LinuxQuestions.org
Old 02-25-2009, 08:05 AM   #1
proNick
Member
 
Registered: Apr 2005
Posts: 104

somebody sending emails from my server


hi all!

can you help me with one specific problem...

somebody sent a lot of (spam) email using my server. how can i figure out who did that, because my server is now on a spam list, and that is a big problem for me.


thank you in advance!
 
Old 02-25-2009, 08:11 AM   #2
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,528

Which mail server?
Which distribution?
Your mailserver is probably an open relay.
Take a look at
http://www.debian-administration.org/articles/41
More info about open relay:
http://www.google.com/search?q=linux...nt=iceweasel-a
 
Old 02-25-2009, 09:36 AM   #3
proNick
Member
 
Registered: Apr 2005
Posts: 104

Original Poster
it's qmail, on fedora.

any idea what and where to check?
 
Old 02-25-2009, 09:42 AM   #4
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,528

You can test if you have an open relay here:
http://www.abuse.net/relay.html

more info about open relay
http://www.google.com/search?q=qmail...nt=iceweasel-a

Last edited by repo; 02-25-2009 at 09:48 AM.
 
Old 02-25-2009, 09:54 AM   #5
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Northeast Ohio
Distribution: linuxdebian
Posts: 7,241
Blog Entries: 5

are you hosting a website on the server as well? sometimes there is exploitable code on web servers that can be used to send spam, so don't overlook the website if you have one there..
 
Old 02-25-2009, 10:22 AM   #6
proNick
Member
 
Registered: Apr 2005
Posts: 104

Original Poster
Quote:
Originally Posted by farslayer
are you hosting a website on the server as well? sometimes there is exploitable code on web servers that can be used to send spam, so don't overlook the website if you have one there..


i know that, so i want to check which account is used to send emails from server.

i need your help for that...
 
Old 02-25-2009, 10:29 AM   #7
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,528

1 make sure the mail server is not an open relay
2 harden the website
3 look in the logfiles from the mailserver to find some pointers
 
Old 02-25-2009, 11:07 AM   #8
Matey
Member
 
Registered: Jan 2009
Posts: 114

yeah, /var/log is a good start.
on the web server we can do this; it may help on the mail server as well? I dunno? wouldn't hurt to try:

to edit your /etc/hosts.deny and add the intruders' IP addresses (from auth.log) and block them.
you can actually make an executable file under /log and run it; here's a little widget i found and modified to work with my system;

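# count auth.log entries per source address (field 13 fits the poster's log layout)
# sort before uniq -c so identical addresses are adjacent and counted together
grep 'from' /var/log/auth.log | cut -d ' ' --field=13 | sort | uniq -c | sort -nr > ct-result.txt
sleep 2
more ct-result.txt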


here's a link which has vpop and qmail and a lot more in the middle of the page;

http://bowe.id.au/michael/isp/webmail-server.htm

btw I think many ppl run clamd on their mail servers?

Last edited by Matey; 02-25-2009 at 11:10 AM.
 
Old 02-25-2009, 11:33 AM   #9
proNick
Member
 
Registered: Apr 2005
Posts: 104

Original Poster
ok,

so i checked, and my server does not act as an open relay.

i guess that some script is on the server, and it is used to send emails.


all i want is to know which log i have to check, to find out which qmail user account is used to send emails?


thank you in advance!
 
Old 02-25-2009, 11:42 AM   #10
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,528

Hi,

Take a look at
http://qmail.jms1.net/logfiles.shtml

Perhaps you should disable the mailserver until you find the problem.
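
Added example (not part of any post in this thread): qmail-send writes an "info msg ... uid N" line for each message it queues, so counting those lines per uid answers the question of which Unix account is injecting the mail. The log lines, senders and uids below are constructed; on a real server pipe the qmail-send log into the functions instead (its location depends on how qmail was installed).

```shell
#!/bin/sh
# Added example. qmail-send logs one line per message accepted into the queue:
#   info msg <id>: bytes <n> from <sender> qp <pid> uid <uid>
# where <uid> is the Unix user that ran qmail-queue.

# stdin: qmail-send log lines; stdout: "<count> uid=<uid>", busiest first.
count_by_uid() {
    awk '
        /info msg/ {
            for (i = 1; i < NF; i++)
                if ($i == "uid") { n[$(i + 1)]++; break }
        }
        END { for (u in n) print n[u], "uid=" u }
    ' | sort -k1,1nr -k2,2
}

# $1: uid; stdout: "<count> <envelope sender>" for messages queued by that uid.
senders_for_uid() {
    awk -v want="$1" '
        /info msg/ {
            s = ""; u = ""
            for (i = 1; i < NF; i++) {
                if ($i == "from") s = $(i + 1)
                if ($i == "uid")  u = $(i + 1)
            }
            if (u == want) n[s]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample (timestamps, ids, senders and uids are made up).
sample_log() {
    cat <<'EOF'
@4000000049a5a1c10a1b2c3d new msg 81001
@4000000049a5a1c10a1b3000 info msg 81001: bytes 1432 from <alice@example.org> qp 2201 uid 502
@4000000049a5a1c20b000000 info msg 81002: bytes 2210 from <promo@example.net> qp 2307 uid 48
@4000000049a5a1c20b100000 starting delivery 1: msg 81002 to remote x@example.com
@4000000049a5a1c30c000000 info msg 81003: bytes 2214 from <promo@example.net> qp 2311 uid 48
@4000000049a5a1c40d000000 info msg 81004: bytes 2198 from <offer@example.net> qp 2315 uid 48
@4000000049a5a1c50e000000 info msg 81005: bytes 980 from <bob@example.org> qp 2320 uid 502
EOF
}

sample_log | count_by_uid        # busiest uid first
sample_log | senders_for_uid 48  # senders used by that uid
```

Map a uid back to an account name with getent passwd <uid>; if the busiest uid is the web server's user, the mail was injected locally by a process running as the web server rather than over SMTP.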
 
Old 02-25-2009, 12:56 PM   #11
proNick
Member
 
Registered: Apr 2005
Posts: 104

Original Poster
ok, since i'm not a qmail guru, i would like to ask a few more questions about this...

i checked my /var/qmail/users/assign file

i found there several usernames that i don't know what they stand for.

will it be wrong if i remove some of them i know i don't use for my web applications?
 
  

