Server is sending spam

Discussion in 'General' started by jem, Mar 9, 2021.

  1. jem

    jem New Member

    I am having an issue where my ISPConfig server is sending spam. My server IP address is blacklisted by UCEPROTECTL3. I am trying to figure out which user or site is sending spam. I have disabled all sites using (disable_functions = mail) in the Custom php.ini settings in ISPConfig. I have no emails in the mail queue. How can I investigate this issue?

    thank you.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Take a look at the mail.log to see which user has been sending out spam. Change the password of this user, or if it is a site, disable the site and notify the owners that their site has most likely been hacked.

    I personally always disable mail for PHP scripts, and have users use SMTP accounts to send out mails.
     
  3. jem

    jem New Member

    There are so many entries in the mail.log, which is kind of confusing. How can I identify good email logs from the spamming ones?
    Thanks.
     
    Last edited: Mar 9, 2021
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Are you sure you ended up on UCEPROTECT after YOUR server sent spam? My server has been on and off that list, and has not sent spam. My understanding is that UCEPROTECT adds ALL IP addresses in a subnet when one IP sends spam. And I am not sure if sending spam is a requirement; they seem to add with somewhat flimsy evidence.
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    In practice I usually catch some mail in the queue to examine, or look at the headers of spam complaints; in the absence of either, checking mail logs and watching active network connections (e.g. for direct SMTP spam) or maybe even web logs would be next.

    Commonly (not always) an abused account will have many logins from all manner of IP addresses around the world. Some basic stats of how many emails were sent by each account and how many IP addresses logged in per account might be very telling, especially if you start tracking that and have a historical "normal" to compare to.

    ISPConfig does not provide that info, but it could be worth looking into existing mail log stats programs and maybe adding something in the future.
     
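Turning the two suggestions above (Th0m: find the account in mail.log; Jesse: count sends per account and distinct login IPs per account) into something runnable. This is an added example, not code from the thread or from ISPConfig. It parses three kinds of lines a Postfix/Dovecot mail.log carries: postfix/smtpd lines with sasl_username (authenticated SMTP submission, with the client IP), dovecot imap-login/pop3-login lines (login IP per mailbox), and postfix/pickup lines with uid= (mail injected locally through sendmail, which is how PHP mail() reaches Postfix; the uid identifies the website's UNIX user). The log excerpt, account names and uids are constructed, and the max_ips threshold is an assumed placeholder rather than a tuned value.

```python
import re
from collections import defaultdict

# Constructed mail.log excerpt in ordinary Postfix/Dovecot syslog format; not taken
# from the original thread. Mailbox users alice/bob and uids 5004/5005 are assumptions.
SAMPLE_LOG = """\
Mar  9 10:00:00 mx dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1, mpid=4101, TLS, session=<aaaa>
Mar  9 10:00:03 mx postfix/smtpd[3011]: 4A0001: client=office.example.com[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  9 10:00:04 mx postfix/qmgr[2201]: 4A0001: from=<alice@example.com>, size=2311, nrcpt=1 (queue active)
Mar  9 10:00:05 mx postfix/pickup[2200]: 4A0002: uid=5004 from=<web1@mx.example.com>
Mar  9 10:00:06 mx postfix/smtpd[3012]: 4A0003: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  9 10:00:07 mx postfix/smtpd[3013]: 4A0004: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  9 10:00:08 mx postfix/pickup[2200]: 4A0005: uid=5004 from=<web1@mx.example.com>
Mar  9 10:00:09 mx postfix/smtpd[3014]: 4A0006: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  9 10:00:10 mx dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=192.0.2.33, lip=192.0.2.1, mpid=4102, TLS, session=<bbbb>
Mar  9 10:00:11 mx postfix/smtpd[3015]: 4A0007: client=unknown[192.0.2.33], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  9 10:00:12 mx postfix/pickup[2200]: 4A0008: uid=5005 from=<web2@mx.example.com>
Mar  9 10:00:13 mx postfix/smtpd[3016]: 4A0009: client=unknown[203.0.113.150], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  9 10:00:14 mx postfix/pickup[2200]: 4A0010: uid=5004 from=<web1@mx.example.com>
Mar  9 10:00:15 mx postfix/smtpd[3017]: 4A0011: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  9 10:00:16 mx postfix/smtpd[3011]: 4A0012: client=office.example.com[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  9 10:00:17 mx postfix/pickup[2200]: 4A0013: uid=5004 from=<web1@mx.example.com>
Mar  9 10:00:18 mx postfix/smtp[3100]: 4A0003: to=<victim@example.net>, relay=mail.example.net[192.0.2.80]:25, status=sent (250 OK)
""".splitlines()

# Authenticated SMTP submission: who sent, from which client IP.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+: client=[^\[\s]+\[([^\]]+)\], sasl_method=\w+, sasl_username=(\S+)")
# Dovecot IMAP/POP3 login: which mailbox, from which remote IP (rip=).
LOGIN_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: Login: user=<([^>]+)>, method=\w+, rip=([^,\s]+)")
# Local injection via sendmail (PHP mail() ends up here): which UNIX uid handed the mail over.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: \w+: uid=(\d+) from=<([^>]*)>")


def account_stats(lines):
    """Aggregate submissions per account, distinct client IPs per account, and
    local submissions per uid. Lines that match none of the patterns are skipped."""
    sent = defaultdict(int)   # sasl_username -> messages submitted over SMTP AUTH
    ips = defaultdict(set)    # account -> distinct IPs seen on SMTP AUTH and IMAP/POP logins
    local = defaultdict(int)  # uid -> messages injected locally through pickup
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            ip, user = m.groups()
            sent[user] += 1
            ips[user].add(ip)
            continue
        m = LOGIN_RE.search(line)
        if m:
            user, ip = m.groups()
            ips[user].add(ip)
            continue
        m = PICKUP_RE.search(line)
        if m:
            local[m.group(1)] += 1
    return dict(sent), {u: sorted(s) for u, s in ips.items()}, dict(local)


def suspicious_accounts(ips, max_ips=3):
    """Accounts seen from more distinct IPs than max_ips. The threshold is an
    assumed placeholder; derive the real one from your own historical baseline."""
    return sorted(user for user, addrs in ips.items() if len(addrs) > max_ips)


def report(lines, max_ips=3):
    """Human-readable summary: accounts ordered by IP spread, then local senders by volume."""
    sent, ips, local = account_stats(lines)
    out = []
    for user in sorted(ips, key=lambda u: (-len(ips[u]), -sent.get(u, 0), u)):
        out.append(f"{user}: sent={sent.get(user, 0)} distinct_ips={len(ips[user])} "
                   + " ".join(ips[user]))
    for uid in sorted(local, key=lambda u: (-local[u], u)):
        out.append(f"uid {uid}: local submissions={local[uid]} (map to site: getent passwd {uid})")
    flagged = suspicious_accounts(ips, max_ips)
    out.append("flag for password reset: " + (", ".join(flagged) if flagged else "none"))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Against a real server, replace SAMPLE_LOG with the lines of /var/log/mail.log (and its rotated predecessors, since the abuse may predate the blacklisting). In the constructed data bob@example.com submits six messages from six different client IPs within seconds while alice@example.com only ever appears from one address; that IP spread is the pattern Jesse describes and is what the report flags. The pickup counts answer the "which site?" half of the question: ISPConfig runs each website as its own UNIX user, so the uid on a pickup line maps to a site via getent passwd. Note that none of this catches a script that speaks SMTP directly to remote servers, which is why Jesse also mentions watching active network connections.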
  6. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    @Taleman is correct, UCEPROTECTL3 blocks the entire DSN. Every IP in the range assigned to the DSN is blocked, even if your own server has never sent a single spam.
    There's also absolutely nothing you can do to fix the blacklisting. It's entirely between your IP provider and the buggers at UCEPROTECT to resolve. UCEPROTECT appear to put entire ranges on their blacklist on a whim. They did it with AWS last year, 31M+ IPs blocked for months.
    And Microsoft uses them, so any mails to office365/outlook.com, hotmail, btinternet (uses Microsoft hosted servers) etc. will be blocked.

    You have 2 options:
    1. Move your mail server to another IP with your current provider if possible, or move it to another hosting provider. This will cause even more disruption, including to the mail that is still working, and will require DNS changes (and more disruption whilst the DNS changes propagate).
    2. Set up a send-only mail server elsewhere and relay your outbound mail through that, and wait for your IP provider to get removed from the blacklist (note you may end up in an argument with Microsoft, who may continue to falsely claim they can see you've been recently sending them spam from the original mail server IPs, which would be a blatant lie :mad:). Once the blacklisting is removed, you can remove the mail relay. Depending on your existing DNS records, you may need to adjust the SPF records for domains you're responsible for sending mail for.
     
  7. jem

    jem New Member

    Thank you all for the help and support. I really appreciate it.
     