I am posting this in case it helps someone else down the road.

For the past 3 days, we were trying to stop spammers from using our server. We tried everything and spam was still going out. No matter what we did, whenever we ran netstat -a | grep "smtp" we would see tons of SMTP connections within a few minutes as soon as we restarted SMTP. We set up firewalls, blacklists, whitelists, you name it... We watched the maillogs and still spam was being sent. What made it worse, our sites could no longer send email from our scripts.

Those damn spammers were getting back on our server no matter what we did. We almost gave up...

But then we finally figured it out. The LAST ITEM on the list was the final piece of the puzzle - so remember this if it ever happens to you! Boy do we feel stupid now.

So here is what we eventually did to stop them:

1) Upgrade to Plesk 8.
2) Install Firewall module.
3) Set firewall rules to block all access from foreign country IP blocks (Class A blocks - enter by hand). Most of the spam we saw was from China or Russia.
4) Under SERVER->MAIL->MAIL PREF - set RELAY to CLOSED
5) in SERVER->MAIL->Mail White List: ONLY this 1 entry:
127.0.0.1 / 32
This allows localhost mail to be sent to the outside world.
6) under SERVER->MAIL->MAIL PREF: set the following on:
Enable SPF spam protection ON
Reject mails when SPF resolved to "fail"
include:spf.trusted-forwarder.org
Enable MAPS spam protection
MAPS zones = bl.spamcop.net
7) Under SERVER->server prefs:
Make sure Full hostname * = your resolvable primary host name. Be sure the reverse DNS will resolve to this host when mail is being sent. Otherwise, your server mail will be rejected.

8) Last but most importantly, CLEAR YOUR MAIL QUEUE and reboot.

If you don't do number 8, the thousands of pending SPAM emails stacked up in the queue will be resent by SMTP as soon as you restart!!!!!!! When we ran netstat -a | grep "smtp" we saw connections to Russia and elsewhere. We thought all our efforts were not stopping the spammers. We did stop them but just did not think so... their previous spam emails were still stacked up and waiting to be sent. What a monumental waste of time for us until we figured it out.

Clear the Qmail Email Queue by hand - here is how we did it:

http://forums.ev1servers.net/showthread.ph...ear+Qmail+queue

Now our SMTP connections are clean, clear, and no more spam being sent. Not only that, tons of incoming spam has been stopped dead in its tracks. Our email box is no longer cluttered with crap.

Watch your maillog for successful email:
tail -f /usr/local/psa/var/log/maillog | grep "success"

Watch your smtp connections:
netstat -ta | grep "smtp"

CLOSE MAIL RELAY and set up the MAIL WHITE-LIST to include local host connections only. Otherwise, your server emails won't go out.

Some of this may sound really simple, but it never occurred to us what was going on with respect to the old spam stuck in the queue -> it was opening SMTP connections to send pending spam.

It all looked like new spammer connections and spam mail being sent. Even Plesk 8 with its mail queue feature could not open - too many in there - timeout would occur.

Hope this helps some other poor soul out there...
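
An added example, not part of the original post: one way to tell from the maillog whether outbound SMTP deliveries are the old queue draining or mail injected after the lockdown. It assumes qmail-send's standard "new msg", "end msg" and "starting delivery" log messages; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Read qmail-send log lines on stdin and split remote deliveries into:
#   fresh   - the message was queued ("new msg N") inside this log window
#   backlog - no "new msg N" seen, so it was already sitting in the queue
classify_deliveries() {
    awk '
    # Pull the numeric id out of "msg N" on the current line.
    function msgid(line) {
        if (match(line, /msg [0-9]+/))
            return substr(line, RSTART + 4, RLENGTH - 4)
        return ""
    }
    / new msg [0-9]+/ { seen[msgid($0)] = 1; next }
    # qmail reuses message ids after "end msg", so forget the id here.
    / end msg [0-9]+/ { delete seen[msgid($0)]; next }
    / starting delivery [0-9]+: msg [0-9]+ to remote / {
        if (msgid($0) in seen) fresh++; else backlog++
    }
    END { printf "backlog=%d fresh=%d\n", backlog, fresh }
    '
}

# Constructed sample: msgs 4711-4713 predate the window, 4712 is later reused.
sample_log() {
    cat <<'EOF'
Mar  1 10:00:01 host qmail: 1141207201.100000 starting delivery 1: msg 4711 to remote a@example.net
Mar  1 10:00:02 host qmail: 1141207202.100000 delivery 1: deferral: Connected_to_192.0.2.10_but_connection_died./
Mar  1 10:00:03 host qmail: 1141207203.100000 starting delivery 2: msg 4712 to remote b@example.net
Mar  1 10:00:04 host qmail: 1141207204.100000 delivery 2: success: 192.0.2.11_accepted_message./
Mar  1 10:00:04 host qmail: 1141207204.200000 end msg 4712
Mar  1 10:05:00 host qmail: 1141207500.100000 new msg 4712
Mar  1 10:05:00 host qmail: 1141207500.200000 info msg 4712: bytes 812 from <web@example.org> qp 2210 uid 48
Mar  1 10:05:01 host qmail: 1141207501.100000 starting delivery 3: msg 4712 to remote c@example.com
Mar  1 10:05:02 host qmail: 1141207502.100000 delivery 3: success: 192.0.2.12_accepted_message./
Mar  1 10:05:02 host qmail: 1141207502.200000 end msg 4712
Mar  1 10:06:00 host qmail: 1141207560.100000 starting delivery 4: msg 4713 to remote d@example.net
EOF
}

sample_log | classify_deliveries
```

On a live server, feed it the part of /usr/local/psa/var/log/maillog written after the restart: a high backlog count with fresh near zero means the connections are the old queue emptying, not new relay abuse.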