Koozali.org: home of the SME Server

Newbie and spam worries

Mark

Newbie and spam worries
« on: April 01, 2003, 08:31:08 PM »
Some weeks ago I set up SME 5.6. I am very pleased as I am very green with Linux and server admin, and the whole experience has been excellent.

In the past few days, the server began issuing Delivery Status Notifications of failed deliveries. The email bouncing uses a bogus "from" address, typically some goofy user name at my domain, and a large "to" list. It appears that only three of the target recipients are bouncing.

I am not familiar with this, so I have blocked all mail related ports until I understand what is happening. Perhaps someone can help with these questions:

Should I consider this server compromised?

Is there a concise resource I can read to acquaint myself with
a) mail spam techniques and how to prevent my domain from being abused
b) get a better handle on how SME is dealing with "open relay" and related issues

TIA,

 - Mark

Bill Talcott

Re: Newbie and spam worries
« Reply #1 on: April 01, 2003, 09:44:13 PM »
Some spammer probably just made up a random username at your domain. If they send out a bunch of spam with that fake return address, any bounces will try to go to the fake address. Most likely it's just someone using a fake name in your domain, and has absolutely nothing to do with your mail server.

Without modifications, your SME will only allow local clients (PCs on the LAN) to send mail. If someone is actually sending mail from your server, then you've made modifications improperly, or they actually "hacked" your server to get admin access and change the settings (highly unlikely).

Mark

Re: Newbie and spam worries
« Reply #2 on: April 03, 2003, 01:29:46 AM »
Thanks for the response, Bill. I have noticed that you post frequently and your advice is quite useful. Thanks, again.

Is there an RFC or org page that I review to better understand how to detect if my server is being misused?

I don't mean to sound paranoid, I just want to be certain I am not contributing to the spam problems we all suffer from.

Bill Talcott

Re: Newbie and spam worries
« Reply #3 on: April 04, 2003, 08:16:29 PM »
Mark wrote:
>
> Thanks for the response, Bill. I have noticed that you post
> frequently and your advice is quite useful. Thanks, again.
>
> Is there an RFC or org page that I review to better
> understand how to detect if my server is being misused?
>
> I don't mean to sound paranoid, I just want to be certain I
> am not contributing to the spam problems we all suffer from.

The best way is probably to check your log files. They'll tell you everything that's happening on your server. If you see strange IP addresses using your SMTP server, you should probably look into it.

Linux itself is pretty secure. SME tends to use the more secure programs as well (like qmail instead of sendmail). And the limitations built into the SME system prevent a lot of problems that other distros might have. Even if there's a problem with the firewall, many services are set to only accept connections from local IPs, and stuff like that.

About the only way to be assisting spammers is to create a Server-Only installation (designed to be placed behind a firewall on an already-secured LAN) and give it a public IP on the internet. So long as you install the Updates as they're released, you really shouldn't need to worry about too much. The most common security issue is probably weak passwords or the users themselves...
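An added defender-side log check (example code written for this thread, not part of the original posts or of SME Server): it scans per-message SMTP log lines and flags external source addresses that were allowed to relay to non-local recipient domains, which is what "strange IP addresses using your SMTP server" would look like when the server should only relay for LAN clients. The log line format, the LAN range and the hosted domain are assumptions; the sample lines are constructed, not real qmail output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (assumed format, not real qmail/tcpserver output):
# one line per recipient with source IP, envelope sender and recipient.
SAMPLE_LOG = """\
2003-04-01 19:02:11 accepted from=192.168.1.20 sender=mark@example.org rcpt=friend@example.net
2003-04-01 19:05:43 accepted from=198.51.100.7 sender=goofy123@example.org rcpt=victim@example.com
2003-04-01 19:05:44 accepted from=198.51.100.7 sender=goofy123@example.org rcpt=other@example.net
2003-04-01 19:06:02 accepted from=203.0.113.9 sender=someone@example.com rcpt=mark@example.org
2003-04-01 19:07:15 rejected from=198.51.100.8 sender=x@example.org rcpt=y@example.net
"""

LINE_RE = re.compile(
    r"(?P<status>accepted|rejected) from=(?P<ip>\S+) "
    r"sender=(?P<sender>\S+) rcpt=(?P<rcpt>\S+)"
)

# Assumptions: the LAN that is allowed to relay, and the domain this server hosts.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"example.org"}


def find_relay_abuse(log_text, lan_nets=LAN_NETS, local_domains=LOCAL_DOMAINS):
    """Count accepted messages, per external source IP, that were relayed
    to a recipient outside the hosted domains. Any non-zero entry means
    a host outside the LAN was able to use this server to send mail onward."""
    suspects = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["status"] != "accepted":
            continue  # unparsable or already rejected by the server
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in lan_nets):
            continue  # LAN clients are expected to relay through the server
        rcpt_domain = m["rcpt"].rsplit("@", 1)[-1].lower()
        if rcpt_domain in local_domains:
            continue  # inbound mail for a hosted domain is normal traffic
        suspects[str(src)] += 1
    return suspects


if __name__ == "__main__":
    for ip, count in find_relay_abuse(SAMPLE_LOG).items():
        print(f"relayed {count} message(s) for external host {ip}")
```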