It seems one of my customers has got a virus, and he uses one of my virtualmin virtual servers. It is sending spam using my SMTP, and I’ve been blacklisted.
I don’t have access to my customer's network, and can’t wait for him to fix the problem, so what can I do?
Actually, it seems someone (not my customer) is using my SMTP server to send spam. I’ve checked all open relay tests that I know of and none of them reported my server as open.
How can I identify and block this user? Where should I look?
Spammers frequently use security holes in older web apps – where they can coax it to send spam emails on their behalf.
What I might recommend is going through all the web apps installed on your system, and verify that they’re fully up to date.
I’d also recommend running a tool like chkrootkit and perhaps rkhunter to look for some problem files in common locations. They won’t discover everything, but they can assist in finding problems.
The problem was that somehow a spammer got a valid user email and password on the system. He was sending the spam the way a regular user uses the email account. I’ve warned the user and we’ve changed the password. The spam has stopped for now. I’m keeping an eye on it, and while doing that, I wonder if there are any detailed reports on the mail system. Reports like how many messages were sent/received for each user and domain.
Is there any module, or application that I can install that would give me this information?
There are a few different tools out there for parsing email logs. I don’t have a significant amount of experience with many of them, but I can offer that pflogsumm.pl is a quick and easy tool that may get you the info that you’re after.
It’s available in the apt repository if you’re using Debian or Ubuntu. Or, you can install it manually if you’re using CentOS; it’s available here:
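As an added example that is not part of this thread and not code from pflogsumm or Virtualmin: a small Python script covering the per-user and per-domain report asked for above, and the kind of check that would have surfaced the compromised account earlier. It reads Postfix log lines, correlates each smtpd SASL login with its qmgr queue entry by queue id, totals messages and recipients per authenticated user and per domain, and flags accounts whose recipient volume is out of line. The log lines are constructed samples (addresses, hosts and queue ids are made up), and the thresholds are assumptions to be tuned to your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix log lines (not a real log). Queue ids, client
# addresses and usernames are made up; the shape follows Postfix's smtpd/qmgr output.
SAMPLE_LOG = """\
Nov  5 10:12:01 mail postfix/smtpd[1234]: 3A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Nov  5 10:12:01 mail postfix/qmgr[1100]: 3A1B2C3D4E: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Nov  5 10:12:05 mail postfix/smtpd[1234]: 5F6A7B8C9D: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=bob@example.net
Nov  5 10:12:05 mail postfix/qmgr[1100]: 5F6A7B8C9D: from=<bob@example.net>, size=5120, nrcpt=120 (queue active)
Nov  5 10:12:09 mail postfix/smtpd[1234]: 0E1F2A3B4C: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=bob@example.net
Nov  5 10:12:09 mail postfix/qmgr[1100]: 0E1F2A3B4C: from=<bob@example.net>, size=5120, nrcpt=95 (queue active)
Nov  5 10:13:00 mail postfix/smtpd[1234]: connect from localhost[127.0.0.1]
Nov  5 10:13:30 mail postfix/smtpd[1235]: 7C8D9E0F1A: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=carol@example.com
Nov  5 10:13:30 mail postfix/qmgr[1100]: 7C8D9E0F1A: from=<carol@example.com>, size=900, nrcpt=3 (queue active)
"""

# smtpd line recording an authenticated (SASL) submission for a queue id.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+), "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)"
)
# qmgr line for the same queue id, carrying the recipient count (nrcpt).
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def summarize(log_text):
    """Join smtpd SASL logins with qmgr queue entries on queue id and
    aggregate messages, recipients and client IPs per authenticated user,
    plus messages and recipients per domain of the authenticated user."""
    qid_to_login = {}
    users = defaultdict(lambda: {"messages": 0, "recipients": 0, "clients": set()})
    domains = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            qid_to_login[m.group("qid")] = (m.group("user"), m.group("client"))
            continue
        m = QMGR_RE.search(line)
        if m and m.group("qid") in qid_to_login:
            user, client = qid_to_login[m.group("qid")]
            nrcpt = int(m.group("nrcpt"))
            users[user]["messages"] += 1
            users[user]["recipients"] += nrcpt
            users[user]["clients"].add(client)
            # Domain of the account that authenticated, not of the From header,
            # so a forged sender address cannot hide which account was used.
            domain = user.rsplit("@", 1)[-1]
            domains[domain]["messages"] += 1
            domains[domain]["recipients"] += nrcpt
    return {"users": dict(users), "domains": dict(domains)}


def flag_suspicious(summary, max_recipients=100, max_avg_per_message=50):
    """Return authenticated users whose total recipient count, or average
    recipients per message, exceeds the (assumed) thresholds."""
    flagged = []
    for user, stats in summary["users"].items():
        avg = stats["recipients"] / stats["messages"]
        if stats["recipients"] >= max_recipients or avg >= max_avg_per_message:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("per user:")
    for user, stats in sorted(report["users"].items()):
        print(f"  {user}: {stats['messages']} msgs, {stats['recipients']} rcpts, "
              f"clients={sorted(stats['clients'])}")
    print("per domain:")
    for domain, stats in sorted(report["domains"].items()):
        print(f"  {domain}: {stats['messages']} msgs, {stats['recipients']} rcpts")
    print("suspicious accounts:", flag_suspicious(report))
```

On a live server you would feed it the mail log (for example the output of `grep postfix /var/log/mail.log`) instead of the constructed sample; the recipient and per-message thresholds are placeholders and should be set from what your normal users actually send. A password change for a flagged account stops the abuse, as happened here, and keeping the per-user counts over time makes the next compromise visible as soon as the numbers jump.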