[BlueOnyx:13506] R: Re: Mailing Spam Issue

Marcello Torchio lellozone at gmail.com
Fri Aug 9 14:24:44 -05 2013


Hi Chris,

thanks for your response.

I'm sure that on my BO server different instances of Joomla, WordPress or
similar CMS sites are running.

I'm running two scripts in cron to monitor mail queue status.

The first one runs every 5 minutes and mails me if the mail queue size goes
over the 200 messages threshold.

The second script runs at 4:00 AM and makes stats of delivered/received mail
from the server.

This is useful, for example, to see if there is strange traffic at unusual
hours.

Honestly, I have tried to grep for information about POST actions on websites but
found nothing of interest.

I'm also running the free version of dfix to prevent some types of attacks.

Now I have tuned the Av-Spam settings to a lower value for rejecting mails.

If I discover something I'm going to write to the list.

Thanks

Best regards

-----Original message-----
From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On behalf of Chris Gebhardt -
VIRTBIZ Internet
Sent: Friday, 9 August 2013 14:44
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:13500] Re: Mailing Spam Issue


On 8/8/2013 12:40 AM, Marcello Torchio wrote:
> Hi everybody,
>
> I'm having trouble on my BO boxes with SPAM issues.
>
> Sometimes it happens that at the beginning of the month my customers 
> receive spam mails from themselves.
>
> The mail, if analyzed in source code, contains the same FROM and TO fields 
> (e.g. the mail of a customer) but a different address in the return-path.
>
> The mails are incoming from outside servers and they are not sent 
> through my servers.
>
> On the servers I'm running different tools to check mailq size and mail 
> stats to analyze if there are possible outgoing SPAM issues, but it 
> does not seem to be.
>
> I don't understand why, at the beginning of the month, a lot of 
> customers receive these mails.
>
> Has someone else had a similar experience?
>
> Could it be a "normal" SPAM issue?

Hi Marcello,
You are not talking about the barely-usable "Mail Queue Manager" in 
cPanel, are you? I've never found that feature to be anything but slow 
and useless, especially in the event of a spam outbreak.

On a BlueOnyx server, I'd immediately like to take a look via CLI.

First off, you can view your mailq like this:
# mailq

That's it.  That will print a list of everything that is in the mailq. 
It will even give you the message ID numbers, which will look something like
this:  "r76Ib2wt003915"

From there, you can grep for the message ID in the maillog like this:
grep "r76Ib2wt003915" /var/log/maillog

And that will print to screen every instance of that message ID that has
been logged.

From what you have said about the spam problem that you are having, my
advice would be to look for a web script that is being exploited.  For
whatever reason, I've seen a lot of Joomla exploits lately, and they all
happen to be on our cPanel servers.  I don't know what the connection 
is. Maybe it's because many of our BlueOnyx hosting customers are 
using something other than Joomla? Who knows. At any rate, similar 
problems have been seen across the board without regard to control panel.

BlueOnyx makes it very easy to find the problem because of the shared 
httpd access log. You can tail a single log file and see activity for 
all the sites hosted on the box.

Better yet, if you already know the domain that is the source of the
problem, you can further narrow the search.

I would be looking for POST commands.  You can tail the log and pipe to grep
for easy diagnosis like this:

tail -f /var/log/httpd/access_log | grep "POST" | grep "domain.tld"

Of course you want to replace domain.tld in the above example with the
actual domain.

If the problem is ongoing, you'll be sure to find it because you'll see a
particular URL getting hit with a POST command over and over, likely from a
handful of IP addresses.

Or if the problem is not ongoing, and you want to just search past entries,
then you just modify the command a bit to eliminate the tail:

grep "domain.tld" /var/log/httpd/access_log | grep "POST"

I hope that helps get you on your way a bit.

--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated www.virtbiz.com | toll-free (866)
4 VIRTBIZ
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx