LinuxQuestions.org


proNick 02-25-2009 07:05 AM

somebody sending emails from my server
 
hi all!

can you help me with one specific problem...

somebody sent a lot of (spam) email using my server. how can i figure out who did that, because my server is now on spam list, and that is a big problem for me.


thank you in advance!

repo 02-25-2009 07:11 AM

which mail server?
which distribution?
Your mailserver is probably an open relay
Take a look at
http://www.debian-administration.org/articles/41
more info about open relay
http://www.google.com/search?q=linux...nt=iceweasel-a

proNick 02-25-2009 08:36 AM

it's qmail, on fedora.

any idea what and where to check?

repo 02-25-2009 08:42 AM

You can test if you have an open relay here:
http://www.abuse.net/relay.html

more info about open relay
http://www.google.com/search?q=qmail...nt=iceweasel-a

farslayer 02-25-2009 08:54 AM

are you hosting a website on the server as well ? sometimes there is exploitable code on web servers that can be used to send spam, so don't overlook the website if you have one there..

proNick 02-25-2009 09:22 AM

Quote:

Originally Posted by farslayer (Post 3456987)
are you hosting a website on the server as well ? sometimes there is exploitable code on web servers that can be used to send spam, so don't overlook the website if you have one there..



i know that, so i want to check which account is used to send emails from server.

i need your help for that...

repo 02-25-2009 09:29 AM

1 make sure the mail server is not an open relay
2 harden the website
3 look in the logfiles from the mailserver to find some pointers

Matey 02-25-2009 10:07 AM

yeah, /var/log is a good start.
on the web server we can do this; it may help on the mail server as well? I dunno, wouldn't hurt to try:

edit your /etc/hosts.deny and add the intruders' IP addresses (from auth.log) and block them.
you can actually make an executable file under /log and run it; here's a little widget i found and modified to work with my system;

# sort first so uniq -c counts every occurrence of an address, not just adjacent ones
grep 'from' /var/log/auth.log | cut -d ' ' --field=13 | sort | uniq -c | sort -nr > ct-result.txt
sleep 2
more ct-result.txt


here's a link which has vpop and qmail and a lot more in middle of the page;

http://bowe.id.au/michael/isp/webmail-server.htm

btw I think many ppl run clamd on their mail servers?

proNick 02-25-2009 10:33 AM

ok,

so i checked, and my server does not act as open relay.

i guess that some script is on the server, and it is used to send emails.


all i want is to know which log i have to check, to find out which qmail user account is used to send emails?


thank you in advance!

repo 02-25-2009 10:42 AM

Hi,

Take a look at
http://qmail.jms1.net/logfiles.shtml

Perhaps you should disable the mailserver until you find the problem.
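
Added example (not part of the original thread and not any poster's code): one way to answer the "which account is sending" question from the qmail-send log. Stock qmail-send writes an "info msg" line for every queued message that ends in the uid of the process that injected it, so a web script shows up under the web server's uid. The function name, the sample log and the uids 48 and 89 are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise qmail-send "info msg" lines by injecting uid.
# Line shape assumed (stock qmail-send):
#   <timestamp> info msg <inode>: bytes <n> from <sender> qp <pid> uid <uid>

# Reads log lines on stdin, prints "count uid sender", busiest first.
qmail_uid_summary() {
    awk '
    /info msg [0-9]+: bytes / {
        uid = ""; sender = ""
        # Find fields by keyword so any timestamp prefix (tai64n, syslog) works.
        for (i = 1; i < NF; i++) {
            if ($i == "from") sender = $(i + 1)
            if ($i == "uid")  uid = $(i + 1)
        }
        if (uid != "") count[uid " " sender]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2n -k3,3
}

# Constructed sample log (not taken from the thread).
# uid 48 stands in for the web server user, uid 89 for another account.
sample_log() {
    cat <<'EOF'
@4000000049a53b1a0a1b2c3d new msg 919301
@4000000049a53b1a0a1b2d00 info msg 919301: bytes 2210 from <apache@host.example.org> qp 4101 uid 48
@4000000049a53b1a0a1b2e00 starting delivery 1: msg 919301 to remote a@example.net
@4000000049a53b1b0a1b2c3d info msg 919302: bytes 2198 from <apache@host.example.org> qp 4107 uid 48
@4000000049a53b1c0a1b2c3d info msg 919303: bytes 815 from <alice@example.org> qp 4110 uid 89
@4000000049a53b1d0a1b2c3d info msg 919304: bytes 2204 from <apache@host.example.org> qp 4115 uid 48
EOF
}

# Demo run on the constructed sample; on a real server pipe the
# qmail-send log into qmail_uid_summary instead.
sample_log | qmail_uid_summary
```

The path of the qmail-send log depends on how qmail was installed, so it is not hard-coded here. A uid from the output can be turned back into an account name with getent passwd <uid>.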

proNick 02-25-2009 11:56 AM

ok, since i'm not a qmail guru, i would like to ask a few more questions about this...

i checked my /var/qmail/users/assign file

i found there several usernames that i don't want they stands for.

will it be wrong if i remove some of them i know i don't use for my web applications?


All times are GMT -5.