spamfu
Summary
TLDR: This presentation provides an in-depth guide to identifying and resolving spam issues on Exim cPanel servers, focusing on command-line utilities and log analysis. It covers common causes of spam, such as compromised SMTP logins, malicious scripts, and dark mailers. The presenter emphasizes troubleshooting without over-relying on automated scripts, and offers practical tips for tracking down the source of spam, cleaning the mail queue, and addressing server overload. The presentation also includes recommendations for enhancing security through password management and preventive measures against future spam incidents.
Takeaways
- 😀 Spam can originate from various sources like compromised email accounts, malicious scripts, legitimate script abuse, or dark mailers.
- 😀 Exim provides several useful command-line utilities, such as `exim -bp` to list mail queues and `exim -Mvh` to view message headers, which help identify spam.
- 😀 When investigating spam, focus on patterns in the sending IDs, message IDs, and subjects to identify spammy characteristics.
- 😀 Identifying a compromised email account involves looking for the authenticated login recorded on the message's arrival line in the Exim log (the `A=courier_login:user@domain` field), which shows whose mailbox credentials were used to send the spam.
- 😀 If the spam originates from a script, the log shows the `local` protocol (`P=local`) and the submitting user (`U=`) is typically `nobody` or a system user rather than a mailbox.
- 😀 If you find spam from an email account, lock the account, change the password, and check the billing information to verify whether the user is responsible for the issue.
- 😀 When dealing with script spam, identify the directory where the malicious script resides and use `grep` to track down the script responsible.
- 😀 If a legitimate script is sending spam, inform the customer about the issue, secure the script, and re-enable it once it’s fixed.
- 😀 For malicious scripts, it's best to disable the offending file or directory and clean the mail queue to prevent further spam.
- 😀 Dark mailers are difficult to detect unless they are running, but checking connections to Port 25 with `lsof` can help uncover them if they are sending mail outside of Exim.
- 😀 To prevent future spam, use SMTP Tweak (WHM) or SMTP_BLOCK (CSF) to restrict outbound connections to port 25 so that only Exim can send mail from the server.
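The takeaways above describe reading the arrival lines of the Exim main log to separate SMTP-authenticated spam (a stolen mailbox password) from locally injected spam (a script calling sendmail). The script below is an added example, not code from the presentation, that does exactly that over a few constructed log lines. It assumes the cPanel convention of writing a `cwd=<dir> N args: ...` line immediately before each locally injected message, and the standard Exim arrival-line fields `A=<authenticator>:<login>`, `P=<protocol>`, `U=<user>` and `T="<subject>"`; the log, message IDs and addresses are made up for the example.

```sh
#!/bin/sh
# Added example: classify cPanel-style exim_mainlog arrival lines by source.
# Assumption: cPanel logs "cwd=<dir> N args: ..." on the line just before a
# locally injected message, so the working directory is attached to the next
# "<=" line. The sample log is constructed, not captured from a server.

SAMPLE_LOG='2024-03-01 10:00:01 1rXaaa-0001Qz-9M <= alice@example.com H=(pc) [203.0.113.5]:51234 P=esmtpa A=courier_login:alice@example.com S=2345 T="Cheap meds" for v1@example.org
2024-03-01 10:00:02 cwd=/home/acct1/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:02 1rXaab-0001R2-Aa <= nobody@srv.example.com U=nobody P=local S=1200 T="You won" for v2@example.org
2024-03-01 10:00:03 1rXaac-0001R5-Bb <= alice@example.com H=(pc) [203.0.113.5]:51235 P=esmtpa A=courier_login:alice@example.com S=2345 T="Cheap meds" for v3@example.org
2024-03-01 10:00:04 cwd=/home/acct1/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:04 1rXaad-0001R9-Cc <= nobody@srv.example.com U=nobody P=local S=1200 T="You won" for v4@example.org
2024-03-01 10:00:05 1rXaae-0001Rc-Dd <= bob@example.net H=mx.example.net [198.51.100.7] P=esmtp S=900 T="Invoice" for bob2@example.org
2024-03-01 10:00:06 1rXaaa-0001Qz-9M => v1@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.10]'

# Read exim_mainlog on stdin; print one line per accepted message:
#   <message id> <smtp|local|other> <login or user@cwd> "<subject>"
# "smtp"  = authenticated SMTP login (compromised mailbox password)
# "local" = injected via sendmail by a local user (script)
# "other" = unauthenticated inbound SMTP (normal incoming mail)
classify_log() {
  awk '
    # cPanel writes the working directory of a local injection on its own line.
    /^[0-9-]+ [0-9:]+ cwd=/ { cwd = substr($3, 5); next }
    $4 == "<=" {
      auth = ""; proto = ""; user = ""
      for (i = 5; i <= NF; i++) {
        if ($i ~ /^A=/)      { auth = $i; sub(/^A=[^:]*:/, "", auth) }
        else if ($i ~ /^P=/) proto = substr($i, 3)
        else if ($i ~ /^U=/) user = substr($i, 3)
      }
      subject = "-"
      if (match($0, /T="[^"]*"/)) subject = substr($0, RSTART + 2, RLENGTH - 2)
      if (auth != "")            { src = "smtp";  who = auth }
      else if (proto == "local") { src = "local"; who = user "@" cwd }
      else                       { src = "other"; who = $5 }
      print $3, src, who, subject
      cwd = ""
    }'
}

# Count accepted messages per (source, identity) so the noisiest sender,
# mailbox or script directory floats to the top.
top_sources() {
  classify_log | awk '{ print $2 ":" $3 }' | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | classify_log
echo '--- busiest sources ---'
printf '%s\n' "$SAMPLE_LOG" | top_sources
```

On a live server the same functions take the real log: `classify_log < /var/log/exim_mainlog` (or `tail -n 5000 /var/log/exim_mainlog | top_sources`). A `smtp:` entry at the top means a mailbox password to lock and reset; a `local:nobody@/home/...` entry names the directory to inspect for the script.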
Q & A
What is the primary goal of this presentation?
-The main goal of this presentation is to provide a method for identifying and addressing spam issues on Exim cPanel servers, using log and queue information rather than relying on automated scripts.
What are some common causes of spam on servers discussed in the presentation?
-The common causes of spam mentioned are compromised SMTP logins (where an email password is stolen), spam from malicious scripts (where a malicious script is uploaded to the server), spam from legitimate scripts (where a loophole in a customer's site is exploited), and dark mailers (which are hard-to-find spam senders).
What command is frequently used to investigate the mail queue on Exim?
-The command most frequently used is 'exim -bp', which lists the mail queue. The command 'exim -bpc' is used to count the items in the queue.
How can you identify patterns in the mail queue to find spam?
-You can identify patterns by looking at the 'From' envelope or sending ID. Often, spam emails share a common sending ID or envelope, and the size of the messages can also be similar.
What role do message headers play in identifying spam?
-Message headers provide important information about the origin of the email. By using the 'exim -Mvh' command, you can see whether the email was received locally (suggesting script-based spam) or via SMTP (indicating email account-based spam).
What does the 'exim -Mvl' command do, and when should it be used?
-The 'exim -Mvl' command shows the message logs for an email that's still pending delivery. It's useful for quickly determining whether the spam is coming from a script or an SMTP login.
What is the recommended approach when dealing with a spamming server?
-When dealing with a spamming server, it's important to first check the mail queue, use commands to examine headers and message bodies, and identify whether the spam originates from a script or an email account. If the server is overloaded, avoid running a virus scan as it can increase server load.
How can you stop a server from sending spam if it's overloaded?
-If the server is overloaded, you can stop Exim with 'service exim stop' (and 'chkconfig exim off' if it must stay down across a reboot). This prevents further spam from being sent but should be done cautiously and with monitoring in place, both so you don't forget to re-enable it and because cPanel's service monitor may restart it on its own.
What is the process for dealing with an email account sending spam?
-If an email account is sending spam, the first step is to lock the account and check the billing contact information. Then, set a random password for the account, avoid emailing the password, and advise the customer to reset it. For repeated issues, enforce stronger password policies in WHM.
How do you handle script-based spam on a server?
-To address script-based spam, you need to find the working directory of the offending script using the 'grep' command and look through access logs. Once identified, disable or remove the malicious file, clean the mail queue, and inform the customer to secure the script or file.
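Both the queue question above (`exim -bp` / `exim -bpc`) and the clean-up step here come down to reading the queue listing by envelope sender and pulling the message IDs of the offender. The script below is an added example, not code from the presentation, that parses a constructed `exim -bp` listing (the same format `exim -bpr` prints): an age, a size, the message ID, the envelope sender in angle brackets, an optional `*** frozen ***` marker, then one indented line per recipient. The IDs, addresses and sizes are made up; the `exim -Mrm` invocation in the comment is what you would run on the real box, not something this script executes.

```sh
#!/bin/sh
# Added example: summarise an "exim -bp" listing by envelope sender and
# extract the message IDs of one sender for "exim -Mrm".
# The queue listing is constructed in the "exim -bp" output format and was
# not captured from a server.

SAMPLE_QUEUE=' 25m  2.1K 1rXaaa-0001Qz-9M <alice@example.com>
          v1@example.org

 24m  2.1K 1rXaac-0001R5-Bb <alice@example.com> *** frozen ***
          v3@example.org

 20m  1.2K 1rXaab-0001R2-Aa <nobody@srv.example.com>
          v2@example.org
          v5@example.org

  3m   900 1rXaae-0001Rc-Dd <bob@example.net>
          bob2@example.org
'

# Read "exim -bp" output on stdin; print one line per envelope sender:
#   <messages> <frozen> <total KB> <sender>
# sorted with the largest sender first. Size suffixes K and M are converted
# to bytes so totals compare sensibly.
queue_by_sender() {
  awk '
    $4 ~ /^<.*>$/ {
      sender = substr($4, 2, length($4) - 2)
      n[sender]++
      if ($0 ~ /\*\*\* frozen \*\*\*/) f[sender]++
      size = $2; mult = 1
      if (size ~ /K$/) mult = 1024
      else if (size ~ /M$/) mult = 1048576
      sub(/[KM]$/, "", size)
      bytes[sender] += size * mult
    }
    END {
      for (s in n) printf "%d %d %d %s\n", n[s], f[s] + 0, int(bytes[s] / 1024), s
    }' | sort -rn
}

# Message IDs queued from one envelope sender, one per line. On a real server:
#   exim -bp | queue_ids_for_sender alice@example.com | xargs -r exim -Mrm
# Spot-check a couple of IDs with "exim -Mvh <id>" before removing anything.
queue_ids_for_sender() {
  awk -v want="<$1>" '$4 == want { print $3 }'
}

printf '%s\n' "$SAMPLE_QUEUE" | queue_by_sender
echo '--- alice@example.com ---'
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_for_sender alice@example.com
```

Because `exim -bp` sorts the queue, on a large queue prefer `exim -bpr | queue_by_sender`, which skips the sort, and compare the top sender against the count from `exim -bpc` to see how much of the queue one mailbox or script accounts for.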