How to immediately stop spam users
Eventually some of my users get their accounts compromised, and start sending spam or viruses. To stop them, I'm using a combination of CSF and some scripts.
The problem is that even though I detect spam and promptly change their passwords and suspend the account using cPanel's UAPI, those accounts keep sending mails for the next 2-10 minutes before stopping. Why is this happening? How can I stop them immediately? Is there some login cache?
Thanks!
You might find the email sitting in the queue: WebHost Manager » Email » Mail Queue Manager (Mail Queue Manager - Version 68 Documentation - cPanel Documentation)
If they are using SMTP Authentication to send out these messages, then Exim may be relying on a Dovecot cache since it uses Dovecot for the authentication part. Make sure you are restarting Dovecot (and for good measure, I'd restart Exim too) after changing the passwords to see if that has any effect. That should clear out any cache that these systems are using. I have noticed something similar in the past with this and this helped me.
Hello, Could you open a support ticket using the link in my signature so we can take a closer look to see what's happening? Thank you.
If you know what email account is being used, I would tail the exim_mainlog after you reset the password and clear the Dovecot cache and see if the perpetrator is still sending out mail using the SMTP authentication credentials:
    tail -f /var/log/exim_mainlog | grep '%emailaccount%'
I suppose the %emailaccount% could be user@example.tld or user+example.tld or perhaps something else, so you'd have to know what they are using.
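An added example, not part of the thread: one way to check from the Exim log whether the old credentials were still accepted after the reset, or are now being refused. The function names and the sample log are constructed for illustration; it assumes the usual Exim main-log format, where arrivals are `<=` lines carrying `A=<authenticator>:<login>` and failed SMTP AUTH attempts are logged with `(set_id=<login>)`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the usual Exim main-log format:
# arrivals are "<=" lines with A=<authenticator>:<login>; failed SMTP AUTH
# attempts are "authenticator failed ... (set_id=<login>)" lines.

# auth_activity_since LOGIN "YYYY-MM-DD HH:MM:SS" [LOGFILE]
# Prints one line per event at or after the cutoff:
#   ACCEPTED <date> <time> <client> <message-id>   (credentials still worked)
#   REJECTED <date> <time> <client>                (login refused)
auth_activity_since() {
    awk -v login="$1" -v cutoff="$2" '
        BEGIN { alt = login; sub(/@/, "+", alt) }   # user+example.tld form
        {
            ts = $1 " " $2
            if (ts < cutoff) next       # ISO timestamps sort as plain strings
            client = "-"
            for (i = 3; i <= NF; i++) if ($i ~ /^\[/) { client = $i; break }
            sub(/:$/, "", client)
        }
        / <= / {
            # Message id precedes "<=" (field 4 if log_timezone adds a column).
            id = ($4 == "<=") ? $3 : $4
            for (i = 4; i <= NF; i++) {
                if ($i !~ /^A=/) continue
                who = substr($i, index($i, ":") + 1)
                if (who == login || who == alt) print "ACCEPTED", ts, client, id
            }
            next
        }
        / authenticator failed / {
            if (index($0, "(set_id=" login ")") || index($0, "(set_id=" alt ")"))
                print "REJECTED", ts, client
        }
    ' "${3:-/var/log/exim_mainlog}"
}

# Constructed sample log; password reset and restart assumed at 10:05:00.
write_sample_log() {
    cat > "$1" <<'EOF'
2018-01-15 10:03:10 1ebA01-0001Ab-2C <= user@example.tld H=(pc) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:user@example.tld S=2101
2018-01-15 10:05:42 1ebA02-0001Ac-9Q <= user@example.tld H=(pc) [203.0.113.5]:51301 P=esmtpsa A=dovecot_login:user@example.tld S=2098
2018-01-15 10:06:01 1ebA02-0001Ac-9Q => rcpt@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [198.51.100.7]
2018-01-15 10:06:30 1ebA03-0001Ad-Kx <= other@example.tld H=(lap) [192.0.2.44]:40022 P=esmtpsa A=dovecot_plain:other@example.tld S=900
2018-01-15 10:07:15 dovecot_login authenticator failed for (pc) [203.0.113.5]:51377: 535 Incorrect authentication data (set_id=user@example.tld)
EOF
}

# Run as a script: ./check.sh user@example.tld "2018-01-15 10:05:00" [logfile]
if [ "$#" -ge 2 ]; then auth_activity_since "$@"; fi
```

An ACCEPTED line after the cutoff means a login with the old credentials was still honoured; `=>` delivery lines after the cutoff are ignored because they only show mail that was already in the queue going out.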