Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: jameswilson on August 24, 2010, 12:30:47 PM

Title: I think my sme is being used to send spam?
Post by: jameswilson on August 24, 2010, 12:30:47 PM
I'm getting funny failed messages.
I'm assuming one of the websites on it, or a user account, has been compromised.
How can I tell where these mails are originating from?

i.e. user on smtps or website / ibay, and which one?

Ta
James
Title: Re: I think my sme is being used to send spam?
Post by: Stefano on August 24, 2010, 12:34:27 PM
First of all, disconnect your SME from the WAN..
If one (I guess PHP) site has been compromised, you are likely spamming..
Title: Re: I think my sme is being used to send spam?
Post by: jameswilson on August 24, 2010, 12:37:11 PM
Already done that.
Title: Re: I think my sme is being used to send spam?
Post by: Stefano on August 24, 2010, 12:38:58 PM
Thank you ;-)

How do the site(s) send email? Do you use some kind of auth?

I suggest you create separate users, one for each site..
Title: Re: I think my sme is being used to send spam?
Post by: byte on August 24, 2010, 12:53:28 PM
How can I tell where these mails are originating from?

Check /var/log/qmail, /var/log/qpsmtpd and /var/log/sqpsmtpd; this will show every mail transaction. Also change the passwords of all users immediately if you want to be on the safe side.

Can you tell us more? Is it a client workstation? What version of SME Server are you using?
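
One way to work through the qmail log mentioned above, as an added example that is not part of the original thread: qmail-send records the uid of the process that queued each message in its "info msg" line, so tallying by uid and envelope sender separates mail injected locally (for example by a web script) from mail that arrived over SMTP. The function names, the sample lines and the uids in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the stock qmail-send log format:
#   info msg <id>: bytes <n> from <sender> qp <pid> uid <uid>
# where <uid> is the user id of the process that queued the message.

# Constructed sample lines (timestamps, senders and uids are made up).
sample_log() {
    cat <<'EOF'
@400000004c73b1a20a1b2c3c new msg 98101
@400000004c73b1a20a1b2c3d info msg 98101: bytes 1843 from <www@example.test> qp 20111 uid 48
@400000004c73b1a20a1b2c3e starting delivery 1: msg 98101 to remote a@example.net
@400000004c73b1a30a1b2c3d info msg 98102: bytes 1790 from <www@example.test> qp 20115 uid 48
@400000004c73b1a40a1b2c3d info msg 98103: bytes 1812 from <www@example.test> qp 20119 uid 48
@400000004c73b1a50a1b2c3d info msg 98104: bytes 5120 from <james@example.test> qp 20140 uid 453
@400000004c73b1a60a1b2c3d end msg 98101
EOF
}

# Reads qmail-send log lines on stdin and prints "count uid sender",
# busiest injector first. Matches on the text of the line rather than a
# field position, so it works on raw and on timestamp-converted logs.
tally_injectors() {
    awk '
        / info msg [0-9]+: bytes / {
            sender = ""; uid = ""
            for (i = 1; i < NF; i++) {
                if ($i == "from") sender = $(i + 1)
                if ($i == "uid")  uid = $(i + 1)
            }
            if (uid != "") count[uid " " sender]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2n -k3,3
}

# Demo run on the constructed sample.
sample_log | tally_injectors
```

On a live system, feed the function the files under /var/log/qmail instead of the sample, then map each busy uid to an account with `getent passwd <uid>`.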