LinuxQuestions.org
Old 04-29-2009, 11:41 AM   #1
phlampe
LQ Newbie
 
Registered: Apr 2009
Posts: 5

Rep: Reputation: 0
Is my server sending spam ? (qmail question, lots of mails going out)


Hello All !

I'm posting hoping you can help me with my qmail server. It runs on Debian with Plesk 8.6 on top of it, and it is used by a small number of persons (less than 10 accounts) sending a normal amount of e-mail for a human being (I mean no lists, no commercial spam, just person to person e-mails).

I've set up logwatch ( http://www.logwatch.org/ ) on my server to keep an eye on it, and also checked that there's no relay open with http://www.spamhelp.org/shopenrelay/ , so that part is ok.

But logwatch tells me there's a lot of mail going out : a typical day would be like this: (that's from yesterday's qmail logs)

Code:
Remote Server Responses:
    Deferral(400) - 47 Time(s)
    Deferral(421) - 103 Time(s)
    Deferral(443) - 4625 Time(s)
    Deferral(450) - 740 Time(s)
    Deferral(451) - 362 Time(s)
    Deferral(452) - 36 Time(s)
    Deferral(453) - 14 Time(s)
    Deferral(454) - 8 Time(s)
    Deferral(550) - 5 Time(s)
    Failure(450) - 7 Time(s)
    Failure(451) - 6 Time(s)
    Failure(501) - 8 Time(s)
    Failure(503) - 3 Time(s)
    Failure(504) - 40 Time(s)
    Failure(511) - 7545 Time(s)
    Failure(530) - 2 Time(s)
    Failure(550) - 1451 Time(s)
    Failure(551) - 6 Time(s)
    Failure(552) - 4 Time(s)
    Failure(553) - 78 Time(s)
    Failure(554) - 288 Time(s)
    Failure(555) - 4 Time(s)
    Failure(556) - 2 Time(s)
    Failure(571) - 10 Time(s)
    Success(250) - 7167 Time(s)
    Percentage(s):
         Deferral - 26.33 %
         Failure - 41.90 %
         Success - 31.77 %
-> 7167 successful remote connections... Sounds like a lot to me. I don't know if I have to add the 7545 (code 511) + 1451 (code 550) failures to get an idea of how many mails were outbound.

On the receiving end, that server got around 6800 e-mails (83% of spam in it) yesterday, filtered by spamassassin.

And another bit of information: logwatch lists all the remote addresses qmail has sent mail to. Here's the first few lines of the list, with the number of mails sent (I replaced the @ sign by _AT_ in the addresses below):

Code:
Emails to Remote Server (Threshold of 2):
    2521494_AT_leathercraft.de - 2 Time(s)
    31786984_AT_bounce.sendnes.fr - 2 Time(s)
    31846958_AT_bounce.sendnes.fr - 2 Time(s)
    39758176_AT_bounce.sendnes.fr - 2 Time(s)
    39832431_AT_bounce.sendnes.fr - 2 Time(s)
    39871459_AT_bounce.sendnes.fr - 2 Time(s)
    3dm.kliem_AT_bm-system.de - 2 Time(s)
    3dmanuel.galocha_AT_juntadeandalucia.es - 2 Time(s)
    7a2jmz_AT_hotmail.com - 2 Time(s)
    818911201.20910970062934_AT_na.cokecce.com - 2 Time(s)
    _nzhelika_AT_a_AT_panasonicplus.ru - 7 Time(s)
    _nzhelika_AT_a_AT_photoliner.ru - 5 Time(s)
    _vdeeva_AT_a_AT_pfiq.ru - 5 Time(s)
    a.doat_AT_formatys.fr - 2 Time(s)
    a.fazeli_AT_sheffield.ac.uk - 2 Time(s)
    abandono43_AT_obcruise.com - 2 Time(s)
    abjurationsx43_AT_dapcstudy.com - 2 Time(s)
    abodes45_AT_beazleysharpe.com - 2 Time(s)
    abominatingm310_AT_inventorone.com - 2 Time(s)
    abrogationsf92_AT_pc138.nissho-ele.co.jp - 2 Time(s)
    abstentionw1_AT_wwwhvd.com - 2 Time(s)
    acai_AT_bitisgroup.vn - 38 Time(s)
    acai_AT_imafex.sk - 13 Time(s)
    acai_AT_swbell.net - 2 Time(s)
    acai_AT_topoli.net - 35 Time(s)
    accessibilityz02_AT_eurobike-expo.com - 2 Time(s)
    acclimatesrh5_AT_rumseyandramsey.com - 2 Time(s)
    achromaticz849_AT_wisdirect.com - 2 Time(s)
    acquitingu_AT_222-spybot.com - 5 Time(s)
...
All of those addresses are unknown to us, and we have no reason to mail them...

Why is qmail sending these guys e-mails ? Are they answers (bounces, error codes or whatever) generated because of the spam coming in ?

What can I check further to be sure these mails *aren't* spam relayed from my server ?

Thanks for your help,
Paul-Henri
 
Old 04-29-2009, 01:55 PM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,897

Rep: Reputation: 1322
You can check qmail log files (usually located in /var/log/qmail/current and /var/log/qmail/smtpd/current) to see who is supposed to send mail to these addresses and from what IP.

Regards
 
Old 04-29-2009, 02:12 PM   #3
farslayer
Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,231
Blog Entries: 5

Rep: Reputation: 189
Could always use one of the online Open Relay tests to check your server.

Odds are a lot of that failed outbound mail that is deferred and clogging your queues is bounces from the spam to email addresses in your domain that do not exist. Your mail server is probably receiving and processing the messages rather than simply rejecting the messages when they arrive. Your mail server would then email out a ton of replies; this effect is sometimes called backscatter.

Might want to configure your qmail server to reject that junk.
http://www.jm-associates.com/admin/qmail_list_faq.html
Quote:
FAQ-7.0 How can I prevent qmail from accepting mail for non-existing users?

There are basically four ways to do this that I know of:
1) Use Paul Jarc's realrcptto patch found here http://multivac.cwru.edu/qmail/
2) Use Eben Pratt's goodrcptto patch found here http://http.netdevice.com:9020/qmail/
3) Use Dr. Erwin Hoffmann's recipients extension patch found here http://www.fehcom.de/qmail/qmail.html
Or, if you're like me and not real fond of patching qmail unnecessarily:
4) Use Bruce Guenter's mailfront package found here http://untroubled.org/mailfront/
Happy patching !!

Last edited by farslayer; 04-29-2009 at 02:16 PM.
 
Old 04-30-2009, 04:06 AM   #4
phlampe
LQ Newbie
 
Registered: Apr 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by farslayer
Could always use one of the online Open Relay tests to check your server.

Odds are a lot of that failed outbound mail that is deferred and clogging your queues is bounces from the spam to email addresses in your domain that do not exist. Your mail server is probably receiving and processing the messages rather than simply rejecting the messages when they arrive. Your mail server would then email out a ton of replies; this effect is sometimes called backscatter.

Might want to configure your qmail server to reject that junk.
http://www.jm-associates.com/admin/qmail_list_faq.html

Thanks for your help and suggestions

I checked my server for open-relayness, and it's OK on that side of the battle.

Your suggestion about configuring qmail to reject that junk is a good idea, and seems to fit well my problem. I'll check the faq and links you gave me, thanks again.

I'll also try to get a list of those outgoing mails with destination and subject appearing to understand more about what's going on.

Paul-Henri
 
Old 05-06-2009, 08:03 AM   #5
phlampe
LQ Newbie
 
Registered: Apr 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Well... things aren't as easy as I thought : patching seems out of the way, for 2 reasons: all those patches require recompiling qmail, and I haven't got a compiler on my server (I guess it's like that for security reasons), and the other is that since it's a server with Plesk installed, I'm not sure if the version that Plesk uses isn't patched in some way or another, and I'd be reluctant to recompile a vanilla-qmail and replace the one used by Plesk (given the configuration tampering that I already saw that was made by Plesk).

I also looked at qmailtap, in order to get a copy of all the stuff that's sent by my server and have an idea of what's going out, but it's also a patch... sigh...

Is there a way to configure qmail logs in order to have the subject of the outgoing mail written somewhere ? I have the destination in my maillog file, but it isn't enough to know if it's bounces or spam going out.

Paul-Henri
 
Old 05-06-2009, 10:57 AM   #6
farslayer
Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,231
Blog Entries: 5

Rep: Reputation: 189
The last option in the list might be of interest..
Quote:
Or, if you're like me and not real fond of patching qmail unnecessarily:
4) Use Bruce Guenter's mailfront package found here http://untroubled.org/mailfront/
All the patching to get functionality was the reason I decided on Postfix rather than qmail. While qmail itself is very secure, I wasn't sure what I would end up with after adding a bunch of patches. Would it still be as stable and secure ? I dunno..



Sorry, I am not familiar with qmail logging so I don't know if you can increase the detail level of your logs. I can't say that I have ever seen the mail subject in an MTA log file before though. Maybe this will help. http://qmail.jms1.net/logfiles.shtml
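
Added example (not written by anyone in this thread): stock qmail-send logs the envelope sender and the injecting uid on every `info msg` line, so remote deliveries can be split into bounces (null sender `<>`) and ordinary mail without logging subjects. It assumes the stock qmail-send line format; the function name `classify_remote` and all sample lines, addresses, uids and message ids are constructed.

```python
import re
from collections import Counter

# Stock qmail-send line formats; search() tolerates a tai64n or syslog prefix.
INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
START = re.compile(r"starting delivery \d+: msg (\d+) to remote (\S+)")

def classify_remote(lines):
    """Count remote delivery attempts by envelope sender of the message."""
    origin = {}                       # msg id -> (envelope sender, injecting uid)
    kinds, mail_by_uid = Counter(), Counter()
    for line in lines:
        m = INFO.search(line)
        if m:                         # qmail reuses msg ids: latest info line wins
            origin[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = START.search(line)
        if not m:
            continue                  # local deliveries, status and end lines
        if m.group(1) not in origin:
            kinds["unknown"] += 1     # info line is in an older, rotated log
            continue
        env_from, uid = origin[m.group(1)]
        if env_from in ("", "#@[]"):  # null sender = bounce, #@[] = double bounce
            kinds["bounce"] += 1
        else:
            kinds["mail"] += 1
            mail_by_uid[uid] += 1     # uid that injected it (look up in /etc/passwd)
    return kinds, mail_by_uid

# Constructed sample log (addresses, uids and msg ids are made up).
SAMPLE = """\
@400000004a0b1c2d00000001 starting delivery 1: msg 999 to remote old@example.net
@400000004a0b1c2d00000002 info msg 1001: bytes 2310 from <> qp 4100 uid 64014
@400000004a0b1c2d00000003 starting delivery 2: msg 1001 to remote forged@example.net
@400000004a0b1c2d00000004 info msg 1002: bytes 900 from <paul@example.org> qp 4101 uid 64011
@400000004a0b1c2d00000005 starting delivery 3: msg 1002 to remote friend@example.com
@400000004a0b1c2d00000006 starting delivery 4: msg 1002 to local paul@example.org
@400000004a0b1c2d00000007 end msg 1001
@400000004a0b1c2d00000008 info msg 1001: bytes 512 from <www-data@example.org> qp 4102 uid 33
@400000004a0b1c2d00000009 starting delivery 5: msg 1001 to remote x1@example.net
@400000004a0b1c2d0000000a starting delivery 6: msg 1001 to remote x2@example.net
""".splitlines()

if __name__ == "__main__":
    kinds, mail_by_uid = classify_remote(SAMPLE)
    print(dict(kinds), dict(mail_by_uid))
```

A count dominated by `bounce` matches the backscatter explanation above; a large `mail` count under a web-server uid points to a script on the host injecting mail rather than to SMTP relaying.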
 
Old 05-14-2009, 02:53 AM   #7
phlampe
LQ Newbie
 
Registered: Apr 2009
Posts: 5

Original Poster
Rep: Reputation: 0
I finally went around the problem by activating a DNSBL check at the smtp level, and that has dramatically decreased the spam I get: for the first time in years, I get more clean mail than spam mail... wow

I'm also looking into switching to Postfix for the same reasons as you did. I found an MTA comparison chart, btw: http://shearer.org/MTA_Comparison, quite helpful.

Paul-Henri
 
  

