Our provider suspended our account with 5000+ clients and their sites. The reason was that the whole IP range was blacklisted by Spamhaus, but our provider did not explain what emails, from what IP and with what content were sent exactly.
So now we are just suspended and 5000+ sites are not working, and all users moaning. Big problems, as you can see.
First thing I have is that we can (or we must?) buy separate professional SMTP server, fully configurable with GUI, and integrated with lots of spam detection software... so bad outgoing emails will be stopped, and will be able to detect who is doing bad things -> and then close their accounts at our hosting.
Is it a good idea, or do you have any other idea to effectively and quickly find a solution for this problem? It must be 100% effective, as it's the only way to convince our provider to un-suspend our account.
Please help urgently as we are losing our business....
Thanks in advance, Anton
P.S. This question duplicated to: https://stackoverflow.com/questions/3921906/im-hosting-reseller-and-i-got-spam-problems-please-help-to-solve
UPD. After all your comments - we are now looking for an expert to hire to server administrator position in our company.
No, sorry. You need to get your outgoing emails under control.
You do not need full anti-spam, though - it is good enough if you can mark every (!) outgoing email with an ID you can track back to the customer (account) that did send it, and then follow up legally with that (i.e. shut down your customers, recover expenses from them).
But you obviously have a problem here - or your customers have. Likely their sites being abused by bots.
It is not entirely clear to me what you are asking and you do not provide a lot of details about your current situation. What would help answering your question properly:
When allowing others to send e-mail from or through your server, you should first make sure that:
Judging from your question, I do not think extra servers will be a solution at all.
You have to get this under control and if you cannot, you should definitely not be thinking about managing another server as well.
Catching a spammer in your network is a handjob more than anything else (speaking from my history). I would use a mail gateway (postfix will do it) with per-client queues. All the client servers should be set to use the mail gateway as the smarthost, so emails sent to localhost (either with sendmail or by connecting to localhost sendmail service) will reach the gateway. Also installing a firewall rule for redirecting external port 25 traffic to localhost mail service (or directly to smarthost) is a must. On the mail gateway you should freeze the emails on arrival for 2-3 minutes and use a cron script to count the number of emails from each queue. Unfreeze the emails from queues that hold a total number of emails lower than a threshold (spammers are speedy, they will usually send tons in seconds). Doing this manually for a while will allow you to spot some patterns in the mail traffic. A spamassassin milter will help as well. The per-client queue setup can be a little bit complex and will surely require some scripting but will help in locating the spammer and with getting things working for the other customers.
On the other hand, if things are really bad, you should disable smtp traffic for everyone and re-enable it per customer request. This means mail service downtime for them but more control on your end. Anyway, given the situation I don't think the newly caused "downtime" means a lot. And yes, you need a sysadmin. Not a whm guru. Not really a clickety-click task ;)
If you are looking for a simple-to-set-up and manage mail server with antispam and antivirus + inbound and outbound tracking, set up something running postfix + spamassassin + clamav + MailScanner - a lot of the install work will actually be done by the MailScanner package and it works well with CentOS - I have 8 Mail Servers configured this way. Start out here for MailScanner and here for a howto
I am wondering what you're already doing to mitigate the problem.
You're saying Spamhaus won't tell you about the emails. That's routine in my experience. Headers can be forged, and it can take a lot of time to trace things back. It's easier just to blacklist the originator of the reported spam and put the onus on them to prove they're cleaned up. Often the originator is A) a spammer that is going to move to another block or B) some unwitting user that infected their system with a bot, so their ISP already mitigates the risk by blocking all outgoing port 25 traffic unless it comes from their mail server's IP.
So what are you doing now to mitigate the problem? Do you tag outgoing mail with a special ID for the customer? Do they get their own queues? Do you monitor outgoing mail volume, and restrict sending rates so they can't send unreasonable volumes of mail out? Do you block outgoing port 25 traffic unless the customer has a specific request for email service? Run monitoring reports on bandwidth used by your customers to find anomalies, in case their host server is compromised? Or are you literally just hosting, letting your users do whatever and however they please?
I would think that if you haven't done anything before now, you're going to need major reworking of your logical layout to the network. You'll need a mail server (maybe more depending on your customers,) lock outgoing traffic for SMTP to only customers that need email outside your network, put in monitoring scripts and rate limiting, and you might want to consider outgoing spam scanning, although this can lead to headaches for outgoing customer mail if it's incorrectly flagged as spam and their mail just disappears into the ether. I'd personally advise against that or at least set it to catch the most obvious spam, or alternatively offer it as an option for customers to opt in or out of using. With 5,000 customers hosted, you may very well need a system administrator to oversee your spam/email configuration. Following up on reports and auditing your hosted users' bandwidth can take up quite a bit of time to maintain.
This is not an answer to deal with actually scanning the mail but this is a method for potentially catching the source. If your hosting allows PHP and your mail gateway is simply sendmail, you likely don't have any clue what's passing through it or where it's coming from.
Remember this is for PHP + sendmail. It involves setting up a file that is prepended to all PHP scripts (prepend.php) that sets environment variables that are then logged when mail is sent using PHP by calling a wrapper for sendmail (sendmailwrap) rather than calling sendmail directly. In your php.ini,

Content of /usr/local/etc/prepend.php:

Content of /usr/local/bin/sendmailwrap:

The point of this is that your sendmail log file will now have something like the following:
If this is setup incorrectly you could cripple your clients' ability to mail so understand the steps and test before putting in production.
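As an added illustration of the wrapper approach in this answer (and of the per-account message counting suggested in the postfix gateway answer above), here is a small POSIX sh sendmailwrap that is not the original author's script. It assumes the PHP auto_prepend_file calls putenv() for PHP_SCRIPT, PHP_VHOST and PHP_CLIENT_IP (hypothetical names chosen for this example) and that sendmail_path in php.ini points at this wrapper.

```shell
#!/bin/sh
# sendmailwrap: record who is sending before handing the message to the real
# sendmail. Added example, not the script from the original answer. It assumes
# the PHP auto_prepend_file calls putenv() for PHP_SCRIPT, PHP_VHOST and
# PHP_CLIENT_IP (hypothetical variable names chosen for this example).

# Print the value of header $1 from message file $2 (headers end at the first
# blank line); prints nothing if the header is absent.
header_value() {
    sed '/^$/q' "$2" | awk -v h="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'index(tolower($0), h ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# One log line per message: PHP-supplied origin plus From: and Subject:.
# $1 = From: value, $2 = Subject: value.
format_origin_line() {
    printf '%s pid=%s uid=%s cwd=%s script=%s vhost=%s client=%s from=%s subject="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$(id -u)" "$PWD" \
        "${PHP_SCRIPT:-unknown}" "${PHP_VHOST:-unknown}" \
        "${PHP_CLIENT_IP:-unknown}" "$1" "$2"
}

# Spool stdin, log the origin, then forward the message with the original
# arguments to the real sendmail (both paths overridable for testing).
sendmailwrap_main() {
    log="${SENDMAILWRAP_LOG:-/var/log/sendmailwrap.log}"
    real="${SENDMAILWRAP_REAL:-/usr/sbin/sendmail}"
    tmp=$(mktemp) || return 75              # EX_TEMPFAIL: PHP's mail() sees a failure
    cat > "$tmp"
    format_origin_line "$(header_value From "$tmp")" \
                       "$(header_value Subject "$tmp")" >> "$log"
    "$real" "$@" < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Messages per originating script from log file $1, busiest first: the quick
# check a cron job can run to spot a burst coming from one account.
top_sending_scripts() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^script=/) c[$i]++ }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Act as the wrapper only when invoked under the installed name; sourcing the
# file merely defines the functions.
case "${0##*/}" in
    sendmailwrap) sendmailwrap_main "$@"; exit $? ;;
esac
```

Install it as /usr/local/bin/sendmailwrap, make it executable, and point sendmail_path in php.ini at it; the log file must be writable by the web server user.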