# Spamming hosting clients



## ParkInHost (Dec 18, 2014)

Hello,

What are the steps taken by you (hosting providers) when your client is reported to be spamming?

What's the best way to solve this case?


----------



## Asim (Dec 18, 2014)

I report, give them a call if they are reachable and tell them they have x hours to fix it.

If it's very serious (like this last time when someone's WordPress got hacked and was causing a significant CPU load), I suspended the account, told them they could clean it up WHEN they are available (I enabled account, they logged in to clean it up etc).


----------



## comXyz (Dec 18, 2014)

If the report comes from a trusted source, and it's a serious problem, you can temporarily suspend the service, then contact your customers.

Otherwise you need to contact your customers first, and give them at least 24 hours to reply.


----------



## DaringHost (Dec 18, 2014)

With proper order screening and scripts set up to monitor SMTP connections, we've cut down on customers signing up to send spam in the first place. However, of course, nothing is 100%; customers' websites do get exploited, etc. In the event that we receive a notice in regards to spam, we manually investigate it. If found that it's valid and the customer is indeed sending spam, the site/VPS is suspended and notice is sent to the customer to contact us when they're online so that they can resolve the issue.

It's also important to note that some spammers will claim that their VPS was hacked (even though it wasn't), request a new OS install, and then start sending spam again.


----------



## RTGHM (Dec 18, 2014)

I can't believe no one has said the obvious. Set a limit of x amount of emails that can be sent per hour. Eg: 100 emails / hour max sent.


----------



## mojeda (Dec 18, 2014)

RTGHM said:


> I can't believe no one has said the obvious. Set a limit of x amount of emails that can be sent per hour. Eg: 100 emails / hour max sent.


I don't know, honestly I think port 25 should be blocked and only enabled at the user's request after they are a customer for X amount of days unless customer service believes, without a doubt, that the person will be ok to have port 25.

Even if someone needs port 25 for legit reasons they can use services like mandrillapp.com and just smtp everything to it to be dealt with.


----------



## ParkInHost (Dec 18, 2014)

Asim said:


> I report, give them a call if they are reachable and tell them they have x hours to fix it.
> 
> If it's very serious (like this last time when someone's WordPress got hacked and was causing a significant CPU load), I suspended the account, told them they could clean it up WHEN they are available (I enabled account, they logged in to clean it up etc).


Suspension without notice isn't a problem? Will the clients consider ordering from us again?


----------



## ParkInHost (Dec 18, 2014)

c1bl said:


> If the report comes from a trusted source, and it's a serious problem, you can temporarily suspend the service, then contact your customers.
> 
> Otherwise you need to contact your customers first, and give them at least 24 hours to reply.


Contacting customers and providing some time to clean up is the best solution, rather than direct suspension. Thanks


----------



## ParkInHost (Dec 18, 2014)

DaringHost said:


> With proper order screening and scripts set up to monitor SMTP connections, we've cut down on customers signing up to send spam in the first place. However, of course, nothing is 100%; customers' websites do get exploited, etc. In the event that we receive a notice in regards to spam, we manually investigate it. If found that it's valid and the customer is indeed sending spam, the site/VPS is suspended and notice is sent to the customer to contact us when they're online so that they can resolve the issue.
> 
> It's also important to note that some spammers will claim that their VPS was hacked (even though it wasn't), request a new OS install, and then start sending spam again.


Yes, I have seen this case as well. They spam and blame it on their clients or the account being hacked. Tough call.


----------



## comXyz (Dec 18, 2014)

ParkInHost said:


> Contacting customers and providing some time to clean up is the best solution, rather than direct suspension. Thanks


Well, it depends.

If you know the VPS is sending out a DDoS attack, you still wait for customer response?


----------



## RockTBN (Dec 18, 2014)

c1bl said:


> Well, it depends.
> 
> If you know the VPS is sending out a DDoS attack, you still wait for customer response?


I agree with your point. If a customer was reported for a DDoS attack, we would suspend the VPS immediately, then send them an email to inform them, cos it would affect other customers on the same node too. We give customers with spamming complaints/reports 24 hours to solve the issue.


----------



## ParkInHost (Dec 19, 2014)

c1bl said:


> Well, it depends.
> 
> If you know the VPS is sending out a DDoS attack, you still wait for customer response?


Difficult situation.. If we suspend without informing we might lose the client also. But tough task!!


----------



## ParkInHost (Dec 19, 2014)

RockTBN said:


> I agree with your point. If a customer was reported for a DDoS attack, we would suspend the VPS immediately, then send them an email to inform them, cos it would affect other customers on the same node too. We give customers with spamming complaints/reports 24 hours to solve the issue.


Yes this looks good too.


----------



## GaleDribble (Dec 20, 2014)

Throw them in a fire.


----------



## HH-Josh (Dec 20, 2014)

Call the client, then investigate and suspend where necessary after the investigation. Every case is different so treat each customer differently. Cover it in your terms of service that spamming isn't tolerated and the client can be suspended or terminated for it (that way it covers your actions and procedures). Can sometimes be a case of their script has been exploited.

We've never had any major issues with spamming clients if I'm honest, been more to do with people signing up to our services with fake details and then uploading a mail script - which is then dealt with straight away.


----------



## uniweb (Dec 21, 2014)

Using putty.exe, if I enter this short script

```
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
```


----------
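
The per-directory count from uniweb's command, combined with the hourly cap RTGHM suggests, as an added example that is not part of any post in this thread. The function names, the limit of 100 per hour and the sample log lines are assumptions constructed for illustration; the log layout assumed is `DATE TIME cwd=DIR N args: ...` with no PID field.

```shell
#!/bin/sh
# Added example (not from the thread): bucket exim "cwd=" lines per hour and
# per directory, then report the directories above an hourly limit.

# make_sample_log FILE: write a constructed exim_mainlog excerpt to FILE.
make_sample_log() {
  {
    i=1
    while [ "$i" -le 120 ]; do   # 120 submissions from one directory in hour 10
      printf '2014-12-21 10:%02d:%02d cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i\n' $((i / 2 % 60)) $((i % 60))
      i=$((i + 1))
    done
    for m in 1 2 3; do           # a low-volume site in the same hour
      printf '2014-12-21 10:0%d:00 cwd=/home/user2/public_html 3 args: /usr/sbin/sendmail -t -i\n' "$m"
    done
    printf '2014-12-21 10:05:00 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q\n'
    printf '2014-12-21 11:00:01 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i\n'
  } > "$1"
}

# hourly_cwd_counts LOGFILE: print "DATE HOUR COUNT DIR" per (hour, directory),
# skipping exim's own spool directory as the thread's one-liner does.
hourly_cwd_counts() {
  awk '
    $3 ~ /^cwd=/ {
      dir = substr($3, 5)                  # strip the "cwd=" prefix
      if (dir ~ /^\/var\/spool/) next      # queue runners, not customer scripts
      hour = $1 " " substr($2, 1, 2)       # e.g. "2014-12-21 10"
      count[hour "\t" dir]++
    }
    END {
      for (k in count) { split(k, p, "\t"); print p[1], count[k], p[2] }
    }' "$1" | sort
}

# over_limit LOGFILE LIMIT: keep only rows with more than LIMIT lines that hour.
over_limit() {
  hourly_cwd_counts "$1" | awk -v limit="$2" '$3 + 0 > limit + 0'
}

# Demo on the constructed log: one directory exceeds 100 submissions in an hour.
sample=$(mktemp)
make_sample_log "$sample"
over_limit "$sample" 100
rm -f "$sample"
```

A directory that shows up here is a starting point for contacting the customer or investigating a compromised script, not proof of intent.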



## Aurimas (Dec 22, 2014)

Well, our terms of service clearly state that spammers are always suspended. However, if there's a problem, it can always be resolved with our support department. But from our experience, no one gets suspended without a proper reason.


----------



## ParkInHost (Dec 30, 2014)

Thanks guys


----------



## datarealm (Dec 30, 2014)

ParkInHost said:


> Difficult situation.. If we suspend without informing we might lose the client also. But tough task!!


No reason not to notify them.

Anyhow, in the grand scheme of things one client vs. your entire reputation is never a tough call.


----------



## pravint (Dec 31, 2014)

When we find any client spamming, we suspend his hosting.


----------



## ParkInHost (Jan 2, 2015)

Thank you all for your responses


----------



## Francisco (Jan 2, 2015)

uniweb said:


> Using putty.exe, if I enter this short script
> 
> ```
> grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
> ```


Going through the customer's files isn't kosher and should never be seen as a 'good idea'.

If you don't want to suspend the customer, then just block DST port 25 from their IP addresses. If they only have a couple, you can do like


```
iptables -A FORWARD -p tcp --dport 25 -s IP -j DROP
```

Francisco


----------

