What to do if your VPS is being used for Spam
This article will explain what to do if your VPS has been used for the sending of spam.
The first thing you need to do is change your passwords for all email accounts/FTP accounts, making sure that they are strong passwords. This may be enough to stop spam from being created.
The next thing to do is to stop the mail server in your services and check the email headers within the Mail Queue.
In Plesk, you can find this by going to Server Wide Mail Settings > Mail Queue.
In cPanel, you can find this in WHM under Main >> Email >> Mail Queue Manager.
Check the headers of the emails (these are the “Subjects” of the emails). In these you will see either domains or IP addresses in the “From” field. If you see any of these in this field, blacklist them if they are domains, or create a firewall rule blocking the IP.
This may stop the spam, and it may need to be repeated if multiple IPs are being used. If the spam stops, start the mail server again. If there is no information in the From field, it is likely that you have malware and may have a spamming script installed on your VPS.
Check the scripts on any of your sites that contain forms (they may have been exploited by a spamming script), and scan your domains for malware.
Check if your accounts have weak passwords.
Spammers will typically connect to a server and try a few hundred common passwords before moving on. These may well include passwords that are the same as the username or the domain name, as well as common obfuscations of the word “password”. Attackers will always make login attempts using either the full email address as the username or just common names.
Tip: You should always use passwords containing upper and lower case letters, numbers and symbols.
Server security issues come in two main types. In the first, the server itself is compromised and attackers have full control of it. In the second, individual websites are compromised. Scripts running in a website normally only have access to the account they are running in, which means that if an account is hacked, attackers can’t alter other sites running on the server or make changes to the underlying server configuration. The second type of hack results from attackers exploiting the code of a website.
If the Spam stops restart the mail server.
If you have scanned all the websites on your VPS and the spam is still present, you will need to scan the whole VPS.
For a Windows VPS please see the following article from the Microsoft support centre: http://support.microsoft.com/kb/2671662
Once you have scanned the server you should be able to locate the malware or Spam bot and remove it. Then start the mail server.
How can I prevent this from happening again?
There are a number of steps you can take to reduce the likelihood of your server, and the email coming from it, being used to send spam.
Configure a hostname for your VPS, e.g. mail.domain.com, which ISPs will check against your reverse DNS entry.
Contact support using the Ask a question option so that a reverse DNS/PTR record can be created to match the IP address of your VPS to the hostname you created in the previous step. Support will also check the SMTP banner, which is also used in email verification.
Implement an SPF record, which lets you specify which IP addresses are legitimately allowed to send email for your domain name; the purpose of this is to stop spammers from using your domain name.
You can generate an SPF record for your site at https://panel.cloudfloordns.com/dns/spfwizard.php. If you are using an external registrar, you will need to ask your domain provider to add the SPF record. If your domain is managed by 123 Reg, please see the following support article: How do I add an SPF record to my domain name?
The SPF record contains the IP address and the hostname of your VPS, which are used when checking the authenticity of an email's origin.
If you find that your IP has been blacklisted, by Spam Cannibal for example, you will need to use the following guide: What do I do if my 123 Reg server IP address has been blacklisted?