Hi, I recently discovered that my Ubuntu 10.4 server was blaclisted at several sites (I used http://mxtoolbox.com to check). Checking the logs I could see that one email account was sending several spam messages every second! I have disabled the account, but my questions are: 1) How can I troubleshoot this problem in the best way? How can I see if the spam was sent from the persons own computer or from some exploit on my server? (I already checket for rootkits - none were discovered, and I have amavis running) 2) How can I make sure this doesn't happen again? 3) Should I contact the blacklisting servers directly to be removed or does that happen automatically after some time? Google is not accepting mails from my servers for instance :-( This is a real big problem as it affects all my users, so any help is greatly appreciated thanks!
1) I described the procedure to find the source of outgoing spam here a few days ago: http://www.howtoforge.com/forums/showthread.php?t=63319 So pbasically you get a email id from a spam email with: postqueu -p and then inspect it with postcat. 2) There is no 100% protection against that. Most spam is sent trough vulnerable websites, so ensure that the cms systems that are installed on your server are updated regularily. another option is to use policyd to restrict the number of emails that can be send by a user. You can also scan your server with maldet to find hacked websites: http://www.howtoforge.com/forums/showthread.php?t=58440 3) They will remove you automatically after some time (in most caese 1+ days). If you want to get whitelisted earlier, then you should contact them. But not before the source of the issue has been found and the spam sending stopped.
