I found a whole bunch of this in my maillog (after my site went down from excessive resource usage):
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: [email protected]
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: [email protected]
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: hook_dir = '/var/qmail//handlers/before-queue'
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: recipient[3] = '[email protected]'
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: handlers dir = '/var/qmail//handlers/before-queue/recipient/[email protected]'
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: starter: submitter[24525] exited normally
Which looks like someone is using my system to send spam. What do you folks think, and how would you go about tracking down their entry point and/or blocking them?
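To get a feel for what the log is recording (how many messages per minute, how many recipients each one carries, and which of them leave the server's own domain), here is a small tally over lines in the qmail-queue-handlers format shown above. This is an added example, not code from the thread: the sample lines, addresses and the domain `mysite.example` are constructed, and it assumes one handler PID corresponds to one queued message, closed by the "submitter[...] exited normally" line.

```python
"""Tally qmail-queue-handlers log lines: messages per minute, recipients per message,
and which messages are bound for domains other than the server's own."""
import re
from collections import Counter, defaultdict

LOCAL_DOMAIN = "mysite.example"  # assumed placeholder for the site's own domain

# Constructed sample in the format shown in the post; all addresses are invented.
SAMPLE_LOG = """\
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: hook_dir = '/var/qmail//handlers/before-queue'
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: recipient[0] = 'a1@victim-a.example'
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: recipient[1] = 'a2@victim-b.example'
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: recipient[2] = 'a3@victim-c.example'
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: recipient[3] = 'a4@victim-d.example'
Dec 3 05:24:23 mysite qmail-queue-handlers[24524]: starter: submitter[24525] exited normally
Dec 3 05:24:24 mysite qmail-queue-handlers[24530]: hook_dir = '/var/qmail//handlers/before-queue'
Dec 3 05:24:24 mysite qmail-queue-handlers[24530]: recipient[0] = 'b1@victim-e.example'
Dec 3 05:24:24 mysite qmail-queue-handlers[24530]: recipient[1] = 'b2@victim-f.example'
Dec 3 05:24:24 mysite qmail-queue-handlers[24530]: starter: submitter[24531] exited normally
Dec 3 09:10:02 mysite qmail-queue-handlers[31002]: hook_dir = '/var/qmail//handlers/before-queue'
Dec 3 09:10:02 mysite qmail-queue-handlers[31002]: recipient[0] = 'webmaster@mysite.example'
Dec 3 09:10:02 mysite qmail-queue-handlers[31002]: starter: submitter[31003] exited normally
"""

# syslog-style prefix; " +" also tolerates the double space syslog puts before a one-digit day
LINE_RE = re.compile(r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<hhmm>\d\d:\d\d):\d\d \S+ "
                     r"qmail-queue-handlers\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RCPT_RE = re.compile(r"^recipient\[\d+\] = '(?P<addr>[^']*)'$")
DONE_RE = re.compile(r"^starter: submitter\[\d+\] exited normally$")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def summarize(log_text, local_domain=LOCAL_DOMAIN):
    """Group lines by handler PID (assumed: one queued message per PID), then report
    messages per minute, recipients per message, and which messages leave the domain."""
    recipients = defaultdict(list)  # pid -> recipient addresses seen for that message
    completed = {}                  # pid -> "Mon D HH:MM" when its submitter finished
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        r = RCPT_RE.match(msg)
        if r:
            recipients[pid].append(r["addr"])
        elif DONE_RE.match(msg):
            completed[pid] = f"{m['month']} {m['day']} {m['hhmm']}"
    outbound = sorted(pid for pid, addrs in recipients.items()
                      if any(domain_of(a) != local_domain for a in addrs))
    return {
        "messages_per_minute": Counter(completed.values()),
        "recipients": dict(recipients),
        "outbound_pids": outbound,
        "recipient_domains": Counter(domain_of(a) for addrs in recipients.values() for a in addrs),
    }


def busiest_minutes(summary, threshold):
    """Minutes in which more than `threshold` messages were queued."""
    return sorted(m for m, n in summary["messages_per_minute"].items() if n > threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("messages per minute:", dict(s["messages_per_minute"]))
    print("messages leaving the domain:", s["outbound_pids"])
    print("recipient domains:", s["recipient_domains"].most_common(5))
```

On a real maillog the interesting numbers are the per-minute count during the outage and the recipient domains; a burst of many-recipient messages to unrelated domains is the spam run, and the PIDs give you the timestamps to line up against the web server's access log.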
Perhaps your email software is configured to allow relaying - it is an open relay?
http://www.palomine.net/qmail/relaying.html
Relaying
Relaying allows any person anywhere on the Internet to send email with any "from" email address to your server and have your server deliver it to any number of recipients anywhere on the Internet with any "to" address.
You should really restrict this to reject all mail other than two distinct patterns:
mail from the outside, with a "to" address that includes your domain name and where the part before the at symbol matches a defined person within your organisation. In the case of a web server this might be no one if the web server has no need to accept incoming email. Often an organisation will have separate email servers to handle email for its members.
mail from authenticated users with a "from" address that includes your domain name. In this case the "to" address can be anything. The senders are normally sending from IP addresses within your local network, but it can be useful to allow trusted people to use your email server; in that case they must be authenticated before allowing email transmission.
If you do this, you won't be propagating spam for spammers (and risk getting blacklisted), but it will have no effect on your legitimate activities.
Testing
Before and after changing the configuration of your email server, test it. Use an unrelated Internet access point (3G, Internet cafe, home) to try to send email through your mail server, try various combinations of to and from addresses e.g.
But most web servers don't need to send mail outside the server, other than maybe to webmasters/administrators. So they can be locked down tighter.
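The relay test the answer describes, as an added example that is not part of the original answer: it tries the "from"/"to" combinations that the two allowed patterns should accept or refuse and reports any that the server accepts but should not. The domain names `mydomain.example` and `elsewhere.example` are placeholders, and the tiny fake SMTP responder at the bottom exists only so the probe can be run offline; point `run_probes` at your real host and port (from an unrelated network, as the answer says) to test the actual server. The probe stops at RCPT TO and never sends DATA, so no message is queued.

```python
"""Open-relay probe for an SMTP server, with a minimal fake server so it runs offline."""
import smtplib
import socketserver
import threading

LOCAL_DOMAIN = "mydomain.example"  # assumed: the domain the server should accept mail for

# Probe matrix derived from the answer's two allowed patterns (placeholder addresses).
PROBES = [
    ("outsider@external.example", "someone@elsewhere.example"),  # outside -> outside
    ("outsider@external.example", "postmaster@" + LOCAL_DOMAIN),  # outside -> local user
    ("user@" + LOCAL_DOMAIN, "someone@elsewhere.example"),        # unauthenticated "local" sender -> outside
]


def is_local(addr):
    return addr.rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN


def should_accept(mail_from, rcpt_to, authenticated=False):
    """Policy from the answer: accept mail for local recipients, or from
    authenticated local senders to anywhere; refuse everything else."""
    return is_local(rcpt_to) or (authenticated and is_local(mail_from))


def probe(host, port, mail_from, rcpt_to, timeout=10):
    """Return the server's reply code to RCPT TO (or to MAIL FROM if that already failed)."""
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return code
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()  # abandon the transaction; nothing is ever queued
        return code


def run_probes(host, port):
    """Return (mail_from, rcpt_to, reply_code, relays) for every probe;
    relays is True when the server accepted something the policy says to refuse."""
    results = []
    for mail_from, rcpt_to in PROBES:
        code = probe(host, port, mail_from, rcpt_to)
        accepted = 200 <= code < 300
        results.append((mail_from, rcpt_to, code, accepted and not should_accept(mail_from, rcpt_to)))
    return results


class FakeSMTP(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: open_relay=True accepts any RCPT, otherwise only local ones."""
    open_relay = True

    def reply(self, text):
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self):
        self.reply("220 fake ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            cmd = line.decode(errors="replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO", "MAIL", "RSET"):
                self.reply("250 ok")
            elif verb == "RCPT":
                rcpt = cmd.split(":", 1)[1].strip().strip("<>")
                if self.open_relay or is_local(rcpt):
                    self.reply("250 ok")
                else:  # the refusal text qmail-smtpd uses for a non-local recipient
                    self.reply("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)")
            elif verb == "QUIT":
                self.reply("221 bye")
                break
            else:
                self.reply("502 unimplemented")


def start_fake_server(open_relay):
    """Start the fake responder on a loopback ephemeral port; returns (server, port)."""
    handler = type("Handler", (FakeSMTP,), {"open_relay": open_relay})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_server(open_relay=True)
    for mail_from, rcpt_to, code, relays in run_probes("127.0.0.1", port):
        print(f"{mail_from} -> {rcpt_to}: {code} {'RELAYS' if relays else 'ok'}")
    server.shutdown()
    server.server_close()
```

Against a correctly configured server the first and third probes should come back with a 5xx refusal and only the second with 250; any 250 in the `relays` column means the "from" address alone is being trusted, which is exactly what a spammer exploits.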
Just like RedGrittyBrick's response, it sounds like an open relay, but I don't know.
One thing you can do is try a public relay test service like this one: http://www.abuse.net/relay.html
They will automatically run all sorts of mail sending tests and tell you the results in real time. If your SMTP server accepted the mail for delivery then you should look at the config.
Another theory is that some hacker installed a backdoor or is using an exploit for whatever software you have installed to send mail using a script. Since the script is on the server, they would be able to bypass relay limitations because the mail is coming from the server and not from the Internet. What you could try is kill the web server service and see if it is still sending mail; that way you would know if it is really a script backdoor or something else more malicious.