SupportSuite, eSupport and LiveResponse Discussion, troubleshooting and feedback related to Kayako's flagship support desk products SupportSuite, eSupport and LiveResponse.

  (#1) Old
BillDCat Offline
New Member
 
Posts: 8
Join Date: Aug 2006
SupportSuite Used for Spam - 25-06-2007, 03:23 PM

Hello,

I recently had my site suspended from my host due to excessive CPU load. There were 600+ processes and probably 95% were similar to the following:

Quote:
3268 0.0 0.0 8136 380 ? S 14:44 0:00 /usr/sbin/exim -Mc 1I1p3M-0000qY-Dl
... maybe 5%, maximum, were:
Quote:
5948 0.3 0.6 12564 6964 ? R 14:46 0:01 /usr/local/bin/php -q /home/[USERID]/public_html/cli/index.php
I can't check to see what the ./cli/index.php was chmod because it looks like the host chmod 000 on it - I guess that is possible. Anyway, I am fairly certain that it was chmod 755.

I will need to provide evidence that I have corrected the issue before they will unsuspend my site.

It looks like I am/was using 3.04.10.

Thanks for any help!

Dan

BTW, the host is actually using SupportSuite as their helpdesk sw.
   
  (#2) Old
Jamie Edwards Offline
Operations Manager
 
 
Posts: 5,270
Join Date: Jan 2006
Location: United Kingdom
25-06-2007, 03:42 PM

Hi Bill,

It could be that a mail loop occurred, flooding SupportSuite with incoming and outgoing e-mails (for example, if SupportSuite sends an e-mail that bounces, and for that bounce SupportSuite sends another receipt that bounces).

Are you sure it was used for spam? If so, it is probably because you are running a very outdated version of SupportSuite, which is susceptible to cross-site-scripting attacks.


Jamie Edwards (jamie.edwards ]at[ kayako.com)
   
  (#3) Old
bear Offline
Community Moderator
 
Posts: 688
Join Date: Jan 2005
25-06-2007, 04:12 PM

Quote:
Originally Posted by Jamie Edwards
it is probably because you are running a very outdated version of SupportSuite
Quote:
It looks like I am/was using 3.04.10.
More likely the mail loop idea; otherwise, that would be very bad news.
   
  (#4) Old
supportskins Offline
Senior Member
 
 
Posts: 3,692
Join Date: Aug 2006
Location: Mumbai, India
25-06-2007, 04:15 PM

Has to be a mail loop which can cause such load on a server. I am sure there is no other reason.



Professional and Affordable Kayako Skins - Specialists in Kayako Skinning & Customization - Professional Paid Support
Our Skins and Services - http://www.supportskins.com/store/
SupportSkins.com - http://www.supportskins.com/
   
  (#5) Old
BillDCat Offline
New Member
 
Posts: 8
Join Date: Aug 2006
25-06-2007, 05:19 PM

Ok, assuming it is a mail loop, how do I correct that?

Also, wouldn't I see the responses in the Support Suite? I have had email that bounced back and forth but they always show up in the support suite.

I guess one of the reasons I assumed it was spam is that a quick view of the access logs showed the top 5 IPs that hit the site were:

#1 - My IP address at the office (not surprising)
#2 - An IP in the UK - a little surprising but not too bad
#3 - An IP in Vietnam - (odd)
#4 - An IP in the Republic of Georgia (very odd)
#5 - An IP in Cuba (very odd)

Unfortunately, the logs only go back a few days so that could account for these. The guy in Georgia was my top suspect because I can see him connected for days at a time via the Live Response and he never browses any other pages!!

Thanks for the input! It's a relief to think that it's probably not Spam!!
... Now I just need to figure out how to fix it!!
   
  (#6) Old
supportskins Offline
Senior Member
 
 
Posts: 3,692
Join Date: Aug 2006
Location: Mumbai, India
26-06-2007, 02:34 PM

Disable email piping and check if there is a bounced email going around in your system. My guess is numerous ticket posts might be added to a single ticket causing such an issue.



  (#7) Old
BillDCat Offline
New Member
 
Posts: 8
Join Date: Aug 2006
26-06-2007, 04:24 PM

I must say that I find it amazing that Support Suite doesn't have any way to deal with a bounced email?!? Surely I can't be the only person that had SupportSuite trying to email a user that didn't exist, had a full mailbox or any other reason that an email might be bounced back.

So as I understand it, if I choose the Send Email option when creating a ticket and the email I put in doesn't exist, Support Suite sends the email. The server bounces the email back. Support Suite autoreplies to the bounced email, the server bounces again etc. etc. etc.?

Is that what the problem is?

Thanks for the help everyone! Hopefully I can get this resolved ASAP
   
  (#8) Old
supportskins Offline
Senior Member
 
 
Posts: 3,692
Join Date: Aug 2006
Location: Mumbai, India
26-06-2007, 05:19 PM

Kayako enhanced the parser to deal with email loops. You might want to consider upgrading to the last build. If you are on a UNIX server, try running the top command to see if it is still executing the cli/index.php file. You might also want to clear your maillog, which will also fix the load issue. If this fails, I suggest you create an urgent ticket with Kayako support.



  (#9) Old
BillDCat Offline
New Member
 
Posts: 8
Join Date: Aug 2006
26-06-2007, 06:48 PM

supportskins,

Thanks for the replies! I will try that if they turn my account back on
   
  (#10) Old
supportskins Offline
Senior Member
 
 
Posts: 3,692
Join Date: Aug 2006
Location: Mumbai, India
27-06-2007, 10:28 AM

You can ask your host to look into it. Just let them know this is what they need to check



  (#11) Old
BillDCat Offline
New Member
 
Posts: 8
Join Date: Aug 2006
27-06-2007, 03:57 PM

Well, the host turned my account back on but it turns out that I was using the latest build - 3.10.02. Also, it turns out that Flood Protection is turned on by default - despite what I was told on a chat with a Kayako support guy.



For now I have turned email piping off until I can figure out what might have happened.

Any other ideas on what would cause so many of these processes:

Quote:
3268 0.0 0.0 8136 380 ? S 14:44 0:00 /usr/sbin/exim -Mc 1I1p3M-0000qY-Dl
Please note that this site has nothing but SupportSuite on it.

Thanks!
   
  (#12) Old
supportskins Offline
Senior Member
 
 
Posts: 3,692
Join Date: Aug 2006
Location: Mumbai, India
27-06-2007, 04:22 PM

I suggest you create a ticket with Kayako support. They will look into the issue and provide you with a fix for the same.



  (#13) Old
bear Offline
Community Moderator
 
Posts: 688
Join Date: Jan 2005
27-06-2007, 05:37 PM

You should look at the exim mail log to see if it might not be Kayako, but a mail flood. There might be a spammer hitting your mail queue, and the address just happens to be the one being piped.
Assuming a cpanel server and sufficient access, at the shell prompt, type the following (substitute email@address.here with the real address for the piped account/alias):
tail -f /var/log/exim_mainlog |grep email@address.here

Watch for a bit and see how many emails are arriving.
To quit the tail, type <CTRL> C.
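
An added example, not part of the post above and not Kayako's code: where the tail/grep command shows mail arriving live, this summarises exim main-log lines for one address after the fact, counting deliveries, how many came from the null sender `<>` (bounces, a high share of which is consistent with the bounce loop discussed in this thread), the busiest minute and the most frequent envelope sender. The function name, addresses, message IDs and log lines are constructed for illustration; only the `<=` (arrival) and `=>` (delivery) markers are exim's own.

```shell
#!/bin/sh
# Added example: summarise deliveries to one address from exim main-log lines.
# Usage: summarize_piped_mail ADDRESS [LOGFILE]   (reads stdin if no LOGFILE)
summarize_piped_mail() {
    awk -v addr="$1" '
        # Arrival: "date time id <= sender ..." -> remember envelope sender by id
        $4 == "<=" { sender[$3] = $5; next }
        # Delivery: "date time id => ..." mentioning the address (fixed string)
        $4 == "=>" && index($0, addr) {
            s = ($3 in sender) ? sender[$3] : "unknown"
            total++; by_sender[s]++
            if (s == "<>") bounces++          # null sender = bounce/DSN
            by_minute[$1 " " substr($2, 1, 5)]++
        }
        END {
            for (m in by_minute) if (by_minute[m] > peak) { peak = by_minute[m]; pm = m }
            for (s in by_sender) if (by_sender[s] > top) { top = by_sender[s]; ts = s }
            printf "total=%d bounces=%d peak=%d@%s top_sender=%s(%d)\n", total, bounces, peak, pm, ts, top
        }' ${2:+"$2"}
}

# Constructed sample input (not taken from the thread).
sample_log() {
    cat <<'EOF'
2007-06-25 14:44:01 1AAAAA-000001-AA <= <> R=1ZZZZZ-000009-ZZ U=mailnull P=local S=2048
2007-06-25 14:44:01 1AAAAA-000001-AA => support <support@example.test> R=virtual_aliases T=virtual_address_pipe
2007-06-25 14:44:02 1AAAAA-000001-AA Completed
2007-06-25 14:44:20 1AAAAB-000002-AB <= <> R=1AAAAA-000001-AA U=mailnull P=local S=2100
2007-06-25 14:44:20 1AAAAB-000002-AB => support <support@example.test> R=virtual_aliases T=virtual_address_pipe
2007-06-25 14:44:41 1AAAAC-000003-AC <= <> R=1AAAAB-000002-AB U=mailnull P=local S=2150
2007-06-25 14:44:41 1AAAAC-000003-AC => support <support@example.test> R=virtual_aliases T=virtual_address_pipe
2007-06-25 14:45:10 1AAAAD-000004-AD <= customer@example.test H=mail.example.test [192.0.2.10] P=esmtp S=900
2007-06-25 14:45:10 1AAAAD-000004-AD => support <support@example.test> R=virtual_aliases T=virtual_address_pipe
2007-06-25 14:45:30 1AAAAE-000005-AE <= other@example.test H=mail.example.test [192.0.2.11] P=esmtp S=700
2007-06-25 14:45:30 1AAAAE-000005-AE => sales <sales@example.test> R=virtual_aliases T=virtual_address_pipe
EOF
}

sample_log | summarize_piped_mail support@example.test
```

On a real server the second argument would be the log path from the post above, for example `summarize_piped_mail email@address.here /var/log/exim_mainlog`.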
   