Re: [toaster] Issues With Relay Mail and Spam

2009-03-23 Thread AJ Bourg
Anybody? I have more messages in the queue because of this and I'm 
getting rather frustrated because I'm not sure what is going on.


Thanks.

On 3/8/09 10:13 PM, AJ Bourg wrote:

Hi Folks,

I have been having a persistent issue the last few days with a bot using
my server as a relay to send spam. The other day I had 24,000 spam
messages stuck in my qmail queue. I used qmail-remove to remove all
these messages, and this spammer is using a consistent (fake) from
address on my server and is using a consistent netblock in China so I
used iptables to just block the whole network. But I would like to
figure out why the messages are being accepted.

Here's an example from the log:

@400049b3f675121b5e4c tcpserver: pid 32237 from 121.206.74.211
@400049b3f675121b6234 tcpserver: ok 32237 0:65.98.207.151:25
:121.206.74.211::2...@400049b3f67a155cba24 CHKUSER accepted sender:
from ty...@bella2.srihosting.com:anonymous: remote
F35D3CCB236648E:unknown:121.206.74.211 rcpt  : sender
accep...@400049b3f67a155cc5dc CHKUSER relaying rcpt: from
ty...@bella2.srihosting.com:anonymous: remote
F35D3CCB236648E:unknown:121.206.74.211 rcpt yt...@yaho.cn : client
allowed to relay
@400049b3f68a372996f4
simscan:[32237]:RELAYCLIENT:16.5675s:-:121.206.74.211:ty...@bella2.srihosting.com:yt...@yaho.cn:


(bella2.srihosting.com is the local system name and was in the RCPT
hosts file until the other day when I removed it, hoping that would
help. We do not receive email on that domain.)

Here's a header from one of the messages:

Received: (qmail 22570 invoked by uid 89); 9 Mar 2009 03:40:25 -
Received: by simscan 1.3.1 ppid: 21148, pid: 22563, t: 0.7776s
scanners: attach: 1.3.1 clamav: 0.94.1/m:
Received: from unknown (HELO F35D3CCB236648E) (anonym...@121.206.73.92)
by 0 with ESMTPA; 9 Mar 2009 03:40:24 -
From: =?gb2312?B?zuTPwMPUYm80NTgxOTg50rsyMDA5?=
ty...@bella2.srihosting.com
Subject: =?gb2312?B?MjAwOb3wxcbTzs+3zfVibzQ1ODE5ODk=?=
To: bo4581...@yahoo.com.cn
Content-Type: text/html;
charset=gb2312
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Date: Mon, 9 Mar 2009 11:40:45 +0800

My rcpthosts file contains only two lines:

bella-solar.com
bellaenergy.com

I am using POP before SMTP, but every time I check that file, I can't
find that IP/netblock in it, so it shouldn't be allowed to relay from
that address.

My tcp.smtp file looks like this:

127.:allow,RELAYCLIENT=
:allow,QMAILQUEUE=/var/qmail/bin/simscan

(I'm not sure what the second line does or if perhaps this is a source
of my problems? is it allowing all mail to pass through to simscan?)

I've manually attempted to relay through telnet but am always blocked.

Why is CHKUSER allowing this client to relay? How do I go about figuring
this out? I thought I generally understood how qmail worked, but trying
to solve this has shown me I'm not quite there yet.

Any help any of you folks could provide in solving this issue would be
greatly appreciated.

AJ


Re: [toaster] Issues With Relay Mail and Spam

2009-03-23 Thread Rick Macdougall

AJ Bourg wrote:
Anybody? I have more messages in the queue because of this and I'm 
getting rather frustrated because I'm not sure what is going on.


Thanks.

On 3/8/09 10:13 PM, AJ Bourg wrote:

Hi Folks,

I have been having a persistent issue the last few days with a bot using
my server as a relay to send spam. The other day I had 24,000 spam
messages stuck in my qmail queue. I used qmail-remove to remove all
these messages, and this spammer is using a consistent (fake) from
address on my server and is using a consistent netblock in China so I
used iptables to just block the whole network. But I would like to
figure out why the messages are being accepted.

Here's an example from the log:

@400049b3f675121b5e4c tcpserver: pid 32237 from 121.206.74.211
@400049b3f675121b6234 tcpserver: ok 32237 0:65.98.207.151:25
:121.206.74.211::2...@400049b3f67a155cba24 CHKUSER accepted sender:
from ty...@bella2.srihosting.com:anonymous: remote
F35D3CCB236648E:unknown:121.206.74.211 rcpt  : sender
accep...@400049b3f67a155cc5dc CHKUSER relaying rcpt: from
ty...@bella2.srihosting.com:anonymous: remote
F35D3CCB236648E:unknown:121.206.74.211 rcpt yt...@yaho.cn : client
allowed to relay
@400049b3f68a372996f4
simscan:[32237]:RELAYCLIENT:16.5675s:-:121.206.74.211:ty...@bella2.srihosting.com:yt...@yaho.cn: 



Sounds like some spammer has figured out the password of one of your 
users and is using SMTP Auth to send the emails.


Check your logs for vchkpw-smtp and see what user name is doing it.  On 
my system the log file is /var/log/maillog


Regards,

Rick



Re: [toaster] Issues With Relay Mail and Spam

2009-03-23 Thread Shane Chrisp

AJ Bourg wrote:
Anybody? I have more messages in the queue because of this and I'm 
getting rather frustrated because I'm not sure what is going on.
Received: from unknown (HELO F35D3CCB236648E) (anonym...@121.206.73.92) 
This line suggests that the user is authenticated with the user id of 
anonymous.

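Putting Rick's and Shane's pointers together, here is an added example (not code from this thread or from the qmail toaster project) that checks each CHKUSER "client allowed to relay" line against the posted tcp.smtp rules and tallies the relays tcp.smtp itself did not grant, keyed by the authenticated user CHKUSER logged. It assumes the CHKUSER log format quoted above, tcprules-style longest-prefix matching, and constructed sample log lines using RFC 5737 test addresses.

```python
import re
from collections import Counter

# Added example, not from the thread or the qmail toaster project. Assumes
# the CHKUSER log format quoted above and tcprules longest-prefix matching.
# tcp.smtp as posted: only loopback gets RELAYCLIENT; the empty-prefix
# catch-all just routes every client's mail through simscan.
TCP_SMTP = """127.:allow,RELAYCLIENT=
:allow,QMAILQUEUE=/var/qmail/bin/simscan
"""

# Constructed sample lines shaped like the thread's CHKUSER entries
# (RFC 5737 test addresses, not the real hosts or users).
MAILLOG = """\
@400049b3f67a155cc5dc CHKUSER relaying rcpt: from alice@bella2.example.com:anonymous: remote F35D3CCB236648E:unknown:192.0.2.44 rcpt bob@example.net : client allowed to relay
@400049b3f67a155cc5de CHKUSER relaying rcpt: from alice@bella2.example.com:anonymous: remote F35D3CCB236648E:unknown:192.0.2.44 rcpt carol@example.net : client allowed to relay
@400049b3f67a155cc5e0 CHKUSER relaying rcpt: from webmail@bella-solar.com:: remote localhost:localhost:127.0.0.1 rcpt dave@example.org : client allowed to relay
@400049b3f67a155cc5e2 CHKUSER accepted rcpt: from spam@example.net:: remote mx:unknown:198.51.100.9 rcpt staff@bella-solar.com : rcpt accepted
"""

RELAY_RE = re.compile(
    r"CHKUSER relaying rcpt: from (?P<sender>[^:]*):(?P<auth>[^:]*): "
    r"remote (?P<helo>[^:]*):(?P<rdns>[^:]*):(?P<ip>[\d.]+) "
    r"rcpt (?P<rcpt>\S+) : client allowed to relay")


def tcp_smtp_env(ip, rules=TCP_SMTP):
    """Env vars set by the longest matching tcp.smtp prefix; None if denied."""
    best = None
    for line in rules.splitlines():
        prefix, sep, action = line.partition(":")
        if sep and ip.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, action)
    if best is None or not best[1].startswith("allow"):
        return None
    return dict(item.partition("=")[::2] for item in best[1].split(",")[1:])


def find_auth_relays(log=MAILLOG, rules=TCP_SMTP):
    """Count relays CHKUSER allowed that tcp.smtp did not grant; with this
    tcp.smtp those can only come from SMTP AUTH, keyed by (auth user, ip)."""
    hits = Counter()
    for m in RELAY_RE.finditer(log):
        env = tcp_smtp_env(m["ip"], rules)
        if env is not None and "RELAYCLIENT" in env:
            continue  # relaying granted by tcp.smtp itself (loopback here)
        hits[(m["auth"] or "<none>", m["ip"])] += 1
    return hits
```

On the sample input the only non-tcp.smtp relays are the two from 192.0.2.44 authenticated as "anonymous", which is the account whose password Rick suggests checking.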

[toaster] Issues With Relay Mail and Spam

2009-03-08 Thread AJ Bourg

Hi Folks,

I have been having a persistent issue the last few days with a bot using 
my server as a relay to send spam. The other day I had 24,000 spam 
messages stuck in my qmail queue. I used qmail-remove to remove all 
these messages, and this spammer is using a consistent (fake) from 
address on my server and is using a consistent netblock in China so I 
used iptables to just block the whole network. But I would like to 
figure out why the messages are being accepted.


Here's an example from the log:

@400049b3f675121b5e4c tcpserver: pid 32237 from 121.206.74.211
@400049b3f675121b6234 tcpserver: ok 32237 0:65.98.207.151:25 
:121.206.74.211::2...@400049b3f67a155cba24 CHKUSER accepted sender: 
from ty...@bella2.srihosting.com:anonymous: remote 
F35D3CCB236648E:unknown:121.206.74.211 rcpt  : sender 
accep...@400049b3f67a155cc5dc CHKUSER relaying rcpt: from 
ty...@bella2.srihosting.com:anonymous: remote 
F35D3CCB236648E:unknown:121.206.74.211 rcpt yt...@yaho.cn : client 
allowed to relay
@400049b3f68a372996f4 
simscan:[32237]:RELAYCLIENT:16.5675s:-:121.206.74.211:ty...@bella2.srihosting.com:yt...@yaho.cn:


(bella2.srihosting.com is the local system name and was in the RCPT 
hosts file until the other day when I removed it, hoping that would 
help. We do not receive email on that domain.)


Here's a header from one of the messages:

Received: (qmail 22570 invoked by uid 89); 9 Mar 2009 03:40:25 -
Received: by simscan 1.3.1 ppid: 21148, pid: 22563, t: 0.7776s
 scanners: attach: 1.3.1 clamav: 0.94.1/m:
Received: from unknown (HELO F35D3CCB236648E) (anonym...@121.206.73.92)
  by 0 with ESMTPA; 9 Mar 2009 03:40:24 -
From: =?gb2312?B?zuTPwMPUYm80NTgxOTg50rsyMDA5?= 
ty...@bella2.srihosting.com

Subject: =?gb2312?B?MjAwOb3wxcbTzs+3zfVibzQ1ODE5ODk=?=
To: bo4581...@yahoo.com.cn
Content-Type: text/html;
charset=gb2312
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Date: Mon, 9 Mar 2009 11:40:45 +0800

My rcpthosts file contains only two lines:

bella-solar.com
bellaenergy.com

I am using POP before SMTP, but every time I check that file, I can't 
find that IP/netblock in it, so it shouldn't be allowed to relay from 
that address.


My tcp.smtp file looks like this:

127.:allow,RELAYCLIENT=
:allow,QMAILQUEUE=/var/qmail/bin/simscan

(I'm not sure what the second line does or if perhaps this is a source 
of my problems? is it allowing all mail to pass through to simscan?)


I've manually attempted to relay through telnet but am always blocked.

Why is CHKUSER allowing this client to relay? How do I go about figuring 
this out? I thought I generally understood how qmail worked, but trying 
to solve this has shown me I'm not quite there yet.


Any help any of you folks could provide in solving this issue would be 
greatly appreciated.


AJ