Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: stavi on September 18, 2020, 09:41:35 AM
-
Hello colleagues,
My SME email server has been spam blacklisted.
The network has 250 PCs and 330 users (XP, W7, W10, Outlook 2007, 2010, 2016 etc).
How do I find a spammer (spammers)?
Is it also possible that the spam is not coming out of the internal network, but through the domain?
I checked the mail log analyzer. Sender Statistic.
Total 12k lines ...
My sender statistics log file is here:
http://s1.toldacuccot.hu/dl.php?sid=940b04a7c1073a28ddc210d187ca22db&file=senderstatistic.rar
rar pwd: koozali.org
What period is this? one day, one week, or all the time?
I don't see a user who has sent thousands of emails to this. How is this possible?
I need to ask for help to get started.
many thanks
-
Hello,
I believe the Sender Statistics Report is cumulative, unless you've manually deleted mail log files.
You may want to review the logs at /var/log/qmail and /var/log/qpsmtpd to track down the source of your outbound messages. Perhaps the source of the problem is not the SME server, but a compromised client workstation.
I wish you luck for a quick resolution.
-
1st please read my signature.
3. Don't ask for support on Unsupported versions of software
That includes Windows.....
These are unsupported: XP, W7
Using them means it may be harder to find an issue or get a fix. They may well be compromised. Please upgrade immediately and save yourself a lot of issues (I do not use Windows at all - but the principle remains). I should imagine that XP is unlikely to have up to date antivirus etc....
Next, please spend some time reading the wiki thoroughly - there is a lot of information in there on how to look for errors, logs etc etc.
https://wiki.contribs.org/Email_Statistics
https://wiki.contribs.org/Mail_log_file_analysis
https://wiki.contribs.org/Log_Files
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04
https://wiki.contribs.org/Email
Next, has your server been compromised? It could have been hacked and an attacker could use the mail server directly or run something like a list server (I have seen that happen)?
Or has a local user been compromised?
General logs:
/var/log/messages*
Look for logins in:
/var/log/secure
/var/log/sshd/current
Outgoing mail
Look in:
/var/log/sqpsmtpd/*
/var/log/qmail/*
The length of time the logs are kept for varies. See 'KeepLogFiles'
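Added example (not part of the thread and not SME Server code): one way to work through the /var/log/qmail/* files suggested above is to count remote deliveries per envelope sender and per injecting uid. It assumes the stock qmail-send line formats (`info msg`, `starting delivery ... to remote`, `end msg`); the sample lines, addresses and uid values are constructed.

```python
import re
import sys
from collections import Counter

# Assumed stock qmail-send line formats; multilog prefixes each with @<TAI64N>.
INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
DELIVERY = re.compile(r"starting delivery \d+: msg (\d+) to remote \S+")
END = re.compile(r"end msg (\d+)")

# Constructed sample lines (not from the poster's server).
SAMPLE = """\
@400000005f64a1b20a1b2c3d info msg 1001: bytes 2048 from <alice@example.test> qp 4101 uid 453
@400000005f64a1b20a1b2c5d starting delivery 1: msg 1001 to remote customer@example.org
@400000005f64a1b30a1b2c4d end msg 1001
@400000005f64a1b40a1b2c3d info msg 1002: bytes 900 from <bob@example.test> qp 4110 uid 453
@400000005f64a1b40a1b2c4d starting delivery 2: msg 1002 to remote a@example.net
@400000005f64a1b40a1b2c5d starting delivery 3: msg 1002 to remote b@example.net
@400000005f64a1b40a1b2c6d starting delivery 4: msg 1002 to remote c@example.net
@400000005f64a1b50a1b2c3d end msg 1002
@400000005f64a1b60a1b2c3d info msg 1001: bytes 700 from <www@example.test> qp 4120 uid 48
@400000005f64a1b60a1b2c4d starting delivery 5: msg 1001 to remote d@example.net
@400000005f64a1b60a1b2c5d starting delivery 6: msg 1001 to local carol@example.test
"""


def remote_deliveries_by_sender(lines):
    """Return Counter mapping (envelope sender, uid) -> remote recipients."""
    msgs = {}  # queue id -> (sender, uid); qmail reuses ids after "end msg"
    counts = Counter()
    for line in lines:
        m = INFO.search(line)
        if m:
            msgs[m.group(1)] = (m.group(2) or "<>", m.group(3))
        elif DELIVERY.search(line):
            msg_id = DELIVERY.search(line).group(1)
            # "info msg" may have rotated out of the log; still count it.
            counts[msgs.get(msg_id, ("unknown", "?"))] += 1
        elif END.search(line):
            msgs.pop(END.search(line).group(1), None)
    return counts


if __name__ == "__main__":
    # Pass log files as arguments, or run with none to use the sample above.
    lines = (l for p in sys.argv[1:] for l in open(p, errors="replace")) \
        if len(sys.argv) > 1 else SAMPLE.splitlines()
    for (sender, uid), n in remote_deliveries_by_sender(lines).most_common(20):
        print(f"{n:6d}  uid={uid:<6} {sender}")
```

The uid column is the Unix uid of the process that queued the message, so mail injected by a script or web application on the server itself shows up under a different uid than mail accepted over SMTP from workstations.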