Linux – How to block an email sender using SSH


Having a bit of a nightmare with our Linux server.

Some hacker is using our server for spamming. I sanitized all inputs, have a captcha image, changed passwords, etc., but still.
Somehow they keep on doing it. Getting thousands of emails by the hour. We have a 3000 emails limit daily, so this is blocking our SMTP nearly right after I clean the queue. The thing is that all those emails that keep coming in are stored as "unprocessed" somewhere, and this increases our disk space to the limit and then I can't even see the websites. Our server is a typical Linux, using Plesk 9.3 as panel. On all those spam emails, they display root@ip-188-121-62-27.ip-secureserver.net as the sender, which is a default system address I guess.

I desperately need to stop this and I simply don't know how. Is there a way of blocking that email address from sending emails? Via SSH or in Plesk?

This is the header of one of those spam emails:

Received: (qmail 20441 invoked by uid 48); 9 Mar 2012 09:29:55 -0200
Date: 9 Mar 2012 09:29:55 -0200
Message-ID: <20120309112955.20439.qmail@ip-188-121-62-27.ip.secureserver.net>
To: harsadeyes@aol.com
Subject: Viaqra 0,89
From: "Reuben Velasquez" <reuben_velasquez@vigrxplus-ue.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
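As an added triage example (not part of the question or the answer), this Python script parses the qmail `Received: (qmail PID invoked by uid UID)` header shown above and counts messages per injecting local uid, then resolves each uid against passwd-formatted text. The sample headers and the /etc/passwd excerpt are constructed; the point is that the uid identifies the local account submitting the mail, which the displayed From address does not.

```python
import re
from collections import Counter

# Constructed sample headers (not taken from the original post) in the qmail
# format quoted in the question: "Received: (qmail PID invoked by uid UID); DATE".
SAMPLE_HEADERS = [
    "Received: (qmail 20441 invoked by uid 48); 9 Mar 2012 09:29:55 -0200",
    "Received: (qmail 20512 invoked by uid 48); 9 Mar 2012 09:30:01 -0200",
    "Received: (qmail 20600 invoked by uid 48); 9 Mar 2012 09:30:07 -0200",
    "Received: (qmail 20733 invoked by uid 0); 9 Mar 2012 09:31:00 -0200",
    "Received: (qmail 20801 invoked from network); 9 Mar 2012 09:32:13 -0200",
]

# Local submissions carry "invoked by uid N"; SMTP submissions carry "invoked from network".
QMAIL_RECEIVED = re.compile(
    r"^Received:\s+\(qmail\s+(?P<pid>\d+)\s+invoked\s+"
    r"(?:by\s+uid\s+(?P<uid>\d+)|from\s+network)\)"
)

def parse_received(line):
    """Return (pid, uid) for a qmail Received header; uid is None for network submissions."""
    m = QMAIL_RECEIVED.match(line)
    if not m:
        return None
    uid = m.group("uid")
    return int(m.group("pid")), (int(uid) if uid is not None else None)

def count_by_uid(headers):
    """Count messages per injecting uid; network submissions are keyed as 'network'."""
    counts = Counter()
    for line in headers:
        parsed = parse_received(line)
        if parsed is None:
            continue  # not a qmail Received header
        _, uid = parsed
        counts["network" if uid is None else uid] += 1
    return counts

def resolve_uid(uid, passwd_text):
    """Map a numeric uid to a username using passwd(5)-formatted text."""
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            return fields[0]
    return None

# Constructed excerpt; on a real host read the contents of /etc/passwd instead.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\napache:x:48:48:Apache:/var/www:/sbin/nologin\n"

if __name__ == "__main__":
    for uid, n in count_by_uid(SAMPLE_HEADERS).most_common():
        name = "network" if uid == "network" else resolve_uid(uid, SAMPLE_PASSWD)
        print(f"{n} message(s) injected by uid {uid} ({name})")
```

A high count under the web server's uid points at a script running under the web application rather than at the forged sender address, which is where the cleanup needs to focus.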

Best Answer

It looks like the root account has been compromised, or has some processes or scripts running that it shouldn't. It's also possible you're running an open relay (which is a really bad idea).

You can easily check if you are running an open relay with mxtoolbox: just enter your domain and test SMTP.

In case the root account has been compromised, the only real solution is to get rid of the server entirely, and reinstall the OS.
Either restore it from a backup that you can trust has not been compromised, or do a clean install from scratch.