LinuxQuestions.org

Linux - Server: Is my server sending spam? (qmail question, lots of mails going out)
https://www.linuxquestions.org/questions/linux-server-73/is-my-server-sending-spam-qmail-question-lots-of-mails-going-out-722518/

phlampe 04-29-2009 11:41 AM

Is my server sending spam? (qmail question, lots of mails going out)

Hello All!

I'm posting hoping you can help me with my qmail server. It runs on Debian with Plesk 8.6 on top of it, and it is used by a small number of persons (less than 10 accounts) sending a normal amount of e-mail for a human being (I mean no lists, no commercial spam, just person to person e-mails).

I've set up logwatch ( http://www.logwatch.org/ ) on my server to keep an eye on it, and also checked that there's no open relay with http://www.spamhelp.org/shopenrelay/ , so that part is OK.

But logwatch tells me there's a lot of mail going out. A typical day would be like this (that's from yesterday's qmail logs):

Code:

Remote Server Responses:
    Deferral(400) - 47 Time(s)
    Deferral(421) - 103 Time(s)
    Deferral(443) - 4625 Time(s)
    Deferral(450) - 740 Time(s)
    Deferral(451) - 362 Time(s)
    Deferral(452) - 36 Time(s)
    Deferral(453) - 14 Time(s)
    Deferral(454) - 8 Time(s)
    Deferral(550) - 5 Time(s)
    Failure(450) - 7 Time(s)
    Failure(451) - 6 Time(s)
    Failure(501) - 8 Time(s)
    Failure(503) - 3 Time(s)
    Failure(504) - 40 Time(s)
    Failure(511) - 7545 Time(s)
    Failure(530) - 2 Time(s)
    Failure(550) - 1451 Time(s)
    Failure(551) - 6 Time(s)
    Failure(552) - 4 Time(s)
    Failure(553) - 78 Time(s)
    Failure(554) - 288 Time(s)
    Failure(555) - 4 Time(s)
    Failure(556) - 2 Time(s)
    Failure(571) - 10 Time(s)
    Success(250) - 7167 Time(s)
    Percentage(s):
        Deferral - 26.33 %
        Failure - 41.90 %
        Success - 31.77 %

-> 7167 successful remote connections... Sounds like a lot to me. I don't know if I have to add the 7545 (code 511) + 1451 (code 550) failures to get an idea of how many mails were outbound.

On the receiving end, that server got around 6800 e-mails (83% of spam in it) yesterday, filtered by spamassassin.

And another bit of information: logwatch lists all the remote addresses qmail has sent mail to. Here are the first few lines of the list, with the number of mails sent (I replaced the @ sign with _AT_ in the addresses below):

Code:

Emails to Remote Server (Threshold of 2):
    2521494_AT_leathercraft.de - 2 Time(s)
    31786984_AT_bounce.sendnes.fr - 2 Time(s)
    31846958_AT_bounce.sendnes.fr - 2 Time(s)
    39758176_AT_bounce.sendnes.fr - 2 Time(s)
    39832431_AT_bounce.sendnes.fr - 2 Time(s)
    39871459_AT_bounce.sendnes.fr - 2 Time(s)
    3dm.kliem_AT_bm-system.de - 2 Time(s)
    3dmanuel.galocha_AT_juntadeandalucia.es - 2 Time(s)
    7a2jmz_AT_hotmail.com - 2 Time(s)
    818911201.20910970062934_AT_na.cokecce.com - 2 Time(s)
    _nzhelika_AT_a_AT_panasonicplus.ru - 7 Time(s)
    _nzhelika_AT_a_AT_photoliner.ru - 5 Time(s)
    _vdeeva_AT_a_AT_pfiq.ru - 5 Time(s)
    a.doat_AT_formatys.fr - 2 Time(s)
    a.fazeli_AT_sheffield.ac.uk - 2 Time(s)
    abandono43_AT_obcruise.com - 2 Time(s)
    abjurationsx43_AT_dapcstudy.com - 2 Time(s)
    abodes45_AT_beazleysharpe.com - 2 Time(s)
    abominatingm310_AT_inventorone.com - 2 Time(s)
    abrogationsf92_AT_pc138.nissho-ele.co.jp - 2 Time(s)
    abstentionw1_AT_wwwhvd.com - 2 Time(s)
    acai_AT_bitisgroup.vn - 38 Time(s)
    acai_AT_imafex.sk - 13 Time(s)
    acai_AT_swbell.net - 2 Time(s)
    acai_AT_topoli.net - 35 Time(s)
    accessibilityz02_AT_eurobike-expo.com - 2 Time(s)
    acclimatesrh5_AT_rumseyandramsey.com - 2 Time(s)
    achromaticz849_AT_wisdirect.com - 2 Time(s)
    acquitingu_AT_222-spybot.com - 5 Time(s)
...

All of those addresses are unknown to us, and we have no reason to mail them...

Why is qmail sending these guys e-mails? Are they answers (bounces, error codes or whatever) generated because of the spam coming in?

What can I check further to be sure these mails *aren't* spam relayed from my server?

Thanks for your help,
Paul-Henri

bathory 04-29-2009 01:55 PM

You can check qmail log files (usually located in /var/log/qmail/current and /var/log/qmail/smtpd/current) to see who is supposed to send mail to these addresses and from what IP.

Regards

farslayer 04-29-2009 02:12 PM

Could always use one of the online Open Relay tests to check your server.

Odds are a lot of that failed outbound mail that is deferred and clogging your queues is bounces from the spam to email addresses in your domain that do not exist. Your mail server is probably receiving and processing the messages rather than simply rejecting the messages when they arrive. Your mail server would then email out a ton of replies; this effect is sometimes called backscatter.

Might want to configure your qmail server to reject that junk.
http://www.jm-associates.com/admin/qmail_list_faq.html
Quote:

FAQ-7.0 How can I prevent qmail from accepting mail for non-existing users?

There are basically four ways to do this that I know of:
1) Use Paul Jarc's realrcptto patch found here http://multivac.cwru.edu/qmail/
2) Use Eben Pratt's goodrcptto patch found here http://http.netdevice.com:9020/qmail/
3) Use Dr. Erwin Hoffmann's recipients extension patch found here http://www.fehcom.de/qmail/qmail.html
Or, if you're like me and not real fond of patching qmail unnecessarily:
4) Use Bruce Guenter's mailfront package found here http://untroubled.org/mailfront/
Happy patching !! :)
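
Added example (not from any poster in this thread): a small Python script that does what bathory suggests, reading the qmail-send log (normally /var/log/qmail/current), and tests farslayer's backscatter theory by attributing every remote delivery to the envelope sender of the message it belongs to. qmail-send logs the sender in the "info msg N: ... from <...>" line; a bounce always has an empty sender ("from <>"). Deliveries whose sender is empty are bounces (potential backscatter), deliveries from your own domains are your users' mail, and anything else is mail your server accepted from a sender that isn't yours, which is the case worth a closer look for relaying. The log lines used here are constructed, the domains are examples, and the list of local domains is a parameter you supply; the regexes follow the standard qmail-send line formats.

```python
"""Attribute qmail-send remote deliveries to their envelope sender.

Assumes the usual qmail-send lines as written to /var/log/qmail/current
(tai64n prefix, "info msg M: ... from <sender> ...", "starting delivery D: msg M
to remote rcpt", "delivery D: success|failure|deferral: detail"). The regexes
use search(), so the timestamp prefix is ignored.
"""
import re
from collections import Counter, defaultdict

INFO_RE = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid \d+")
START_RE = re.compile(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")
RESULT_RE = re.compile(r"delivery (\d+): (success|failure|deferral): (.*)")
CODE_RE = re.compile(r"Remote_host_said:_(\d{3})")

# Constructed sample log (timestamps shortened, domains are examples).
SAMPLE_LOG = """\
@4000000049f8a1 new msg 1001
@4000000049f8a2 info msg 1001: bytes 812 from <alice@example.com> qp 5001 uid 64011
@4000000049f8a3 starting delivery 1: msg 1001 to remote bob@example.org
@4000000049f8a4 delivery 1: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
@4000000049f8a5 end msg 1001
@4000000049f8b1 new msg 1002
@4000000049f8b2 info msg 1002: bytes 2310 from <> qp 5002 uid 64011
@4000000049f8b3 starting delivery 2: msg 1002 to remote abandono43@obcruise.example
@4000000049f8b4 delivery 2: failure: 192.0.2.20_does_not_like_recipient./Remote_host_said:_550_no_such_user/
@4000000049f8b5 end msg 1002
@4000000049f8c1 new msg 1003
@4000000049f8c2 info msg 1003: bytes 1980 from <> qp 5003 uid 64011
@4000000049f8c3 starting delivery 3: msg 1003 to remote acai@topoli.example
@4000000049f8c4 delivery 3: deferral: Connected_to_192.0.2.30_but_greeting_failed./Remote_host_said:_421_try_later/
@4000000049f8d1 new msg 1004
@4000000049f8d2 info msg 1004: bytes 4096 from <promo@elsewhere.example> qp 5004 uid 64011
@4000000049f8d3 starting delivery 4: msg 1004 to remote acai@bitisgroup.example
@4000000049f8d4 delivery 4: success: 192.0.2.40_accepted_message./Remote_host_said:_250_ok/
"""


def classify_sender(sender, local_domains):
    """Empty sender = bounce; one of our domains = local user; anything else = foreign."""
    if sender == "":
        return "bounce"
    domain = sender.rpartition("@")[2].lower()
    return "local" if domain in local_domains else "foreign"


def summarize(log_text, local_domains):
    """Return (outcomes, smtp_codes, recipients), each keyed by sender category."""
    sender_of_msg = {}      # msg id -> envelope sender (ids are reused after "end msg")
    pending = {}            # delivery id -> (msg id, recipient); ids are reused after completion
    outcomes = defaultdict(Counter)
    codes = defaultdict(Counter)
    recipients = defaultdict(Counter)
    for line in log_text.splitlines():
        m = INFO_RE.search(line)
        if m:
            sender_of_msg[m.group(1)] = m.group(2)
            continue
        m = START_RE.search(line)
        if m:
            if m.group(3) == "remote":          # local deliveries are not outbound mail
                pending[m.group(1)] = (m.group(2), m.group(4))
            continue
        m = RESULT_RE.search(line)
        if m and m.group(1) in pending:
            msgid, rcpt = pending.pop(m.group(1))
            sender = sender_of_msg.get(msgid)
            # "unknown": the info line was rotated away before this delivery completed
            cat = "unknown" if sender is None else classify_sender(sender, local_domains)
            outcomes[cat][m.group(2)] += 1
            c = CODE_RE.search(m.group(3))
            if c:
                codes[cat][c.group(1)] += 1
            recipients[cat][rcpt] += 1
    return dict(outcomes), dict(codes), dict(recipients)


def bounce_share(outcomes):
    """Fraction of remote deliveries that carried an empty envelope sender."""
    total = sum(sum(c.values()) for c in outcomes.values())
    return sum(outcomes.get("bounce", Counter()).values()) / total if total else 0.0


if __name__ == "__main__":
    outcomes, codes, recipients = summarize(SAMPLE_LOG, {"example.com"})
    for cat in ("bounce", "local", "foreign", "unknown"):
        if cat in outcomes:
            print(f"{cat:8s} {dict(outcomes[cat])} codes={dict(codes.get(cat, {}))}")
    print(f"bounce share of remote deliveries: {bounce_share(outcomes):.0%}")
```

Run it against the real log with `summarize(open("/var/log/qmail/current").read(), {"yourdomain.example"})`. If nearly everything lands in the "bounce" category with the 5xx failures logwatch reported, the outbound volume is backscatter from accepting mail for non-existent recipients, as farslayer describes; a large "foreign" category is what would point at relaying instead, and the recipient counter gives the list to compare against the logwatch output.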

phlampe 04-30-2009 04:06 AM

Quote:

Originally Posted by farslayer (Post 3525024)
Could always use one of the online Open Relay tests to check your server.

Odds are a lot of that failed outbound mail that is deferred and clogging your queues is bounces from the spam to email addresses in your domain that do not exist. Your mail server is probably receiving and processing the messages rather than simply rejecting the messages when they arrive. Your mail server would then email out a ton of replies; this effect is sometimes called backscatter.

Might want to configure your qmail server to reject that junk.
http://www.jm-associates.com/admin/qmail_list_faq.html


Thanks for your help and suggestions :)

I checked my server for open-relayness, and it's OK on that side of the battle.

Your suggestion about configuring qmail to reject that junk is a good idea, and seems to fit my problem well. I'll check the FAQ and links you gave me, thanks again.

I'll also try to get a list of those outgoing mails with destination and subject appearing to understand more about what's going on.

Paul-Henri

phlampe 05-06-2009 08:03 AM

Well... things aren't as easy as I thought: patching seems out of the way, for 2 reasons. All those patches require recompiling qmail, and I haven't got a compiler on my server (I guess it's like that for security reasons); and the other is that since it's a server with Plesk installed, I'm not sure whether the version that Plesk uses isn't patched in some way or another, and I'd be reluctant to recompile a vanilla qmail and replace the one used by Plesk (given the configuration tampering by Plesk that I already saw).

I also looked at qmailtap, in order to get a copy of all the stuff that's sent by my server and have an idea of what's going out, but it's also a patch... sigh...

Is there a way to configure qmail logs in order to have the subject of the outgoing mail written somewhere? I have the destination in my maillog file, but it isn't enough to know if it's bounces or spam going out.

Paul-Henri

farslayer 05-06-2009 10:57 AM

The last option in the list might be of interest.
Quote:

Or, if you're like me and not real fond of patching qmail unnecessarily:
4) Use Bruce Guenter's mailfront package found here http://untroubled.org/mailfront/
All the patching to get functionality was the reason I decided on Postfix rather than qmail. While qmail itself is very secure, I wasn't sure what I would end up with after adding a bunch of patches. Would it still be as stable and secure? I dunno..

Sorry, I am not familiar with qmail logging so I don't know if you can increase the detail level of your logs. I can't say that I have ever seen the mail subject in an MTA log file before though. Maybe this will help. http://qmail.jms1.net/logfiles.shtml

phlampe 05-14-2009 02:53 AM

I finally went around the problem by activating a DNSBL check at the SMTP level, and that has dramatically decreased the spam I get: for the first time in years, I get more clean mail than spam mail... wow :)

I'm also looking into switching to Postfix for the same reasons as you did. I found an MTA comparison chart, btw: http://shearer.org/MTA_Comparison, quite helpful.

Paul-Henri
