Koozali.org: home of the SME Server

Backscatter causing server slowdown?

guest14620

Backscatter causing server slowdown?
« on: June 11, 2008, 01:33:06 AM »
Hi all, I recently set up a virtual machine running SME Server that is replacing our old Windows NT mail server. Essentially it's only running for my Dad's home business, and only has 3 mailboxes. I believe I've set it up as securely as I can (through the web interface) and the spam filtering was working fantastically; however, a couple of weeks after setting it up, we are now receiving a lot of automated replies saying our emails can't be delivered (emails that we didn't even send). I originally thought that it could've been someone spoofing our domain and having the bounce-back come to us, but I also noticed that the mail server runs super slow when exposed to the internet (when I close the ports and reboot it, it's fine), which leads me to believe that it's getting backed up with loads of spam to redirect. The server specs are very decent, and I've allocated about 256 MB RAM to the virtual machine, which should be plenty. I'm not really experienced with Linux, but I am learning, and I do have a bit of experience administering our old mail server.

Is it possible that somehow our SME Server is being used as an open relay by spammers?  I would've thought such options would be disabled by default.  Additionally, how would I go about further securing our server (going above and beyond the web interface)?

Our server is running behind a firewall, with only the SMTP port (25) and POP3 port (110) forwarded to the SME server.

pfloor

Re: Unauthorised SMTP Relaying Spam?
« Reply #1 on: June 11, 2008, 02:06:29 AM »
> and I've allocated about 256 MB RAM to the virtual machine, which should be plenty

First of all, this is barely enough memory and only meets the "minimum requirements" for a file/print/gateway server and will most likely not work well when you start using the email/spam features.  Recommended is at least 512MB when you fire up the mail server and I wouldn't run anything less than 1 Gig myself. See: http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter4#4.1._Minimum_Hardware_Requirements

> Is it possible that somehow our SME Server is being used as an open relay by spammers?

If the server is set up stock then it is highly unlikely.  I would first look at the clients connected to the network before suspecting SME.

guest14620

Re: Unauthorised SMTP Relaying Spam?
« Reply #2 on: June 11, 2008, 03:57:26 AM »
Oh really? You might be surprised to note that the server admin where I work has actually been running an SME Server (7.0) virtual machine with 64 MB RAM allocated, doing only mail tasks, for the past year and a bit, and has never had problems. Anyway, I upped the memory to about 512 MB and have noticed a performance hit.

However, I noticed when I do a "ps aux | less" that there are a number of instances of the qpsmtpd-forkserver process running with remote hosts that I don't know; could this be causing the problem? (I'm unfamiliar with what qpsmtpd-forkserver does, so feel free to enlighten me if I'm way off.)

CharlieBrady

Re: Unauthorised SMTP Relaying Spam?
« Reply #3 on: June 11, 2008, 04:44:06 AM »
> I'm unfamiliar with what qpsmtpd-forkserver does ...

Google knows.

guest14620

Re: Unauthorised SMTP Relaying Spam?
« Reply #4 on: June 11, 2008, 04:46:32 AM »
> Google knows.

Thanks for that helpful tidbit.  Maybe I should just go back to using Exchange.

thomasch

Re: Unauthorised SMTP Relaying Spam?
« Reply #5 on: June 11, 2008, 05:08:17 AM »
butters1337,

1. I would suggest you double-check your email settings, particularly Domains and email settings.

2. Use the address of your Internet provider's mail server (SMTP server) instead and see if that helps.

3. Installing this contrib can help you troubleshoot your SME Server email system:

http://wiki.contribs.org/Qmhandle_mail_queue_manager

4. Also, check the log files; maybe you will see something suspicious.

thomas


guest14620

Re: Unauthorised SMTP Relaying Spam?
« Reply #6 on: June 11, 2008, 05:17:23 AM »
Thank you thomas. I'll check out that contrib and see if I can shed any more light as to what's going on. I've also noticed that all the spam emails have been returning to one specific address, so I've tried locking the account to see if it has any effect on whether spam is still sent.

purvis

Re: Unauthorised SMTP Relaying Spam?
« Reply #7 on: June 11, 2008, 06:39:04 AM »
Are you using the same WAN (Internet) IP address as the Exchange email server was on?

guest14620

Re: Unauthorised SMTP Relaying Spam?
« Reply #8 on: June 11, 2008, 06:41:47 AM »
Yes, we only have the single static IP for our home office.

cactus

Re: Unauthorised SMTP Relaying Spam?
« Reply #9 on: June 11, 2008, 07:45:26 AM »
> Yes, we only have the single static IP for our home office.

Then you have most likely been hit by a hacker, as I do not see any notice of a firewall. Running the setup I guess you are using is a very unsafe one; please install a firewall between your LAN and your WAN.

guest14620

Re: Unauthorised SMTP Relaying Spam?
« Reply #10 on: June 11, 2008, 08:06:56 AM »
I don't understand; there is a firewall on our D-Link router, and I only have a select few ports open for our mail and web servers. GRC.com's ShieldsUP! test only identified several open ports; the rest it detected as stealthed. Disabling the user account that is sending the spam that is getting bounced back did not prove effective at all. What if this is just standard spoofing? How can I protect against that? Does SME have any tools or contribs to combat this (e.g. using the new SPF method)?
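
The SPF method the post above asks about, as an added example that is not part of this thread or of SME Server: a small RFC 7208 evaluator run over static records standing in for DNS TXT lookups. The domain mysite.com, the single IP 198.51.100.10, the ISP smarthost isp.example and the forging host 203.0.113.77 are all assumed values. It shows what the record for a one-IP site looks like and why a receiving server that enforces SPF produces no bounce for a forgery: the forged message is refused at MAIL FROM and never accepted in the first place.

```python
"""Minimal SPF (RFC 7208) evaluator over static records, no DNS.

Added example, not part of this thread or of SME Server. ip4/ip6 (with
CIDR), include, redirect= and all are handled; a, mx, ptr and exists need
live DNS and are reported as temperror here.
"""
from __future__ import annotations

import ipaddress

# Constructed records standing in for DNS TXT lookups (assumed data).
# mysite.com is the poster's domain with its single static IP; isp.example
# is an assumed ISP smarthost, authorised via include.
RECORDS = {
    "mysite.com": "v=spf1 ip4:198.51.100.10 include:isp.example -all",
    "isp.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, records=RECORDS, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/temperror/permerror."""
    if depth > 10:                       # include/redirect loop guard
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in terms[1:]:
        if "=" in term:                  # modifier, e.g. redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            inner = check_spf(arg, client_ip, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"
            if inner == "temperror":
                return "temperror"
            # fail/softfail/neutral inside an include: no match, keep going
        elif name in ("a", "mx", "ptr", "exists"):
            return "temperror"           # needs DNS; not implemented here
        else:
            return "permerror"           # unknown mechanism
    if redirect:
        return check_spf(redirect, client_ip, records, depth + 1)
    return "neutral"


def mta_decision(mail_from: str, client_ip: str) -> tuple[str, str]:
    """What a receiving MTA that enforces SPF answers at MAIL FROM.

    Returns (spf_result, smtp_reply). Only a hard 'fail' is refused; a
    refused message is never accepted, so there is nothing for the remote
    side to bounce back to the forged sender later.
    """
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(domain, client_ip)
    if result == "fail":
        return result, f"550 5.7.1 SPF: {client_ip} is not authorised to send mail from {domain}"
    return result, "250 2.1.0 Sender ok"


if __name__ == "__main__":
    # A forged message claiming sales@mysite.com from an unrelated host
    print(mta_decision("sales@mysite.com", "203.0.113.77"))
    # The real server (assumed public IP) and the ISP smarthost
    print(mta_decision("sales@mysite.com", "198.51.100.10"))
    print(mta_decision("sales@mysite.com", "192.0.2.5"))
```

Two caveats a practitioner would want: publishing SPF only reduces backscatter from receivers that actually check it and refuse at SMTP time, so bounces from accept-then-bounce servers still arrive; and a `-all` record must list every legitimate sending path, which matters if mail is routed through the ISP's SMTP server as suggested earlier in the thread.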

purvis

Re: Unauthorised SMTP Relaying Spam?
« Reply #11 on: June 14, 2008, 09:59:06 PM »
So butters, I am not an email expert at all, but I am learning the ropes.
Questions:
1. Is your server sending the original spam?
2. Is your server just receiving a bounce email?
3. What do your From and Subject lines have, using webmail?
4. How many emails are being bounced a day?

I made one bounce from an account set up for testing.
The bounce email has this:

My From has the line: MAILER-DAEMON@mysite.com
My Subject has: failure notice

CharlieBrady

Re: Unauthorised SMTP Relaying Spam?
« Reply #12 on: June 15, 2008, 01:52:54 AM »
> Then you have most likely been hit by a hacker as I do not see any notice of a firewall...

A firewall won't protect against hackers, unless there are open services. But anyway, the original report says the system is behind a firewall, and only ports 25 and 110 are accessible.

The original report also complains about bounce messages for messages which weren't sent from his server. That just indicates that a spammer is using his addresses on forged spam messages. They don't indicate unauthorised relaying, and there's nothing he can do about those.

If he were to report details of one of those bounce messages here, someone could interpret them for him, I'm sure.

purvis

Re: Unauthorised SMTP Relaying Spam?
« Reply #13 on: June 15, 2008, 03:01:37 AM »
I wrote a program that runs in Windows; it is a console program that will POP an email account and delete unwanted messages.
As I said, I am just learning email and started programming for it.
I figured most bounced emails were sent back to the email server from which they came, unless you can spoof a WAN IP address.
Then, in that case, I can understand how that could be.
Does the name on the account have a common name for emails, like jwlliams@mysite.com?

PS.
If somebody had a program written in Windows for the good of the whole, is there a way to upload it?

CharlieBrady

Re: Unauthorised SMTP Relaying Spam?
« Reply #14 on: June 15, 2008, 05:15:42 AM »
> I figured most bounced emails were sent back to the email server from which they came...

You figured wrong. Bounce messages are sent back to the claimed sender of the message, not the server from which the message came. Since the sender address is forged on nearly all spam, that will be a different server than the one which produced it. In fact most spam is sent from 'servers' which don't receive email (i.e. from botnet zombies).

You'll probably help more people, or at least confuse fewer people, if you just post what you know, and not what you guess.