LinuxQuestions.org

Thread: https://www.linuxquestions.org/questions/linux-server-73/qmail-mail-server-hacked-sending-spam-help-658695/

skate 07-28-2008 01:53 AM

qmail - mail server hacked, sending spam - help..
 
Hello, I have a problem with one of my mail servers.
I am using qmail. For 2 days I have noticed that there is a huge load average on the server - 9 and up :( ... I stopped its WLAN access. When I look at the top table, the mail services make a big load average, and when I stop qmail (qmailctl stop) the load average drops.
So I checked the qmail queues, and saw that my server actually is sending hundreds of mails :/ (last time there were 1000+). I deleted them and it starts to send more and more again.
My problem is that I can't locate the source of the hack. Where should I look to stop the process which makes my server send SPAM?
Thanks.

Mr. C. 07-28-2008 03:15 AM

They are most likely backscatter. Are you accepting mail using wildcard names, or do you do strict recipient validation? I'm betting those are all bounce messages to innocent third parties. If you don't get that under control, your site will be blacklisted, and that will trouble your ability to send mail.

skate 07-28-2008 03:45 AM

Quote:

Originally Posted by Mr. C. (Post 3228390)
They are most likely backscatter. Are you accepting mail using wildcard names, or do you do strict recipient validation? I'm betting those are all bounce messages to innocent third parties. If you don't get that under control, your site will be blacklisted, and that will trouble your ability to send mail.

I have added the host to rcpthosts allow and deny...
And if I stop and start or restart the server, it starts sending spam and filling the queue with mails even if the LAN cable is unplugged..... and the load average gets high.

Mr. C. 07-28-2008 03:47 AM

You are repeating yourself, but didn't answer my question.

Are you accepting mail using wildcards?
Are you performing strict recipient validation?

Have you looked at any of those outbound messages?
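The question above (whether the queued messages are bounces or locally generated spam) can be settled by looking at the messages themselves. The following is an added triage helper, not code from any poster in this thread: it classifies raw messages pulled from the queue as bounce/backscatter (null return path, MAILER-DAEMON sender, or a delivery-status report) versus ordinary outbound mail. The sample messages are constructed and the domains are placeholders.

```python
# Added triage helper (not from the thread): distinguish backscatter
# bounces from ordinary outbound mail in a dump of queued messages.
from email import message_from_string


def looks_like_bounce(raw):
    """Return True if the message has the hallmarks of a bounce/DSN:
    a null return path, a MAILER-DAEMON sender, or a delivery-status report."""
    msg = message_from_string(raw)
    return_path = (msg.get("Return-Path") or "").strip()
    sender = (msg.get("From") or "").lower()
    ctype = msg.get_content_type()
    report_type = (msg.get_param("report-type", header="Content-Type") or "").lower()
    if return_path == "<>":                      # null envelope sender
        return True
    if "mailer-daemon" in sender:                # classic qmail failure notice
        return True
    if ctype == "multipart/report" and report_type == "delivery-status":
        return True                              # RFC 3464 DSN
    return False


def triage(raw_messages):
    """Count bounces vs. other messages. A queue dominated by bounces points
    at backscatter (accepting mail for non-existent recipients), whereas a
    queue of ordinary messages points at a local script or open relay."""
    bounces = sum(1 for m in raw_messages if looks_like_bounce(m))
    return {"bounces": bounces, "other": len(raw_messages) - bounces}


# Constructed sample messages standing in for queue contents (placeholder domains).
SAMPLE_BOUNCE = """Return-Path: <>
From: MAILER-DAEMON@mail.example.invalid
To: victim@example.invalid
Subject: failure notice
Content-Type: text/plain

Hi. This is the qmail-send program at mail.example.invalid.
"""
SAMPLE_DSN = """Return-Path: <postmaster@relay.example.invalid>
From: postmaster@relay.example.invalid
To: victim@example.invalid
Subject: Delivery Status Notification
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed.
--b1--
"""
SAMPLE_OUTBOUND = """Return-Path: <user@example.invalid>
From: user@example.invalid
To: friend@example.invalid
Subject: Hello
Content-Type: text/plain

Just a normal message.
"""
```

Feed it the raw message files from the queue (for qmail, the mess/ subdirectories) and compare the two counts before deleting anything.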

skate 07-28-2008 04:05 AM

EDIT1: I have changed the qmail hostname and there is no problem now. The load average is normal and the machine is not sending spam messages (I don't see any in the qmail queue).
So what was the problem? Is somebody or something attacking/flooding the old hostname?

Mr. C. 07-28-2008 04:11 AM

You mean you changed your MX or the mail server's concept of its own domain? Simply changing the hostname shouldn't clear up old bounce messages. Perhaps they are no longer considered by your mailer as part of its domains.

This is the third time you haven't bothered to respond to my questions... which are designed to help you.
I won't ask or answer further questions here.

skate 07-28-2008 07:16 AM

Quote:

Originally Posted by Mr. C. (Post 3228462)
You mean you changed your MX or the mail server's concept of its own domain? Simply changing the hostname shouldn't clear up old bounce messages. Perhaps they are no longer considered by your mailer as part of its domains.

This is the third time you haven't bothered to respond to my questions... which are designed to help you.
I won't ask or answer further questions here.

I'm sorry but I did not understand your questions.. ;/

Are you accepting mail using wildcards?
Are you performing strict recipient validation?

Mr. C. 07-28-2008 11:47 AM

What addresses are you accepting mail for? Anything @ yourdomain.com?

skate 07-29-2008 02:25 AM

Quote:

Originally Posted by Mr. C. (Post 3228830)
What addresses are you accepting mail for? Anything @ yourdomain.com?

It was username@yellowpages . bg, but I changed it now and it's in my local network for now.
I think that there is some kind of bash/perl script in the system that generates the mails :/ ....

