We are running a server with Debian Sarge and Qmail and we have noticed that people are sending spam through the server, even though all our tests indicate it is not an open relay. We are now at a loss as to what to check next. Here are the details. Note that I have carefully changed the name of our server to h0000000 and mydomain.com. These are the only changes I've made to the output.
We have /var/qmail/control/rcpthosts set up to list our virtual domains. For example:
Code:
localhost
h0000000.serverkompetenz.net
mydomain.com
/var/qmail/control/locals contains:
Code:
localhost
h0000000.serverkompetenz.net
/var/qmail/control/virtualdomains contains:
Code:
mydomain.com:mydomain.com
/etc/tcp.smtp is set up to stop relaying from external servers:
Code:
127.0.0.1:allow,RELAYCLIENT=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
tcpserver is running as:
Code:
/bin/tcpserver -R -H -u 64011 -g 65534 -x /etc/tcp.smtp.cdb 0 smtp /usr/sbin/qmail-smtpd /var/vpopmail/bin/vchkpw /bin/true
Here are the headers of an example email we found in /var/qmail/queue/mess:
Code:
Received: (qmail 4053 invoked by uid 64020); 8 Jun 2007 19:38:36 +0200
Received: from 200.241.73.131 by h0000000 (envelope-from <fqqgvh@mydomain.com>, uid 64011) with qmail-scanner-1.25st
(spamassassin: 3.0.3. perlscan: 1.25st.
Clear:RC:0(200.241.73.131):.
Processed in 2.250737 secs); 08 Jun 2007 17:38:36 -0000
Received: from unknown (HELO SERVER251) (info@200.241.73.131)
by mydomain.com with SMTP; 8 Jun 2007 19:38:34 +0200
From: "Ftlbpz" <fqqgvh@mydomain.com>
To: "liu15519" <liu15519@tom.com>
Subject: =?GB2312?B?17/Uvc/6ytu8xsTczOHJ/bXEOLj2sr3W6DM5MA==?=
Date: Sat, 9 Jun 2007 01:37:53 +0800
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Qmail-Scanner-Message-ID: <11813243159224042@h1105258>
I then tried manually sending a message with the same details:
Code:
220 h0000000.serverkompetenz.net ESMTP
helo SERVER251
250 h0000000.serverkompetenz.net
mail from: "Ftlbpz" <fqqgvh@mydomain.com>
250 ok
rcpt to: "liu15519" <liu15519@tom.com>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
We also used the relay check at abuse.net to check if our server was an open relay. It passed all tests.
So how are these emails getting into the send queue? If we reboot the server and clear the send queue then they stop for about half an hour before starting again.
If there is any information missing let me know and I will gladly post it.
Andy
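As a triage aid for the question above (an added example, not Andy's code and not part of qmail or qmail-scanner), this script reads the Received headers of a queued message and classifies how it entered the queue: injected by a local process, submitted over SMTP from 127.0.0.1, delivered inbound to a domain in rcpthosts, or accepted from an outside peer for a non-local recipient, which with the tcp.smtp rules shown can only happen if that session was granted relay permission. The rcpthosts set and SMTP_SAMPLE are taken from the post; LOCAL_SAMPLE, its uid 33 and the verdict names are constructed for illustration.

```python
import re

# Constructed sample input: the header block quoted in the post above.
SMTP_SAMPLE = """\
Received: (qmail 4053 invoked by uid 64020); 8 Jun 2007 19:38:36 +0200
Received: from 200.241.73.131 by h0000000 (envelope-from <fqqgvh@mydomain.com>, uid 64011) with qmail-scanner-1.25st
 (spamassassin: 3.0.3. perlscan: 1.25st.
 Clear:RC:0(200.241.73.131):.
 Processed in 2.250737 secs); 08 Jun 2007 17:38:36 -0000
Received: from unknown (HELO SERVER251) (info@200.241.73.131)
  by mydomain.com with SMTP; 8 Jun 2007 19:38:34 +0200
From: "Ftlbpz" <fqqgvh@mydomain.com>
To: "liu15519" <liu15519@tom.com>
"""
# Constructed contrast case: handed to qmail-queue by a local process as uid 33.
LOCAL_SAMPLE = "Received: (qmail 4099 invoked by uid 33); 8 Jun 2007 20:01:02 +0200\nTo: <x@tom.com>\n"
RCPTHOSTS = {"localhost", "h0000000.serverkompetenz.net", "mydomain.com"}

def unfold(text):
    """Join folded continuation lines so each header is a single string (headers only)."""
    out = []
    for line in text.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def triage(text):
    """Work out how a queued message entered qmail from its Received headers."""
    hdrs = unfold(text)
    received = [h for h in hdrs if h.startswith("Received:")]
    # uid 64011 is tcpserver's -u (qmail-smtpd); any other uid is a local injector.
    uids = [int(m.group(1)) for h in received for m in [re.search(r"\buid (\d+)", h)] if m]
    m = re.search(r"@([\w.-]+)", next((h for h in hdrs if h.startswith("To:")), ""))
    info = {"uids": uids, "rcpt_domain": m.group(1).lower() if m else "",
            "peer": None, "helo": None, "verdict": "inbound"}
    # Last Received header is the earliest hop; qmail-smtpd writes "from unknown (HELO x) (info@ip) by host with SMTP".
    smtp = [h for h in received if " with SMTP" in h]
    if not smtp:
        info["verdict"] = "local-inject"  # qmail-inject/sendmail run on the box itself
        return info
    ip = re.search(r"\((?:[^()@]*@)?(\d{1,3}(?:\.\d{1,3}){3})\)", smtp[-1])
    helo = re.search(r"\(HELO ([^)]*)\)", smtp[-1])
    info["peer"], info["helo"] = (ip and ip.group(1)), (helo and helo.group(1))
    if info["peer"] and info["peer"].startswith("127."):
        info["verdict"] = "local-smtp"  # 127.0.0.1 gets RELAYCLIENT in /etc/tcp.smtp
    elif info["rcpt_domain"] not in RCPTHOSTS:
        # Outside peer, non-local recipient: that session had relay permission (RELAYCLIENT or SMTP AUTH via vchkpw).
        info["verdict"] = "relay-via-smtp"
    return info
```

Run it over the files in /var/qmail/queue/mess; a steady stream of relay-via-smtp verdicts from outside peers, as in the sample, means the messages passed qmail-smtpd with relay permission rather than entering through a local script.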