Koozali.org: home of the SME Server

My sme is sending spam or fake emails

phalon
« on: April 11, 2008, 07:26:36 PM »
Hello:

I have a problem: my users and I are getting mail from accounts that don't exist in the user lists on my server. Is there a way to know if my server is being used by a hacker or by a virus to send spam? And is there a way to protect my server?

I have SME 7.2.

Thanks for any help that anyone can give.

mercyh
« Reply #1 on: April 11, 2008, 08:09:19 PM »
Phalon,

You should upgrade to the latest version 7.3. This is the best way to protect your server.

You might try looking at the internet headers of the mail that you are suspecting. It is slightly different in different clients to get to this. In MS Outlook right click on the downloaded mail and go to properties. In MS Outlook Express do the same thing, then click on the details tab.

You will specifically want to look at the line something like the following:

>Received: from hypermail106.service.govdelivery.com (HELO hypermail106.service.govdelivery.com) (209.46.19.106)
>   by YourMailServerDomain.com (qpsmtpd/0.40) with ESMTP; Fri, 11 Apr 2008 10:41:45 -0500


If the first Received: from is not one of your users, somebody is spoofing your domain to send mail, and unless one of your machines is infected and doing it, you will not be able to stop them. Following is the Received header line sent from an internal machine to my server:

>Received: from pc-00217.MY_Domain.com (HELO Client_Machine's_Host_Name) (192.168.123.217)
>    by My_Domain.com (qpsmtpd/0.40) with SMTP; Fri, 25 Jan 2008 08:02:07 -0600

If you wish to post header information, be careful about what you leave in, or the problem could get worse instead of better...
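The header check described in the reply above, as an added example that is not part of the original post: it finds the Received line stamped by your own server and reports whether the connecting IP was on the LAN. The server name `example.org`, the local network `192.168.123.0/24` and both sample messages are constructed assumptions.

```python
import email
import ipaddress
import re

# qpsmtpd-style line as quoted in the thread:
#   from <rdns> (HELO <helo>) (<client ip>) by <server> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]*)\)\s+"
    r"\((?P<ip>[0-9A-Fa-f.:]+)\)\s+by\s+(?P<by>\S+)"
)

# Constructed samples. The second Received line in SPOOFED is the kind of
# line a sender can forge to make a message look locally submitted.
SPOOFED = """\
Received: from mail.example.net (HELO mail.example.net) (203.0.113.25)
   by example.org (qpsmtpd/0.40) with ESMTP; Fri, 11 Apr 2008 10:41:45 -0500
Received: from pc-00001.example.org (HELO pc) (192.168.123.5)
   by mail.example.net with SMTP; Fri, 11 Apr 2008 10:41:40 -0500
From: nobody@example.org
Subject: constructed sample
"""

INTERNAL = """\
Received: from pc-00217.example.org (HELO pc-00217) (192.168.123.217)
    by example.org (qpsmtpd/0.40) with SMTP; Fri, 25 Jan 2008 08:02:07 -0600
From: user@example.org
Subject: constructed sample
"""

def classify_handoff(raw_message, my_server, local_nets):
    """Return (verdict, client_ip) for the hop recorded by my_server."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    msg = email.message_from_string(raw_message)
    # Headers are prepended, so the newest hop comes first. Only the line
    # written by your own server is trusted; older lines are sender-supplied.
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if not m or m.group("by").lower() != my_server.lower():
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address, keep looking
        return ("internal" if any(ip in n for n in nets) else "external", str(ip))
    return "unknown", None

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("INTERNAL", INTERNAL)):
        print(name, classify_handoff(raw, "example.org", ["192.168.123.0/24"]))
```

An "internal" verdict points at a LAN machine to scan; an "external" verdict means the message only carries your domain in its sender address.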




phalon
« Reply #2 on: April 11, 2008, 10:10:26 PM »
Thank you very much for the hints. I'll start downloading SME 7.3 and then investigating the source of the problem.

raem
« Reply #3 on: April 11, 2008, 10:27:57 PM »
phalon

SME Server rejects messages for invalid users, so those messages are getting in by some other devious method, probably just a disguised email address.

Have you enabled RBL & SBL lists? See the Email FAQ.
Have you enabled incoming virus scanning of messages? See the server manager email panel.
Have you enabled spam filtering & rejection? See the server manager email panel.
Have you enabled executable content pattern matching rejection? See the server manager email panel.

Have you scanned all your local workstations for viruses?
Use iptraf to monitor the source of traffic, and look in the qpsmtpd & qmail logs to see where those messages are coming from.
...

phalon
« Reply #4 on: April 11, 2008, 10:41:18 PM »
RayMitchell

I've configured all the virus and spam scanning that comes with SME 7.2, and also disabled any entrance to the server from external networks. And every PC on my network has the NOD32 antivirus up to date. It could be that these mails come in disguised with my domain name. But right now I'm checking the emails.

Thank you for your hints.

raem
« Reply #5 on: April 11, 2008, 11:03:38 PM »
phalon

What about RBL & SBL lists, which are not options in server manager and are not enabled by default?
Enabling those by command line will reject a lot of messages from problematic sources, which will most probably include those you are mentioning.

> Have you enabled RBL & SBL lists? See the Email FAQ.
...

phalon
« Reply #6 on: April 11, 2008, 11:33:51 PM »
Hi, I never configured the RBL & SBL lists. Right now I'm investigating it too.

raem
« Reply #7 on: April 11, 2008, 11:51:53 PM »
phalon

> I never configured the RBL & SBL lists.

Then you are missing out on one of the most effective features of the SME mail server, i.e. at reducing unwanted mail.


http://wiki.contribs.org/SME_Server:Documentation:FAQ#Real-time_Blackhole_List_.28RBL.29

http://wiki.contribs.org/Updating_to_SME_7.2#RHSBL_Servers

http://wiki.contribs.org/Updating_to_SME_7.2#DNSBL_Servers

Be conservative initially, i.e. follow the first link above.

This may also be useful for adding whitelist entries.

http://wiki.contribs.org/SME_Server:Documentation:FAQ#Email_WBL_server_manager_panel
...