Qmailt and spam

2001-06-21 Thread Michael Grier

Yesterday I got about 100 failure notices bounced to me as postmaster.
Today I got an abuse notice from my server provider. So this spammer
must be able to relay through me somehow. Qmail has been working for me
for over a year. Is anybody else having this problem? Where should I
look for answers?

The spammer seems to somehow be using the user qmailt as the originator.
A copy follows. uid 12355 is the user qmailt.

Mike Grier
-

Delivered-To: x
Return-Path: [EMAIL PROTECTED]
X-Envelope-To: x
X-Envelope-From: [EMAIL PROTECTED]
X-Delivery-Time: 993094914
Received: (qmail 13252 invoked from network); 21 Jun 2001 03:41:54 -
Received: from lightning.mail.pipex.net (158.43.128.144)
  by firestorm.mail.pipex.net with SMTP; 21 Jun 2001 03:41:54 -
Received: (qmail 6926 invoked from network); 21 Jun 2001 03:43:07 -
Received: from e1city.com (216.110.45.57)
  by depot.dial.pipex.com with SMTP; 21 Jun 2001 03:43:07 -
Received: (qmail 23293 invoked by uid 12355); 20 Jun 2001 22:30:44 -
Date: 20 Jun 2001 22:30:44 -
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: x
Content-Type: text/plain;charset=iso-8859-1
Subject: Attention!...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 20 June 2001 23:31
To: x
Subject: Attention!...

disgusting spam snipped




Re: Qmailt and spam

2001-06-21 Thread Michael Grier


- Original Message -
From: Charles Cazabon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 21, 2001 5:39 PM
Subject: Re: Qmailt and spam


> Michael Grier [EMAIL PROTECTED] wrote:
> > Yesterday I got about 100 failure notices bounced to me as postmaster.
> > Today I got an abuse notice from my server provider. So this spammer
> > must be able to relay through me somehow. Qmail has been working for me
> > for over a year. Is anybody else having this problem? Where should I
> > look for answers?
>
> In your logs

all logs are full of lines like this:
@40003b326259244df3f4 alert: cannot start: unable to open mutex

I rebooted.

> and your configuration.  If qmail is an open relay on your
> system, you've configured it incorrectly.  Give us the output of
> `qmail-showctl`,

[root@server1 qmail]# bin/qmail-showctl
qmail home directory: /var/qmail.
user-ext delimiter: -.
paternalism (in decimal): 2.
silent concurrency limit: 120.
subdirectory split: 23.
user ids: 12346, 12347, 12348, 0, 12349, 12350, 12351, 12352.
group ids: 12347, 12348.

badmailfrom: (Default.) Any MAIL FROM is allowed.

bouncefrom: (Default.) Bounce user name is MAILER-DAEMON.

bouncehost: (Default.) Bounce host name is e1city.com.

concurrencylocal: (Default.) Local concurrency is 10.

concurrencyremote: (Default.) Remote concurrency is 20.

databytes: (Default.) SMTP DATA limit is 0 bytes.

defaultdomain: Default domain name is e1city.com.

defaulthost: (Default.) Default host name is e1city.com.

doublebouncehost: (Default.) 2B recipient host: e1city.com.

doublebounceto: (Default.) 2B recipient user: postmaster.

envnoathost: (Default.) Presumed domain name is e1city.com.

helohost: (Default.) SMTP client HELO host name is e1city.com.

idhost: (Default.) Message-ID host name is e1city.com.

localiphost: (Default.) Local IP address becomes e1city.com.

locals:
Messages for localhost are delivered locally.

me: My name is e1city.com.

percenthack: (Default.) The percent hack is not allowed.

plusdomain: Plus domain name is e1city.com.

qmqpservers: (Default.) No QMQP servers.


queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

rcpthosts:
SMTP clients may send messages to recipients at localhost.
SMTP clients may send messages to recipients at mgrier.com.
SMTP clients may send messages to recipients at bigmweb.com.
SMTP clients may send messages to recipients at e1city.com.
SMTP clients may send messages to recipients at thecountrymill.com.
SMTP clients may send messages to recipients at countrymill.com.
SMTP clients may send messages to recipients at cherryjuiceconcentrate.com.
SMTP clients may send messages to recipients at tartcherryjuice.com.
SMTP clients may send messages to recipients at doccherry.com.
SMTP clients may send messages to recipients at msistudios.com.
SMTP clients may send messages to recipients at msi-studios.com.
SMTP clients may send messages to recipients at tcsom.com.
SMTP clients may send messages to recipients at gospelofthekingdom.org.
SMTP clients may send messages to recipients at midlandfurniture.com.
SMTP clients may send messages to recipients at midlandpiano.com.
SMTP clients may send messages to recipients at michiganpiano.com.
SMTP clients may send messages to recipients at michiganorgan.com.
SMTP clients may send messages to recipients at sweetnita.com.
SMTP clients may send messages to recipients at tennes.com.
SMTP clients may send messages to recipients at j4t.org.
SMTP clients may send messages to recipients at intruderlc.com.
SMTP clients may send messages to recipients at sleepmethods.com.

morercpthosts: (Default.) No effect.

morercpthosts.cdb: (Default.) No effect.

smtpgreeting: (Default.) SMTP greeting: 220 e1city.com.

smtproutes: (Default.) No artificial SMTP routes.

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.

timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.

timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

virtualdomains:
Virtual domain: mgrier.com:mgrier
Virtual domain: bigmweb.com:alias-bigmwebcom
Virtual domain: e1city.com:alias-e1citycom
Virtual domain: thecountrymill.com:mtennes
Virtual domain: countrymill.com:mtennes
Virtual domain: cherryjuiceconcentrate.com:mtennes
Virtual domain: tartcherryjuice.com:mtennes
Virtual domain: doccherry.com:mtennes
Virtual domain: msistudios.com:gjgadwa
Virtual domain: msi-studios.com:gjgadwa
Virtual domain: tcsom.com:alias-tcsomcom
Virtual domain: gospelofthekingdom.org:alias-gospelofthekingdomorg
Virtual domain: midlandfurniture.com:alias-midlandfurniturecom
Virtual domain: midlandpiano.com:alias-michiganpianocom
Virtual domain: michiganpiano.com:alias-michiganpianocom
Virtual domain: michiganorgan.com:alias-michiganpianocom
Virtual domain: sweetnita.com:alias-sweetnitacom
Virtual domain: tennes.com:mtennes
Virtual domain: j4t.org:alias-j4torg
Virtual domain: intruderlc.com:alias-intruderlccom
Virtual domain: sleepmethods.com:alias-sleepmethodscom

Re: Qmailt and spam

2001-06-21 Thread Michael Grier


> > The spammer seems to somehow be using the user qmailt as the originator.
> > A copy follows. uid 12355 is the user qmailt.
>
> There is no such user in a normal qmail install.
>
> Are you sure they didn't get into your system another way?  A broken formmail
> CGI, or something else?

I've now found that this user was most likely created yesterday when
this problem started, so now I probably have to figure out how I was
hacked. I've deleted the user.
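The thread turns on one detail in the headers: the bottom-most `Received:` stamp reads `invoked by uid 12355`, not `invoked from network`, and 12355 is not among the eight uids that `qmail-showctl` lists. That distinguishes local injection by an unexpected account from an open relay. The following script, an added example that is not code from the thread or from qmail itself, performs that triage: it unfolds the headers, finds the qmail stamps, maps the `user ids:` line from `qmail-showctl` to qmail's user names (qmail-showctl prints them in conf-users order: alias, qmaild, qmaill, root, qmailp, qmailq, qmailr, qmails), and reports whether the message entered via SMTP or was injected locally by a uid qmail does not own. The sample message is constructed after the headers posted above; the addresses and the `-0000` timezone are placeholders.

```python
"""Triage qmail Received: stamps: relayed from the network, or injected
locally, and by which uid?  Added example, not code from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the headers posted in the thread.
# Addresses and the timezone are placeholders, not the original values.
SAMPLE_MESSAGE = """\
Received: (qmail 6926 invoked from network); 21 Jun 2001 03:43:07 -0000
Received: from e1city.com (216.110.45.57)
  by depot.dial.pipex.com with SMTP; 21 Jun 2001 03:43:07 -0000
Received: (qmail 23293 invoked by uid 12355); 20 Jun 2001 22:30:44 -0000
Date: 20 Jun 2001 22:30:44 -0000
From: sender@example.invalid
To: victim@example.invalid
Subject: Attention!...

(body omitted)
"""

# The "user ids:" line exactly as qmail-showctl printed it in the thread.
SHOWCTL_USER_IDS = "user ids: 12346, 12347, 12348, 0, 12349, 12350, 12351, 12352."
# qmail-showctl prints the uids in conf-users order.
QMAIL_USER_NAMES = ("alias", "qmaild", "qmaill", "root",
                    "qmailp", "qmailq", "qmailr", "qmails")

# The four stamp forms qmail-queue writes; all four appear in the thread.
QMAIL_STAMP = re.compile(
    r"^Received:\s*\(qmail\s+\d+\s+invoked\s+"
    r"(?P<how>from network|by alias|for bounce|by uid (?P<uid>\d+))\)"
)


@dataclass
class Hop:
    origin: str               # "network", "alias", "bounce" or "local"
    uid: Optional[int]        # only set for "local"
    known_as: Optional[str]   # qmail user name if uid is one of qmail's own
    header: str


def unfold(raw: str) -> list[str]:
    """Join RFC 822 continuation lines; stop at the header/body separator."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line == "":
            break
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_showctl_uids(line: str) -> dict[int, str]:
    """Map each uid on qmail-showctl's 'user ids:' line to its qmail user."""
    uids = [int(n) for n in re.findall(r"\d+", line)]
    return dict(zip(uids, QMAIL_USER_NAMES))


def qmail_hops(headers: list[str], known: dict[int, str]) -> list[Hop]:
    """Extract every qmail stamp, top (latest hop) to bottom (injection)."""
    hops: list[Hop] = []
    for h in headers:
        m = QMAIL_STAMP.match(h)
        if not m:
            continue
        how = m.group("how")
        if how == "from network":
            hops.append(Hop("network", None, None, h))
        elif how == "by alias":
            hops.append(Hop("alias", None, "alias", h))
        elif how == "for bounce":
            hops.append(Hop("bounce", None, "qmails", h))
        else:
            uid = int(m.group("uid"))
            hops.append(Hop("local", uid, known.get(uid), h))
    return hops


def triage(raw: str, showctl_line: str) -> tuple[Optional[Hop], list[str]]:
    """Return the injection hop (bottom-most stamp) and defender findings."""
    known = parse_showctl_uids(showctl_line)
    hops = qmail_hops(unfold(raw), known)
    origin = hops[-1] if hops else None   # MTAs prepend, so last = first
    findings: list[str] = []
    if origin is None:
        findings.append("no qmail stamp: message never passed through qmail")
    elif origin.origin == "network":
        findings.append("entered via SMTP (qmail-smtpd): review rcpthosts "
                        "and any RELAYCLIENT rules")
    elif origin.origin == "local" and origin.known_as is None:
        findings.append(f"injected locally by uid {origin.uid}, which is not "
                        "a qmail user: not a relay problem, audit that account")
    else:
        findings.append(f"injected by qmail's own user {origin.known_as}")
    return origin, findings


if __name__ == "__main__":
    hop, notes = triage(SAMPLE_MESSAGE, SHOWCTL_USER_IDS)
    print(hop.header if hop else "-", *notes, sep="\n")
```

Run against the sample, the injection hop is the `invoked by uid 12355` stamp and the finding says the uid is not a qmail user, which is the conclusion the thread reaches by hand; a message whose bottom stamp is `invoked from network` is reported as an SMTP entry instead, which is the case where `rcpthosts` would be the thing to check.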




failure notices

2001-06-20 Thread Michael Grier

I'm getting lots of failure notices like the following. Does this mean
that qmail is working or do I need to look further to see if this spam
is getting through for other addresses? The user qmailt seems to be
involved in all of them.

Mike

my server is represented herein by mydomain.com
---

From [EMAIL PROTECTED] Wed Jun 20 15:25:50 2001
X-Apparently-To: [EMAIL PROTECTED] via web13806.mail.yahoo.com; 20 Jun 2001 15:25:15 -0700 (PDT)
Received: from mydomain.com (216.110.45.57) by mta550.mail.yahoo.com with SMTP; 20 Jun 2001 15:25:15 -0700 (PDT)
Received: (qmail 11487 invoked by alias); 20 Jun 2001 22:25:50 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 11461 invoked for bounce); 20 Jun 2001 22:25:50 -
Date: 20 Jun 2001 22:25:50 -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice
Content-Length: 1428




Hi. This is the qmail-send program at mydomain.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

[EMAIL PROTECTED]:
Sorry, I couldn't find any host named global.couk. (#5.1.2)

--- Below this line is a copy of the message.

Return-Path: [EMAIL PROTECTED]
Received: (qmail 11421 invoked by uid 12355); 20 Jun 2001 22:25:49 -
Date: 20 Jun 2001 22:25:49 -
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Content-Type: text/plain;charset=iso-8859-1
Subject: Attention!...


disgusting spam snipped