I noticed an extremely long outbound queue in my mail server today (20,000), so I had a look at some of the messages... one was from "[SMTP:headdresses@tamworthflorist.com]". This is not a client of mine, so how are they sending an outbound message from my server?!?! There were many more messages like this. The body of the messages usually just contained a bit of text and a link to a website. Any help would be appreciated! Thanks
There are two immediate options: either you are running an open relay, or they have found a way to control your server.

If you are running an open relay, `netstat -an | grep 25` will show lots of connections on port 25. It's possible that there might be just one connection sending all the mail, so if the number of people who are allowed to send mail through your system is small, make sure that all the IP addresses shown are for legitimate users. Alternatively, check the documentation for your mail server and verify in your config that your server is not an open relay.

Unfortunately, the number of ways to control someone's server enough to send out email is fairly large. A remote file inclusion vulnerability in a PHP script would be enough. Even a local file inclusion vulnerability combined with an arbitrary file upload could do it.

The next step would be to try and figure out which application is telling your mail server to send the email. If you're on Linux, you should have a program called `pstree` which will show you a list of all the programs running on your system in a tree formation, with parents linked to children. This should allow you to see which program is the parent of the sendmail process that is injecting all this mail. The parent might be a custom shell script, a PHP script or a compiled C program; you won't know what it is until you see it. From there, you can trace it back to its origin and that should tell you how the mail is being sent. Once you know how it's being sent, you can shut it down.
Thanks for the info. I am running Windows Server 2003 and MailEnable for my mail server software. The command you provided didn't work for me (I tried just typing "netstat - " in a CMD prompt and got some info, but I'm not sure how to read it).
Sorry... I don't know enough about Windows to help you there. Google might have a Linux -> Windows command equivalent table but I don't know of one.
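The check in the reply above (look at who is connected to port 25 and whether every address belongs to a known client) works the same way on Windows; only the column layout of `netstat -an` differs. The following is an added example, not code from anyone in this thread: it parses both the Windows and the Linux output format, counts established sessions into port 25 per remote IP (the hosts submitting mail, which is where an abused relay shows up), counts sessions the server itself has opened to port 25 elsewhere (the queue being delivered), and flags submitting IPs that are not on an allowlist. The two `netstat` samples and the allowlist `KNOWN_CLIENTS` are constructed for illustration, using documentation IP ranges.

```python
"""Tally SMTP connections from `netstat -an` output (Windows or Linux layout).

Added example, not from the thread. The two address columns are the only
tokens that carry a port separator, so the parser locates them instead of
relying on fixed column positions, which differ between the two platforms.
"""
from collections import Counter

SMTP_PORT = "25"

# Constructed sample of Windows `netstat -an` output (not real data).
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:51234     ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:51240     ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:51251     ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.44:4021      ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.44:4022      TIME_WAIT
  TCP    192.0.2.10:3389        203.0.113.9:1543       ESTABLISHED
  TCP    192.0.2.10:2081        203.0.113.80:25        ESTABLISHED
  TCP    192.0.2.10:2082        203.0.113.81:25        SYN_SENT
  UDP    0.0.0.0:123            *:*
"""

# Constructed sample of Linux `netstat -an` output (not real data).
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:40011      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40012      ESTABLISHED
tcp6       0      0 :::25                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

WILDCARD_HOSTS = {"0.0.0.0", "::", "*", "[::]", ""}


def parse_netstat(text):
    """Return (proto, local_host, local_port, foreign_host, foreign_port, state)
    tuples for every connection line, skipping banners and column headers."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith(("tcp", "udp")):
            continue
        addrs = [t for t in tokens if ":" in t]
        if len(addrs) < 2:
            continue
        local, foreign = addrs[0], addrs[1]
        lhost, _, lport = local.rpartition(":")   # rpartition copes with IPv6
        fhost, _, fport = foreign.rpartition(":")
        # UDP lines have no state column, so the last token is the peer itself.
        state = tokens[-1] if tokens[-1] != foreign else ""
        rows.append((tokens[0].lower(), lhost, lport, fhost, fport, state))
    return rows


def inbound_smtp_clients(text):
    """Count established TCP sessions *to* our port 25, keyed by remote IP.
    These are the hosts handing mail to the server; on an open relay the
    spammer's addresses show up here."""
    counts = Counter()
    for proto, _lhost, lport, fhost, fport, state in parse_netstat(text):
        if not proto.startswith("tcp") or lport != SMTP_PORT:
            continue
        if fhost in WILDCARD_HOSTS or fport in {"0", "*"}:
            continue                      # listening socket, not a peer
        if state != "ESTABLISHED":
            continue
        counts[fhost] += 1
    return counts


def outbound_smtp_targets(text):
    """Count sessions the server itself has opened to port 25 elsewhere,
    i.e. the queue being delivered. Many of these with few or no inbound
    clients points at a local process injecting mail rather than a relay."""
    counts = Counter()
    for proto, _lhost, lport, fhost, fport, _state in parse_netstat(text):
        if proto.startswith("tcp") and fport == SMTP_PORT and lport != SMTP_PORT:
            counts[fhost] += 1
    return counts


def unexpected_senders(counts, allowed):
    """Remote IPs submitting mail that are not in the set of known clients."""
    return {ip: n for ip, n in counts.items() if ip not in allowed}


if __name__ == "__main__":
    KNOWN_CLIENTS = {"203.0.113.44"}      # hypothetical allowlist of legitimate clients
    for name, sample in (("windows", SAMPLE_WINDOWS), ("linux", SAMPLE_LINUX)):
        inbound = inbound_smtp_clients(sample)
        print(name, "inbound:", dict(inbound))
        print(name, "outbound:", dict(outbound_smtp_targets(sample)))
        print(name, "unexpected:", unexpected_senders(inbound, KNOWN_CLIENTS))
```

On a real box, feed it the saved output of `netstat -an` (the same command works in a Windows CMD prompt) instead of the embedded samples. If the unexpected list is long, the relay is being abused; if it is empty but the outbound list is huge, something local is generating the mail, which is the second case in the reply above.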
If you are using MailEnable, check the options here: open ME Administrator, go to Servers -> Localhost -> Connectors, right-click SMTP -> Properties -> Relay tab. What is the current setting for relay?
Enable Mail Relay is checked... and then the two boxes below are also checked. "Allow relay for local sender address" is not checked and neither is "POP before SMTP authentication"
A bit confused. You mentioned both, so are they checked or not? Anyway, you might want to enable "POP before SMTP authentication" and disable "Allow relay for local sender address".
"Allow relay for local sender address" is already disabled. I can try enabling POP before SMTP, but what does this do? Will any of my clients have to adjust their e-mail settings in Outlook etc. if I do this? Thanks
"POP before SMTP" requires an extra step to make sure that the account is on your server. And yes, your clients will need to update their email client settings if they have not done so before.
With his access to the mail administration program, I believe he has the highest login level and is not on a shared hosting environment.
Do you have a contact form on your website? If you do, spammers will often hijack your form: by sending the right headers, they can send out emails to people using your mail server.
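The "right headers" in the post above are usually a CR/LF inside a form field that is copied into the message header block, so that the rest of the field becomes a new `Bcc:` or `To:` header. The following is an added example, not code from this thread or from any particular contact-form product: a naive form handler next to a hardened one, and a helper that shows which recipients the mail server would actually deliver to. The form field names, the addresses, and the `SITE_OWNER` constant are assumptions made up for illustration.

```python
"""Contact-form header injection: vulnerable builder beside a hardened one.

Added example, not from the thread. SITE_OWNER, the fixed From address and
the form field names are assumptions for illustration.
"""
import email
import email.utils
import re
from email.message import EmailMessage

SITE_OWNER = "sales@example.net"          # assumed fixed recipient of the form

_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed inputs (not real traffic): a normal submission, and one where the
# "email" field carries CR/LF followed by a Bcc header.
CLEAN_FORM = {
    "email": "visitor@example.org",
    "subject": "Question about delivery",
    "message": "Do you deliver on Sundays?",
}
INJECTED_FORM = {
    "email": "attacker@example.org\r\nBcc: victim1@example.com, victim2@example.com",
    "subject": "Hello",
    "message": "Cheap flowers: http://spam.example.org/",
}


def build_message_vulnerable(form):
    """The naive handler: form fields are pasted straight into the header
    block, so a CR/LF in any field ends that header and starts a new one."""
    headers = (
        f"From: {form['email']}\r\n"
        f"To: {SITE_OWNER}\r\n"
        f"Subject: {form['subject']}\r\n"
    )
    return headers + "\r\n" + form["message"]


def build_message_hardened(form):
    """Reject line breaks in anything header-bound, validate the address,
    keep From fixed (the visitor goes in Reply-To), and let EmailMessage do
    the header encoding instead of string concatenation."""
    for field in ("email", "subject"):
        if "\r" in form[field] or "\n" in form[field]:
            raise ValueError(f"line break in header field {field!r}")
    if not _EMAIL_RE.fullmatch(form["email"]):
        raise ValueError("sender address is not a plain mailbox")
    msg = EmailMessage()
    msg["From"] = "webform@example.net"     # assumed fixed site address
    msg["Reply-To"] = form["email"]
    msg["To"] = SITE_OWNER
    msg["Subject"] = form["subject"][:200]
    msg.set_content(form["message"])
    return msg.as_string()


def recipients(raw):
    """Addresses the MTA would actually deliver to, as parsed from the
    assembled message: To, Cc and Bcc, including any injected ones."""
    msg = email.message_from_string(raw)
    found = []
    for header in ("To", "Cc", "Bcc"):
        found += [addr for _, addr in email.utils.getaddresses(msg.get_all(header, []))]
    return found


def is_rejected(form):
    """True when the hardened builder refuses the submission."""
    try:
        build_message_hardened(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", recipients(build_message_vulnerable(INJECTED_FORM)))
    print("hardened, clean:", recipients(build_message_hardened(CLEAN_FORM)))
    print("hardened rejects injection:", is_rejected(INJECTED_FORM))
```

Keeping `From:` fixed to a site address also matters for the relay settings discussed earlier in the thread: a form that puts the visitor's address in `From:` lets a spammer supply a local address there, and a "relay for local sender address" rule would then wave the message through.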
Hello, once you have fixed your mail server configuration, you can check its reliability here: http://www.test-smtp.com/ Hope this helps. Regards