LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   somebody sending emails from my server (https://www.linuxquestions.org/questions/linux-newbie-8/somebody-sending-emails-from-my-server-707405/)

proNick 02-25-2009 08:05 AM

somebody sending emails from my server
 
hi all!

can you help me with one specifing problem...

somebody sent a lot of (spam) email using my server. how can i figure who done that, because my server is now on spam list, and that is a big problem for me.


thank you in advance!

repo 02-25-2009 08:11 AM

which mail server?
which distribution?
Your mailserver is probably an open relay
Take a look at
http://www.debian-administration.org/articles/41
more info over open relay
http://www.google.com/search?q=linux...nt=iceweasel-a

proNick 02-25-2009 09:36 AM

it's qmail, on fedora.

any idea what and where to check?

repo 02-25-2009 09:42 AM

You can test if you have an opn relay here:
http://www.abuse.net/relay.html

more info about open relay
http://www.google.com/search?q=qmail...nt=iceweasel-a

farslayer 02-25-2009 09:54 AM

are you hosting a website on the server as well ? sometimes there are exploitable code on web servers that can be used to send spam, so don't over look the website if you have one there..

proNick 02-25-2009 10:22 AM

Quote:

Originally Posted by farslayer (Post 3456987)
are you hosting a website on the server as well ? sometimes there are exploitable code on web servers that can be used to send spam, so don't over look the website if you have one there..



i know that, so i want to check which account is used to send emails from server.

i need your help for that...

repo 02-25-2009 10:29 AM

1 make sure the mail server is not an open relay
2 harden the website
3 look in th logfiles from the mailserver to find some pointers

Matey 02-25-2009 11:07 AM

yeah, /var/log is a good start.
on the web server we can do this it may help on mail server as well? I donno? wouldnt hurt to try:

to edit your /etc/hosts.deny and add the intruders IP addresses (from auth.log)and block them.
you can actually make an executable file under /log and run it; here's a little widget i found and modified it to work with my system;

grep 'from' /var/log/auth.log|cut -d ' ' --field=13|uniq -c|sort -nr > ct-result.txt
sleep 2
cat ct-result.txt |more


here's a link which has vpop and qmail and a lot more in middle of the page;

http://bowe.id.au/michael/isp/webmail-server.htm

btw I think many ppl run clamd on their mail servers?

proNick 02-25-2009 11:33 AM

ok,

so i checked, and my server does not act as open relay.

i guess that some script is on the server, and it is used to send emails.


all i want is to know which log i have to check, to find out which qmail user account is used to send emails?


thank you in advance!

repo 02-25-2009 11:42 AM

Hi,

Take a look at
http://qmail.jms1.net/logfiles.shtml

Perhaps you should disable the mailserver until you find the problem.

proNick 02-25-2009 12:56 PM

ok, since i'm not qmail guru, i would like to ask a few more questions about this...

i checked my /var/qmail/users/assign file

i found there several usernames that i don't want they stands for.

will it be wrong if i remove some of them i know i don't use for my web applications?


All times are GMT -5. The time now is 03:23 PM.