The website is infected and continuously sending spam emails - how can it be stopped

Posted: Thu Nov 17, 2022 1:25 pm
by isscbta
In a situation where a website gets infected, there is a big chance that it will start sending spam emails at some point. There are multiple ways to prevent this and to get alerted in time, but here we will see how to inspect a suspicious domain and check whether spam emails are being sent.

In your SSH, as root, run:

    grep 'website.com' /var/log/php-mail.log

If the log output shows that spam emails are being sent, suspend the domain with this command:

    v-suspend-web-domain someUsername website.com

Suspending the website prevents the malicious PHP scripts from sending more spam emails.

After that, run this command to clean the exim sending queue, in other words remove all queued mails that contain the string 'website.com':

    grep -r '/var/spool/exim4/input' -e 'website.com' | cut -d: -f1 | cut -c 24-39 | xargs -n 1 exim -Mrm

Another (maybe better) solution is to delete all emails sent from the SomeUsername account:

    grep -r '/var/spool/exim4/input' -e 'auth_id SomeUsername' | cut -d: -f1 | cut -c 24-39 | xargs -n 1 exim -Mrm

The reason for this is that remote SMTP servers (which are being spammed by emails from our server) detect the high sending rate and block our server.
As a result, almost all of the spam emails remain in the exim4 queue, so we need to clean them out.

Finally, inform the website owner that they should clean the website before it is unsuspended.
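The same workflow (count the suspicious mail() calls in php-mail.log, then find the queued exim messages that match a domain or an auth_id and prepare their removal) as an added, self-contained example; this is not code from the post or from the control panel. Everything it reads is constructed in a temporary directory: the php-mail.log line format, the spool file contents and the message ids are all made up for the demonstration, and the helper derives ids with basename instead of a fixed character offset so it does not depend on the length of the spool path. It prints the exim -Mrm commands for review instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers that mirror the post's
# workflow (check php-mail.log, then find and remove matching exim queue entries)
# against sample data constructed in a temporary directory, so it runs offline.
# Assumed: php-mail.log lines name the sending script path (which includes the
# domain), and exim spool files sit directly in $SPOOL/input as <id>-H / <id>-D.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of PHP's mail.log (two hits for website.com, one unrelated).
MAIL_LOG="$WORK/php-mail.log"
cat > "$MAIL_LOG" <<'EOF'
[17-Nov-2022 13:01:02 UTC] mail() on [/home/someUsername/web/website.com/public_html/wp-content/uploads/x.php:3]: To: a@example.net -- Headers: From: news@website.com
[17-Nov-2022 13:01:03 UTC] mail() on [/home/someUsername/web/website.com/public_html/wp-content/uploads/x.php:3]: To: b@example.net -- Headers: From: news@website.com
[17-Nov-2022 13:05:10 UTC] mail() on [/home/other/web/clean.org/public_html/contact.php:40]: To: owner@clean.org -- Headers: From: form@clean.org
EOF

# Constructed exim spool: header (-H) and data (-D) files with made-up message ids.
# Only the fields the helpers look at (sender address, auth_id) are modelled.
SPOOL="$WORK/exim4"
mkdir -p "$SPOOL/input"
printf '1oVbOa-0001Jq-3m-H\nsomeUsername 1001 1001\n<news@website.com>\n-auth_id SomeUsername\n' \
    > "$SPOOL/input/1oVbOa-0001Jq-3m-H"
printf '1oVbOa-0001Jq-3m-D\nVisit website.com today\n' > "$SPOOL/input/1oVbOa-0001Jq-3m-D"
printf '1oVbOb-0001Jr-4n-H\nsomeUsername 1001 1001\n<promo@website.com>\n-auth_id SomeUsername\n' \
    > "$SPOOL/input/1oVbOb-0001Jr-4n-H"
printf '1oVbOc-0001Js-5p-H\nother 1002 1002\n<form@clean.org>\n-auth_id other\n' \
    > "$SPOOL/input/1oVbOc-0001Js-5p-H"

# Step 1: how many mail() calls does the PHP mail log attribute to a domain?
count_mail_hits() {  # $1 = log file, $2 = domain
    grep -c -F -- "$2" "$1" || true
}

# Steps 3/4: message ids of queued mails whose spool files contain a pattern.
# basename is used instead of a fixed character offset, so the result does not
# depend on the spool path length; -H and -D hits for one message collapse to one id.
queue_ids_matching() {  # $1 = spool input dir, $2 = pattern
    grep -rl -F -- "$2" "$1" | while read -r f; do
        basename "$f" | sed 's/-[HD]$//'
    done | sort -u
}

# Produce the removal commands for review rather than executing them; pipe the
# output into sh once the list has been checked.
plan_queue_removal() {  # $1 = spool input dir, $2 = pattern
    queue_ids_matching "$1" "$2" | sed 's/^/exim -Mrm /'
}

echo "mail() hits for website.com: $(count_mail_hits "$MAIL_LOG" website.com)"
echo "queued messages from account SomeUsername:"
plan_queue_removal "$SPOOL/input" 'auth_id SomeUsername'
```

Pointing the functions at the real /var/log/php-mail.log and /var/spool/exim4/input gives the operator a reviewable list before anything is deleted; the post's one-liners do the same job in a single pipe once you trust the selection. Searching the spool files directly is what makes filtering on auth_id possible, since exim's own queue tools select on sender and recipient rather than on the authenticated account.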