Koozali.org: home of the SME Server

What means this - Is my server being used for spreading spam

Rien
« on: December 22, 2006, 05:28:39 PM »
Hi all,

According to www.GRC.com, ports 25 (SMTP) and 110 (POP3) are stealth, but I got the following alert:

Quote
[ALRT] mlkserver.focus.demon.nl : mail in = 375 (max=20)

mlkserver.focus.demon.nl :Fri Dec 22 01:12:19 2006
During the last 5 minutes, 375 incoming e-mails were detected, you had set the alert limit to 20 incoming e-mails.
(Possible reasons : do you receive spam ? a mailbomb ? mailing-lists ?)


One line per recipient host. Information on each line:
* sbytes is the number of bytes successfully delivered to this host.
* mess is the number of messages sent to this host (success plus failure).
* tries is the number of delivery attempts (success, failure, deferral).
* xdelay is the total xdelay incurred by this host.

Maillog
   sbytes   mess  tries   xdelay  host
     3243      1      1     0.26  000host.com
     4405      1      1     0.22  004.com
     7968      2      2     0.52  006.com
     6081      2      2     0.45  007addict.com
     4624      1      1     0.20  007sluts.com
     3433      1      1     0.30  0101-long-distance.com
     4748      1      1     0.25  0113.com
     9399      3      3     0.85  01191.com
     2709      1      1     0.19  0-12.com
         .        .      .
         .        .      .
   21182      1      1     1.15  z-upit.dk
     2820      1      1     0.31  zurich.com
     2590      1      1     0.26  zybermail.com
    10512      2      2     0.68  zzbandb.com

End of Report

What is wrong?
Rien
(The Netherlands)......

CharlieBrady
Re: What means this?
« Reply #1 on: December 22, 2006, 05:57:54 PM »
Quote from: "Rien"

... but I got the following alert:


Are you asking in the right forum? This "alert" has nothing to do with unmodified SME server.

Rien
« Reply #2 on: December 22, 2006, 06:12:20 PM »
Hi Charlie,

Well, the alert is from SME7Admin, which is a contrib. But my question has little to do with SME7admin.

I'm afraid that my server is hacked to spread SPAM, but I can't imagine how. My mail ports (25 and 110) are all closed (stealth) and I retrieve mail using fetchmail/maildrop.

In my mail client I can't see any of these mails.

In "mail log file analysis", the report "List outgoing messages and recipients" is empty.

How can I detect if my mailserver is used for the purpose of spreading SPAM?
Rien
(The Netherlands)......

CharlieBrady
« Reply #3 on: December 22, 2006, 06:46:34 PM »
Quote from: "Rien"

I'm afraid that my server is hacked to spread SPAM, but I can't imagine how.


Quite possibly via a web application. Do you have any PHP applications installed? Most of them are insecure at one time or another.

Quote

How can I detect if my mailserver is used for the purpose of spreading SPAM?


Examine the qmail logs.

mdo
« Reply #4 on: December 22, 2006, 06:57:42 PM »
Quote
mlkserver.focus.demon.nl :Fri Dec 22 01:12:19 2006
During the last 5 minutes, 375 incoming e-mails were detected, you had set the alert limit to 20 incoming e-mails.


Looking at the time reported (01:12), this is most likely the time of the system's log rotation. I believe it is a known bug in sme7admin that it creates that (wrong) warning for log rotations (we have these warnings also at 01:12 during log rotation). My French is not good, but here is the link: http://bugs.contribs.org/show_bug.cgi?id=1051
Michael
...

Rien
« Reply #5 on: December 22, 2006, 08:29:49 PM »
If I'm interpreting the qmail log correctly, there is mail sent via my server. None of the addresses are known to me.

I have Joomla! installed (PHP-based CMS). I'll check the Joomla forums.

QMail log:
Code:
2006-12-22 20:20:15.725137500 new msg 9246244
2006-12-22 20:20:15.725145500 info msg 9246244: bytes 14401 from <ikvtangible@vodw.com> qp 9101 uid 400
2006-12-22 20:20:15.733540500 starting delivery 581: msg 9246244 to local a1aaa1azzzz1zaaaaa@mlkserver.focus.demon.nl
2006-12-22 20:20:15.733550500 status: local 2/10 remote 0/20
2006-12-22 20:20:15.733555500 delivery 580: success: forward:_qp_9101/did_0+0+1/
2006-12-22 20:20:15.733560500 status: local 1/10 remote 0/20
2006-12-22 20:20:15.733565500 end msg 9246242
2006-12-22 20:20:15.746942500 delivery 581: failure: Recipient_unknown/
2006-12-22 20:20:15.746951500 status: local 0/10 remote 0/20
2006-12-22 20:20:15.759890500 bounce msg 9246244 qp 9105
2006-12-22 20:20:15.759899500 end msg 9246244
2006-12-22 20:20:15.760646500 new msg 9246243
2006-12-22 20:20:15.760824500 info msg 9246243: bytes 14938 from <> qp 9105 uid 406
2006-12-22 20:20:15.768050500 starting delivery 582: msg 9246243 to remote ikvtangible@vodw.com
2006-12-22 20:20:15.768257500 status: local 0/10 remote 1/20
2006-12-22 20:20:16.173623500 delivery 582: success: 194.159.73.194_accepted_message./Remote_host_said:_250_OK_id=1GxpwF-0000in-V1/
2006-12-22 20:20:16.173633500 status: local 0/10 remote 0/20
2006-12-22 20:20:16.173638500 end msg 9246243
Rien
(The Netherlands)......

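Charlie's advice above is to examine the qmail logs, and the excerpt Rien posted can be read mechanically. The following is an added example (not code from the thread, SME Server or sme7admin) that groups qmail-send lines by message id and labels each message as inbound, outbound (a real sender plus a remote recipient, which is what relaying abuse from a compromised web application looks like) or bounce (null sender, i.e. a delivery status notification the server itself generated, backscatter when it goes to a remote host). The uid field tells which local account queued the message, which helps attribute outbound mail to a particular application. Run on Rien's excerpt it reports one inbound message to a non-existent local address and the bounce that went back to the remote sender, not outbound mail.

```python
import re

# Excerpt of the qmail-send log posted above, used as the sample input for this example.
SAMPLE_LOG = """\
2006-12-22 20:20:15.725145500 info msg 9246244: bytes 14401 from <ikvtangible@vodw.com> qp 9101 uid 400
2006-12-22 20:20:15.733540500 starting delivery 581: msg 9246244 to local a1aaa1azzzz1zaaaaa@mlkserver.focus.demon.nl
2006-12-22 20:20:15.746942500 delivery 581: failure: Recipient_unknown/
2006-12-22 20:20:15.759890500 bounce msg 9246244 qp 9105
2006-12-22 20:20:15.759899500 end msg 9246244
2006-12-22 20:20:15.760824500 info msg 9246243: bytes 14938 from <> qp 9105 uid 406
2006-12-22 20:20:15.768050500 starting delivery 582: msg 9246243 to remote ikvtangible@vodw.com
2006-12-22 20:20:16.173623500 delivery 582: success: 194.159.73.194_accepted_message./Remote_host_said:_250_OK_id=1GxpwF-0000in-V1/
2006-12-22 20:20:16.173638500 end msg 9246243
"""

# The four qmail-send line types the analysis needs; "new msg", "status" and "end msg" are ignored.
RE_INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
RE_START = re.compile(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")
RE_RESULT = re.compile(r"delivery (\d+): (success|failure|deferral): ")
RE_BOUNCE = re.compile(r"bounce msg (\d+) qp \d+")

def parse_qmail_log(text):
    """Group lines by message id -> {sender, uid, bounced, deliveries: [{kind, rcpt, result}]}."""
    msgs, deliveries = {}, {}
    for line in text.splitlines():
        parts = line.split(None, 2)          # drop the date and time columns
        rest = parts[-1] if parts else ""
        if m := RE_INFO.search(rest):
            msgs[m[1]] = {"sender": m[2], "uid": int(m[3]), "bounced": False, "deliveries": []}
        elif m := RE_START.search(rest):
            msg = msgs.setdefault(m[2], {"sender": None, "uid": None, "bounced": False, "deliveries": []})
            deliveries[m[1]] = {"kind": m[3], "rcpt": m[4], "result": None}
            msg["deliveries"].append(deliveries[m[1]])
        elif (m := RE_RESULT.search(rest)) and m[1] in deliveries:   # excerpts may start mid-message
            deliveries[m[1]]["result"] = m[2]
        elif (m := RE_BOUNCE.search(rest)) and m[1] in msgs:
            msgs[m[1]]["bounced"] = True
    return msgs

def classify(msg):
    """'bounce' = null sender (server-generated DSN); 'outbound' = real sender with a remote
    recipient (relaying abuse looks like this); 'inbound' = local recipients only."""
    if msg["sender"] == "":
        return "bounce"
    if any(d["kind"] == "remote" for d in msg["deliveries"]):
        return "outbound"
    return "inbound"

def report(text):
    """Map each message id in the log to (classification, uid of the queueing process)."""
    return {mid: (classify(m), m["uid"]) for mid, m in parse_qmail_log(text).items()}
```

Feed it the full /var/log/qmail output and look for "outbound" entries with a sender you do not recognise; a steady stream of "bounce" entries means the server is generating backscatter for inbound spam to unknown addresses.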
byte
« Reply #6 on: December 22, 2006, 10:53:54 PM »
Moving this topic to the SME 7.x contribs forum, it is more appropriate there. Thanks!

Also could you please use a more descriptive subject. Thanks.
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told; this way you help us to help you/others - Thanks!

CharlieBrady
« Reply #7 on: December 22, 2006, 11:33:21 PM »
Quote from: "Rien"

I've Joomla! installed (PHP-based CMS).


You should disable it until you are certain that it's not a problem.

Franco
« Reply #8 on: December 23, 2006, 12:03:03 AM »
Quote
During the last 5 minutes, 375 incoming e-mails were detected, you had set the alert limit to 20 incoming e-mails.

You are receiving spam! Not sending.
I also noticed that from time to time sme7admin sends out bogus reports.

Rien
« Reply #9 on: December 23, 2006, 11:06:45 AM »
Just to be sure,

In Joomla! the setting of "PHP Register Globals" was "On". I turned it "Off". I also set the properties of the Joomla! files to 644 and the Joomla! directories to 755.

I also set:
Maximum number of incoming e-mails: 15
Maximum number of outgoing e-mails: 15

Thanks,
Rien
(The Netherlands)......

dede77b
« Reply #10 on: January 03, 2007, 12:11:47 PM »
I'm getting the same message every night at 01.12.

I'm using joomla and sme7admin too.

I never discovered whether this is spam, an error or just a bug of a program I installed :-(

bpivk
« Reply #11 on: January 03, 2007, 02:40:12 PM »
Had the same problem with sme7admin and I just disabled it and guess what... no problems.

And the message you're getting is for incoming mail not outgoing so you're not sending spam. You're receiving something.
And I got the same message, sometimes even from sme7admin itself. (I set the limit too low and it warned me over and over on log rotation.)

The problem was fixed when I turned off some notifications. (Had 600 mail warnings from sme7admin :roll: )
"It should just work" if it doesn't report it. Thanks!