We use business email addresses from a private domain via pop3 on gmail, but our hosting company have started suspending us daily because one user's account has been hijacked by a phpmailer sending spam from his address.

The hosting company say it's our problem to sort it out, but as far as I am aware there's little we can do on this side? Surely it's up to them to block the IP addresses from accessing the server entirely?

Any help or advice would be greatly appreciated! Thanks

  • Do the spam mails actually come from your server, or from somewhere else entirely, just using your domain as sender address? – Gerald Schneider Jul 13 '17 at 09:47
  • Just our server, we've taken steps to add SPF and DKIM, but really if there's anything else we can do that's less obvious it would be appreciated, as luck would have it it's the director's email address which went bad so it's important it stays clean – Michael Richmond Jul 14 '17 at 10:06
  • Well, the obvious step is to fix the vulnerabilities, wipe the server and set it up again from clean backups. See https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – Gerald Schneider Jul 14 '17 at 10:08

1 Answer

The responsibility belongs to whoever is responsible for maintaining the vulnerable PHP script. If it's your site, find and fix it immediately. The problem is that this kind of vulnerability exists, not that someone somewhere else is using it!

If it's not your site, you can make an abuse report: the hosting company should inform the user about the problem.

If the user is not affiliated with your company and is just using the address, you should deploy SPF in order to tell the world that these messages are not from you. If you only use Gmail for your mail, you can e.g.

  • Allow only Gmail:

    @ TXT "v=spf1 include:_spf.google.com -all"
    
  • Allow Gmail, disallow this one server (example address), softfail for rest:

    @ TXT "v=spf1 include:_spf.google.com -ip4:198.51.100.0 ~all"
    
Esa Jokinen
  • Prevents it is the wrong term. It will make those mails more likely get flagged as spam. The server can still send the mails and your hoster can still suspend you. – faker Jul 13 '17 at 10:45
  • That was only for the second option. Hopefully more clear now. – Esa Jokinen Jul 13 '17 at 10:52
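As an added illustration (not part of the answer above), here is a small Python evaluator showing how a receiving mail server would judge a sender IP against the two SPF records proposed in the answer. The `_spf.google.com` expansion is a constructed stand-in, not Google's real ranges, and only the `ip4`, `include` and `all` mechanisms those records use are implemented.

```python
import ipaddress

# Constructed stand-in for DNS: what an "include:" target would expand to.
# Offline example data only; not Google's real SPF record.
FAKE_DNS = {
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# The two records from the answer above.
GMAIL_ONLY = "v=spf1 include:_spf.google.com -all"
GMAIL_NOT_SERVER = "v=spf1 include:_spf.google.com -ip4:198.51.100.0 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, dns=FAKE_DNS, depth=0):
    """Evaluate an SPF record for a sender IP.

    Returns "pass", "fail", "softfail", "neutral", or "none" when no
    mechanism matched. Mechanisms are tried left to right; the first
    match decides the result via its qualifier (default "+").
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            # A bare address like 198.51.100.0 is treated as a /32.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # Unresolvable or over-deep includes count as no match.
            if depth > 10 or arg not in dns:
                continue
            matched = check_spf(dns[arg], sender_ip, dns, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "none"
```

With the second record, mail from the hijacked server's IP hard-fails while unknown hosts only soft-fail, which is why it makes those messages more likely to be flagged rather than outright rejected everywhere.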