How to stop a spammer who is using php to send mass mail

turnkey

New member
Ok, I had this problem this morning and found a really quick way to stop it. It was not quick until I learned how to do this.

1. If you see a lot (A LOT) of exim and sendmail processes in your top output and suspect somebody is sending out mass mail, you can do the following:

Note: if you have phpsuexec enabled it should show the user in the top process list, but for the rest of us who do not know it well enough to run it, it will show as user nobody.

Step 1.
disable exim

chmod 000 /usr/sbin/exim

Step 2.
watch the httpd error logs

tail -f /etc/httpd/logs/error_log

You will start to see a lot of permission denied errors. It will show which file and which user are causing the spike on your server.

Then go to their directory and look at the file and see what they are doing.

In my case, a user was sending out 50,000 emails.

I suspended his account in WHM, moved all his php scripts to an off-line directory/drive and removed the files from his web site.

Now, once you have determined whether the user is spamming or sending out mass mail, use your best judgment to determine if you should delete the account or not.

I hope this helps, I spent 4+ hours working on this until I figured out this quick and dirty way to determine who is causing the problem.
 
oh, when you are done and things are back to normal:

chmod 755 /usr/sbin/exim

We want to be able to send mail once the spammer is off the server
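The procedure above (hold exim at mode 000, then read the permission denied errors out of the Apache error_log) works, but on a busy box the tail -f scrolls too fast to read. The script below is an added example, not code from the poster: it parses the error_log text and ranks the PHP scripts whose mail() calls are failing, so the account stands out by count. It assumes the cPanel layout /home/<user>/public_html/... and that /usr/sbin/sendmail is the symlink to exim; the log lines inside it are constructed samples, not output captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the forum post.  While /usr/sbin/exim is held at
# mode 000 (the poster's Step 1), every PHP mail() call fails and Apache logs the
# failure together with the script path.  mail_callers ranks those paths.
# Assumes cPanel's /home/<user>/public_html/... layout; the sample log below is
# constructed, not captured from a real server.

# Mode 000 on the transport binary stops ALL outbound mail, legitimate mail
# included, so keep the window short and restore the mode afterwards.
hold_exim()    { chmod 000 "${1:-/usr/sbin/exim}"; }
release_exim() { chmod 755 "${1:-/usr/sbin/exim}"; }

# Read Apache error_log text on stdin, print "count user script" for each PHP
# script whose mail() call failed, busiest first.  The user is taken from the
# /home/<user>/ prefix; "?" if the path is not under /home.
mail_callers() {
    grep 'mail()' \
      | sed -n 's/.* in \(\/[^ ]*\) on line [0-9]*.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ n = split($2, p, "/"); u = (p[2] == "home" && n > 2) ? p[3] : "?"; print $1, u, $2 }'
}

# Constructed sample log: the "Permission denied" lines are what the poster sees
# in tail -f, the PHP Warning lines are the ones that carry the script path.
SAMPLE_LOG='[Mon Jan 01 10:00:01 2007] [error] [client 203.0.113.5] PHP Warning:  mail(): Could not execute mail delivery program "/usr/sbin/sendmail -t -i" in /home/alice/public_html/mailer.php on line 42
[Mon Jan 01 10:00:01 2007] [error] sh: /usr/sbin/sendmail: Permission denied
[Mon Jan 01 10:00:02 2007] [error] [client 203.0.113.5] PHP Warning:  mail(): Could not execute mail delivery program "/usr/sbin/sendmail -t -i" in /home/alice/public_html/mailer.php on line 42
[Mon Jan 01 10:00:02 2007] [error] sh: /usr/sbin/sendmail: Permission denied
[Mon Jan 01 10:00:03 2007] [error] [client 198.51.100.2] PHP Warning:  mail(): Could not execute mail delivery program "/usr/sbin/sendmail -t -i" in /home/bob/public_html/contact.php on line 17
[Mon Jan 01 10:00:03 2007] [error] sh: /usr/sbin/sendmail: Permission denied
[Mon Jan 01 10:00:04 2007] [error] [client 203.0.113.5] PHP Warning:  mail(): Could not execute mail delivery program "/usr/sbin/sendmail -t -i" in /home/alice/public_html/mailer.php on line 42
[Mon Jan 01 10:00:04 2007] [error] File does not exist: /home/bob/public_html/favicon.ico'

# Busiest script in the sample; on a live box use something like
#   tail -n 5000 /etc/httpd/logs/error_log | mail_callers | head
top_mail_caller() { printf '%s\n' "$SAMPLE_LOG" | mail_callers | head -n 1; }

printf '%s\n' "$SAMPLE_LOG" | mail_callers
```

With phpsuexec off, every process shows as nobody, which is exactly why the script path in the warning, not the process owner, is the thing to count. One account with a high count is the usual mass-mailer; several accounts with a handful each is more likely a compromised contact form being abused from outside, so check the script before suspending.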
 
For those of you that use qmail as your mail server, if you are getting mailbombed (not spam being sent from your server, but getting a mailbomb sent to your server):

grep Blocked /var/log/maillog | awk -F: '{print $5}' | awk '{print $1}' | sort | uniq -c | awk '{print $1": "$2}' | sort -n


This will result in a list of IPs. Block the ones with the most sent mail with iptables.


run that command.
 
Now that is cool, this might work with exim too, as I am pretty positive that if you replace maillog with exim_mainlog you should be able to apply this practice with cPanel also.
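The grep/awk pipeline in the qmail post depends on the colon-separated field positions of one particular log format, which is why it may or may not carry over to exim_mainlog. The script below is an added example, not code from either poster: it generalizes the pipeline by taking the first IPv4 address near a keyword on each line, so the same function can be pointed at whichever log your MTA writes. The sample lines are constructed in an assumed syslog style, not captured from qmail; the keyword "Blocked" is the one from the post, and "rejected" for exim is an assumption about exim's reject lines.

```shell
#!/bin/sh
# Added example, not from the forum post.  Counts blocked/rejected sources in a
# mail log by matching the IP with a pattern instead of by field position.
# Sample lines are constructed, not real qmail output.

# blocked_sources [keyword]  -  read a mail log on stdin, print "count ip",
# busiest source first.  Prefers an address after the keyword (qmail style,
# "Blocked: 1.2.3.4"); falls back to the first address on the line, which is
# where exim puts it ("H=host [1.2.3.4] ... rejected ...").
blocked_sources() {
    awk -v kw="${1:-Blocked}" '
        BEGIN { ip = "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" }
        index($0, kw) {
            s = substr($0, index($0, kw))
            if (!match(s, ip)) { s = $0; if (!match(s, ip)) next }
            print substr(s, RSTART, RLENGTH)
        }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# block_rules min_count  -  turn the count list (stdin) into iptables DROP rules
# for every source at or above min_count.  Printed, not executed: review the
# list first, since a busy legitimate relay can also end up near the top.
block_rules() {
    awk -v min="$1" '$1 >= min { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Constructed sample maillog in an assumed syslog layout.
SAMPLE_MAILLOG='Jan  1 10:00:01 mx smtpd[4101]: Blocked: 198.51.100.7 listed in rbl.example.test
Jan  1 10:00:02 mx smtpd[4102]: Blocked: 198.51.100.7 listed in rbl.example.test
Jan  1 10:00:02 mx smtpd[4103]: delivery 12: success: 203.0.113.9 accepted message
Jan  1 10:00:03 mx smtpd[4104]: Blocked: 203.0.113.9 listed in rbl.example.test
Jan  1 10:00:04 mx smtpd[4105]: Blocked: 198.51.100.7 listed in rbl.example.test'

top_blocked()      { printf '%s\n' "$SAMPLE_MAILLOG" | blocked_sources | head -n 1; }
rules_for_sample() { printf '%s\n' "$SAMPLE_MAILLOG" | blocked_sources | block_rules 2; }

printf '%s\n' "$SAMPLE_MAILLOG" | blocked_sources
```

Live usage would be `blocked_sources < /var/log/maillog` for qmail and, assuming exim marks its refusals with the word "rejected", `blocked_sources rejected < /var/log/exim_mainlog`; pipe the result through `block_rules N` and read the rules before running them. iptables rules added this way are gone after a reboot, which is fine for a mailbomb that is happening right now.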
 