Spam Mailing — What to Do?
Learn how to identify and resolve spam mailing issues on your server.
Every day, engineers from technical support assist our users in various situations. Often, this involves unauthorized mailing of spam emails — and the victims can be both owners of hosting accounts and virtual or dedicated servers.
Identifying Unauthorized Mailing
How can you tell if unauthorized commercial email (UCE) is occurring? The main tools for this are:
- Checking the mail queue (the mailq command)
- Reviewing the mail system log files (/var/log/maillog, /var/log/exim/mainlog)
- Analyzing traffic
If there are thousands of messages in the mail queue, numerous entries in the log files for successful and unsuccessful deliveries, and tcpdump shows numerous TCP sessions directed towards various IP addresses — immediate action is required.
Common Causes of UCE
The most common reason for UCE is a vulnerability in the software running on the server. In most cases, the cause is an outdated CMS (Content Management System) and accompanying modules. Attackers rarely target the operating system directly; instead, specialized “bots” scan networks looking for outdated software or typical security configuration errors.
Actions Taken by Attackers
If a vulnerable OS or application is found, perpetrators can:
- Use a mechanism to send spam directly from the CMS.
- Upload a “rootkit” to disguise processes and execute commands at the attacker’s behest.
- Delete data or block access to the server owner.
Signs of Vulnerable CMS
- The mail queue contains numerous messages from addresses like webmaster@your-domain.
- In the website’s access.log, there are many POST requests from several IPs.
Recommended Solutions
To combat spam mailing:
- Block requests from suspicious IPs.
- Disallow POST requests to URLs found in the log.
- Update the CMS and plugins immediately.
- Clear the mail queue so that the undelivered spam does not get your server's IP address blocked by other mail providers.
- Consider temporarily blocking outbound SMTP connections via a firewall but do so carefully.
Stopping the mail system does not solve the problem! Even if you stop sendmail, postfix, or exim, the spam will remain queued.
When Under Attack
If a rootkit has been loaded or the attacker has full access to the OS, extra caution is needed. The mail queue may appear empty, and the sending activity may be detectable only through analysis of TCP traffic. Standard tools can also lie about what is running: consider this example from a process listing (ps output), where processes that are really Perl scripts have renamed themselves to look like /usr/sbin/acpid:
user11 53224 76.3 0.1 15056 5160 ?? R 3:40AM 877:16.68 /usr/sbin/acpid (perl5.8.9)
user11 98626 61.9 0.1 15056 5160 ?? R 3:02PM 149:57.77 /usr/sbin/acpid (perl5.8.9)
user11 33622 0.0 0.1 15476 4508 ?? I 2:15PM 0:00.02 /usr/bin/perl ./sss.pl 0.0.0.0 12345 (perl5.8.9)
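As an added example that is not part of the original article, the shell script below applies two of the checks described here to constructed data: it counts POST requests per client and URL in an access.log excerpt (the sign listed under "Signs of Vulnerable CMS"), and it flags entries in a FreeBSD-style ps listing whose displayed command differs from the real executable that ps appends in parentheses (as in the listing above). The log lines are made up; the ps lines reuse two from the listing above plus one benign line added for contrast.

```sh
#!/bin/sh
# Added example, not part of the original article. All input below is
# constructed sample data embedded inline so the script runs offline.

# Constructed access.log excerpt in combined log format. 203.0.113.5 plays
# the abusive client hitting an uploaded PHP file; 198.51.100.7 is normal.
ACCESS_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "-"'

# ps listing in FreeBSD "ps aux" layout: two lines from the article plus one
# genuine acpid (constructed) whose argv matches its binary, so no parentheses.
PS_LISTING='user11 53224 76.3 0.1 15056 5160 ?? R 3:40AM 877:16.68 /usr/sbin/acpid (perl5.8.9)
user11 33622 0.0 0.1 15476 4508 ?? I 2:15PM 0:00.02 /usr/bin/perl ./sss.pl 0.0.0.0 12345 (perl5.8.9)
root 611 0.0 0.0 10412 2100 ?? Ss 9:00AM 0:00.10 /usr/sbin/acpid'

# Read access.log on stdin; print "count ip url" for every (client, URL)
# pair that received at least $1 POST requests, largest count first.
# Field 6 is the quoted method, field 7 the request path.
suspicious_posts() {
  awk -v t="$1" '$6 ~ /^"POST$/ { n[$1 " " $7]++ }
    END { for (k in n) if (n[k] >= t) print n[k], k }' | sort -rn
}

# Read ps output on stdin; print "pid command is really <exe>" for entries
# whose displayed command (field 11) does not match the real executable name
# that FreeBSD ps shows in parentheses when a process has rewritten its argv.
renamed_processes() {
  awk '$NF ~ /^\(.*\)$/ {
    real = substr($NF, 2, length($NF) - 2)      # e.g. perl5.8.9
    n = split($11, p, "/"); shown = p[n]        # basename of displayed command
    if (index(real, shown) != 1) print $2, $11, "is really", real
  }'
}

# Stand-alone run: show clients posting 3+ times to one URL, then renamed processes.
printf '%s\n' "$ACCESS_LOG" | suspicious_posts 3
printf '%s\n' "$PS_LISTING" | renamed_processes
```

On a real server, replace the inline samples with `suspicious_posts 50 < /path/to/access.log` and `ps aux | renamed_processes`, then use the reported IPs and URLs for the blocking steps listed under "Recommended Solutions".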
Prevention Strategies
Don’t delay updating your operating systems and applications on all computers and servers. Always make backups and use complex passwords.
If you suspect spam mailing, hacking, or other abnormal activities, contact support immediately. Prompt action is crucial for maintaining security.