I run qmail on a Mandrake 10.1 box. I also have an OpenBSD firewall. Today when I came home I noticed unusual disk activity on the mail server. When I did ps aux it was full of qmail-remote processes.

qmailr 8826 0.0 0.0 2720 792 ? S 21:00 0:00 qmail-remote soza.com anonymous@mail.mydomain.com 4woman@soza.com
qmailr 8830 0.0 0.0 2720 792 ? S 21:00 0:00 qmail-remote exemplary.net anonymous@mail.mydomain.com bent@exemplary.net
qmailr 8839 0.0 0.0 2720 792 ? S 21:00 0:00 qmail-remote vm.tcnj.edu anonymous@mail.mydomain.com admiss@vm.tcnj.edu

I yanked the network cable and rebooted. I figured that someone was using my server to send spam. There are only about 4 in there now. Any idea what this is and how to track it down.

Also, any idea if there is anywhere I should look on the OpenBSD firewall to get some insight on a securtiy breach?

Thanks for any help

Hi,
See if you have a file called local-host-names and make sure your host only is in there. Mine is in my etc/mail directory, also look at relay-domains your host only in there and look at the others in that directory. I use sendmail and see people trying to spam me but they get denied. I use iptables as a firewall. I also shut down submission I believe it is port 587 I only have port 25 open, and all is running ok. Also do a netstat -nl and see what is listening and shut off all that you don't need open to the public. Hope this is a help.
Rick

Try looking in the queue and see what they are. Maybe use "find" to look for any files under /var/qmail/queue. Don't try deleting these manually. You will ruin your mail server. Look but don't touch.

My suspicion is they are spam messages and you're trying to deliver bounce messages. For example, spammer sends you some junk to non-existent mailbox. Spam bounces, but they used a fake "from" address, so they are sitting in your queue with no hope of being delivered.