I have a VPS which I rent and it is running CentOS 6. The VPS has ZPanel installed which is used to host some websites and emails.

One of my clients has noticed thousands of 'undeliverable' messages in her inbox. (FYI, Roundcube Webmail is used for email).

This lasted for a few days and now her email does not work at all. I have come to the conclusion that her email address is sending out Spam and now the emails have stopped working because the domain has been blacklisted.

I checked out MXToolbox and I have confirmed that there are many blacklists.

I want to stop all spam from being sent out so here is my action plan:

  1. Complete a virus scan on my server
  2. Change my client's webmail password
  3. Change all FTP passwords
  4. Change my ZAdmin Password
  5. Change the server root password
  6. Request removal from blacklists

I am nervous about this issue because I do not have a lot of experience with servers and I have heard that if I am blacklisted too many times it can become permanent. (This is the fourth time; however, I believe the previous occurrences were from bad reverse DNS settings??)

What further actions would you recommend I take? I need to be 100% sure that my server is secure.

(FYI, my Antivirus is ClamAV).

pgunston

1 Answer

I think you need to be sure of what has happened before you take corrective action.

You have some indication that a particular user is involved. It may be that the user got phished (or otherwise had their password stolen), in which case your server may not be compromised at all.

Analyzing your webserver logs for logons by this user from anomalous source addresses is probably a good starting place. Correlating the undeliverable messages to your mail server logs will help, too. You should also examine the headers in the undeliverable messages to make sure the source messages were actually sourced by your server, and aren't just backscatter from spam sourced elsewhere in your user's name.

Evan Anderson
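The header check described in the answer above, sketched as an added example that is not part of the original post: it pulls the returned original out of a bounce and reports whether any `Received` hop names your own server. The function names, `vps.example.com` and the `192.0.2.10` / `203.0.113.7` addresses are constructed placeholders; substitute your server's real hostname and IP.

```python
import re
from email import message_from_bytes, policy

IP_RE = re.compile(r"\[(?:ipv6:)?([0-9a-f:.]+)\]")   # client IP as logged: [192.0.2.10]
BY_RE = re.compile(r"\bby\s+([\w.-]+)")              # receiving host: "by mx.example"

def embedded_original(bounce: bytes):
    """Return the original message (or just its headers) carried inside a bounce."""
    for part in message_from_bytes(bounce, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_bytes(part.get_payload(decode=True), policy=policy.default)
    return None

def classify_bounce(bounce: bytes, server_ips: set, server_hosts: set) -> str:
    """'sent-by-our-server' if any Received hop of the returned original names us."""
    original = embedded_original(bounce)
    hops = original.get_all("Received", []) if original is not None else []
    if not hops:
        return "unknown"  # nothing returned to inspect: fall back to the mail logs
    for hop in hops:
        text = str(hop).lower()
        by = BY_RE.search(text)
        if set(IP_RE.findall(text)) & server_ips or (by and by.group(1) in server_hosts):
            return "sent-by-our-server"
    # Received lines can be forged, so confirm either verdict against the MTA log.
    return "backscatter"

def make_bounce(received: str) -> bytes:
    """Constructed sample bounce; every host and address is a documentation value."""
    return (
        "From: MAILER-DAEMON@mx.remote.example\r\nTo: client@example.com\r\n"
        "Subject: Undelivered Mail Returned to Sender\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
        "--b1\r\nContent-Type: message/rfc822\r\n\r\n"
        f"Received: {received}\r\n"
        "From: client@example.com\r\nTo: nobody@remote.example\r\nSubject: hi\r\n\r\nbody\r\n"
        "--b1--\r\n"
    ).encode()

if __name__ == "__main__":
    ips, hosts = {"192.0.2.10"}, {"vps.example.com"}
    for hop in ("from localhost [127.0.0.1] by vps.example.com (Postfix) with ESMTP",
                "from unknown [203.0.113.7] by mx.remote.example with SMTP"):
        print(classify_bounce(make_bounce(hop), ips, hosts))
```

For every bounce classified as sent by your server, look up the queue ID from the matching `Received` line in the mail log to see which authenticated user or local process submitted it.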