Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: cipandales on March 31, 2011, 07:45:20 PM

Title: Qmail queue full of spam and stopped
Post by: cipandales on March 31, 2011, 07:45:20 PM
Hello !

My server suddenly stopped receiving and sending mail.
I installed qmHandle and I saw that in the mail queue there are thousands of spam mails.
I deleted all with qmHandle -D command.
After a while (a few hours), it happened again.
Meanwhile, I checked all of my PCs on the internal network for viruses and they are all clean (I think).

I use this server as a gateway, with one external IP (which points to my domain) and 15 PCs.
I asked my ISP to monitor my IP and he told me that there is no suspicious activity on it (no flood, no big traffic).

I don't know how much more I can do. Is there any chance to see which ip from internal network sends this spam (if this is the problem, of course) ?

Please help me !
It is urgent....

Thank you !
Title: Re: Qmail queue full of spam and stopped
Post by: CharlieBrady on March 31, 2011, 08:09:51 PM
Quote
I deleted all with qmHandle -D command.

When you did that, you lost a lot of information which would have told you where your problem was coming from.

Study your qpsmtpd log files - you might be able to tell from there what IP address or addresses was used to inject the spam. You should also study your httpd access logs - there may have been malicious use of your system's webmail. You may need to lock some accounts, and have the users change passwords, if that has been the case.

Until you identify and fix the source of your spam, you should shut down qmail on your system, so that it sends no email. Obviously your users will be unhappy when you do that. They'll be more unhappy if your system gets blacklisted.

sv d /service/qmail
Title: Re: Qmail queue full of spam and stopped
Post by: cipandales on March 31, 2011, 08:53:53 PM
I checked /var/log/qpsmtpd/ and there is an IP that repeats itself a lot of times:

011-03-31 17:42:00.379492500 4769 hosts_allow plugin (pre-connection): Too many connections from 192.168.0.179: 6 > 5Denying connection.

Is it possible for this ip to belong to the computer with problems ?

How can I block the access of this computer (IP) to the server (there are many computers in the network so it takes time to discover which is that computer)?

Thank you !
Title: Re: Qmail queue full of spam and stopped
Post by: CharlieBrady on March 31, 2011, 10:28:40 PM
Quote
Is it possible for this ip to belong to the computer with problems ?

Of course it is possible. It's also likely.

Quote
How can I block the access of this computer (IP) to the server (there are many computers in the network so it takes time to discover which is that computer)?

There's no really simple way to block it. You need to shut down qmail (you've done that already, right?) and then find it and fix it.
Title: Re: Qmail queue full of spam and stopped
Post by: Knuddi on April 01, 2011, 09:24:28 PM
You might have some luck in identifying the spamming client by looking at the /var/lib/dhcp/dhcpd.leases file. Here, if you are lucky, the IP address corresponds to a name you recognize.
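Putting the two tips in this thread together (count the LAN addresses that show up in the qpsmtpd log, then look each one up in dhcpd.leases), here is an added Python example; it is not code from the thread or from SME Server. The log lines, lease entries, hostnames and MACs are constructed, and the qpsmtpd line format is assumed to match the hosts_allow line quoted earlier.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# Constructed sample data (not the thread's real logs): qpsmtpd lines in the quoted format and an ISC dhcpd.leases excerpt.
QPSMTPD_LOG = """\
2011-03-31 17:42:00.379492500 4769 hosts_allow plugin (pre-connection): Too many connections from 192.168.0.179: 6 > 5 Denying connection.
2011-03-31 17:42:09.556677800 4773 hosts_allow plugin (pre-connection): Too many connections from 192.168.0.23: 6 > 5 Denying connection.
2011-03-31 17:42:15.998877600 4775 hosts_allow plugin (pre-connection): Too many connections from 192.168.0.179: 6 > 5 Denying connection.
"""
DHCPD_LEASES = """\
lease 192.168.0.179 {
  hardware ethernet 00:16:3e:aa:bb:02;
  client-hostname "OLD-NAME";
}
lease 192.168.0.179 {
  hardware ethernet 00:16:3e:aa:bb:02;
  client-hostname "ACCOUNTING-PC";
}
"""
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def count_lan_sources(log_text):
    """Per RFC 1918 address, count the qpsmtpd log lines that mention it."""
    hits = Counter()
    for line in log_text.splitlines():
        for ip in set(IPV4_RE.findall(line)):  # at most one hit per line per address
            if all(int(o) < 256 for o in ip.split(".")) and any(ip_address(ip) in n for n in LAN_NETS):
                hits[ip] += 1
    return hits

def parse_leases(leases_text):
    """Map IP -> (hostname, MAC); dhcpd appends, so the last lease for an IP wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(leases_text):
        host = re.search(r'client-hostname\s+"([^"]*)"', body)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+)", body)
        leases[ip] = (host.group(1) if host else "?", mac.group(1) if mac else "?")
    return leases

def rank_suspects(log_text, leases_text, top=3):
    """Busiest LAN senders first, each with the name dhcpd last leased to it."""
    leases = parse_leases(leases_text)
    return [(ip, n) + leases.get(ip, ("not in leases", "?"))
            for ip, n in count_lan_sources(log_text).most_common(top)]

if __name__ == "__main__":
    for ip, n, host, mac in rank_suspects(QPSMTPD_LOG, DHCPD_LEASES):
        print(f"{n:4d}  {ip:15s}  {host}  ({mac})")
```

On a real server, read the log and lease files from /var/log/qpsmtpd/ and /var/lib/dhcp/dhcpd.leases instead of the constructed strings; a statically addressed machine will show up as "not in leases" and has to be matched by MAC or switch port instead.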
Title: Re: Qmail queue full of spam and stopped
Post by: cipandales on April 22, 2011, 08:58:55 PM
Thank you all for your advice.

It was an infected pc from my network that was sending spam emails.
Its IP I found in /var/log/qpsmtpd/.

It was a rootkit or so.