Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: Rudi on July 24, 2014, 01:46:09 PM
-
Hi,
My server runs SME9, all updates installed.
I have allowed only SSMTP.
Now I remember that on older versions qmail did not accept mails from anywhere just because there was a certain domain on the server.
On this new server I have the problem that I host the website of the domain "www.oerv.at" but not the mails.
Still, I have now found 90.000 mails on the server that qmail is trying to deliver, all of them from "beth_hutchinson@oerv.at".
Of course I killed the domain for now, but:
1. The qmHandle mail queue manager is not ported yet, so I do not know how to get rid of the 90.000 mails!?
2. How can I prevent this from happening again!?
best
Rudi
-
qmail isn't responsible for accepting emails from the outside: it's qpsmtpd (the SMTP server; qmail is just the MTA). I do not quite understand your issue, but if you have a doubt, you should open a bug so the issue can be analyzed.
-
Hello Daniel,
what I do not understand is that SMTP accepts mails from users that do not exist on the server?
best
rudi
-
And how can I get rid of these 90.000 mails fast now?
-
what I do not understand is that SMTP accepts mails from users that do not exist on the server?
Accepting mails from the outside from users which don't exist seems perfectly normal, if it's for a user which exists on your server.
-
And how can I get rid of these 90.000 mails fast now?
A quick and (very) dirty way to get rid of all the mails in the qmail queue:
rm -rf /var/qmail/queue
yum reinstall qmail
signal-event post-upgrade
signal-event reboot
But you shouldn't do this before analyzing where those mails are coming from, and why your server accepted them.
-
Rudi
Possibly a virus on an internal workstation, so stop blaming the server without showing us log files that support your conclusions.
Please lodge a bug report so your security concerns can be properly analyzed and appropriate action taken if proven necessary.
This is the second time you have been asked to open a bug report, so please do so.
If there is something wrong with the relatively new SME 9.0, then it needs to be determined ASAP, and proper troubleshooting via Bugzilla is the only way to do this.
At this time it is best you do not delete mails or change settings, as this destroys vital evidence needed for the Bugzilla analysis.
Thank you
-
But in this case the server is allowing relaying!
They are from a non-existing user to 90.000 different recipients!
PS: Thanks for the tip for cleaning up fast and dirty.
But how can I find out why the server is accepting these mails in the first place?
@Janet: I will post a bug report.
I need to get rid of these messages so the server does not continue to send all this spam!
AND: there are no computers or workstations behind this server; it is used as a webserver only.
AND: What logfile do you need?
-
@Janet: I will post a bug report.
I need to get rid of these messages so the server does not continue to send all this spam!
AND: there are no computers or workstations behind this server; it is used as a webserver only.
AND: What logfile do you need?
Just open the bug with a full description of your problem. You'll be guided as to which log files are needed to troubleshoot this. While waiting for this, you should just stop qmail to prevent spam being sent.
-
Hi Daniel,
thanks for the advice, but I cannot stop qmail because there are some 100 users/clients on this machine that are working; they need their mails.
best
rudi
-
Bug is filed: http://bugs.contribs.org/show_bug.cgi?id=8497
-
But in this case the server is allowing relaying!
They are from a non-existing user to 90.000 different recipients!
You should really look into the log files in /var/log/qpsmtpd; there you will be able to see the IP address of the computer(s) trying to send all these emails. You can easily block this IP address - see the section "Block incoming IP address" here: http://wiki.contribs.org/Firewall
-
I bet 50 €c that something went wrong with the web site... just guessing, but...
-
Stephano is a winner!
You are right!
I am trying to find the leak as I write this!
So if anyone has helpful ideas!?
-
You likely have a form to submit emails or a widely used/open source (PHP?) library that has been broken...
-
Hopefully you can find some information by looking through the httpd logfile in /var/log/httpd/access_log. You should be able to locate suspiciously high activity for certain script files.
-
I have implemented TinyMCE on one installation and it seems like this was it:
oerv.at 109.228.28.29 - - [24/Jul/2014:08:58:38 +0200] "POST /control/assistenten/tiny_mce/plugins/searchreplace/js/config.php HTTP/1.1" 200 3963 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
I found some 1000s of lines like this.
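Added example (not from this thread and not SME Server project code): a small Python script that does the access_log review suggested two posts up, counting POST requests per script path and per client IP so a script that is being hammered, like the tiny_mce config.php above, rises to the top of the report. It assumes the vhost-prefixed combined log layout shown in the line above (a plain combined line without the vhost token is handled too); the sample log lines, the client IP addresses and the min_hits threshold are constructed for the example.

```python
import re
import sys
from collections import Counter

# Apache combined log line, optionally prefixed with the virtual host name
# (the layout shown in the post above). Fields: vhost, client IP, ident,
# authuser, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>[^\s\[]+)\s+)?'                   # optional leading vhost token
    r'(?P<ip>\S+)\s+\S+\s+\S+\s+'                      # client IP, ident, authuser
    r'\[(?P<ts>[^\]]+)\]\s+'                           # [timestamp]
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)[^"]*"\s+'    # "METHOD /path HTTP/x.y"
    r'(?P<status>\d{3})\s+(?P<size>\S+)'               # status and response size
)

# Constructed sample lines (IPs from documentation ranges, not real clients).
SAMPLE_LOG = """\
oerv.at 198.51.100.23 - - [24/Jul/2014:08:58:38 +0200] "POST /control/assistenten/tiny_mce/plugins/searchreplace/js/config.php HTTP/1.1" 200 3963 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
oerv.at 198.51.100.23 - - [24/Jul/2014:08:58:39 +0200] "POST /control/assistenten/tiny_mce/plugins/searchreplace/js/config.php HTTP/1.1" 200 3963 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
oerv.at 198.51.100.23 - - [24/Jul/2014:08:58:40 +0200] "POST /control/assistenten/tiny_mce/plugins/searchreplace/js/config.php?x=1 HTTP/1.1" 200 3963 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
oerv.at 203.0.113.7 - - [24/Jul/2014:08:59:01 +0200] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
oerv.at 203.0.113.7 - - [24/Jul/2014:08:59:05 +0200] "POST /kontakt/form.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Jul/2014:09:00:00 +0200] "POST /control/assistenten/tiny_mce/plugins/searchreplace/js/config.php HTTP/1.1" 200 3963 "-" "curl/7.19"
not a log line at all
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def summarize(lines, methods=("POST",)):
    """Count hits per script path, per client IP and per (IP, path) pair,
    considering only the given request methods. POST is the default because
    spam injected through a web form or a writable script is what the thread
    describes; GETs are mostly legitimate browsing noise here."""
    by_path, by_ip, by_pair = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in methods:
            continue
        by_path[rec["path"]] += 1
        by_ip[rec["ip"]] += 1
        by_pair[(rec["ip"], rec["path"])] += 1
    return by_path, by_ip, by_pair


def suspicious_scripts(lines, min_hits=3):
    """Server-side scripts (.php/.cgi/.pl) that received at least min_hits
    POSTs, most-hit first. The threshold is an assumed default; on a real
    access_log it should sit well above the site's normal form traffic."""
    by_path, _, _ = summarize(lines)
    return [(path, n) for path, n in by_path.most_common()
            if n >= min_hits and path.lower().endswith((".php", ".cgi", ".pl"))]


def report(lines):
    """Human-readable summary: hot scripts, then the IPs hitting each of them."""
    by_path, by_ip, by_pair = summarize(lines)
    out = []
    for path, n in suspicious_scripts(lines):
        out.append("%6d POST  %s" % (n, path))
        for (ip, p), m in by_pair.most_common():
            if p == path:
                out.append("        %6d from %s" % (m, ip))
    out.append("top client IPs by POST count: %s" % by_ip.most_common(3))
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python access_log_posts.py /var/log/httpd/access_log
    # Without an argument the constructed sample above is analyzed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print(report(lines))
```

The per-(IP, path) breakdown is the useful part for the follow-up steps in the thread: a single script with hundreds of POSTs from a handful of addresses is the pattern to look for, and those addresses are the ones to block at the firewall while the script itself is removed or updated.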
-
Search with Google, it knows (almost) everything.
-
Well, it seems that TinyMCE had an exploit somewhere...
but they put the lid on it...