By: D3m055

Fighting exim4 outgoing spam with spamassassin

May 17, 2014
Hi, I used DO tutorials to set up exim for my WordPress websites for outgoing mail sending only. However, I've faced a problem with huge outgoing spam. Can I fix this issue with a SpamAssassin solution? If yes, would you please guide me through it? I have Ubuntu installed.
3 Answers
Hi,

When you say that you are having a problem with outgoing spam, do you mean that you believe your server has been compromised? SpamAssassin will only help catch spam that is sent to your mail server. If the spam is originating from your server, then you might have a bigger problem.

You might want to install something like rkhunter to check for compromised files:

https://www.digitalocean.com/community/articles/how-to-use-rkhunter-to-guard-against-rootkits-on-an-ubuntu-vps

You should also look at /var/log/auth.log for ssh logins from unknown IP addresses.
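One way to carry out the auth.log check suggested in the answer above, as an added example that is not part of the original thread: it lists accepted SSH logins whose source address is outside the networks you normally log in from. The log lines, host name, user names and addresses are constructed, and the traditional syslog timestamp format is assumed.

```python
import ipaddress
import re
from collections import defaultdict

# sshd success lines as written to /var/log/auth.log (traditional syslog timestamps assumed).
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample; on a real server read /var/log/auth.log (and rotated copies) instead.
SAMPLE = """\
May 16 22:01:10 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 40022 ssh2
May 16 22:04:51 web1 sshd[2140]: Accepted publickey for deploy from 192.0.2.10 port 51514 ssh2: RSA SHA256:constructed
May 17 03:12:45 web1 sshd[2877]: Accepted password for root from 203.0.113.7 port 38211 ssh2
May 17 03:40:02 web1 CRON[2901]: pam_unix(cron:session): session opened for user root by (uid=0)
May 17 04:02:19 web1 sshd[2950]: Accepted password for admin from 203.0.113.7 port 38990 ssh2
"""

def unknown_logins(lines, known_networks):
    """Return {ip: [(timestamp, user, method), ...]} for accepted SSH logins
    whose source address is outside every network in known_networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in known_networks]
    hits = defaultdict(list)
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue  # failed attempts, cron, sudo etc. are not successful logins
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # source field is not an IP literal
        if any(addr in net for net in nets):
            continue  # login came from a network you recognise
        hits[m["ip"]].append((m["ts"], m["user"], m["method"]))
    return dict(hits)

if __name__ == "__main__":
    # 192.0.2.0/24 stands in for "addresses I normally connect from" (assumption).
    for ip, events in unknown_logins(SAMPLE.splitlines(), ["192.0.2.0/24"]).items():
        print(f"{ip}: {len(events)} accepted login(s)")
        for ts, user, method in events:
            print(f"  {ts}  user={user}  method={method}")
```

Password logins for root from an address you do not recognise are the entries to investigate first; an empty result does not rule out a compromise through the web application itself.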
Thank you, I've followed the tut. Here's what I got:
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script, ASCII text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable
Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script, ASCII text executable
Warning: The following processes are using deleted files:
Process: /usr/sbin/mysqld PID: 682 File: /tmp/ibah5HJE
Warning: Suspicious file types found in /dev:
/dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'


Looks like nothing is extremely wrong. Am I right?
@Arkady: Have you run apt-get upgrade recently?