Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: Tillebeck on May 08, 2008, 05:08:30 PM
-
Hi
I got a call that our server is sending SPAM. It is either a
- web application on the server
- a client PC (winxp) on the network...
better try to monitor it.
I installed the qmHandle and stopped the qmail
service qmail stop
Now emails are slowly building up in the queue.
But how do I see from whom or to whom these emails are?
Doing qmHandle -s, qmHandle -l, qmHandle -L all return:
Total messages: 55
Messages with local recipients: 0
Messages with remote recipients: 0
Messages with bounces: 0
Messages in preprocess: 55
Any way to find out which web application (if any) is sending out mails?
Thanks,
Anders
-
This is not the correct way to stop qmail! Because it hangs.
SME server is a little different compared with other linux distributions.
You have an entire wiki page about qmHandle:
http://wiki.contribs.org/Qmhandle_mail_queue_manager
To begin a quick investigation, rename your ibays html folder to htmlb.
Also rename the /opt/xxx folders if you have some scripts under the /opt dir.
Wait a few hours and look if you have a lot of emails in the queue. If yes, then your sites are ok; restore the name of your html dirs.
So, the problem is a machine in your local network.
Authenticate smtp for local network:
http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network.
http://wiki.contribs.org/Email#How_do_I_disable_SMTP_relay_for_unauthenticated_LAN_clients
-
Hi Normando
Thanks for your reply.
Web app. sending mail:
Renaming the html folders should definitely show me if any app is sending mails. Thanks for that tip. I will do that after a short notice to the users.
qmHandle
I had seen the wiki for the qmHandle. The problem is that each command for listing output returns the same result. I do not know if this is normal or it is a sign that the server has been infected. Or maybe that I stopped the qmail the wrong way.
- thanks for pointing that out by the way. I do see now that the wiki also gives away how to stop and start the qmail the proper way:
sv d /service/qmail (this will stop qmail)
sv u /service/qmail (this will start qmail again)
The qmHandle wiki page gives some commands for listing mails and for deleting mails. I want to list the mails. At least three of these four commands should list mails I believe:
qmHandle -l : list message queues
qmHandle -L : list local message queue
qmHandle -R : list remote message queue
qmHandle -s : show some statistics
...but I get the same result for all four commands, as shown in the code block here below. I guess it is the statistics result I get from all four of them. That cannot be correct, can it? I am confused:
[root@ronja ~]# qmHandle -L
Total messages: 569
Messages with local recipients: 0
Messages with remote recipients: 0
Messages with bounces: 0
Messages in preprocess: 569
[root@ronja ~]#
This next command should list all the messages in the queue counting the number of messages with the same subject. When executed the command is accepted but there is no result. Here is the command executed and the empty result:
[root@ronja ~]# qmHandle -l|grep Subject|sort| uniq -c|sort -n
[root@ronja ~]#
I really really really would like to know how to find out who the mails are from and who the recipients are. Can I look into a folder somewhere and have a look at the queue? Is qmHandle acting strange (or maybe my server is acting strange)?
Email settings for users
Thanks for the tip with setting up the smtp authentication and unauthenticated mail relay for local networks. I have not done it before since I have quite a few applications sending out mail. Will they still be able to send mails? Or shall those applications then also connect to localhost with a user/password? I do see some big advantages in this. Then each web application can have its own user. Then any future compromised application will be easy to stop sending spam just by disabling its sme user.
I really hope for a reply on how to examine the mail queue.
BR. Anders
Thanks for any help provided.
-
one more question...
...instead of renaming all the html folders to html_something, wouldn't it give the same result just to kill the web server?
-- anders
-
Confusion is complete. But problem is solved.
After a reboot of the server the qmHandle works like a charm and makes nice lists of mails in the queue when running the commands listed in my previous posts.
The problem could have been caused by one of these two reasons:
- I did not stop the qmail using the correct SME command (I just did a service stop)
- I did not restart the entire server after installing the qmHandle (the wiki said that a reconfigure and reboot was not required)
Problem is solved. Now it is time for analyzing the queue.
BR. Anders
-
You have the same results because you stopped qmail in the wrong way, so restart your server completely. Then delete your queue.
Remember, before deleting your queue (qmHandle -D), stop qmail, then start it again with the correct command.
Of course, you can stop the e-smith-httpd service with "sv d httpd-e-smith". Use "sv u httpd-e-smith" to start it again, or "sv t httpd-e-smith" to restart.
I had the same issue, with 41000 messages in the queue every day! And I found an infected workstation. When I implemented smtp authentication, the problem was fixed.
It is important to add some captcha image verification if you have a web application that sends email, to avoid bot spam. Also you can modify your application to use a user and password to authenticate with your localhost smtp.
A question: I looked at your command prompt [root@ronja ~]#
Are you the same man from http://ronja.twibright.com/ ?
-
Captchas are being used - or similar. So if a web app is the sender then it must have been hacked or compromised in some way. I guess it is a workstation though... But we'll see.
Ronja is my daughter. Since I bought that specific server I got to name it. And I name servers like most people choose passwords ;-) But about a year ago I actually did read about the Ronja project from Twibright. Super cool to build your own data link - or just shoot some birds from the sky.
Btw. I started a new thread on how to delete SPAM mails before they are sent out from the server. Feel free to join in:
http://forums.contribs.org/index.php?topic=40965
Cheers, Anders
-
or just shoot some birds from the sky.
:lol: :lol: :lol:
-
This is not the correct way to stop qmail!
No, that will do fine. That will do the same as "sv u /service/qmail".
-
I really really really would like to know how to find out who the mails are from and who the recipients are.
You can find out who they *claim* to be from (the sender address of spam and virus messages is always forged), and who they are to, via:
/var/qmail/bin/qmail-qread
-
Any way to find out which web application (if any) is sending out mails?
You can find out whether the messages are being sent by a PC on the LAN or by a web application by carefully reading the full headers of any of the messages. If it is a web application sending the messages, you will see the uid of 'www' as the sender which injected the message. But you won't be able to tell which web application it is by that technique.
-
No, that will do fine. That will do the same as "sv u /service/qmail".
Can you explain to me why there are inconsistencies between the explanations?
tias_
I'm sure you need to stop qmail BEFORE you flush the queue!
It has been said so many times in these forums, for the last three years or so, NOT to use the service command as it does not always do everything that is required in sme server. sme is a bit different to other Linux distros.
sme7.x uses supervised services, which will automatically restart if they stop, and uses the sv command,
ie
to bring down
sv d /service/qmail
to bring up
sv u /service/qmail
to terminate (which forces a restart due to being a supervised service)
sv t /service/qmail
For any non supervised service use
/etc/init.d/servicename restart (or stop or start or status)
See the developer manual for more details
When I tried stopping qmail with "service qmail stop" and then starting it with "service qmail start", it never ran again, and I needed to reboot the server.
I am thinking of making or expanding a wiki page with the correct way to handle the services, one by one.
-
Ok. I start to realize that I asked the wrong question. I started this thread to figure out why I could not get qmHandle to list messages. It seems I just did not understand how qmail works and what qmHandle does.
Many posts write that before using qmHandle the qmail should be stopped. This must be a truth with modification. I guess it is correct that qmail should be stopped before the queue is manipulated in any way. But for pure statistics and listings qmail needs to run. Otherwise mails will stay in the "Preprocess queue" and not be sorted into either the "Local" or the "Remote" queue.
So this result is just fine, since qmail had not been running while the mails had been building up in the queue:
[root@ronja ~]# qmHandle -L
Total messages: 569
Messages with local recipients: 0
Messages with remote recipients: 0
Messages with bounces: 0
Messages in preprocess: 569
[root@ronja ~]#
The question I should have asked was:
How do I stop my server (qmail?) from sending mails from the local or remote queue?
As it is now, when mails are processed by qmail and they end up in the local or remote queue, they are sent out onto the internet in a split second. I would like qmail not to send out mails but to run and to sort the mails into the two queues so qmHandle can list them. Also the command given by Charlie Brady that lists who mails *claim* to be from:
/var/qmail/bin/qmail-qread
(great command, Charlie, thanks for posting it)
BR. Anders
-
Can you explain to me why there are inconsistencies between the explanations?
People used the "service" command so frequently that we added "/sbin/e-smith/service". "/sbin/e-smith/service" will do "the right thing". "/sbin/service" often does not. Just typing "service" will execute "/sbin/e-smith/service".
-
The question I should have asked was:
How do I stop my server (qmail?) from sending mails from the local or remote queue?
You stop it. If you want it to run, but not send mails remotely, you will need to bring down your WAN link.
But I'd ask what problem you are actually trying to solve. You should be able to work out yourself visually which messages have local recipients and which have remote recipients.
-
You should be able to work out yourself visually which messages have local recipients and which have remote recipients.
Yes, if I somehow could list those unsent emails. It seems from your post that it is trivial. I just don't know where to look for a list of unsent/unprocessed emails (the only Linux I ever worked with is the SME server... so I haven't got the same background knowledge as a typical linux server user).
All I can do is unplug WAN-cable and let qmail do its job and then use qmHandle or the /var/qmail/bin/qmail-qread to view the mails in the local or remote queue.
How can I see the unsent mails when qmail is stopped? Are they physically placed in a folder on the server as separate files? That would be great.
BR. Anders
-
Yes, if I somehow could list those unsent emails. It seems from your post that it is trivial.
/var/qmail/bin/qmail-qread
-
Well that brings me back to the same old problem.
See here:
I stop qmail, then I wait until there are a few new unsent mails. Since qmail has been stopped the mails will remain unprocessed and not end up in either the remote or the local queue. Therefore (at least on my system) neither qmHandle nor qmail-qread will be able to list the mails.
[root@ronja ~]# sv d /service/qmail
[root@ronja ~]# qmHandle -l -c
Total messages: 5
Messages with local recipients: 0
Messages with remote recipients: 0
Messages with bounces: 0
Messages in preprocess: 5
[root@ronja ~]# /var/qmail/bin/qmail-qread
[root@ronja ~]#
- please notice that both the local and remote queues are empty and all 5 mails are in preprocess.
If... I had cut the WAN connection and let qmail run (but not be able to send out the mails due to the WAN being disconnected) then mails would not stay in preprocess but would build up in the remote and the local queue, and both qmHandle and qmail-qread would be able to show me some nice results.
I just thought that there should be some way to read mails from the preprocessed queue, or?...
BR. Anders
-
I stop qmail, then I wait until there are a few new unsent mails. Since qmail has been stopped the mails will remain unprocessed and not end up in either the remote or the local queue. Therefore (at least on my system) neither qmHandle nor qmail-qread will be able to list the mails.
Hmm, you are right - I didn't realise that qmail-qread didn't show unprocessed messages.
I just thought that there should be some way to read mails from the preprocessed queue, or?...
cd /var/qmail/queue/todo
Then view the first message:
cat ../mess/*/$(ls | head -1 | tail -1)
and the second:
cat ../mess/*/$(ls | head -2 | tail -1)
etc.
The sender and recipient addresses are embedded in the todo files, which you can see via:
cat $(ls | head -1 | tail -1)
cat $(ls | head -2 | tail -1)
etc.
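The todo-queue walk Charlie describes above, scripted as an added example (not code from the thread, the SME project or qmail): it assumes the layout he gives (todo/<inum> holds the envelope, mess/<split>/<inum> the message) and takes the queue directory as a parameter so it can run against a constructed sample queue instead of /var/qmail/queue.

```shell
#!/bin/sh
# Added example, not from the thread. qmail stores the envelope of each
# unprocessed message in todo/<inum> as NUL-terminated strings: "F" + sender,
# then "T" + recipient for every recipient. The message body sits in
# mess/<inum mod conf-split (23 by default)>/<inum>.

# Sender the envelope *claims* (forged for spam, as noted in the thread).
todo_sender() { tr '\0' '\n' < "$1" | sed -n 's/^F//p'; }

# Envelope recipients, one per line.
todo_recipients() { tr '\0' '\n' < "$1" | sed -n 's/^T//p'; }

# uid that injected the message: qmail-queue stamps it into the first
# "Received: (qmail N invoked by uid U)" header. The uid of www (httpd) means a
# web application handed the mail to qmail; messages that arrived over SMTP
# carry "invoked from network" instead and yield nothing here.
mess_injector_uid() {
    sed -n 's/^Received: (qmail [0-9]* invoked by uid \([0-9]*\)).*/\1/p' "$1" | head -n 1
}

# One summary line per message in the preprocess queue under queue dir $1.
list_preprocess_queue() {
    q="${1:-/var/qmail/queue}"
    for todo in "$q"/todo/*; do
        [ -f "$todo" ] || continue
        inum=$(basename "$todo")
        mess=$(ls "$q"/mess/*/"$inum" 2>/dev/null | head -n 1)
        uid=none
        if [ -n "$mess" ]; then uid=$(mess_injector_uid "$mess"); uid=${uid:-none}; fi
        echo "$inum uid=$uid from=$(todo_sender "$todo") rcpts=$(todo_recipients "$todo" | wc -l | tr -d ' ')"
    done
}

# Constructed two-message queue under $1 so the functions can be exercised offline.
# Message 26 was injected locally by a (constructed) uid 102, message 30 came in over SMTP.
make_sample_queue() {
    mkdir -p "$1/todo" "$1/mess/3" "$1/mess/7"
    printf 'Fwebform@example.com\0Ta@example.net\0Tb@example.net\0' > "$1/todo/26"
    printf 'Received: (qmail 4242 invoked by uid 102); 8 May 2008 15:08:30 -0000\nSubject: constructed\n\nbody\n' > "$1/mess/3/26"
    printf 'Fforged@example.org\0Tc@example.net\0' > "$1/todo/30"
    printf 'Received: (qmail 4243 invoked from network); 8 May 2008 15:09:00 -0000\nSubject: constructed\n\nbody\n' > "$1/mess/7/30"
}

# Stand-alone use on a real box: list_preprocess_queue (defaults to /var/qmail/queue).
list_preprocess_queue "${QUEUE_DIR:-/var/qmail/queue}"
```

Run it with qmail stopped (sv d /service/qmail) so the todo files are stable while you read them; a uid belonging to the web server across many entries points at a web application rather than a LAN PC.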
-
Thanks, Charlie, that is great! I can see from and to now.
I started this thread to figure out who sent spam on my local network, whether it was a server or a client. We did find a virus infected windows machine on the network that was sending out spam at a slow rate. So no virus/hacking on our SME Server.
BR. and thanks for all the help.
Anders