LinuxQuestions.org
Old 07-28-2008, 01:53 AM   #1
skate
Member
 
Registered: Aug 2003
Location: Bulgaria
Distribution: OpenSuse 10.3, Debian 4.0r3 "Etch", FreeBSD 7.1, Ubuntu
Posts: 210

Rep: Reputation: 30
qmail - mail server hacked, sending spam - help..


Hello, I have a problem with one of my mail servers.
I am using qmail. For 2 days I have noticed that there is a huge load average on the server - 9 and up. I stopped its wlan access. When I look at the top table, the mail services make the big load average, and when I stop qmail (qmailctl stop) the average stops.
So I checked the queues of qmail and saw that my server actually is sending hundreds of mails :/ (last time there were 1000+). I deleted them and it starts to send again, more and more.
My problem is that I can't locate the source of the hack. Where should I look to stop the process which makes my server send SPAM?
Thanks.
 
Old 07-28-2008, 03:15 AM   #2
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
They are most likely backscatter. Are you accepting mail using wildcard names, or do you do strict recipient validation? I'm betting those are all bounce messages to innocent third parties. If you don't get that under control, your site will be blacklisted, and that will trouble your ability to send mail.
 
Old 07-28-2008, 03:45 AM   #3
skate
Member
 
Registered: Aug 2003
Location: Bulgaria
Distribution: OpenSuse 10.3, Debian 4.0r3 "Etch", FreeBSD 7.1, Ubuntu
Posts: 210

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Mr. C.
They are most likely backscatter. Are you accepting mail using wildcard names, or do you do strict recipient validation? I'm betting those are all bounce messages to innocent third parties. If you don't get that under control, your site will be blacklisted, and that will trouble your ability to send mail.
I have added the host to rpchosts allow and deny...
And if I stop and start or restart the server, it starts sending spam and filling the queue with mails even if the LAN cable is unplugged, and the load average gets high.
 
Old 07-28-2008, 03:47 AM   #4
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
You are repeating yourself, but didn't answer my question.

Are you accepting mail using wildcards?
Are you performing strict recipient validation?

Have you looked at any of those outbound messages?
 
Old 07-28-2008, 04:05 AM   #5
skate
Member
 
Registered: Aug 2003
Location: Bulgaria
Distribution: OpenSuse 10.3, Debian 4.0r3 "Etch", FreeBSD 7.1, Ubuntu
Posts: 210

Original Poster
Rep: Reputation: 30
EDIT1: I have changed the Qmail hostname and there is no problem now. The load average is normal and the machine is not sending spam messages (I don't see any in the qmail queue).
So what was the problem? Somebody or something is attacking/flooding the old hostname?
 
Old 07-28-2008, 04:11 AM   #6
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
You mean you changed your MX or the mail server's concept of its own domain? Simply changing the hostname shouldn't clear up old bounce messages. Perhaps they are no longer considered by your mailer as part of its domains.

This is the third time you haven't bothered to respond to my questions... which are designed to help you.
I won't ask or answer further questions here.
 
Old 07-28-2008, 07:16 AM   #7
skate
Member
 
Registered: Aug 2003
Location: Bulgaria
Distribution: OpenSuse 10.3, Debian 4.0r3 "Etch", FreeBSD 7.1, Ubuntu
Posts: 210

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Mr. C.
You mean you changed your MX or the mail server's concept of its own domain? Simply changing the hostname shouldn't clear up old bounce messages. Perhaps they are no longer considered by your mailer as part of its domains.

This is the third time you haven't bothered to respond to my questions... which are designed to help you.
I won't ask or answer further questions here.
I'm sorry but I did not understand your questions.. ;/

Are you accepting mail using wildcards?
Are you performing strict recipient validation?
 
Old 07-28-2008, 11:47 AM   #8
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
What addresses are you accepting mail for? Anything @ yourdomain.com?
 
Old 07-29-2008, 02:25 AM   #9
skate
Member
 
Registered: Aug 2003
Location: Bulgaria
Distribution: OpenSuse 10.3, Debian 4.0r3 "Etch", FreeBSD 7.1, Ubuntu
Posts: 210

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Mr. C.
What addresses are you accepting mail for? Anything @ yourdomain.com?
It was username@yellowpages . bg , but I changed it now and it's in my local network for now.
I think that there is some kind of bash perl script in the system that generates the mails :/ ....
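
Editor's added example (not posted by anyone in this thread): one way to answer "Have you looked at any of those outbound messages?" is to tally how each queued message entered the queue, using the first Received line that stock qmail-queue stamps on it. The queue path is the stock default and is an assumption here, and the sample messages are constructed.

```python
import re
from collections import Counter
from pathlib import Path

# qmail-queue stamps this line first on every message it accepts.
RECEIVED = re.compile(
    r"^Received: \(qmail \d+ invoked "
    r"(by alias|from network|for bounce|by uid (\d+))\)")

LABELS = {"from network": "network", "for bounce": "bounce", "by alias": "alias"}

def origin(message: str) -> str:
    """Classify one queued message by how it was injected."""
    first_line = message.split("\n", 1)[0]
    m = RECEIVED.match(first_line)
    if not m:
        return "unknown"
    if m.group(2) is not None:          # injected by a local process
        return "local uid " + m.group(2)
    return LABELS[m.group(1)]

def summarize(messages) -> Counter:
    """Count messages per origin; the dominant class points at the source."""
    return Counter(origin(m) for m in messages)

def read_queue(mess_dir="/var/qmail/queue/mess"):
    """Yield the head of each queued message (default path is assumed)."""
    for path in Path(mess_dir).glob("*/*"):
        if path.is_file():
            with open(path, errors="replace") as fh:
                yield fh.read(4096)

# Constructed sample messages, for illustration only.
SAMPLE = [
    "Received: (qmail 4101 invoked for bounce); 28 Jul 2008 06:01:02 -0000\n"
    "Subject: failure notice\n\n",
    "Received: (qmail 4102 invoked for bounce); 28 Jul 2008 06:01:03 -0000\n"
    "Subject: failure notice\n\n",
    "Received: (qmail 4150 invoked by uid 33); 28 Jul 2008 06:02:10 -0000\n"
    "Subject: constructed local message\n\n",
    "Received: (qmail 4151 invoked from network); 28 Jul 2008 06:02:11 -0000\n"
    "Received: from unknown (HELO example.test) (192.0.2.10)\n\n",
]

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE).most_common():
        print(f"{count:6d}  {kind}")
```

A queue dominated by "bounce" matches the backscatter explanation and calls for recipient validation; one dominated by a single "local uid N" means a process on the machine itself is injecting mail, so that uid's cron jobs, web scripts and running processes are where to look. On a live server, run it as `summarize(read_queue())` with read access to the queue.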
 
  


All times are GMT -5.
