It can happen that your hosting account starts sending a lot of e-mails without you meaning to. For this reason, we limit the number of e-mails that can be sent per day to prevent further damage on our servers. If this happens, DirectAdmin will send you a notification. If the e-mails are legal and intentional, please contact us so we can raise the limit for you.
How do I check whether I am sending spam?
1. Log in to DirectAdmin.
2. If one domain is active, skip to step 3. Else, choose any random domain to continue. The choice does not matter for the results.
3. Choose E-mail accounts.
4. Choose E-mail history.
This overview shows all the e-mails that were sent today. Sometimes you have to click on "This month" in order to view all the sent e-mails.
The table contains the information you need to find the source of the spam. If the Authentication column contains an e-mail address for every e-mail you did not send on purpose, a third party has found your password on your computer and is using it to send spam. We recommend scanning your devices for viruses and always using a secure connection. Also change your password, but do not configure your devices until you have scanned them. For your safety, we make sure that nobody can brute-force your password on your servers, so it is likely that you used an insecure connection or that a virus is or was active on your devices.
When you change your password, your other devices will no longer be able to log in to the server. After a number of failed attempts, the server will block your IP. We therefore recommend turning off synchronisation first. If you do get blocked, you can unblock yourself via the client area.
If the Path column contains a value (you can ignore the rows with the text retry), then a script is sending the e-mails. This is usually the case. Navigate to the path shown and check whether infected PHP files exist there (or in a nearby folder). The best temporary solution to stop the spam from being sent is to block all third-party access with the following code in your .htaccess file:
order deny,allow
deny from all
#allow from 126.96.36.199
# Remove the first # at the beginning of the row above and replace 126.96.36.199 with your own IP.
How to find infected files
There are many ways in which your PHP files may become infected. Sometimes restoring a backup is the better solution. Be sure to delete all your existing files first.
If restoring a backup is not a solution or not possible, check every file for code that does not correspond with the original code. Sometimes you can find the infected files by looking at the last-updated time, but attacks are getting more and more sophisticated and this timestamp is sometimes manipulated.
Search every file for abnormal code. The code does not necessarily have to reside in PHP files; image files can also contain PHP code (depending on the kind of leak found in your PHP application).
After removing the abnormal files, make sure that your application is up-to-date. There is a bug somewhere in your application that allows attackers to store and execute files.
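One way to automate this search, as an added example that is not part of the original article: the script below inspects file contents rather than timestamps (which can be manipulated) and flags PHP tags inside media files as well as obfuscation constructs in PHP files. The patterns, extension lists and sample files are assumptions chosen for illustration; a match means the file deserves manual review, not that it is proven malicious.

```python
import os
import re

# Assumed heuristics (not from the article): constructs that are rare in
# normal application code and typical of injected, obfuscated PHP.
SUSPICIOUS = {
    "eval-of-decoded-data": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "exec-of-request-input": re.compile(
        rb"(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)", re.I),
    "long-encoded-string": re.compile(rb"[A-Za-z0-9+/=]{500,}"),
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
CODE_EXT = {".php", ".phtml", ".inc"}
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".svg"}

def scan_file(path):
    """Return the names of all heuristics that match one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in CODE_EXT | MEDIA_EXT:
        return []
    with open(path, "rb") as fh:
        data = fh.read(5 * 1024 * 1024)  # inspect at most the first 5 MiB
    if ext in MEDIA_EXT and not PHP_TAG.search(data):
        return []  # ordinary media file, nothing to report
    tag = ["php-tag-in-media-file"] if ext in MEDIA_EXT else []
    return tag + [name for name, rx in SUSPICIOUS.items() if rx.search(data)]

def scan_tree(root):
    """Walk root and return {relative path: [findings]} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report

def write_sample_tree(root):
    """Constructed sample: a clean page, an obfuscated script, a fake image."""
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        "cache/x.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "uploads/logo.gif": b"GIF89a\x01\x00<?php echo 1; ?>",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
```

To use it on a real account, call `scan_tree()` with the folder shown in the Path column and review every reported file by hand.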