
How to Drop all opened SMTP connections?

dragnovich

Basic Pleskian
Hello, I have some customers whose email accounts were compromised and are sending hundreds of emails per minute, so when this happens I need to "suspend the whole site". However, the spammer's email connection is "live", and it keeps sending emails EVEN IF I DELETE THE USER ACCOUNT. This is because once Plesk grants the connection to a user, that connection is not dropped until the user drops it; this can take several minutes, even hours! Meanwhile the spammer is happily sending emails.

Is there any way I can KILL all the opened SMTP connections, forcing the users to log in again, and/or reducing the time the connection is kept open?

I tried
/etc/init.d/qmail stop
(wait 1 minute)
/etc/init.d/qmail start

But it did not drop the attacker's connection; it just stopped sending emails in that period. I also tried restarting the whole qmail service; however, if I don't stop it and wait more than 5 minutes, it does not kill the connections. And on a production server I can't wait that amount of time.

Any ideas?

NOTES:
1) Changing the users' email or password is not an option (I already did that), because their computers/networks are compromised
2) Deleting the sites is also not an option
3) I just need to block the current compromised email/domain until the problem is fixed.

Regards
 