Is it possible to block default mailing for web-user

#1 Fri, 05/01/2015 - 16:12
Hoanne

Is it possible to block default mailing for web-user

We regularly get sites that are being hacked. The default fcgi user has the ability to send mail by default (every Apache process is running under the customer's user account). Is it possible to block mailing for this user, or to force authentication, so that when a website gets hacked it cannot send (spam) mail?

Regards,

Karst

Sun, 05/03/2015 - 18:38
Diabolico

You should delete or repair that user account/website, as blocking emails on a hacked website is not a solution.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Mon, 05/04/2015 - 10:08
andreychek

Howdy,

Note that one of the reasons the Email Rate Limiting feature was added was the problem you're seeing. Jamie had a web app that was broken into and used to send spam; he added the email rate limiting feature to slow down the rate of outgoing spam so admins have time to deal with the issue before too much spam is sent out and the IP address gets blacklisted.

You could always consider using that to help with break-ins and spam.

That can be configured in Email Messages -> Email Rate Limiting.

-Eric

Mon, 05/04/2015 - 10:42
berndtnetwork

Did someone physically hack into the account? If so, take Diabolico's advice and repair it ASAP, and give that account a new username with new databases using the new username. Encourage the client to change passwords on a monthly basis.

Did someone take advantage of an insecure script? Find the script and remove it, and do the same as above.

Or is someone just using the account's default username, which is usually easy to guess from the domain name, to forge spam email? Best practice when creating an account is to create a username that is not related to the domain or the domain name owner.

Do you have mod_security installed with some rules from OWASP? It helps to block spiders crawling your server looking for emails and other things they can get into.

Do you have a firewall like ConfigServer to block ports and send you alerts when someone is trying to intrude?

Regards,

Peter

Mon, 05/04/2015 - 22:36
Diabolico

Eric, your suggestion was absolutely out of context. OP clearly said he has a problem with websites being hacked, and limiting emails will do nothing. We should encourage people to learn how to secure their servers and repair possible mistakes, not apply something that would do nothing. "Is it possible to block the mailing for this user or to force authentication so when a website got hacked they do not can send (spam)-mail." You need to find the reason why the website was hacked and repair whatever has to be repaired. Limiting emails or completely blocking email will do nothing if your website or server was compromised. If you rent your servers to others (reseller), then the best solution is to shut down the client and ask him to sort out the problem, or just say goodbye.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Tue, 05/05/2015 - 06:25 (Reply to #5)
berndtnetwork

Diabolico, in my opinion Eric was not out of context at all. OP is asking for help with spam, which is technically not an issue related to Virtualmin, but Eric was able to offer advice as to where to start. If you set the rate limit you can slow down or even stop the emails, which will give you time to sort through the logs and find out where the problem is actually occurring, that is, whether the email is relaying through the server or is just forged email coming in.

You don't want to shut down the email server nor the email account in question. Shutting it down will only make things worse by jeopardizing your server IP with a listing on an RBL and bad reputation lists.

If the logs indicate that your server is being used to relay through a user account, then start by changing the password and username to stop the relay. This way there are no bounced emails, and the server can stop it at the EHLO by simply saying no such user and closing the connection.

If a script was compromised, then search the logs and find out what directory the script is located in and remove it ASAP.

As I suggested, using ModSecurity with OWASP rules would help prevent this in the near future by setting rules that would stop the spammer from injecting any code into the script.

Also, a firewall with good rules such as ConfigServer would block the IP that is being used to relay through the server.

I believe everyone here gave good advice and no harm was done to anyone.

OP, I hope you sorted out your problems and that everything is back on track.

Regards,

Peter
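As an added example (not code from this thread, and not Virtualmin's own rate-limiting implementation), the log-side check Peter describes and the burst behaviour Eric's rate limiting is meant to catch can be approximated with a small Python script. It parses Postfix pickup log lines (the lines Postfix writes when a local process, such as a web application running under the customer's uid, hands a message to the sendmail binary) and flags any uid that submits more than a threshold number of messages inside a sliding time window. The sample log lines, uids, sender addresses, hostname and thresholds below are constructed for the example; the line shape follows Postfix's syslog output but is an assumption about this particular server.

```python
"""
Flag bursts of locally submitted mail per Unix user from Postfix logs.

Constructed example: when a web app calls /usr/sbin/sendmail, Postfix's
pickup daemon logs the submitting uid, so counting pickup events per uid in
a sliding window shows which customer account is suddenly sending mail.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line shape (syslog format, no year), e.g.
# "May  4 10:15:00 host postfix/pickup[1234]: 1A2B3C4D01: uid=1001 from=<www@example.com>"
PICKUP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/pickup\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>"
)

# Constructed sample: uid 1001 (a web app user) submits 7 messages in 30 s,
# uid 1002 submits 2 messages more than a minute apart, plus an unrelated
# smtpd line that the parser must skip.
SAMPLE_LOG = """\
May  4 10:15:00 host postfix/pickup[1234]: 1A2B3C4D01: uid=1001 from=<www@example.com>
May  4 10:15:03 host postfix/smtpd[1300]: connect from unknown[192.0.2.10]
May  4 10:15:05 host postfix/pickup[1234]: 1A2B3C4D02: uid=1001 from=<www@example.com>
May  4 10:15:10 host postfix/pickup[1234]: 1A2B3C4D03: uid=1001 from=<www@example.com>
May  4 10:15:12 host postfix/pickup[1234]: 9F8E7D6C0A: uid=1002 from=<mail@example.org>
May  4 10:15:15 host postfix/pickup[1234]: 1A2B3C4D04: uid=1001 from=<www@example.com>
May  4 10:15:20 host postfix/pickup[1234]: 1A2B3C4D05: uid=1001 from=<www@example.com>
May  4 10:15:25 host postfix/pickup[1234]: 1A2B3C4D06: uid=1001 from=<www@example.com>
May  4 10:15:30 host postfix/pickup[1234]: 1A2B3C4D07: uid=1001 from=<www@example.com>
May  4 10:16:40 host postfix/pickup[1234]: 9F8E7D6C0B: uid=1002 from=<mail@example.org>
""".splitlines()


def parse_pickup(line, year=2015):
    """Return a dict for a pickup line, or None for any other log line.

    Syslog omits the year, so the caller supplies it (constructed: 2015).
    """
    m = PICKUP_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "qid": m["qid"], "uid": int(m["uid"]), "sender": m["sender"]}


def submissions_per_uid(lines):
    """Total number of locally submitted messages per uid (for the report)."""
    totals = defaultdict(int)
    for line in lines:
        ev = parse_pickup(line)
        if ev is not None:
            totals[ev["uid"]] += 1
    return dict(totals)


def find_bursts(lines, limit=5, window_seconds=60):
    """Return {uid: (timestamp, sender)} for the first submission at which
    a uid exceeded `limit` messages within any `window_seconds` window.

    The lines are assumed to be in chronological order, as in a log file.
    """
    windows = defaultdict(deque)  # uid -> timestamps inside the current window
    flagged = {}
    for line in lines:
        ev = parse_pickup(line)
        if ev is None:
            continue
        q = windows[ev["uid"]]
        q.append(ev["ts"])
        # Drop timestamps that fell out of the sliding window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > limit and ev["uid"] not in flagged:
            flagged[ev["uid"]] = (ev["ts"], ev["sender"])
    return flagged


if __name__ == "__main__":
    for uid, (ts, sender) in sorted(find_bursts(SAMPLE_LOG).items()):
        print(f"uid {uid} ({sender}) exceeded the limit at {ts:%H:%M:%S}; "
              f"{submissions_per_uid(SAMPLE_LOG)[uid]} submissions in the log")
```

Run it against a real mail log by replacing SAMPLE_LOG with the file's lines; the uid it reports maps (via /etc/passwd) to the customer account whose web content needs the repair Diabolico and Peter describe, and the flagged timestamp tells you where in the web server's access log to start looking.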
