It took me a long time to finally become mail spam-free. It was a constant, daily effort for the spammers to find new holes after I plugged the old ones. I was most amazed at the persistence of these bot scripts, which continued to try using one of my servers to send mail for months, squeezing every last bit of spam through any means possible.
Here’s a list of just about everything I tried. I can’t be 100% certain what worked, but it should, if anything, give you a few ideas:
- Check the deferred mail queue for queued messages. On Postfix the queue lives under /var/spool/postfix (deferred messages in /var/spool/postfix/deferred); list it with mailq and dump one message with postcat -q QUEUEID. On sendmail the queue files are in /var/spool/mqueue. Open one of them up and skim the headers and body to find which script is sending the email; the Received header shows the unix user it was submitted as, which tells you whether it came through the web server account.
- Add an .htaccess file in any folder that is writable by your web server. This might include:
  /wp-content/uploads
  /wp-content/cache
The contents of the .htaccess are as follows:
  <FilesMatch "\.(php|php5|php4|php3|pl|py|sh|cgi)$">
      Order deny,allow
      Deny from all
  </FilesMatch>
This will prevent scripts in those folders from being executed by the web server; extend the extension list if your server also maps .phtml, .phar or .php7 to PHP. On Apache 2.4 the Order/Deny directives only work when mod_access_compat is loaded, so use "Require all denied" inside the FilesMatch block there instead.
The .htaccess file does not need execute permissions. It only needs to be readable by the web server (0644 is enough), and it must not be writable by the web server account, or the next dropped script can simply overwrite it. It is also only honoured if the directory's AllowOverride setting permits it; with AllowOverride None the file is ignored entirely and the scripts stay executable.
- After you’ve patched a hole, flush the mail queue (not the logs) so the count starts from zero and you can see which holes were left unplugged. Use the command for your MTA: sendmail keeps its queue in /var/spool/mqueue, Postfix is managed with postsuper. Both discard every queued message, legitimate mail included, so copy the queue directory somewhere first if you may need it as evidence.
  rm -f /var/spool/mqueue/*
  postsuper -d ALL
"postsuper -d ALL" already removes the deferred queue, so "postsuper -d ALL deferred" is only needed when you want to drop deferred mail alone and keep the rest of the queue.
- Although those PHP files in your uploads and cache directories are no longer executable, you still want to get rid of them. Any misconfiguration in your .htaccess file would give them free rein to wreak havoc again. List them first, because some caching plugins legitimately store .php files under wp-content/cache, and keep a copy of the malicious ones for later analysis:
  cd /var/www/html
  find . -path "*wp-content/uploads*" -name "*.php" -print
  find . -path "*wp-content/cache*" -name "*.php" -print
Once you have reviewed the list, delete them:
  find . -path "*wp-content/uploads*" -name "*.php" -delete
  find . -path "*wp-content/cache*" -name "*.php" -delete
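The steps above, collected into a set of shell functions. This is an added example, not the original post's own commands: the function names, the directory layout used for testing and the sample queue text are all constructed here. The originating-script function assumes PHP's mail.add_x_header setting is on, which makes mail() stamp each message with an X-PHP-Originating-Script header; the post does not mention that header, so treat it as an extra check, not something every queue file will carry.

```shell
#!/bin/sh
# Added example for the WordPress spam clean-up steps above (not from the
# original post).  Usage once sourced:
#   deny_script_exec /var/www/html/wp-content/uploads
#   list_rogue_php  /var/www/html
#   postcat -q QUEUEID > /tmp/q.txt && originating_scripts /tmp/q.txt

# Write an .htaccess that stops the web server from executing scripts in a
# writable directory.  Apache 2.4 (mod_authz_core present) gets "Require",
# older servers get Order/Deny, so the same file works on both.  The
# extension list is wider than the post's, covering .phtml/.phar/.php[3-8],
# which many hosts also hand to PHP.
deny_script_exec() {
    dir=$1
    htaccess="$dir/.htaccess"
    cat > "$htaccess" <<'EOF'
<FilesMatch "\.(php|php[3-8]|phtml|phar|pl|py|sh|cgi)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    # Readable by the server is all that is needed; no execute bit, and no
    # write bit for group/other so a dropped script cannot rewrite it.
    chmod 0644 "$htaccess"
}

# Print every script-like file under the writable WordPress directories,
# one path per line.  ROOT is the document root (e.g. /var/www/html).
# Review the output before deleting: caching plugins may legitimately keep
# .php files under wp-content/cache.
list_rogue_php() {
    root=$1
    find "$root" \( -path '*wp-content/uploads/*' -o -path '*wp-content/cache/*' \) \
        -type f \( -name '*.php' -o -name '*.php[3-8]' -o -name '*.phtml' -o -name '*.phar' \) \
        -print | sort
}

# Number of files list_rogue_php would report; handy for a before/after check.
count_rogue_php() {
    list_rogue_php "$1" | wc -l | tr -d ' '
}

# Tally the originating scripts named in one or more queue-file dumps
# (output of `postcat -q` on Postfix, or a sendmail qf file).  Only works
# when PHP was configured with mail.add_x_header = On (assumption, see
# lead-in); the header value is "uid:script".
originating_scripts() {
    grep -h '^X-PHP-Originating-Script:' "$@" \
        | sed 's/^X-PHP-Originating-Script:[[:space:]]*//' \
        | sort | uniq -c | sort -rn
}
```

Run list_rogue_php and originating_scripts first and read what they print; deny_script_exec is the only function that changes anything on disk, and even then it only writes one .htaccess per directory you name. Deleting the listed files is deliberately left to the find -delete commands above so nothing is removed without a look at the list.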