LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-28-2006, 04:29 AM   #1
novice06
Member
 
Registered: Mar 2006
Location: Singapore
Distribution: RHEL, CentOS
Posts: 131

Rep: Reputation: 22
Email Relay abuse


Hi,

My mail server is being abused. My ISP reports that my IP is sending out spam mails. When I check my mail queue, over 300 ad mails are queueing. I am using the Qmail MTA. How can I secure it against that relay abuse?

Please suggest.

novice06
 
Old 03-28-2006, 06:20 AM   #2
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,684

Rep: Reputation: 54
http://qmail.3va.net/qdp/qmail-antirelay.html
and
http://www.palomine.net/qmail/relaying.html
The above addresses I got from here:
http://www.qmail.org/top.html

Basically - if you only want to send and receive for yourself - disable relaying altogether.

The other possibility is: you got hacked and now are abused as a source of spam and/or other possibly worse things.
I'd check for signs of this too...
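As an added example, not code from jomen's post or from the qmail project: a small POSIX shell audit of the two qmail settings the linked pages are about, the tcpserver rules file (the path /etc/tcp.smtp and the ucspi-tcp rules format are assumptions) and control/rcpthosts. It flags the combinations that make the host an open relay, and builds a constructed open-relay configuration beside a hardened one so the checks can be run offline.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two qmail settings that
# decide who may relay. Paths and the ucspi-tcp rules format are assumed:
#   /etc/tcp.smtp lines look like  <address-prefix>:<allow|deny>[,VAR="value"]
#   and an empty prefix matches every client.
# A rule that sets RELAYCLIENT makes qmail-smtpd accept any recipient from
# matching clients; a catch-all rule with RELAYCLIENT is an open relay.

# Print offending rules. Returns 1 when a catch-all RELAYCLIENT rule
# exists (definite open relay), 0 otherwise; public prefixes that relay
# are only printed as warnings because they may be legitimate hosts.
check_relay_rules() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    $0 !~ /RELAYCLIENT/ { next }             # only relay-granting rules matter
    {
        split($0, parts, ":")                # the client prefix precedes the first colon
        prefix = parts[1]
        if (prefix == "") {
            print "OPEN RELAY: catch-all rule grants RELAYCLIENT: " $0
            bad = 1
        } else if (prefix !~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) {
            print "WARNING: RELAYCLIENT granted to a non-private prefix, verify it: " $0
        }
    }
    END { exit bad }' "$1"
}

# Without control/rcpthosts, qmail-smtpd accepts mail for every domain,
# which is the other classic way a qmail host becomes an open relay.
check_rcpthosts() {
    if [ ! -f "$1/rcpthosts" ]; then
        echo "OPEN RELAY: $1/rcpthosts is missing"
        return 1
    fi
    return 0
}

# Constructed sample configurations (not from any real server): an
# open-relay layout under bad/ beside a hardened one under good/.
make_samples() {
    mkdir -p "$1/bad/control" "$1/good/control"
    # bad: the second rule matches everyone and grants relaying
    printf '127.:allow,RELAYCLIENT=""\n:allow,RELAYCLIENT=""\n' > "$1/bad/tcp.smtp"
    # good: only loopback and the LAN relay; everyone else may only deliver
    # to the domains listed in control/rcpthosts
    printf '127.:allow,RELAYCLIENT=""\n192.168.1.:allow,RELAYCLIENT=""\n:allow\n' > "$1/good/tcp.smtp"
    printf 'example.com\n' > "$1/good/control/rcpthosts"
}

# Usage on a real box: check_relay_rules /etc/tcp.smtp; check_rcpthosts /var/qmail/control
```

After correcting the rules file, the compiled database has to be rebuilt (tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp) or tcpserver keeps using the old rules. Relay rules only govern mail that arrives over SMTP: a few hundred queued messages injected by a process running locally on a compromised box never pass through them, which is why the second possibility in the post above deserves its own check.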
 
Old 03-28-2006, 09:21 PM   #3
novice06
Member
 
Registered: Mar 2006
Location: Singapore
Distribution: RHEL, CentOS
Posts: 131

Original Poster
Rep: Reputation: 22
reply

Hi,

As you suggested, my server was hacked.
I configured a software firewall (iptables) and I closed other unused services.
That cracker changed my root password.
I can't buy a hardware firewall because of our company budget.
It is secured only with iptables, especially for the Qmail server.
For my server's security, what other steps should I do?
Please advise me.

Thanks,
novice06
 
Old 03-29-2006, 03:52 AM   #4
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,684

Rep: Reputation: 54
Back up your personal and client data and do a complete reinstallation if you are not absolutely sure that nothing else happened beyond your root password being changed. I seriously doubt that and strongly suggest a reinstallation - and set up the firewall.
 
Old 03-29-2006, 04:03 AM   #5
novice06
Member
 
Registered: Mar 2006
Location: Singapore
Distribution: RHEL, CentOS
Posts: 131

Original Poster
Rep: Reputation: 22
reply

Hi,

Thanks for your suggestion.
After I found out my server was cracked: the email relay was abused.
Other services are working properly.
I can't log in with an SSH shell. I have another control panel.
I can change my root password. After that I set up a firewall.
As you say, I am afraid that the cracker can handle my server and abuse it again.

Thanks,
novice06
 
Old 03-29-2006, 04:34 AM   #6
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,684

Rep: Reputation: 54
Quote:
I am afraid that the cracker can handle my server and abuse it again.
...and rightly so - the only really sure thing to correct this under the circumstances (as I see them) is:
take the system off the net, backup the data you and/or your clients need and reinstall.
Set up a proper firewall and do not allow root logins from outside (ssh).
Do it now.
 
Old 03-29-2006, 04:53 AM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 51
As the cracker seems to have completely compromised your server, you have to change all information he has seen, in particular all passwords of your server and all passwords that were used from your server (webmail passwords, passwords used to access other servers, ssh keys, ...),
because he may have installed a sniffer.

But before this, you have to know how he entered so that he doesn't come back 10 minutes after the complete reinstallation ;-)
Like you could do this (the script at the beginning):
http://www.linuxquestions.org/questi...21#post2159321

Then you could look at all the connections present, maybe plug in an ethereal yourself to record a few hours of traffic (or put a sniffer on a machine plugged into a hub where your server is), then unplug it from the net and analyse your system.
Then you can boot from a live-cd and make another analysis: at this time the connections of the cracker will not be there anymore and the RAM will not contain any interesting information anymore, but the disk will still contain his traces.

There is a very useful thread by Unspawn in this forum; be sure to read it and follow it very carefully, it's a very effective method.
http://www.linuxquestions.org/questi...ad.php?t=45261

Last edited by nx5000; 03-29-2006 at 04:58 AM.
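As an added example, not code from nx5000's post or from any of the linked threads: the live-cd pass described above can start with the package manager's own integrity data on an RHEL/CentOS disk like the poster's, and the noise in that report is what makes it hard to read. The shell functions below triage rpm -Va output (for example from rpm -Va --root /mnt/sysimage, where the mount point is an assumption) so altered binaries stand out from routine config edits and mtime changes. The sample lines are constructed, not from any real host.

```shell
#!/bin/sh
# Added example, not from the thread: triage `rpm -Va` output from a
# live-CD examination of a RHEL/CentOS disk (for instance
# `rpm -Va --root /mnt/sysimage`, mount point assumed). Line format assumed:
#   <flags> [<type>] <path>    flags: S size, M mode, 5 digest, D device,
#   L link, U user, G group, T mtime; type c = config, d = documentation;
#   "missing" replaces the flags for a file that is gone.

# Constructed sample output, not from any real host.
SAMPLE_RPM_VA='S.5....T.    /bin/login
.......T.    /usr/bin/ls
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/sbin/lsof
.M.....T.    /usr/bin/passwd
..5....T.  d /usr/share/man/man1/ls.1.gz'

# Read rpm -Va lines on stdin and print one severity-tagged line per
# finding; mtime-only changes and documentation files are dropped as noise.
triage_rpm_va() {
    awk '
    {
        flags = $1
        path  = $NF
        type  = (NF == 3) ? $2 : ""
        if (flags == "missing") {
            sev = (type == "c") ? "MEDIUM" : "HIGH"
            print sev ": package file missing: " path
            next
        }
        # a changed size, digest, mode or owner on a non-config file means
        # the installed binary is no longer what the package shipped
        if (type == "" && flags ~ /[S5MUG]/)
            print "HIGH: altered package file: " path " (" flags ")"
        else if (type == "c" && flags ~ /[S5]/)
            print "MEDIUM: modified config, review it: " path
    }'
}

# Helpers that run the triage over the constructed sample.
triage_sample() { printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_va; }
high_count()    { triage_sample | grep -c '^HIGH'; }
medium_count()  { triage_sample | grep -c '^MEDIUM'; }

# Usage on a mounted disk: rpm -Va --root /mnt/sysimage | triage_rpm_va
```

The rpm database lives on the same compromised disk and can be edited by the intruder, so a clean report is not proof of anything; verifying against the original package files from trusted install media (rpm -Vp) is the stronger check. The live-cd boot also lets you compare file and process listings taken from the clean kernel with the ones the running system showed, which is where hidden files and connections tend to surface.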
 
Old 03-29-2006, 06:53 PM   #8
novice06
Member
 
Registered: Mar 2006
Location: Singapore
Distribution: RHEL, CentOS
Posts: 131

Original Poster
Rep: Reputation: 22
Thanks

Thanks for all the suggestions.
I will check on it.

Thanks a lot,
novice06
 