Koozali.org: home of the SME Server

Urgent PLEASE

Offline georgios

Urgent PLEASE
« on: December 15, 2015, 12:30:11 PM »
My provider notified me that my server is being used to send spam; a lot of emails are being sent from my SMTP. Where can I find the source IP, please, and from which account the mail is being sent?


SMTP authentication is set, many thanks,


thank you

Offline brianr

Re: Urgent PLEASE
« Reply #1 on: December 15, 2015, 12:34:59 PM »
Almost certainly it will be one of the PCs on your network and not your server.

Examine each one in turn to make sure that it is not compromised. Disconnect each one and observe the traffic on the system (perhaps your router/switch has lights that flash?).

Others will have extra suggestions...
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline georgios

Re: Urgent PLEASE
« Reply #2 on: December 15, 2015, 12:36:35 PM »
Hi,

I have 50 PCs, I will check the log on the firewall.

Currently with : qmHandle -l

Total messages: 1408
Messages with local recipients: 0
Messages with remote recipients: 1408
Messages with bounces: 25
Messages in preprocess: 0

Where can I see, please, where the messages are being sent from ("THE IP")?

many thank you
« Last Edit: December 15, 2015, 12:40:04 PM by georgios »

Offline georgios

Re: Urgent PLEASE
« Reply #3 on: December 15, 2015, 12:44:07 PM »
Is it possible to find from which user/SME account the mail is being sent?

thank you,

Offline ReetP

Re: Urgent PLEASE
« Reply #4 on: December 15, 2015, 12:56:40 PM »
Please don't use 'Urgent' as your subject line as it is meaningless.

Better to use something like 'Detect local user sending Spam'

It may be urgent to you, but please remember that everyone here is a volunteer and does not get paid. If you want 'Urgent' assistance then you need to find someone and pay them to help you.... :-)

I suggest you look here for starters :

tail /var/log/sqpsmtpd/current |tai64nlocal
cat /var/log/sqpsmtpd/current |tai64nlocal

That might give you an indication of where the mails are coming from. You should probably disconnect your server until you can isolate the issue.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Daniel B.

  • Firewall Services, network security
Re: Urgent PLEASE
« Reply #5 on: December 15, 2015, 12:58:58 PM »
Check the qpsmtpd and sqpsmtpd logs (grep for the "logterse" keyword to have a better overview). Another possibility is a vulnerable webapp which could inject emails directly into qmail, bypassing qpsmtpd. Open one of the spams in /var/qmail/queue/mess/0 (for example) with less and show the headers of the email, which will contain info to track the origin.
It's the end of the world !!! :lol:

Offline georgios

Re: Urgent PLEASE
« Reply #6 on: December 15, 2015, 01:10:16 PM »
Quote from: ReetP
Please don't use 'Urgent' as your subject line as it is meaningless.

Better to use something like 'Detect local user sending Spam'

It may be urgent to you, but please remember that everyone here is a volunteer and does not get paid. If you want 'Urgent' assistance then you need to find someone and pay them to help you.... :-)

I suggest you look here for starters :

tail /var/log/sqpsmtpd/current |tai64nlocal
cat /var/log/sqpsmtpd/current |tai64nlocal

That might give you an indication of where the mails are coming from. You should probably disconnect your server until you can isolate the issue.

B. Rgds
John

OK, really sorry, dear, I understand you.

The thing is that with both command lines, I don't find the mail "@yahoo.com.tw" or "@wysina.com.tw" that I see in the server-manager journal logs.

I would like to see which "client/smtp user" is sending this email if possible.

Offline georgios

Re: Urgent PLEASE
« Reply #7 on: December 15, 2015, 01:14:20 PM »
Many thanks Daniel.

Will check it right now. I will keep you informed of the whole process I did.

Offline georgios

Re: Urgent PLEASE
« Reply #8 on: December 15, 2015, 01:29:54 PM »
Quote from: Daniel B.
Check the qpsmtpd and sqpsmtpd logs (grep for the "logterse" keyword to have a better overview). Another possibility is a vulnerable webapp which could inject emails directly into qmail, bypassing qpsmtpd. Open one of the spams in /var/qmail/queue/mess/0 (for example) with less and show the headers of the email, which will contain info to track the origin.

Regarding these logs (I didn't know about them), I find all the messages that my server wants to send. I attach one of them in a txt file.
This email is trying to be sent from my SME 9.1 server but from another IP, not my "internet/provider" IP.
I just deleted the IP of my SMTP/MAIL server and replaced it with the text "MY_IP_MAIL_SERVER".

That means another computer from another "IP" has access to the SMTP authentication?



Offline Daniel B.

  • Firewall Services, network security
Re: Urgent PLEASE
« Reply #9 on: December 15, 2015, 01:35:19 PM »
We can see no trace of authentication, and as yahoo.com.tw is most likely not managed locally, it looks like your server is an open relay. Have you modified anything? Please open a bug on bugzilla for further analysis.
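The header check Daniel B. describes (open a queued message under /var/qmail/queue/mess and read its headers) and the "no trace of authentication" diagnosis above can be turned into a quick triage script. The following is an added example, not code from this thread or from SME Server. It assumes that qpsmtpd records an authenticated session in its own Received: header as "(smtp-auth username USER, mechanism MECH)" and puts the client IP in parentheses; the three sample messages it builds are constructed. Adjust the sed and grep patterns if your qpsmtpd version formats the header differently.

```shell
#!/bin/sh
# Added example (not from the thread or from SME Server): triage queued
# messages by their headers. For each file it reports the client IP from the
# topmost Received: header (the one qpsmtpd on this server added), the SMTP
# AUTH user recorded there (or NOAUTH), and the From: address.
# ASSUMPTION: qpsmtpd writes "(smtp-auth username USER, mechanism MECH)" into
# its Received: header for authenticated sessions. Sample data is constructed.

# Print "IP AUTHUSER FROM" for one queued message file.
triage_message() {
    f="$1"
    # Headers end at the first blank line.
    hdr=$(sed '/^$/q' "$f")
    # Topmost Received: header plus its folded continuation lines.
    recv=$(printf '%s\n' "$hdr" | awk '/^Received:/ {p=1; print; next} p && /^[ \t]/ {print; next} p {exit}')
    # The client IP is the first parenthesised dotted number, e.g. "(203.0.113.7)".
    ip=$(printf '%s\n' "$recv" | grep -o '([0-9][0-9.]*)' | head -n 1 | tr -d '()')
    user=$(printf '%s\n' "$recv" | sed -n 's/.*smtp-auth username \([^,]*\),.*/\1/p' | head -n 1)
    from=$(printf '%s\n' "$hdr" | sed -n 's/^From: *//p' | head -n 1)
    printf '%s %s %s\n' "${ip:-unknown}" "${user:-NOAUTH}" "${from:-?}"
}

# Count queued messages per "IP AUTHUSER" pair, busiest first. Many messages
# with NOAUTH from an outside IP is the open-relay pattern discussed above;
# many messages under one AUTH user points at a compromised account password.
triage_queue() {
    find "$1" -type f | while read -r f; do
        triage_message "$f" | awk '{print $1, $2}'
    done | sort | uniq -c | sort -rn
}

# Build three constructed messages in a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/1" <<'EOF'
Received: from unknown (HELO promo.example) (203.0.113.7)
  by sme.example.com (qpsmtpd/0.84) with ESMTP; Tue, 15 Dec 2015 12:00:00 +0100
From: <offers@yahoo.com.tw>
To: someone@example.org
Subject: constructed sample 1

body
EOF
    sed 's/sample 1/sample 2/' "$d/1" > "$d/2"
    cat > "$d/3" <<'EOF'
Received: from laptop.lan (HELO laptop) (smtp-auth username alice, mechanism LOGIN) (192.0.2.10)
  by sme.example.com (qpsmtpd/0.84) with ESMTPA; Tue, 15 Dec 2015 12:05:00 +0100
From: alice@example.com
To: bob@example.org
Subject: constructed sample 3

body
EOF
    printf '%s\n' "$d"
}

# Usage on the server (as root): sh triage.sh /var/qmail/queue/mess
if [ -n "${1:-}" ]; then
    triage_queue "$1"
fi
```

Run it against the real queue directory to get the per-IP/per-user tally; a sender such as "@yahoo.com.tw" showing up with NOAUTH and an IP that is not on your LAN is exactly the relay symptom this thread is about, while a hit against a real account name tells you which password to change.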

Offline georgios

Re: Urgent PLEASE
« Reply #10 on: December 15, 2015, 01:38:08 PM »
No, I updated to 9.1 4/5 days ago.

Each time I reload my IPTables.

My authentication for my SMTP is set.

Offline georgios

Re: Urgent PLEASE
« Reply #11 on: December 15, 2015, 01:56:32 PM »
Is there something to check whether SMTP is set with authentication?



qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=psbl.surriel.com:zen.spamhaus.org:bl.spamcop.net
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled

Is it the problem?

Offline brianr

Re: Urgent PLEASE
« Reply #12 on: December 15, 2015, 02:07:06 PM »
Quote from: georgios
Each time I reload my IPTables.

This bit scares me - are you overwriting the standard IPTables?

Offline Daniel B.

  • Firewall Services, network security
Re: Urgent PLEASE
« Reply #13 on: December 15, 2015, 02:09:17 PM »
Please open a bug on bugzilla for further analysis

Offline georgios

Re: Urgent PLEASE
« Reply #14 on: December 15, 2015, 02:11:23 PM »
Quote from: brianr
This bit scares me - are you overwriting the standard IPTables?

Yes ... :( :) :( :) :(   :sad: :sad: :sad: :sad: :sad:

I am using IPTABLES to not get spam by "DROPPING certain IPs" or ranges.

Then when I reboot the server, each time I reload the last IP TABLES....

Probably because I "UPDATED" to 9.1, I had my IP tables from my previous version that I reload or "restore" with the command line iptables-restore < FILENAME (at each reboot).

Is it bad?

What should I do to clean the configuration?

many thanks,