Koozali.org: home of the SME Server

Urgent PLEASE

georgios
Urgent PLEASE
« on: December 15, 2015, 12:30:11 PM »
My provider notified me that my server is being used for spam: a lot of emails are being sent from my SMTP. Where can I find the source IP, please, and from which account the mail is being sent?

SMTP authentication is set. Many thanks,

Thank you

brianr
Re: Urgent PLEASE
« Reply #1 on: December 15, 2015, 12:34:59 PM »
Almost certainly it will be one of the PCs on your network and not your server.

Examine each one in turn to make sure that it is not compromised. Disconnect each one and observe the traffic on the system (perhaps your router/switch has lights that flash?).

Others will have extra suggestions...
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

georgios
Re: Urgent PLEASE
« Reply #2 on: December 15, 2015, 12:36:35 PM »
Hi,

I have 50 PCs; I will check the log on the firewall.

Currently with: qmHandle -l

Total messages: 1408
Messages with local recipients: 0
Messages with remote recipients: 1408
Messages with bounces: 25
Messages in preprocess: 0

Where can I see, please, where the messages are being sent from ("THE IP")?

Many thanks
« Last Edit: December 15, 2015, 12:40:04 PM by georgios »

georgios
Re: Urgent PLEASE
« Reply #3 on: December 15, 2015, 12:44:07 PM »
Is it possible to find which user/SME account is sending the mail?

Thank you,

ReetP
Re: Urgent PLEASE
« Reply #4 on: December 15, 2015, 12:56:40 PM »
Please don't use 'Urgent' as your subject line as it is meaningless.

Better to use something like 'Detect local user sending Spam'

It may be urgent to you, but please remember that everyone here is a volunteer and does not get paid. If you want 'Urgent' assistance then you need to find someone and pay them to help you.... :-)

I suggest you look here for starters:

tail /var/log/sqpsmtpd/current | tai64nlocal
cat /var/log/sqpsmtpd/current | tai64nlocal

That might give you an indication of where the mails are coming from. You should probably disconnect your server until you can isolate the issue.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Daniel B.
Re: Urgent PLEASE
« Reply #5 on: December 15, 2015, 12:58:58 PM »
Check qpsmtpd and sqpsmtpd logs (grep for the "logterse" keyword to have a better overview). Another possibility is a vulnerable webapp which could inject emails directly into qmail, bypassing qpsmtpd. Open one of the spam messages in /var/qmail/queue/mess/0 (for example) with less, and show the headers of the email, which will contain info to track the origin.
It's the end of the world!!! :lol:
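An added example, not code from this thread or from SME Server, covering the two checks suggested in Reply #4 (tai64nlocal on the sqpsmtpd log) and Reply #5 (grep for logterse): it decodes TAI64N timestamps the way tai64nlocal does and reports messages queued from outside the LAN on sessions that never logged an authentication success, which is the open-relay symptom Daniel describes. The log line layout, the wording of the auth success line, the plugin names and the sample lines are assumptions I constructed, so adjust the parsing to your own log before relying on it.

```python
import ipaddress
import re
from datetime import datetime, timezone

# daemontools' tai64nlocal subtracts 2^62 plus the 10 s TAI-UTC offset of 1972 (later leap seconds ignored, as it does)
TAI64_OFFSET = (1 << 62) + 10

def tai64n_to_datetime(stamp):
    """Decode an '@' + 24-hex-digit TAI64N label (the prefix on every qpsmtpd log line) to UTC."""
    secs = int(stamp[1:17], 16) - TAI64_OFFSET
    nanos = int(stamp[17:25], 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)

LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(r"^(@[0-9a-f]{24}) (\d+) (.*)$")  # <tai64n> <pid> <message>

def find_unauthenticated_relays(log_text):
    """Map remote IP -> [(UTC time, sender)] for messages queued from outside the LAN on a
    session that never logged an authentication success (an open-relay symptom)."""
    authed, hits = set(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        if "Authentication succeeded" in msg:  # assumed wording of the auth plugin's success line
            authed.add(pid)
            continue
        if "logterse" not in msg:
            continue
        # assumed logterse layout after the backtick: \tIP\tHOST\tHELO\tFROM\tTO\tPLUGIN\tACTION\tNOTE
        fields = msg.split("`", 1)[1].split("\t")
        if len(fields) < 8:
            continue
        ip, sender, action = fields[1], fields[4], fields[7]
        if action != "queued" or pid in authed:
            continue
        if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
            continue
        hits.setdefault(ip, []).append((tai64n_to_datetime(stamp).isoformat(), sender))
    return hits

# Constructed sample in the shape of /var/log/qpsmtpd/current (documentation IPs, invented pids): an outside
# host relays with no auth, a roaming user authenticates first, a LAN PC sends, a blacklisted host is denied.
SAMPLE_LOG = """\
@40000000567007dd00bc614e 4711 logging::logterse plugin (logterse): `\t203.0.113.7\tunknown\tmail.example.tw\tbob@yahoo.com.tw\tvictim@example.org\tqueue::qmail_queue\tqueued\t
@40000000567007de00000000 4712 auth::auth_cvm_unix_local plugin (auth_cvm_unix_local): Authentication succeeded for alice
@40000000567007df00000000 4712 logging::logterse plugin (logterse): `\t198.51.100.9\tlaptop.example\tlaptop\talice@example.org\tfriend@example.net\tqueue::qmail_queue\tqueued\t
@40000000567007e000000000 4713 logging::logterse plugin (logterse): `\t192.168.1.20\tpc20.lan\tpc20\tcarol@example.org\tpal@example.net\tqueue::qmail_queue\tqueued\t
@40000000567007e100000000 4714 logging::logterse plugin (logterse): `\t198.51.100.50\tunknown\t[198.51.100.50]\tspam@wysina.com.tw\tx@example.org\tdnsbl\tdeny\tblacklisted
"""
```

Run `find_unauthenticated_relays(open("/var/log/qpsmtpd/current").read())` on a real log to get the per-IP list; on the sample only 203.0.113.7 is reported.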

georgios
Re: Urgent PLEASE
« Reply #6 on: December 15, 2015, 01:10:16 PM »
Please don't use 'Urgent' as your subject line as it is meaningless.

Better to use something like 'Detect local user sending Spam'

It may be urgent to you, but please remember that everyone here is a volunteer and does not get paid. If you want 'Urgent' assistance then you need to find someone and pay them to help you.... :-)

I suggest you look here for starters :

tail /var/log/sqpsmtpd/current |tai64nlocal
cat /var/log/sqpsmtpd/current |tai64nlocal

That might give you an indication of where the mails are coming from. You should probably disconnect your server until you can isolate the issue.

B. Rgds
John

OK, really sorry, dear, I understand you.

The thing is that with both command lines, I don't find the mail "@yahoo.com.tw" or "@wysina.com.tw" that I see in the server-manager journal logs.

I would like to see which "client/SMTP user" is sending this email, if possible.

georgios
Re: Urgent PLEASE
« Reply #7 on: December 15, 2015, 01:14:20 PM »
ok really sorry Dear, I understand you.

things is that on the both commands lines, I dont find the mail "@yahoo.com.tw" or "@wysina.com.tw" that I see on the server-manager journal logs.

I would like to see which "client/smtp user" is sending this email if possible.

Many thanks, Daniel.

Will check it right now. I will keep you informed of the whole process I did.

georgios
Re: Urgent PLEASE
« Reply #8 on: December 15, 2015, 01:29:54 PM »
Check qpsmtpd and sqpsmtpd logs (grep for the "logterse" keyword to have a better overview). Another possibility is a vulnerable webapps which could inject emails directly in qmail, bypassing qpsmtpd. Open one of the spam in /var/qmail/queue/mess/0 (for example) with less, and show the headers of the email, which will contains info to track the origine.

Regarding these logs (I didn't know), I find all the messages that my server wants to send. I attach one of them in a txt file.
This email is trying to be sent from my SME 9.1 server but from another IP, not my "internet/provider" IP.
I just replaced the IP of my SMTP/mail server with the text "MY_IP_MAIL_SERVER".

That means another computer from another "IP" has access to the SMTP authentication?



Daniel B.
Re: Urgent PLEASE
« Reply #9 on: December 15, 2015, 01:35:19 PM »
We can see no trace of authentication, and as yahoo.com.tw is most likely not managed locally, it looks like your server is an open relay. Have you modified anything? Please open a bug on bugzilla for further analysis.

georgios
Re: Urgent PLEASE
« Reply #10 on: December 15, 2015, 01:38:08 PM »
No, I updated to 9.1 4/5 days ago.

Each time I reload my IPTables.

My authentication for my SMTP is set.

georgios
Re: Urgent PLEASE
« Reply #11 on: December 15, 2015, 01:56:32 PM »
Is there something to check whether the SMTP is set with authentication?



qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=psbl.surriel.com:zen.spamhaus.org:bl.spamcop.net
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled

Is it the problem?

brianr
Re: Urgent PLEASE
« Reply #12 on: December 15, 2015, 02:07:06 PM »
Each time I reaload my IPTables.

This bit scares me - are you overwriting the standard IPTables?

Daniel B.
Re: Urgent PLEASE
« Reply #13 on: December 15, 2015, 02:09:17 PM »
Please open a bug on bugzilla for further analysis

georgios
Re: Urgent PLEASE
« Reply #14 on: December 15, 2015, 02:11:23 PM »
This bit scares me - are you overwriting the standard IPTables?

Yes ... :( :) :( :) :(   :sad: :sad: :sad: :sad: :sad:

I am using IPTABLES to avoid spam by "DROPPING certain IPs" or ranges.

Then when I reboot the server, each time I reload the last IP TABLES....

Probably because I "UPDATED" to 9.1, I had my IP tables from my previous version, which I reload or "restore" with the command line iptables-restore < FILENAME (at each reboot).

Is it bad?

What should I do to clean the configuration?

Many thanks,

guest22

Re: Urgent PLEASE
« Reply #15 on: December 15, 2015, 02:46:08 PM »
Clearly you are not following the SME Server administration guidelines.

In this thread, you also show that you are manually changing IPTables, which is a bad thing. All changes must be done through custom templates or an especially designed contrib.

http://forums.contribs.org/index.php/topic,52133.msg266878.html#msg266878

Please read the administration manual carefully.

ReetP
Re: Urgent PLEASE
« Reply #16 on: December 15, 2015, 02:54:24 PM »
Don't modify iptables manually - it is created by templates.

Read this:

http://wiki.contribs.org/DB_Variables_Configuration#Additional_information_on_customizing_iptables

You can also do something like this to completely block specific IPs or ranges.

Make a template like this:

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff

Add this:

/sbin/iptables -A INPUT -s 1.2.3.4/32 -j DROP

signal-event remoteaccess-update


georgios
Re: Urgent PLEASE
« Reply #17 on: December 15, 2015, 02:55:35 PM »
Clearly you are not following the SME Server administration guidelines.


In this thread, you also show that you are manually changing IPTables, which is a bad thing. All changes must be done through custom templates or a especially designed contrib.


http://forums.contribs.org/index.php/topic,52133.msg266878.html#msg266878


Please read the administration manually carefully.



Look, I moved to SME 9 this summer; before, we had a configuration with SME Server 7. My previous colleague told me to import and save/restore the IPTABLES at each reboot.

This is a subject I posted in the last few days because I did not know the "geoip" contrib.

After doing a restart / post-upgrade (signal-event post-upgrade; signal-event reboot) I see that my "IPTABLES" is now clean.

guest22

Re: Urgent PLEASE
« Reply #18 on: December 15, 2015, 02:57:54 PM »
Look, I move to the SME 9 this summer before we had a configuration with SME Server 7. my Previous colleague told me to import and save/restore each time at the same reboot the IPTABLES.


That was bad advice.

ReetP
Re: Urgent PLEASE
« Reply #19 on: December 15, 2015, 02:59:51 PM »
Look, I move to the SME 9 this summer before we had a configuration with SME Server 7. my Previous colleague told me to import and save/restore each time at the same reboot the IPTABLES.

Your 'colleague' obviously did not read the manual :-)

Save yourself a lot of time and trouble: read the manual and the other wiki pages. There is a lot of useful information there that will help you.

georgios
Re: Urgent PLEASE
« Reply #20 on: December 15, 2015, 03:05:35 PM »

That was bad advice.

So, if I check the problem:

1) Summer 2015, I installed the new SME Server 9.0 version with SMTP authentication:
   a) inserting the IPTABLES RULES of the old SME 7 mail server
   b) reinstalling parameters with db config and some new modules like SOGo
   c) using the SSL typical of SME 9.0
   d) doing updates last month
   e) each time reloading the last IPTABLES file

2) 5 days ago: updating my server from "server manager"
   a) I noticed that my server moved to 9.1
   b) my SSL certificate was also updated with the update to 9.1
   c) reloading, after the post-upgrade configuration, the last IPTABLES file from SME 9.0
   d) Today: a lot of spam is being sent from my SMTP (SME mail server); my provider (OVH) blocked my port 25 to stop the "big traffic"
   e) all the headers show the mail is not sent from a PC in my office... but from Taiwan IPs, etc.
   f) my SMTP requires authentication (always)

Checking why my SMTP is sending SPAM without authentication:
10 minutes ago, I did a post-upgrade "reboot"; my IPTABLES are now clean...

guest22

Re: Urgent PLEASE
« Reply #21 on: December 15, 2015, 03:38:43 PM »
So you have 2 problems:

1. Something on your network is producing spam, and you are trying to cover the symptoms by manually editing IPTables, but the root cause needs to be found.
2. You are not very familiar with SME Server and especially the templating system.

Put 1 and 2 together and you are where you are now.

I advise you to start with 1, for that is affecting your users the most.

georgios
Re: Urgent PLEASE
« Reply #22 on: December 15, 2015, 03:47:31 PM »
So you have 2 problems:


1. Something on your network is producing spam, and you are trying to cover the symptoms with manually editing IPTables, but the root cause needs to be found.
2. You are not very familiar with SME Server and especially the templating system


Put 1 and 2 together and you are where you are now.


I advise you to start with 1 for that is effecting your users the most.

Hi, I finally understand where the problem should come from.

I understand the "configuration" of SME, but I did a very wrong thing with the IPTABLES by "listening to" someone else.

I will describe the problem in a few minutes.

Many thanks for the help

georgios
Re: Urgent PLEASE
« Reply #23 on: December 15, 2015, 06:18:44 PM »
Dear Helper,

Dear all,

First of all, I apologize for my misunderstanding.

Secondly, I understand the issue with restoring an IPTABLES file: all the previous service names changed during the update from 9 to 9.1.

Therefore reloading the entire "IPTABLES" config was very, very bad!

I used http://wiki.contribs.org/Qmhandle_mail_queue_manager to clean all the SPAM present in /var/qmail/queue/mess/.

For info: all the spam emails found in the "queue" were from "IPs" outside my network, with no authentication.

The good thing is that my provider stopped my port "25" during these hours.
Also, I disconnected my "Ethernet" port from the Ethernet cable.

As I can probably deduce, my config was not filtering on SMTP authentication because all the IPTABLES were wrong.

So I did a post-upgrade and rebooted my server: my IPTABLES are clean now.

Then I use only the geoip module from Contribs.

Do you think I am right about what the problem is?

Many thanks

Geo.
« Last Edit: December 15, 2015, 06:20:33 PM by georgios »

DanB35
Re: Urgent PLEASE
« Reply #24 on: December 15, 2015, 06:24:03 PM »
Sounds like you're on the right track. Once your ISP turns port 25 back on for you, use a tool like http://mxtoolbox.com/diagnostic.aspx to check that your server is behaving properly and isn't an open relay any more.
......

georgios
Re: Urgent PLEASE
« Reply #25 on: December 16, 2015, 04:43:24 PM »
Sounds like you're on the right track.  Once your ISP turns port 25 back on for you, use a tool like http://mxtoolbox.com/diagnostic.aspx to check that your server is behaving properly and isn't an open relay any more.

FYI,
yesterday evening I unblocked port 25 with my Internet provider (hosting OVH).

The good thing is that the French provider OVH is also doing anti-spam filtering on my local internet connection through my dedicated server.

The problem was the IPTABLES reloading, because all the "service names" in the IP TABLES INPUT were totally "FALSE" after updating my server to version 9.1.

Also, as you guys told me, I was given bad advice by my previous colleague, with the very bad idea of using IPTABLES manually. It was bad advice, for sure!

I will read the contribs regarding the IPTABLES firewall, as RequestedDeletion and ReetP wrote to me.

So finally, through this big issue, I understand that it is bad to change IPTABLES and other parameters manually.

Many thanks to all of you, Daniel B., brianr, ReetP, RequestedDeletion, DanB35

My server is OK, not an open relay....

Stefano
Re: Urgent PLEASE
« Reply #26 on: December 16, 2015, 05:08:13 PM »
You are welcome, as usual. Take some time to learn how SME works and it will be the best investment for the future :-)