_host_said:_421-4.7.0_[33.11.111.111______15]_Our_system_has_detected_an_unusual_rate_of/421-4.7.0_unsolicited_mail_originating_from_your_IP_address._To_protect_our/421-4.7.0_users_from_spam,_mail_sent_from_your_IP_address_has_been_temporarily/421-4.7.0_rate_limited._Please_visit/421-4.7.0_http://www.google.com/mail/help/bulk_mail.html_to_review_our_Bulk/421_4.7.0_Email_Senders_Guidelines._o4si2423813wix.94_-_gsmtp/



AND STILL MY SERVER IS SENDING OUT SPAM I DON'T HAVE CONTROL OVER.


@mustafa, any idea how to fix this, as my IP is being blocked by many MTAs and I can't reach my customers!

Is it safe to use Spamdyke option "Reject Servers With IP Address In RDNS Names" without risking to reject too many wanted emails?
« Last Edit: 2014-09-05, 14:13:05 by Mella »
Kloxo-MR!
