Topic: Help please!!! Spamers use my server as sender!!!!

[Normando]

Hello. Today I see the log "Sender statics" under "Mail log file analysis" in server manager, and exist a lot of sender email address don't have in my server. Sorry for my english. In other words, I have two accounts in my server/gateway. Account aaa@xxx and bbb@xxx. I se in the log others accounts as senders? it is posible? I see my IP in the "Remote host said: 451 http://dsbl.org/listing?xxx.xxx.xxx.xxx". DSBL sites list my IP as posbble spammer!!!!!
I look at the http://dsbl.org/sender for help, but i don't know how to stop spam trough my server.
I am sure my accounts don't send spam.
I have a static IP
Thanks

[raem]

Run anti-relay test to check system is OK:
There are two ways this can be done

At the server's command prompt do:
telnet relay-test.mail-abuse.org

Note: This only works if the outgoing address is also your mailserver address, which is usually the case in standard installations. This may not be true in some more complex network setups.

Alternatively browse to
www.abuse.net/relay.html
and enter your server details and perform the test


Do you have external pop access enabled ? Best to disable it as this is not secure (use secure pop contrib if necessary).
Do you have external ssh enabled, might be best to disable it too ?

[CharlieBrady]

Hello. Today I see the log "Sender statics" under "Mail log file analysis" in server manager, and exist a lot of sender email address don't have in my server. Sorry for my english. In other words, I have two accounts in my server/gateway. Account aaa@xxx and bbb@xxx. I se in the log others accounts as senders? it is posible? I see my IP in the "Remote host said: 451 http://dsbl.org/listing?xxx.xxx.xxx.xxx". DSBL sites list my IP as posbble spammer!!!!!
I look at the http://dsbl.org/sender for help, but i don't know how to stop spam trough my server.
I am sure my accounts don't send spam.

"sender statistics" includes inbound email, and inbound email can have your domain included in the sender address.

If you have any concerns about the security of the SME server, send a detailed email to security@contribs.org.

[Normando]

Thanks for the replies.
Ray, I test as you say and run ok, my server does not accept relay. It's ok.


Well, thanks Charly, now I realice

"sender statistics" includes inbound email

.
I suppose "sender statistics" are only my accounts senders.
What about anonymous@mydomain sender? This "account" has sended a lot of emails.

Sorry my inexperience in some topics
Normando

[MSmith]

Examination of the smtpfront-qmail/current log will reveal the suspect workstation(s) by IP address.  I know, because I'm poring over it just now for a client whose server slowed to a crawl because of the umpty-zillion SPAM emails flooding out from that workstation.

[ephraims]

I am having a similar problem with one of my customers they are reciving tones of bounce backs saying the messages were underliverable. When i look at isolog it say that the anonymous user sent out 3000 emails and is the top sender looking at the headers of the bounced emails i can not see any evidence of where it originated from the server. i have eliminated the workstations as they were turned off at the time the bounce backs started comming in. Any ideas? what can i check on the server to see if it has been hacked. Also they have stoped the messages sent out 3000 and stopped but it has happend on two days both tuesdays

[raem]

ephraims

The messages are most probably coming from an external system that has been infected and is just using addresses from the infected computers address book (ie your clients addresses). There's not much you can do about that.
Look at double bounce message deletion
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Mail%20system%20tweaks%20HOWTO%20for%20sme%20server.htm