5/27/2558

My server is sending spam. What do I do?

If your server is sending spam, it has most likely already ended up on an RBL (DNS blacklist).
The first thing you need to do is to find out who is spamming and stop them.

There are several ways they could be sending spam:
- they've figured out an email password and are sending remotely
- they are sending from a script on the server (insecure script)
- they've created a cronjob to send emails in the background

1) Make sure that you have a send limit enabled
echo 200 > /etc/virtual/limit
This will put a daily cap on the number of emails a DA user can send.  This is the sum of all of their email accounts' sends totaled together.
http://help.directadmin.com/item.php?id=81

This also requires that you have the latest version of /etc/exim.pl.
2) Check /etc/virtual/usage to see which User has a higher-than-average byte count.  If any User stands out, then they're likely it.

3) If you have the latest exim.pl, and DA 1.41.1 or newer, you should be able to log into DA as that User, and go to:
User Level -> E-Mail Accounts -> E-Mail Usage

which will give you a better breakdown of who is sending what, and to where.

4) Go to:
Admin Level -> Mail Queue Admin

If spam is being sent, there are usually going to be messages stuck in the Queue.
Click one of these messages (the ID) and check the contents (to ensure it's spam), and the headers of the message to try and get info about who sent it (IP), where it's going, and whether there are any X-PHP-Originating-Script headers, which tell you which script did the sending.

5) Check to see if there are any repeated smtp-auth values:
cd /var/log/exim
grep 'A=login:' mainlog* | less
although, step 3 above should tell you what login was used, if one was used.
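The grep in step 5 leaves you reading the raw lines. The script below is an added example, not part of the DirectAdmin article, that counts messages per A=login: value and shows how many client IPs each login came from, using a few constructed mainlog lines (hypothetical addresses and IPs) in place of /var/log/exim/mainlog*. A compromised password typically stands out as one login with a large count arriving from many different addresses.

```shell
#!/bin/sh
# Added example (not from the DirectAdmin article): summarise SMTP-auth logins
# in exim mainlog output. Feed it real logs with:  cat /var/log/exim/mainlog* | auth_counts
set -e

# Constructed sample of exim mainlog entries; addresses and IPs are hypothetical.
SAMPLE_LOG=$(cat <<'EOF'
2015-05-27 08:01:10 1YxA1a-0001aa-Bb <= alice@example.com H=(laptop) [192.0.2.10] P=esmtpa A=login:alice@example.com S=2310 id=1@example.com
2015-05-27 08:02:31 1YxA1b-0001ab-Cc <= bob@example.org H=(pc) [198.51.100.7] P=esmtpa A=login:bob@example.org S=1800 id=2@example.org
2015-05-27 08:02:40 1YxA1c-0001ac-Dd <= bob@example.org H=(pc) [203.0.113.5] P=esmtpa A=login:bob@example.org S=1802 id=3@example.org
2015-05-27 08:02:41 1YxA1d-0001ad-Ee <= bob@example.org H=(pc) [203.0.113.5] P=esmtpa A=login:bob@example.org S=1799 id=4@example.org
2015-05-27 08:03:02 1YxA1e-0001ae-Ff <= bob@example.org H=(pc) [203.0.113.9] P=esmtpa A=login:bob@example.org S=1801 id=5@example.org
2015-05-27 08:05:00 1YxA1f-0001af-Gg <= root@server.example.net U=root P=local S=500 id=6@server.example.net
EOF
)

# auth_counts: read log lines on stdin, print "count login" pairs, busiest first.
# Lines without an A=login: value (local submissions) are ignored.
auth_counts() {
    grep -o 'A=login:[^ ]*' | sed 's/^A=login://' | sort | uniq -c | sort -rn
}

# top_login: the single login that submitted the most messages.
top_login() {
    auth_counts | head -n 1 | awk '{print $2}'
}

# distinct_ips LOGIN: how many different client IPs that login authenticated from.
# A legitimate user usually comes from a handful of addresses; a stolen
# password tends to show up from many.
distinct_ips() {
    grep "A=login:$1 " | grep -o '\[[0-9.]*\]' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | auth_counts
printf 'busiest login: %s (from %s IPs)\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | top_login)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | distinct_ips "$(printf '%s\n' "$SAMPLE_LOG" | top_login)")"
```

Once you have the login, step 3's E-Mail Usage page or a password change for that account is the next stop; the count alone does not tell you whether the mail was sent by the user or by whoever has their password, so check the IPs against where that user normally works.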

6) Check your exim logs for anything out of the ordinary:
http://help.directadmin.com/item.php?id=151

7) Although not related to the prevention of sending spam, if you use DKIM with your email sends, it will lower your spam score on remote boxes, since it confirms that your emails are indeed from your server and not spoofed from elsewhere.
http://www.directadmin.com/features.php?id=1189

8) Newer setups should have php-mail.log files, to log all php sends using the mail() function.   Check the log:
/home/username/.php/php-mail.log
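A php-mail.log on a busy account can run to thousands of lines, and the question you actually want answered is "which file is calling mail() the most?". The script below is an added example, not from the DirectAdmin article or project, that groups the log by calling script. It assumes the "[date] mail() on [file:line]: To: ... -- Headers: ..." line format that PHP's mail.log setting writes, and uses constructed sample lines with hypothetical paths in place of /home/username/.php/php-mail.log.

```shell
#!/bin/sh
# Added example (not from the DirectAdmin article): rank the PHP scripts that
# called mail() by number of sends. Run on a real log with:
#   script_counts < /home/USER/.php/php-mail.log
set -e

# Constructed sample in PHP's mail.log format; paths and addresses are hypothetical.
SAMPLE_MAIL_LOG=$(cat <<'EOF'
[27-May-2015 08:01:10 UTC] mail() on [/home/alice/domains/example.com/public_html/contact.php:42]: To: owner@example.com -- Headers: From: web@example.com
[27-May-2015 08:02:31 UTC] mail() on [/home/alice/domains/example.com/public_html/wp-content/uploads/cache.php:3]: To: one@example.net -- Headers: From: promo@example.com
[27-May-2015 08:02:32 UTC] mail() on [/home/alice/domains/example.com/public_html/wp-content/uploads/cache.php:3]: To: two@example.net -- Headers: From: promo@example.com
[27-May-2015 08:02:33 UTC] mail() on [/home/alice/domains/example.com/public_html/wp-content/uploads/cache.php:3]: To: three@example.net -- Headers: From: promo@example.com
[27-May-2015 09:15:00 UTC] mail() on [/home/alice/domains/example.com/public_html/contact.php:42]: To: owner@example.com -- Headers: From: web@example.com
EOF
)

# script_counts: read log lines on stdin, print "count path" pairs, busiest
# script first. The :line suffix is dropped so every call site in one file is
# grouped together.
script_counts() {
    sed -n 's/.*mail() on \[\([^]]*\):[0-9]*\]:.*/\1/p' | sort | uniq -c | sort -rn
}

# top_script: the file that called mail() most often.
top_script() {
    script_counts | head -n 1 | awk '{print $2}'
}

# sends_from PATH: number of mail() calls recorded for one script path
# (prints nothing if the path never appears).
sends_from() {
    script_counts | awk -v p="$1" '$2 == p {print $1}'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_MAIL_LOG" | script_counts
printf 'busiest script: %s\n' "$(printf '%s\n' "$SAMPLE_MAIL_LOG" | top_script)"
```

A contact form that sends a couple of messages a day is expected; a file sitting in an uploads or cache directory that sends hundreds is the one to open and check, and the To: and Headers: parts of the same log lines show where its mail went.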