Hey NoLimit
Let's take a step back, and see what we can figure out.
First, from a domain level, disable generic MX accounts. In other words, make sure that only mail sent to REAL eMail addresses gets through. If you must have a "catch all" mail account, make it something that you don't link to your main inbox.
Now, make sure SpamAssassin is turned on. You should have 10 levels; if it's on, increase the level. If it's not on, start with level 3, and increase to 5, 7, and 10 until you can see what gets rid of most of the spam without creating false positives.
Make sure that all of your scripts use some kind of session naming technique to prevent basic attacks of that sort. In other words, instead of having a login script set $_SESSION['login'] = true; try hashing the person's IP address, and use that instead of "true". It's an easy way to make sure that the person loading the page is most likely who logged in.
Use a captcha on form eMail pages, or at least something that will keep robots from really obviously sending mails. You can make a very simple captcha by creating just 5 or 10 images with a few letters on them, warped a bit, and numbering them, and having the script randomly select one, and check the user's input against what you have recorded for it. There are also several good captcha libraries and APIs, such as ReCaptcha, which is a pretty cool project.
Turn off directory indexing, set a logical 404 page, and verify eMail addresses of people who register.
If you have any more questions, let us (or me) know.
Hope that helps a bit!
-OmniUni
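The two script-level suggestions in the post above (storing a hash of the client's IP in the session instead of a bare true, and checking a numbered-image captcha) as an added PHP example; this is not OmniUni's code. The CAPTCHA_ANSWERS table, the image path, the $secret value and the sample IP addresses are all constructed for the example; the session is a plain array so the file runs from the command line without a web server.

```php
<?php
// Added example (not from the original post): binding a PHP session to the
// client that logged in, and checking a simple numbered-image captcha.
declare(strict_types=1);

// Hypothetical captcha table: image number => text drawn on that image.
// In the post's scheme these are the 5 or 10 pre-made warped images.
const CAPTCHA_ANSWERS = [
    1 => 'k7pq',
    2 => 'x3mz',
    3 => 'b9rt',
    4 => 'h2wn',
    5 => 'q5vd',
];

// The value the session is bound to: an HMAC of the client IP rather than a
// plain hash, so it cannot be recomputed from the IP alone. $secret is
// assumed to come from server-side configuration.
function client_fingerprint(string $ip, string $secret): string
{
    return hash_hmac('sha256', $ip, $secret);
}

// Called once the user's credentials have been verified.
function mark_logged_in(array &$session, string $username, string $ip, string $secret): void
{
    // Issue a fresh session ID so an ID handed out before login cannot be reused.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['login'] = client_fingerprint($ip, $secret); // instead of bare true
    $session['user']  = $username;
}

// Called on every protected page: the stored value must match the current client.
function is_logged_in(array $session, string $ip, string $secret): bool
{
    if (!isset($session['login'], $session['user'])) {
        return false;
    }
    // Constant-time comparison of the stored and recomputed fingerprints.
    return hash_equals($session['login'], client_fingerprint($ip, $secret));
}

// Pick an image number at random and remember it for the later check.
function issue_captcha(array &$session): int
{
    $n = random_int(1, count(CAPTCHA_ANSWERS));
    $session['captcha_id'] = $n;
    return $n; // the form would show e.g. captcha/$n.png (hypothetical path)
}

// Compare the user's answer with the text recorded for the issued image.
// The issued number is cleared first so one correct answer cannot be replayed.
function check_captcha(array &$session, string $answer): bool
{
    if (!isset($session['captcha_id'])) {
        return false;
    }
    $expected = CAPTCHA_ANSWERS[$session['captcha_id']] ?? '';
    unset($session['captcha_id']);
    return hash_equals(strtolower($expected), strtolower(trim($answer)));
}

// Stand-alone walk-through with an array standing in for $_SESSION.
$session = [];
$secret  = 'replace-with-a-random-server-secret'; // placeholder, not a real key
mark_logged_in($session, 'alice', '203.0.113.7', $secret);
var_dump(is_logged_in($session, '203.0.113.7', $secret));  // same client
var_dump(is_logged_in($session, '198.51.100.9', $secret)); // different client

$n = issue_captcha($session);
var_dump(check_captcha($session, CAPTCHA_ANSWERS[$n]));    // right answer
var_dump(check_captcha($session, CAPTCHA_ANSWERS[$n]));    // replay of the same answer
```

In a real page you would pass $_SESSION and $_SERVER['REMOTE_ADDR'] in place of the array and the sample addresses. One caveat when binding a session to the client IP: users behind mobile carriers or rotating proxies change address mid-session and will be logged out, so if that matters for your audience, bind to a value that is stable for them instead and keep the session ID regeneration on login, which is what stops a pre-issued ID from being reused.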