Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: Rien on December 22, 2006, 05:28:39 PM
-
Hi all,
According to www.GRC.com, ports 25 (SMTP) and 110 (POP3) are stealth, but I got the following alert:
[ALRT] mlkserver.focus.demon.nl : mail in = 375 (max=20)
mlkserver.focus.demon.nl :Fri Dec 22 01:12:19 2006
During the last 5 minutes, 375 incoming e-mails were detected, you had set the alert limit to 20 incoming e-mails.
(Possible reasons : do you receive spam ? a mailbomb ? mailing-lists ?)
One line per recipient host. Information on each line:
* sbytes is the number of bytes successfully delivered to this host.
* mess is the number of messages sent to this host (success plus failure).
* tries is the number of delivery attempts (success, failure, deferral).
* xdelay is the total xdelay incurred by this host.
Maillog
sbytes mess tries xdelay host
3243 1 1 0.26 000host.com
4405 1 1 0.22 004.com
7968 2 2 0.52 006.com
6081 2 2 0.45 007addict.com
4624 1 1 0.20 007sluts.com
3433 1 1 0.30 0101-long-distance.com
4748 1 1 0.25 0113.com
9399 3 3 0.85 01191.com
2709 1 1 0.19 0-12.com
. . .
. . .
21182 1 1 1.15 z-upit.dk
2820 1 1 0.31 zurich.com
2590 1 1 0.26 zybermail.com
10512 2 2 0.68 zzbandb.com
End of Report
What is wrong?
-
... but I got the following alert:
Are you asking in the right forum? This "alert" has nothing to do with unmodified SME server.
-
Hi Charlie,
Well, the alert is from SME7Admin, that is a contrib. But my question has little to do with SME7admin.
I'm afraid that my server is hacked to spread SPAM, but I can't imagine how. My mail ports (25 and 110) are all closed (stealth) and I retrieve mail using fetchmail/maildrop.
In my mail client I can't see any of these mails.
In "mail log file analysis", the report "List outgoing messages and recipients" is empty.
How can I detect if my mailserver is used for the purpose of spreading SPAM?
-
I'm afraid that my server is hacked to spread SPAM, but I can't imagine how.
Quite possibly via a web application. Do you have any PHP applications installed? Most of them are insecure at one time or another.
How can I detect if my mailserver is used for the purpose of spreading SPAM?
Examine the qmail logs.
-
mlkserver.focus.demon.nl :Fri Dec 22 01:12:19 2006
During the last 5 minutes, 375 incoming e-mails were detected, you had set the alert limit to 20 incoming e-mails.
Looking at the time reported (01:12), this is most likely the time of the system's log rotation. I believe it is a known bug in sme7admin that it creates that (wrong) warning for log rotations (we have these warnings also at 01:12 during log rotation). My French is not good but here is the link http://bugs.contribs.org/show_bug.cgi?id=1051
Michael
-
If I'm interpreting the qmail log correctly, there is mail sent via my server. None of the addresses are known to me.
I have Joomla! installed (PHP-based CMS). I'll check the Joomla forums.
QMail log:
2006-12-22 20:20:15.725137500 new msg 9246244
2006-12-22 20:20:15.725145500 info msg 9246244: bytes 14401 from <ikvtangible@vodw.com> qp 9101 uid 400
2006-12-22 20:20:15.733540500 starting delivery 581: msg 9246244 to local a1aaa1azzzz1zaaaaa@mlkserver.focus.demon.nl
2006-12-22 20:20:15.733550500 status: local 2/10 remote 0/20
2006-12-22 20:20:15.733555500 delivery 580: success: forward:_qp_9101/did_0+0+1/
2006-12-22 20:20:15.733560500 status: local 1/10 remote 0/20
2006-12-22 20:20:15.733565500 end msg 9246242
2006-12-22 20:20:15.746942500 delivery 581: failure: Recipient_unknown/
2006-12-22 20:20:15.746951500 status: local 0/10 remote 0/20
2006-12-22 20:20:15.759890500 bounce msg 9246244 qp 9105
2006-12-22 20:20:15.759899500 end msg 9246244
2006-12-22 20:20:15.760646500 new msg 9246243
2006-12-22 20:20:15.760824500 info msg 9246243: bytes 14938 from <> qp 9105 uid 406
2006-12-22 20:20:15.768050500 starting delivery 582: msg 9246243 to remote ikvtangible@vodw.com
2006-12-22 20:20:15.768257500 status: local 0/10 remote 1/20
2006-12-22 20:20:16.173623500 delivery 582: success: 194.159.73.194_accepted_message./Remote_host_said:_250_OK_id=1GxpwF-0000in-V1/
2006-12-22 20:20:16.173633500 status: local 0/10 remote 0/20
2006-12-22 20:20:16.173638500 end msg 9246243
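An added example (not code from the thread, from SME Server or from qmail) that reads the qmail-send excerpt above and correlates its lines per message. It shows what "examine the qmail logs" means in practice: the one remote delivery in this excerpt belongs to message 9246243, whose empty envelope sender <> and whose qp 9105 match the "bounce msg 9246244 qp 9105" line, so it is the bounce qmail generated for the unknown local recipient and sent back to the claimed sender, not mail relayed through the server. The function names, the "inbound"/"outbound"/"bounce" labels and the handling of delivery 580 (whose "starting delivery" line lies outside the excerpt) are choices of this example; the sample log lines are the ones posted above.

```python
"""Classify messages in a qmail-send log excerpt (added example, not SME Server code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the qmail-send excerpt posted in the thread above.
SAMPLE_LOG = """\
2006-12-22 20:20:15.725137500 new msg 9246244
2006-12-22 20:20:15.725145500 info msg 9246244: bytes 14401 from <ikvtangible@vodw.com> qp 9101 uid 400
2006-12-22 20:20:15.733540500 starting delivery 581: msg 9246244 to local a1aaa1azzzz1zaaaaa@mlkserver.focus.demon.nl
2006-12-22 20:20:15.733550500 status: local 2/10 remote 0/20
2006-12-22 20:20:15.733555500 delivery 580: success: forward:_qp_9101/did_0+0+1/
2006-12-22 20:20:15.733560500 status: local 1/10 remote 0/20
2006-12-22 20:20:15.733565500 end msg 9246242
2006-12-22 20:20:15.746942500 delivery 581: failure: Recipient_unknown/
2006-12-22 20:20:15.746951500 status: local 0/10 remote 0/20
2006-12-22 20:20:15.759890500 bounce msg 9246244 qp 9105
2006-12-22 20:20:15.759899500 end msg 9246244
2006-12-22 20:20:15.760646500 new msg 9246243
2006-12-22 20:20:15.760824500 info msg 9246243: bytes 14938 from <> qp 9105 uid 406
2006-12-22 20:20:15.768050500 starting delivery 582: msg 9246243 to remote ikvtangible@vodw.com
2006-12-22 20:20:15.768257500 status: local 0/10 remote 1/20
2006-12-22 20:20:16.173623500 delivery 582: success: 194.159.73.194_accepted_message./Remote_host_said:_250_OK_id=1GxpwF-0000in-V1/
2006-12-22 20:20:16.173633500 status: local 0/10 remote 0/20
2006-12-22 20:20:16.173638500 end msg 9246243
"""

RE_INFO = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")
RE_START = re.compile(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")
RE_RESULT = re.compile(r"delivery (\d+): (success|failure|deferral): (\S*)")
RE_BOUNCE = re.compile(r"bounce msg (\d+) qp (\d+)")


@dataclass
class Message:
    msg_id: str
    sender: Optional[str] = None      # None until "info msg" is seen; "" is the null sender <>
    size: int = 0
    qp: str = ""                      # qmail-queue pid that injected this message
    uid: str = ""                     # uid of the process that injected it (site-specific meaning)
    deliveries: list = field(default_factory=list)   # [scope, recipient, result] per delivery
    bounce_of: Optional[str] = None   # id of the message this one is the bounce for


def parse_qmail_send(lines):
    """Build {msg_id: Message} from qmail-send lines; results for deliveries whose
    'starting delivery' line is outside the excerpt are dropped, not guessed."""
    messages = {}
    delivery_owner = {}   # delivery id -> the [scope, rcpt, result] entry it completes
    bounce_qp = {}        # qp qmail-send used to queue a bounce -> original message id
    for line in lines:
        if (m := RE_INFO.search(line)):
            msg = messages.setdefault(m.group(1), Message(m.group(1)))
            msg.size, msg.sender, msg.qp, msg.uid = int(m.group(2)), m.group(3), m.group(4), m.group(5)
        elif (m := RE_START.search(line)):
            did, mid, scope, rcpt = m.groups()
            entry = [scope, rcpt, "pending"]
            messages.setdefault(mid, Message(mid)).deliveries.append(entry)
            delivery_owner[did] = entry
        elif (m := RE_RESULT.search(line)):
            entry = delivery_owner.get(m.group(1))
            if entry is not None:
                entry[2] = m.group(2)
        elif (m := RE_BOUNCE.search(line)):
            bounce_qp[m.group(2)] = m.group(1)
    # The bounce is queued under the qp logged on the "bounce msg" line, and the
    # resulting message reports that same qp on its own "info msg" line.
    for msg in messages.values():
        if msg.qp in bounce_qp:
            msg.bounce_of = bounce_qp[msg.qp]
    return messages


def classify(msg):
    """Label a message by what the log says about its origin and destination."""
    if msg.bounce_of is not None or msg.sender == "":
        return "bounce"     # null sender: generated by qmail-send for an undeliverable message
    if any(scope == "remote" for scope, _, _ in msg.deliveries):
        return "outbound"   # left the host with a real sender: relayed or injected mail to audit
    return "inbound"


def report(lines):
    """One summary dict per message, in order of first appearance in the log."""
    return [{"msg_id": m.msg_id, "sender": m.sender, "uid": m.uid, "class": classify(m),
             "bounce_of": m.bounce_of, "deliveries": [tuple(d) for d in m.deliveries]}
            for m in parse_qmail_send(lines).values()]


def outbound_messages(lines):
    """The messages a relay-abuse check cares about: remote deliveries that are not bounces."""
    return [r for r in report(lines) if r["class"] == "outbound"]
```

Run report(SAMPLE_LOG.splitlines()) to see the two messages: 9246244 is inbound spam to a non-existent local address (delivery failed with Recipient_unknown), and 9246243 is its bounce, delivered remotely to the address the spam claimed as sender. outbound_messages() is empty for this excerpt, so nothing here shows the server relaying mail; on a full log, any "outbound" entry with an unexpected sender or uid is the line to follow up. Bounces to forged senders are still backscatter that other sites will count against the host, which is a separate reason to reject unknown local recipients at SMTP time where the mail setup allows it.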
-
Moving this topic to the SME 7.x contribs forum, it is more appropriate there. Thanks!
Also could you please use a more descriptive subject. Thanks.
-
I have Joomla! installed (PHP-based CMS).
You should disable it until you are certain that it's not a problem.
-
During the last 5 minutes, 375 incoming e-mails were detected, you had set the alert limit to 20 incoming e-mails.
You are receiving spam! Not sending.
I also noticed that from time to time sme7admin sends out bogus reports.
-
Just to be sure,
In Joomla! the setting of "PHP Register Globals" was "On". I turned it "Off". I also set the properties of the Joomla! files to 644 and the Joomla! directories to 755.
I also set:
Maximum number of incoming e-mails : 15
Maximum number of outgoing e-mails : 15
Thanks,
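The post above sets Joomla! files to 644 and directories to 755. As an added example (not code from the thread, from Joomla! or from SME Server), here is a small audit that walks a web tree and reports entries that deviate from those modes, flagging group- and world-writable entries and executable files separately so the risky cases stand out. The 644/755 targets come from the post; the sample entries, paths and the function names are constructed for this example.

```python
"""Audit a web document tree against the 644 (files) / 755 (directories) modes
from the post above. Added example, not Joomla! or SME Server code."""
import os
import stat

FILE_MODE = 0o644
DIR_MODE = 0o755


def check_mode(path, mode, is_dir):
    """Findings for one entry given its st_mode; the exact-mode check comes last
    so the more specific reasons (writable by others, executable) are listed first."""
    expected = DIR_MODE if is_dir else FILE_MODE
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if not is_dir and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable file")
    if mode & 0o777 != expected:
        findings.append("mode %04o != %04o" % (mode & 0o777, expected))
    return [(path, f) for f in findings]


def audit_entries(entries):
    """entries: iterable of (path, st_mode, is_dir). Returns a flat list of findings."""
    out = []
    for path, mode, is_dir in entries:
        out.extend(check_mode(path, mode, is_dir))
    return out


def walk_tree(root):
    """Yield (path, st_mode, is_dir) for root and everything below it; symlinks are
    skipped because their own mode bits are not what the web server enforces."""
    for dirpath, _dirnames, filenames in os.walk(root):
        yield dirpath, os.lstat(dirpath).st_mode, True
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISLNK(st.st_mode):
                yield full, st.st_mode, False


def audit_tree(root):
    return audit_entries(walk_tree(root))


# Constructed sample: a tree where two entries were left writable by everyone.
SAMPLE_ENTRIES = [
    ("/var/www/html/joomla", 0o40755, True),
    ("/var/www/html/joomla/index.php", 0o100644, False),
    ("/var/www/html/joomla/configuration.php", 0o100666, False),
    ("/var/www/html/joomla/images", 0o40777, True),
]
```

audit_tree("/path/to/webroot") runs the same check over a real tree; on the constructed sample, audit_entries(SAMPLE_ENTRIES) reports only configuration.php and the images directory, each with world-writable, group-writable and mode findings. Note that a web application which writes its own configuration or uploads needs a few writable locations, so the output is a list to review, not to blindly chmod.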
-
I'm getting the same message every night at 01.12.
I'm using joomla and sme7admin too.
I never discovered whether this is spam, an error or just a bug in a program I installed :-(
-
Had the same problem with sme7admin and I just disabled it and guess what... no problems.
And the message you're getting is for incoming mail not outgoing so you're not sending spam. You're receiving something.
And I got the same message. Sometimes even from sme7admin itself. (I set the limit too low and it warned me over and over on logrotation.)
The problem was fixed when I turned off some notifications. (Had 600 mail warnings from sme7admin :roll: )