Koozali.org: home of the SME Server

Spam relay

Offline Peasant

Spam relay
« on: May 30, 2007, 10:57:55 AM »
A client running SME 7.1.2 has had their IP blacklisted because of spam. I am usually called in to firefight any problems they have, and I suspect another machine on the network is the source of the problem. From searching this forum I can see that I can check the /qmail/current log to see if spam is coming from SME.

Is there any way I can see what IP address or machine on the network may be the source?

What other logs should I be looking at to try and get to the bottom of this.
I am going down there this afternoon, so any help will be much appreciated.

Many thanks.
Jim

Offline Stefano

Re: Spam relay
« Reply #1 on: May 30, 2007, 11:06:16 AM »
Quote from: "Peasant"
A client running SME 7.1.2 has had their IP blacklisted because of spam. I am usually called in to firefight any problems they have, and I suspect another machine on the network is the source of the problem. From searching this forum I can see that I can check the /qmail/current log to see if spam is coming from SME.

Is there any way I can see what IP address or machine on the network may be the source?

What other logs should I be looking at to try and get to the bottom of this.
I am going down there this afternoon, so any help will be much appreciated.

Many thanks.


Hi..

Usually I follow 2 rules:
- none of the clients can send email except via SME (i.e. a rule on the firewall preventing clients from accessing external SMTP servers)
- SME sends mail via the ISP's SMTP server (smart host)

If you do the same:
- you'll see blocked SMTP connections in the firewall log, so it's easy to discover infected PCs
- you'll hardly ever be blacklisted

Just my 2c

Ciao

Stefano

Offline Peasant

Spam relay
« Reply #2 on: May 30, 2007, 11:15:49 AM »
Quote
Usually I follow 2 rules:
- none of the clients can send email except via SME (i.e. a rule on the firewall preventing clients from accessing external SMTP servers)


Do you mean you set a rule on the SME firewall? If so, can you explain how I can do this?

Quote
- SME sends mail via the ISP's SMTP server (smart host)


Thanks, I'll need to investigate this further as I'm pretty sure they only have a connection with their ISP, not any mail servers.

Cheers.
Jim

Offline Stefano

Spam relay
« Reply #3 on: May 30, 2007, 11:34:23 AM »
Quote from: "Peasant"

Do you mean you set a rule on the SME firewall? If so, can you explain how I can do this?


I was referring to a "single server" SME installation. If your SME is acting as server and gateway, go to the "Proxy" item under the "Security" section in server-manager and set the SMTP proxy to active.

Quote

Thanks, I'll need to investigate this further as I'm pretty sure they only have a connection with their ISP, not any mail servers.


Under the "Configuration" section -> "E-mail": be sure "Address of Internet provider's mail server" is not blank.

Ciao

Stefano

Offline Peasant

Spam relay
« Reply #4 on: May 30, 2007, 11:52:45 AM »
Quote
If your SME is acting as server and gateway, go to the "Proxy" item under the "Security" section in server-manager and set the SMTP proxy to active.


Thanks, I'll check this out this afternoon. On my machine here it is set as active (it appears to be by default). Assuming it is the same at my client's, does this mean that only users can use SME to send e-mail? In other words, any spam will have to have come from a logged-in user?
Jim

Offline Stefano

Spam relay
« Reply #5 on: May 30, 2007, 12:02:34 PM »
Quote from: "Peasant"
Quote
If your SME is acting as server and gateway, go to the "Proxy" item under the "Security" section in server-manager and set the SMTP proxy to active.


Thanks, I'll check this out this afternoon. On my machine here it is set as active (it appears to be by default). Assuming it is the same at my client's, does this mean that only users can use SME to send e-mail? In other words, any spam will have to have come from a logged-in user?


It means that (assuming SME is the default gateway for the LAN) every email the clients send, even if via a different SMTP server, is filtered by SME.

Ciao

Stefano

Offline Peasant

Spam relay
« Reply #6 on: May 30, 2007, 04:14:54 PM »
OK, looking at the mail logs, sender statistics, there is a lot of spam going out from userID 400 - 406. The usernames for these are qmaild, qmaill, qmailp, qmailq, qmailr, and qmails. Also, UID 453, which is listed as qpsmtpd system user.

As SME is really only used as a mail server there are very few going from genuine users. None of the users log in to the server, only their e-mail clients have the login details for a user. Any further pointers appreciated.
Jim

Offline Peasant

Spam relay
« Reply #7 on: May 30, 2007, 09:01:13 PM »
I think I'm beginning to get somewhere. It appears that one of the Windows machines is doing the spamming. My reasoning is as follows.

Please correct me if I'm wrong, but if a user is logged in to a Windows workstation as an SME user and sends an e-mail, then the logs will show it as having come from that user ID. If the user is logged on under an account name not in SME and sends an e-mail, the SME logs will just show it as having come from a system account (400 usually). When the system was set up, the IT manager at the time did not like the strong passwords that SME insisted on, and so decided only to use it as a mail server and gateway. Users just log on to their local machines, but the e-mail client (Thunderbird) is set up to collect e-mail from SME. 95% of the e-mails are coming from UID 400. There are also about 900 coming from the one user account we did log on properly - but he has now left the company. So, is it possible that this user's machine is doing the spamming, but as the new user is not logged on to the SME server, all the spam is now being registered as UID 400?
Jim

cosmin

Spam relay
« Reply #8 on: May 31, 2007, 11:00:16 AM »
You can see the IP of the spamming computer in the qpsmtpd log file... just look for multiple entries with the same IP address! That's how I found mine...

I think the solution to this problem is to force SMTP to use a non-standard port (accepting from the internal network), block port 25, and use authentication before sending e-mail.

But I don't know how to do it... I opened a post but no one has replied yet.
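A small tally of the kind the reply above suggests, written here as an added example (not code from the thread or from SME Server): it counts SMTP connections per source IP in a qpsmtpd-style log and lists the hours at which a given host connected, which is what distinguishes a spam bot from a normal workstation. The log lines are constructed in a simplified format; the real SME qpsmtpd log is more verbose, so the regular expression is an assumption to adapt to the actual line layout.

```python
"""Tally SMTP connections per source IP in a qpsmtpd-style log (added example)."""
import re
from collections import Counter

# Constructed sample log in a simplified "timestamp Connection from IP" layout.
# Adapt LINE_RE to the real /var/log/qpsmtpd/current format before use.
SAMPLE_LOG = """\
2007-05-30 02:14:03 Connection from 192.168.1.55
2007-05-30 03:40:51 Connection from 192.168.1.55
2007-05-30 08:01:12 Connection from 192.168.1.20
2007-05-30 08:01:14 Connection from 192.168.1.55
2007-05-30 09:22:40 Connection from 192.168.1.31
2007-05-30 13:05:09 Connection from 192.168.1.55
2007-05-30 17:48:33 Connection from 192.168.1.20
2007-05-30 23:59:02 Connection from 192.168.1.55
"""

# Captures the hour of day and the connecting IP address (assumed layout).
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} (\d{2}):\d{2}:\d{2} Connection from "
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_connections(log_text):
    """Return a list of (hour, ip) tuples, one per matched connection line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2)))
    return events


def connections_per_ip(log_text):
    """Count connections per source IP, most frequent first."""
    return Counter(ip for _, ip in parse_connections(log_text))


def suspicious_sources(log_text, threshold):
    """IPs with at least `threshold` connections; a high count from one
    workstation is the pattern the reply above describes."""
    counts = connections_per_ip(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def hours_active(log_text, ip):
    """Hours of day (0-23) at which `ip` connected; night-time activity from
    a desktop PC is a strong hint that it is sending mail on its own."""
    return sorted({hour for hour, src in parse_connections(log_text) if src == ip})


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG, 3):
        print(f"{ip}: {n} connections, active hours {hours_active(SAMPLE_LOG, ip)}")
```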

Offline Peasant

Spam relay
« Reply #9 on: May 31, 2007, 04:28:18 PM »
Quote
You can see the IP of the spamming computer in the qpsmtpd log file... just look for multiple entries with the same IP address! That's how I found mine...


Thanks for that. The server holds the logs for the last week and there is absolutely nothing suspicious there at all, so I did a bit more digging. If I run the recipient hosts report, it shows all the hosts that mail has been sent to. This revealed a significant number of hosts that no one in the company would have sent mail to. Some of these had been sent over 100 messages, so we ran a filter over the qmail logs with the pattern set to one of the dodgy hosts and 'to' highlighted. This revealed messages sent to these hosts at all times of the day, but only for 1 week at the end of Feb/beginning of March. Unfortunately we do not have the qpsmtpd logs that far back to follow this up. There appears to have been little or no activity since then, but we'll keep monitoring.
Jim