What to do if your server is used for spammingPosted about 2 years ago 1k
We notice, that it is the most common issue among our servers. Most likely you have faced this issue at some point of your experience with VPS. We have decided to make this article to address the possible options on the spamming problem.
Why is your server sending spam?
In general, there can be a lot of reasons for it, but we narrow it down to these:
Your VPS was hacked;
Your Website was hacked;
You are sending spam intentionally.
Now, we are going to look to the first two of these reasons separately and provide some suggestions to prevent the server from being used in spam activities as much as possible.
What if your VPS was hacked?
Assuming your VPS is not being used for Web Hosting and rather used for data storing, data processing, VPN or something else, you most likely have no need for mail services.
The first thing should be to disable or remove all the mail services, such as Exim, Postfix, Sendmail on your server.
Secondly, block all the SMTP related ports: 25, 465, 587. This can be done via iptables or some other firewall software you are using as well.
Sometimes email can be sent by using SSH tunnels in such way the spam appears to be sent by localhost. This is done, by port forwarding via SSH, which creates a secure connection between a local computer and a remote machine through which services can be relayed, such as SMTP. Since this method requires access to some user on the hacked server, it shows how important is to create a strong password, use custom SSH port, enabling and using SSH Key. Keeping your credentials and access to the server only to yourself or the people that you trust.
Last but not least, keep your software up to date, always. Perform routine security checks or antivirus scans. Get yourself a firewall to block unwanted connections and keep logs on the security matters of your server.
What if your Website was hacked?
This is the most common spam incidents on our servers since our VPS are focused on Web Hosting purpose. So how do you proceed after?
1. Check and scan your server with antivirus software. Most attacks are not very original and have happened already so the malware or injection will be found by proper antivirus tool.
2. Make sure your Content Management System is up to date and if not, update it! The updates are being released not only because some new feature is added to the software, but also to fix the vulnerabilities that have become public and abused by the 3rd party. Make sure to set automatic updates or at least check it manually once in a while.
3. If your VPS uses Apache as default web service, there is a great tool called ModSecurity, which is Web application firewall. It helps to scan and block a lot of bad request towards your websites and keep it in check constantly. It is great way preventing your websites from being infected with the most common injections. ModSecurity can be manually set up to block unwanted or suspicious request manually.
4. Make sure to use secure and strong passwords for your CMS, do not share it.
5. Do not use unknown plugins, which can, in fact, be created and published to get access to your website.
6. Limit the file extensions you allow to be uploaded to your websites.
7. Assign proper permissions to your files and folders, and try to avoid “777”.