LinuxQuestions.org
Old 05-23-2007, 01:14 AM   #1
linderox
LQ Newbie
 
Registered: Apr 2007
Posts: 29

Rep: Reputation: 15
my Qmail is sending spam


I have a problem with qmail.
My MTA server is sending me letters with different addresses every day. I think that is spam and I'm


Hi. This is the qmail-send program at local1.example.com.
I tried to deliver a bounce message to this address, but the bounce bounced!

<sec@fcradio.net>:
Sorry, I wasn't able to establish an SMTP connection. (#4.4.1)
I'm not going to try again; this message has been in the queue too long.



I found this one on Google, and I found one program, SPAMDYKE.

Code:
#!/bin/sh
exec 2>&1
exec envuidgid qmaild softlimit -d 30000000 tcpserver -x /var/qmail/tcp.smtp.cdb \
-p -DRHl mail.myserver.ru 0.0.0.0 25 /var/qmail/bin/qmail-smtpd \
mail.myserver.ru /usr/local/bin/checkpassword /usr/bin/true 2>&1
This is what I should add to /service/qmail-smtpd/run, but when I did this my server stopped working...
Code:
   /usr/bin/spamdyke -l -d /var/qmail/control/rcpthosts -a 5 -T 60 \
   -g /home/vpopmail/graylist \
   -m 300 -M 1814400 \
   -u http://proxy.org/tor_blacklist.txt  \
   -s /home/vpopmail/blacklist_senders    \
   -S /home/vpopmail/blacklist_recipients \
   -k /home/vpopmail/blacklist_keywords \
   -B /home/vpopmail/blacklist_ip \
   -b /home/vpopmail/blacklist_rdns.d \
   -rRc -w /home/vpopmail/whitelist_rdns \
   -W /home/vpopmail/whitelist_ip -e 5 \
   -x zombie.dnsbl.sorbs.net -x dul.dnsbl.sorbs.net -x bogons.cymru.com \
   --reject-missing-sender-mx --smtp-auth-command-encryption "/home/vpopmail/bin/vchkpw /bin/true" \
   --hostname ${LOCAL} \
   --access-file /etc/tcp.smtp \
This is my /service/qmail-smtpd/run

Code:
#!/bin/bash
SERVICE=smtp
source /var/qmail/bin/qmail-config-system && \
exec /usr/bin/softlimit ${SOFTLIMIT_OPTS} \
${QMAIL_TCPSERVER_PRE} \
/usr/bin/tcpserver ${TCPSERVER_OPTS} -x ${TCPSERVER_RULESCDB} \
-c ${MAXCONN} -u ${QMAILDUID} -g ${NOFILESGID} \
${TCPSERVER_HOST} ${TCPSERVER_PORT} \
${QMAIL_SMTP_PRE} \
/var/qmail/bin/qmail-${SERVICE}d ${QMAIL_SMTP_POST} \
2>&1
 
Old 05-23-2007, 08:29 AM   #2
activeq
Member
 
Registered: Jul 2006
Location: Balen, Belgium
Distribution: Suse 10, Centos, Open Solaris
Posts: 76

Rep: Reputation: 15
What does your tcp.smtp in /etc look like?
 
Old 05-23-2007, 11:09 AM   #3
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,099

Rep: Reputation: 47
That message is what is generated by qmail when your server tries to bounce a message, and the bounce bounces, as detailed here:
Quote:
I tried to deliver a bounce message to this address, but the bounce bounced!
Here is what is happening -

Some spam program sends an email to your domain, using a created email address. Say your domain is example.com. The spam program will just attempt addresses, 99% of which don't exist, like say asdfadsf@example.com. Since your server is a mail server for example.com, the message will reach it. Then your server tries to deliver the message to asdfadsf@example.com, and can't because that user doesn't exist. Your server bounces the message (the first bounce) back to the sender.

Now the problem is, the spam program just made its own email address up, just as it made up the address it was sending to. So the message that came to asdfadsf@example.com claimed to be sent by bozo@theclown.net. The problem is, there is no bozo@theclown.net. The mail will be bounced to the theclown.net MX, and it will bounce the bounce, because bozo@theclown.net was a false address to begin with.

So the first bounce is your machine rejecting the initial message, and the message you're seeing is the bounce of the bounce, the rejection of the message by what is supposed to be the original sender. It is just spam being processed. Don't lose any sleep over it. My machines produce literally thousands of these each day. Almost every piece of spam your server sees will double bounce, and that email is the notification of a double bounce due to spam.

Peace,
JimBass
 
Old 05-24-2007, 12:49 AM   #4
linderox
LQ Newbie
 
Registered: Apr 2007
Posts: 29

Original Poster
Rep: Reputation: 15
My tcp.qmail-smtp
Code:
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
#
#-----------------------------------------------------------------
# ALLOW EVERYONE ELSE TO SEND US MAIL
#
# Everyone else can make connections to our server,
# but not allowed to relay
# RBL lookups are performed
10.0.3.:allow,RELAYCLIENT=""
:allow
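
Added example, not part of any poster's message: a small audit of a tcprules file like the one above. qmail-smtpd relays for any client whose matching rule sets RELAYCLIENT, so the check lists every `allow` rule that sets it for an address outside loopback or RFC 1918 space. The function names and the INTERNAL list are assumptions made for this example; the sample is the posted rules with comments dropped.

```python
import ipaddress

# Constructed sample: the rules posted in this thread, comment lines dropped.
SAMPLE_RULES = '''\
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
10.0.3.:allow,RELAYCLIENT=""
:allow
'''

# Assumption for this example: only loopback and RFC 1918 count as internal.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_rules(text):
    """Yield (address, action, env_var_names) for each tcprules line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, rest = line.partition(":")
        fields = rest.split(",")
        # Only variable names are needed here, so quoted values are not parsed.
        env = {f.split("=", 1)[0].strip() for f in fields[1:] if "=" in f}
        yield address, fields[0].strip(), env

def is_internal(address):
    """True only for a full IPv4 address or dotted prefix inside INTERNAL."""
    octets = [o for o in address.split(".") if o]
    if not octets or len(octets) > 4:
        return False  # empty address is the default rule: matches everyone
    if not all(o.isdigit() and int(o) < 256 for o in octets):
        return False  # ranges, hostnames, user@ forms: not provably internal
    base = ".".join(octets + ["0"] * (4 - len(octets)))
    net = ipaddress.ip_network(f"{base}/{8 * len(octets)}")
    return any(net.subnet_of(i) for i in INTERNAL)

def relay_findings(text):
    """Addresses granted RELAYCLIENT that are not provably internal."""
    return [addr or "<default>"
            for addr, action, env in parse_rules(text)
            if action == "allow" and "RELAYCLIENT" in env
            and not is_internal(addr)]

if __name__ == "__main__":
    findings = relay_findings(SAMPLE_RULES)
    print("relay granted to:", findings if findings else "internal hosts only")
```
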
 
Old 05-24-2007, 04:23 PM   #5
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,099

Rep: Reputation: 47
You didn't seem to understand what I wrote the first time. Those messages are not caused by someone sending spam pretending to come from your server, they are the rejection (bounces) of spam sent to your server.

It's the opposite direction of what you're thinking. It isn't outbound mail from you, it is originally inbound mail to your domain. Mail is sent to addresses that don't exist on your machine, and the "from" address is also falsified, so it double bounces.

Peace,
JimBass
 
  

