Spam Best Practice

Fri, 09/10/2010 - 16:00
steeloctopus

Hi

I have recently configured a CentOS 5 web server, but unfortunately it fell victim to a spam attack.

Can anybody provide some tips on how best to configure Webmin to prevent this from happening again?

Any suggestions are welcome.

Thanks

Fri, 09/10/2010 - 16:46
andreychek

Howdy,

What do you mean by a spam attack... was spam sent to one of your accounts on the server, or was your server used in order to send spam to others?

The most common spam issue is that spammers break into a web app that has some sort of vulnerability in it, and use that vulnerability to send spam out.

The fix for that is to make sure that all the packages on your system, as well as all the web apps on your system, are up to date. If anything is even the slightest bit out of date, it can potentially be used by spammers to send spam.

-Eric

Sat, 09/11/2010 - 04:54
steeloctopus

Hi

My server was used to send spam to others; I had 37000 emails in the Postfix queue, but I'm unsure how I can prevent it from happening again.

I thought that if I improve security on the server side, like locking down Postfix a bit more and ensuring that there are good security settings for sendmail, that would prevent them.

Also, I want to start getting my server config to check the blacklists and that sort of thing.

Any guidance would be great; if one of the things I have to do is look at vulnerable scripts on the site, then so be it.

Any suggestions are welcome. I would like to put in place a number of measures to prevent this happening again.

Sat, 09/11/2010 - 08:31
andreychek

I thought that if I improve security on the server side, like locking down Postfix

Well, it's certainly good to improve the security... but chances are it's not Postfix at fault but another app on your server.

Any guidance would be great, if one of the things I have to do is look at vulnerable scripts on the site then so be it.

Chances are that it was a vulnerable script on your server that was at fault.

Unfortunately, finding vulnerable scripts is just a long, tedious process of going through every web application you and your customers have installed and making sure there isn't a newer version available.

I'd suggest removing any web apps you don't want or need in addition to performing those upgrades.

-Eric

Sun, 09/12/2010 - 00:33
Dim Git

Do you by any chance have an email account that you used to test the system which is easily guessed?

For example user "test" password "Test". It could be that a spammer has discovered that account.

Perhaps another place to look (it happened to me). One of my customers has an MS Exchange server which sends email through my server. He had an account called "test" with the password "test", and his server was not very secure. A spammer sent email through his server, which of course simply relayed it through my server.

Daily I check the Logwatch report; under the Postfix section there is an entry like "SASL Authenticated messages from: XXXX Host(s), XXXXXXXX Time(s)". If the numbers are unusual, I know I have a problem.

I could be wrong but it is worth a look. Will the logs give you any info about the source and therefore aid in diagnosing the entry point?

Good luck

[goes back to sitting quietly in the corner]
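
Added example (not code from any of the posters): a small Python triage script that checks a Postfix mail log for the two entry points raised in this thread, Eric's vulnerable-web-script case (messages injected locally by the web server user, which is what PHP mail() or a script calling sendmail looks like in the log) and Dim Git's guessed-SASL-account case (the per-account counts behind Logwatch's "SASL Authenticated messages" line). The log lines are constructed for the example; the web server uid 48 (apache on CentOS/RHEL) and the flagging thresholds are assumptions that you would replace with your own baseline.

```python
"""Triage a Postfix log for two spam entry points:
(1) local injection by a web script  -> postfix/pickup lines with the web server's uid
(2) SMTP AUTH abuse of a guessed account -> postfix/smtpd lines with sasl_username=
"""
import re
import sys
from collections import Counter

# Constructed sample log lines in Postfix/syslog format. Hostnames, IPs (RFC 5737
# documentation ranges) and queue IDs are made up for this example.
SAMPLE_LOG = """\
Sep 11 03:12:40 mail postfix/smtpd[4101]: 7A1F3B2C01: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=test
Sep 11 03:12:41 mail postfix/smtpd[4101]: 7A1F3B2C02: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=test
Sep 11 03:12:42 mail postfix/smtpd[4102]: 7A1F3B2C03: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=test
Sep 11 03:13:01 mail postfix/smtpd[4103]: 7A1F3B2C04: client=desk.example.net[192.0.2.25], sasl_method=PLAIN, sasl_username=alice
Sep 11 03:14:10 mail postfix/pickup[1201]: 9C0D1E2F01: uid=48 from=<apache>
Sep 11 03:14:10 mail postfix/cleanup[1301]: 9C0D1E2F01: message-id=<20100911031410.9C0D1E2F01@mail>
Sep 11 03:14:11 mail postfix/pickup[1201]: 9C0D1E2F02: uid=48 from=<apache>
Sep 11 03:14:12 mail postfix/pickup[1201]: 9C0D1E2F03: uid=48 from=<apache>
Sep 11 03:15:00 mail postfix/pickup[1201]: 9C0D1E2F04: uid=0 from=<root>
Sep 11 03:15:05 mail postfix/qmgr[1101]: 9C0D1E2F04: from=<root@mail>, size=812, nrcpt=1 (queue active)
"""

# smtpd logs the authenticated username together with the client that used it
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+?), .*sasl_username=(?P<user>\S+)"
)
# pickup logs the Unix uid of whoever handed mail to the local sendmail binary
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>"
)

# Assumption: uid 48 is the apache user on CentOS/RHEL; add your PHP/CGI uids here.
WEB_UIDS = {48}


def summarize_sasl(log_text):
    """Count SMTP AUTH submissions per (sasl_username, client)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("client"))] += 1
    return counts


def summarize_pickup(log_text):
    """Count messages injected through the local sendmail path, keyed by Unix uid."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            counts[int(m.group("uid"))] += 1
    return counts


def suspicious(log_text, per_user_limit=2, web_limit=1):
    """Return human-readable findings for accounts and web uids over their thresholds.

    The limits are placeholders: set them from what your server normally does per day.
    """
    findings = []
    per_user = Counter()
    for (user, _client), n in summarize_sasl(log_text).items():
        per_user[user] += n
    for user, n in per_user.items():
        if n > per_user_limit:
            findings.append(f"SASL user {user!r} submitted {n} messages (check for a weak or test password)")
    for uid, n in summarize_pickup(log_text).items():
        if uid in WEB_UIDS and n > web_limit:
            findings.append(f"uid {uid} (web server) injected {n} messages (check the web apps for a vulnerable script)")
    return findings


if __name__ == "__main__":
    # Run on the built-in sample, or pipe a real log in: python triage.py < /var/log/maillog
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for finding in suspicious(text) or ["nothing over threshold"]:
        print(finding)
```

On CentOS the log is /var/log/maillog. Once a finding points at a queue ID, grep that ID through the log to follow the message from pickup or smtpd to the recipients, which tells you whether to chase a web script (uid of the web server) or a guessed account (sasl_username), matching the two diagnoses given in this thread.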

Sun, 09/12/2010 - 04:36
steeloctopus

Thanks, I will have a look. I did create a TEST account, but I'm pretty sure that I deleted the account after I finished my testing; I will have a look just in case.

Thanks for the heads up
