Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: guest14620 on June 11, 2008, 01:33:06 AM

Title: Backscatter causing server slowdown?
Post by: guest14620 on June 11, 2008, 01:33:06 AM
Hi all, I recently set up a virtual machine running SME server that is replacing our old Windows NT mail server.  Essentially it's only running for my Dad's home business, and only has 3 mailboxes.  I believe I've set it up as secure as I can (through the web interface) and the spam filtering was working fantastically, however a couple of weeks after setting it up, we are now receiving a lot of automated replies saying our emails can't be delivered (emails that we didn't even send).  I originally thought that it could've been someone spoofing our domain and having the bounce-back come to us, but I also noticed that the mail server runs super slow when exposed to the internet (when I close the ports and reboot it, it's fine), which leads me to believe that it's getting backed up with loads of spam to redirect.  The server specs are very decent, and I've allocated about 256mb RAM to the virtual machine, which should be plenty.  I'm not really experienced with Linux, but I am learning, and I do have a bit of experience administering our old mail server.

Is it possible that somehow our SME Server is being used as an open relay by spammers?  I would've thought such options would be disabled by default.  Additionally, how would I go about further securing our server (going above and beyond the web interface)?

Our server is running behind a firewall, with only the SMTP port (25) and POP3 port (110) forwarded to the SME server.
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: pfloor on June 11, 2008, 02:06:29 AM
Quote
and I've allocated about 256mb RAM to the virtual machine, which should be plenty

First of all, this is barely enough memory and only meets the "minimum requirements" for a file/print/gateway server and will most likely not work well when you start using the email/spam features.  Recommended is at least 512MB when you fire up the mail server and I wouldn't run anything less than 1 Gig myself. See: http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter4#4.1._Minimum_Hardware_Requirements

Quote
Is it possible that somehow our SME Server is being used as an open relay by spammers?

If the server is set up stock then it is highly unlikely.  I would first look at the clients connected to the network before suspecting SME.
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: guest14620 on June 11, 2008, 03:57:26 AM
Oh really, you might be surprised to note that the server admin where I work has actually been running a SME server (7.0) virtual machine with 64mb RAM allocated doing only mail tasks for the past year and a bit and has never had problems.  Anyway, I upped the memory to about 512mb and have noticed a performance hit.

However, I noticed when I do a "ps aux | less" that a number of instances of the qpsmtpd-forkserver process are running with remote hosts that I don't know. Could this be causing the problem? (I'm unfamiliar with what qpsmtpd-forkserver does, so feel free to enlighten me if I'm way off.)
(http://img212.imageshack.us/img212/4875/94160199jr2.jpg)
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: CharlieBrady on June 11, 2008, 04:44:06 AM
I'm unfamiliar with what qpsmtpd-forkserver does ...

Google knows.
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: guest14620 on June 11, 2008, 04:46:32 AM
Google knows.

Thanks for that helpful tidbit.  Maybe I should just go back to using Exchange.
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: thomasch on June 11, 2008, 05:08:17 AM
butters1337,

1. I would suggest you double check your email settings, particularly Domains and email settings.

2. Use the address of your Internet provider's mail server (smtp server) instead and see if that helps.

3. Installing this contrib can help you troubleshoot your SME server email system:

http://wiki.contribs.org/Qmhandle_mail_queue_manager

4. Also, check the logfiles; maybe you will see something suspicious.

thomas

Title: Re: Unauthorised SMTP Relaying Spam?
Post by: guest14620 on June 11, 2008, 05:17:23 AM
Thank you thomas.  I'll check out that contrib and see if I can shed any more light as to what's going on.  I've also noticed that all the spam emails have been returning to one specific address, so I've tried locking the account to see if it has any effect on whether spam is still sent.
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: purvis on June 11, 2008, 06:39:04 AM
are you using the same wan (internet) ip address as the exchange email server was on?
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: guest14620 on June 11, 2008, 06:41:47 AM
Yes, we only have the single static IP for our home office.
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: cactus on June 11, 2008, 07:45:26 AM
Yes, we only have the single static IP for our home office.
Then you have most likely been hit by a hacker, as I do not see any notice of a firewall... running the setup I guess you are using is a very unsafe one, please install a firewall between your lan and your wan.
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: guest14620 on June 11, 2008, 08:06:56 AM
:S I don't understand, there is a firewall on our D-Link router, and I only have a select few ports open for our mail and web servers.  GRC.com's ShieldsUP! test only identified several of the open ports, the rest it detected as stealthed.  Disabling the user account that is sending the spam that is getting bounced back did not prove effective at all.  What if this is just standard spoofing, how can I protect against that, does SME have any tools or contribs to combat this (eg. using the new SPF method)?
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: purvis on June 14, 2008, 09:59:06 PM
so butters, i am not an email expert at all but i am learning the ropes.
questions
1. is your server sending the original spam?
2. is your server just receiving a bounce email?
3. what do your lines on from and on subject have using webmail?
4. how many emails are being bounced a day?

i made one bounce from an account setup for testing
the bounce email has this

my from has the line   :MAILER-DAEMON@mysite.com
my subject has          :failure notice
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: CharlieBrady on June 15, 2008, 01:52:54 AM
Than you have most likely been hit by a hacker as I do not see any notice of a firewall...

A firewall won't protect against hackers, unless there are open services. But anyway, the original report says the system is behind a firewall, and only ports 25 and 110 are accessible.

The original report also complains about bounce messages for messages which weren't sent from his server. That just indicates that a spammer is using his addresses on forged spam messages. They don't indicate unauthorised relaying, and there's nothing he can do about those.

If he were to report details of one of those bounce messages here, someone could interpret them for him, I'm sure.
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: purvis on June 15, 2008, 03:01:37 AM
i wrote a program that runs in windows, it is a console program, that will pop a email account and delete unwanted messages.
as i said, i am just learning email and started programming for it.
i figured most bounced emails were sent back to the email server from which they came, unless you can spoof a wan ip address.
then, in that case i can understand how that could be.
does the name on the account have a common name for emails, like jwlliams@mysite.com?
 

ps.
if somebody had a program written in windows for the good of the whole, is there a way to upload it.

Title: Re: Unauthorised SMTP Relaying Spam?
Post by: CharlieBrady on June 15, 2008, 05:15:42 AM
i figured most bounced emails where sent back to the email server from which they came...

You figured wrong. Bounce messages are sent back to the claimed sender of the message, not the server from which the message came. Since the sender address is forged on nearly all spam, that will be a different server than the one which produced it. In fact most SPAM is sent from 'servers' which don't receive email (i.e. from botnet zombies).

You'll probably help more people, or at least confuse fewer people, if you just post what you know, and not what you guess.
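Charlie's two points, that a bounce goes to the claimed sender rather than to the originating server, and that the details of a bounce can tell you where the forged message really came from, can be checked mechanically. The following is an added example, not code from this thread or from SME Server: it parses a delivery status notification, pulls the original message's Received headers out of the attached copy, and reports whether that message ever passed through our own mail host. If it did not, the bounce is backscatter from a forged sender address and there is nothing to fix on our side; the earliest Received header still shows the IP that injected the spam, which is the only useful thing to pull from such a bounce. The hostname `mail.example.com`, the addresses and both sample bounces are constructed for the example.

```python
"""Classify an inbound bounce as a legitimate DSN or as backscatter.

Added example (not SME Server or qpsmtpd code).  Assumption: our MTA writes
the hostname OUR_HOST into every Received: header it adds, so an original
message that never carries it was never sent through our server.
"""
import email
import re
from email import policy

OUR_HOST = "mail.example.com"   # assumption: our MTA's name as stamped into Received:

# Constructed sample 1: bounce for a spam message we never sent.  The only hops
# are the spammer's host (203.0.113.77) and the remote server that bounced it.
BACKSCATTER_SAMPLE = b"""\
From: MAILER-DAEMON@relay.example.net
To: dad@example.com
Subject: failure notice
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message could not be delivered to the following address.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; relay.example.net

Final-Recipient: rfc822; nobody@relay.example.net
Action: failed
Status: 5.1.1
--B1
Content-Type: message/rfc822

Received: from relay.example.net (localhost [127.0.0.1])
\tby relay.example.net for <nobody@relay.example.net>; 12 Jun 2008 03:12:02 +0000
Received: from unknown (HELO example.com) (203.0.113.77)
\tby relay.example.net with SMTP; 12 Jun 2008 03:12:01 +0000
From: dad@example.com
To: nobody@relay.example.net
Subject: cheap meds

buy now
--B1--
"""

# Constructed sample 2: a real bounce for a message Dad sent through our server
# to a mistyped address.  The remote side returned only the original headers.
LEGIT_SAMPLE = b"""\
From: MAILER-DAEMON@remote.example.org
To: dad@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

The user typo@remote.example.org does not exist.
--B2
Content-Type: text/rfc822-headers

Received: from mail.example.com (mail.example.com [198.51.100.5])
\tby remote.example.org with ESMTP; 12 Jun 2008 04:00:00 +0000
Received: from dad-pc.lan (192.168.1.20)
\tby mail.example.com (qpsmtpd) with SMTP; 12 Jun 2008 03:59:00 +0000
From: dad@example.com
To: typo@remote.example.org
Subject: invoice
--B2--
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def original_from_bounce(bounce):
    """Return the original (bounced) message embedded in a DSN, or None.

    DSNs carry either the full original (message/rfc822) or just its
    headers (text/rfc822-headers); both are enough for our purpose.
    """
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify_bounce(raw):
    """Return a dict with verdict ('legitimate', 'backscatter' or 'unknown'),
    the number of Received hops seen, and the IP in the earliest hop."""
    bounce = email.message_from_bytes(raw, policy=policy.default)
    orig = original_from_bounce(bounce)
    if orig is None:
        return {"verdict": "unknown", "hops": 0, "first_hop": None}
    # Received headers are prepended by each MTA, so the last one is the earliest hop.
    received = [str(h) for h in orig.get_all("Received", [])]
    passed_through_us = any(OUR_HOST in h for h in received)
    first_hop = None
    if received:
        m = IPV4.search(received[-1])
        first_hop = m.group(1) if m else None
    return {
        "verdict": "legitimate" if passed_through_us else "backscatter",
        "hops": len(received),
        "first_hop": first_hop,
    }


if __name__ == "__main__":
    for name, sample in (("spam bounce", BACKSCATTER_SAMPLE), ("real bounce", LEGIT_SAMPLE)):
        print(name, classify_bounce(sample))
```

The check hinges on your own server's name appearing in Received headers it added; a spammer can forge Received lines too, but a forged header claiming to be "by mail.example.com" would only make a bounce look legitimate, never hide one that is. If you want to do something with the verdict, the first-hop IP is what you would report to the abuse contact of the originating network, not the address of the bouncing server, which is itself a victim of the forgery.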
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: guest14620 on June 15, 2008, 08:51:48 AM
I appreciate all of your input on this.  It seems to have stopped, and I don't think it's got to do with anything that I've done.  I guess the botnet that was spoofing one of our email addresses has decided to move on (probably since the address has been added to most decent spam filters grrrr).  All the messages we were receiving were bounce backs, and I couldn't seem to get any decent header info from the original email in the bounce-back, which is a real pain in the ass.  So this issue doesn't really have anything to do with SME server at all, although I guess many mail server admins will experience similar issues throughout their administration roles.
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: zatnikatel on June 15, 2008, 01:40:46 PM
should have used tcpdump on port 25 to see where it was coming from
Title: Re: Unauthorised SMTP Relaying Spam?
Post by: mmccarn on June 15, 2008, 04:46:56 PM
Here's a wikipedia article on backscatter spam that may explain what you saw: http://en.wikipedia.org/wiki/Backscatter_%28e-mail%29

One of my clients experienced a huge surge in backscatter of this sort a couple weeks ago, then it calmed down.

SME, by the way, does not send backscatter spam messages.  Email to unrecognized addresses is either rejected during the smtp conversation or delivered to a specified local mailbox for processing.
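The distinction mmccarn draws, rejecting an unknown recipient during the SMTP conversation rather than accepting the message and bouncing it later, is the whole reason a stock SME box does not add to the backscatter problem. The following is an added example, not SME Server or qpsmtpd code: a toy model of the server side of an SMTP session, run twice over the same forged spam delivery with the two policies, showing that only the accept-then-bounce policy produces a bounce addressed to the forged sender. The mailbox list, hostname and commands are constructed; it is a simplified dialogue, not a real SMTP implementation.

```python
"""Reject-at-RCPT versus accept-then-bounce, modelled as a toy SMTP server.

Added example (not SME Server or qpsmtpd code).  Assumption: the server knows
its local mailboxes (constructed list below) and the spammer forges one of
our addresses as the envelope sender, which is the usual backscatter setup.
"""

LOCAL_MAILBOXES = {"dad@example.com", "mum@example.com", "kid@example.com"}  # constructed


def smtp_session(commands, reject_at_rcpt):
    """Feed client commands to the toy server.

    Returns (server replies, bounces the server would have to send).  With
    reject_at_rcpt=True an unknown recipient gets a 550 immediately and the
    sending side (the spammer, or their zombie) owns the failure.  With
    reject_at_rcpt=False the server says 250 to everything, discovers the
    bad recipient after DATA, and must generate a bounce to the envelope
    sender, which is the forged address: that bounce is backscatter.
    """
    replies, bounces = [], []
    sender, rcpts = None, []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example.com")
        elif verb == "MAIL":
            sender = arg.split(":", 1)[1].strip("<> ")
            replies.append("250 sender ok")
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            if rcpt in LOCAL_MAILBOXES or not reject_at_rcpt:
                rcpts.append(rcpt)
                replies.append("250 recipient ok")
            else:
                replies.append("550 no such user")      # refused inside the session
        elif verb == "DATA":
            if not rcpts:
                replies.append("503 no valid recipients")
                continue
            replies.append("354 go ahead")
            replies.append("250 queued")
            # Message accepted; anything undeliverable now must be bounced.
            for r in rcpts:
                if r not in LOCAL_MAILBOXES:
                    bounces.append({"to": sender, "about": r})
        elif verb == "QUIT":
            replies.append("221 bye")
        else:
            replies.append("500 unrecognised command")
    return replies, bounces


# Constructed: a zombie forging dad@example.com to an address that does not exist here.
FORGED_SPAM = [
    "HELO zombie.invalid",
    "MAIL FROM:<dad@example.com>",
    "RCPT TO:<nobody@example.com>",
    "DATA",
    "QUIT",
]


def backscatter_count(reject_at_rcpt):
    """Number of bounces the forged delivery produces under the given policy."""
    return len(smtp_session(FORGED_SPAM, reject_at_rcpt)[1])


if __name__ == "__main__":
    for policy_name, flag in (("reject at RCPT", True), ("accept then bounce", False)):
        replies, bounces = smtp_session(FORGED_SPAM, flag)
        print(policy_name, "->", replies, "bounces:", bounces)
```

Run it and the accept-then-bounce branch hands you exactly the kind of "failure notice" the original poster was receiving, addressed to dad@example.com about a message Dad never wrote. The same reasoning applies to anti-virus and spam scanners that accept first and "notify the sender" later: any notification sent after the 250 goes to whoever the spammer chose to forge.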

Title: Re: Unauthorised SMTP Relaying Spam?
Post by: CharlieBrady on June 16, 2008, 04:54:25 AM
So this issue doesn't really have anything to do with SME server at all, ...

Please edit the subject of this thread. Thanks.
Title: Re: Backscatter causing server slowdown?
Post by: purvis on June 16, 2008, 06:29:35 AM
removed offending message by myself
Title: Re: Backscatter causing server slowdown?
Post by: zatnikatel on June 16, 2008, 08:46:09 AM
no knocking you or charlie but i don't think it was too nice saying that CharlieBrady was an ass, every one on this site needs to play nice
i really can not see what he said as being an ass, as he is a DEV on sme he does know what he is talking about
Title: Re: Backscatter causing server slowdown?
Post by: cactus on June 16, 2008, 08:20:50 PM
Charlie, are you an ass today or is that the way you always are.
I seriously suggest you watch your tone, you are talking to one of the core devs, who has excellent knowledge on SME Server and a lot of problems related to it.

Next time you decide to insult people again (in the forums, or anyone else) please consider how you would like to be name-called. People in these forums are most of the time pretty willing to help others and rarely, if ever, have a need to revert to name calling. It also defeats the purpose of getting the help you desire...

I think Charlie is right in his replies to you, certainly as you have formulated your question and opinions on your problem way too strongly (and made the wrong assumption); like Charlie said, the frequency of the DNS lookups in your case is nowhere near a denial-of-service attempt, and stating so in the topic of your posts will raise panic and is bad publicity for this excellent product. Criticism is not bad, but it should be based on evidence and proper facts; your assumption was seriously exaggerated and Charlie, being concerned with his work, asked you to make your topic title reflect the situation properly to not raise unneeded and unwanted havoc.

Behavior like this should result in some sort of disciplinary measures IMHO.
Title: Re: Backscatter causing server slowdown?
Post by: cactus on June 16, 2008, 08:22:36 PM
You'll probably help more people, or at least confuse fewer people, if you just post what you know, and not what you guess.
Who is left guessing and who is guessing wrong here? Please reread the topic from your initial post up to and including the explanation of what a denial-of-service attack is.
Title: Re: Backscatter causing server slowdown?
Post by: purvis on June 16, 2008, 08:42:01 PM
i felt insulted and decided to question ones attitude.
the remark was only in reference from this thread.
i have spent over 40 hours working to resolve the other issues i had that had nothing to do with this thread and have done as he suggested.
i purchased an in-depth book on networking.
because somebody works hard and or is knowledgeable, does not entitle them to be rude, which i felt he was and i responded in kind.
 
Title: Re: Backscatter causing server slowdown?
Post by: zatnikatel on June 16, 2008, 08:43:35 PM
I seriously suggest you watch your tone, you are talking to one of the core devs, who has excellent knowledge on SME Server and a lot of problems related to it.


Behavior like this should result in some sort of disciplinary measures IMHO.

thanks for backing me up. there is no reason for being rude in these forums, no reason whatsoever. the devs spend a lot of their own time on SME away from family and friends and they do a really good job. you will never see a bad word come out of my mouth about anyone on this site. SME rocks, no two ways about it

there are nicer ways of saying things rather than calling someone an ass. if you think they are rude you can go about it other ways than being rude yourself
Title: Re: Backscatter causing server slowdown?
Post by: cactus on June 16, 2008, 08:45:56 PM
i felt insulted and decided to question ones attitude.
the remark was only in reference from this thread.
i have spent over 40 hours working to resolve the other issues i had that had nothing to do with this thread and have done as he suggested.
i purchased an in-depth book on networking.
because somebody works hard and or is knowledgeable, does not entitle them to be rude, which i felt he was and i responded in kind.
 
If your goal is to get information, pointers and want to be helped in order to solve your problem I think you should drop the eye for an eye, tooth for a tooth policy and do not let frustration get in the way. Perhaps an apology to Charlie would be in place.

If you feel insulted say so, open it for discussion and if the intent was to insult you give the poster an opportunity to apologize or clear up the misunderstanding.
Title: Re: Backscatter causing server slowdown?
Post by: zatnikatel on June 16, 2008, 08:53:00 PM
i agree saying sorry to Charlie would be a good way to start
Title: Re: Backscatter causing server slowdown?
Post by: purvis on June 16, 2008, 09:22:17 PM
Charlie
I apologize to you for the use of the strong words i sent toward you.
i do not like the way you talked to me, especially when i was trying to give some kind of guidance to the poster.
i felt insulted the way you quoted me and made a remark to me that was uncalled for and in a single particular post.
i have seen many post here on this forum where people just speak their mind in harness, and that is what kind of a message i took it as and  i figured i would fire back.
paul
Title: Re: Backscatter causing server slowdown?
Post by: mercyh on June 16, 2008, 10:09:52 PM
Paul,

Thanks for taking the high road on this. I also appreciate the concern from everyone for keeping the forums clean. I know that Charlie often comes across as quite terse in his replies.

Whenever I see a person that writes code do this I try to think how I would say what they have to say in code and conclude that they may not mean it in the way that I may be taking it.

There are also people that do not suffer fools gladly. And I will be the first to say that I have given foolish and incorrect advice at times.