somebody sending emails from my server

proNick · 02-25-2009, 07:05 AM

hi all!

can you help me with one specifing problem...

somebody sent a lot of (spam) email using my server. how can i figure who done that, because my server is now on spam list, and that is a big problem for me.

thank you in advance!

repo · 02-25-2009, 07:11 AM

which mail server?
which distribution?
Your mailserver is probably an open relay
Take a look at
http://www.debian-administration.org/articles/41
more info over open relay
http://www.google.com/search?q=linux...nt=iceweasel-a

proNick · 02-25-2009, 08:36 AM

it's qmail, on fedora.

any idea what and where to check?

repo · 02-25-2009, 08:42 AM

You can test if you have an opn relay here:
http://www.abuse.net/relay.html

more info about open relay
http://www.google.com/search?q=qmail...nt=iceweasel-a

farslayer · 02-25-2009, 08:54 AM

are you hosting a website on the server as well ? sometimes there are exploitable code on web servers that can be used to send spam, so don't over look the website if you have one there..

proNick · 02-25-2009, 09:22 AM

Quote:

Originally Posted by farslayer

are you hosting a website on the server as well ? sometimes there are exploitable code on web servers that can be used to send spam, so don't over look the website if you have one there..

i know that, so i want to check which account is used to send emails from server.

i need your help for that...

repo · 02-25-2009, 09:29 AM

1 make sure the mail server is not an open relay
2 harden the website
3 look in th logfiles from the mailserver to find some pointers

Matey · 02-25-2009, 10:07 AM

yeah, /var/log is a good start.
on the web server we can do this it may help on mail server as well? I donno? wouldnt hurt to try:

to edit your /etc/hosts.deny and add the intruders IP addresses (from auth.log)and block them.
you can actually make an executable file under /log and run it; here's a little widget i found and modified it to work with my system;

grep 'from' /var/log/auth.log|cut -d ' ' --field=13|uniq -c|sort -nr > ct-result.txt
sleep 2
cat ct-result.txt |more

here's a link which has vpop and qmail and a lot more in middle of the page;

http://bowe.id.au/michael/isp/webmail-server.htm

btw I think many ppl run clamd on their mail servers?

proNick · 02-25-2009, 10:33 AM

ok,

so i checked, and my server does not act as open relay.

i guess that some script is on the server, and it is used to send emails.

all i want is to know which log i have to check, to find out which qmail user account is used to send emails?

thank you in advance!

repo · 02-25-2009, 10:42 AM

Hi,

Take a look at
http://qmail.jms1.net/logfiles.shtml

Perhaps you should disable the mailserver until you find the problem.

proNick · 02-25-2009, 11:56 AM

ok, since i'm not qmail guru, i would like to ask a few more questions about this...

i checked my /var/qmail/users/assign file

i found there several usernames that i don't want they stands for.

will it be wrong if i remove some of them i know i don't use for my web applications?