Email Spammer, how to detect and block ?

Discussion in 'Site & Server Administration' started by vstore, Aug 15, 2005.

  1. #1
    Hi,

    A spammer is using my qmail based server to send out tens of thousands of phishing emails. The only solution I found so far is to detect the queue growing and flush the email queue.

    Any way to detect who this is and find out how they are doing it? I don't allow any shell access to my server or allow any of my clients to execute any scripts, so I am not sure how they are doing this.

    Thanks,

    Sherif
     
    vstore, Aug 15, 2005 IP
  2. J.D.
    #2
    If you are saying that somebody is sending spam from your mail server, then you need to configure your server not to relay mail, except a) from a specific range of IP addresses and/or b) from authenticated users. Don't waste your time on tricks like watching the queue grow - do it right.

    J.D.
     
    J.D., Aug 15, 2005 IP
  3. vectorgraphx
    #3
    Agreed. Flushing the queue = BAD idea. That would be like your mail carrier just shoving all of your mail in the trash rather than driving down your street... you'd be pissed off. You could get sued, lose clients, etc... Avoid this if at all possible (and it's always possible). NEVER EVER EVER delete emails.

    Disable mail relaying and that should stop it. You should be able to override mail relay blocking on a per-account basis - this is the best way to do it, and be VERY careful how you use per-account relay overrides.

    On the same note, if you're allowing relays, it's just a matter of time before you get blacklisted with the major open relay databases out there, and if you end up blacklisted, your growing mail queue will be the least of your worries.

    VG

    p.s. Also, check your SMTP logs very carefully. You may find that your abuse is occurring from one IP address, or even 2 or 3 at most, and blocking these IP addresses at the firewall will eliminate the undue stress on your machine and protect you from being DoS'ed. Still, you should couple this with closing your relays... never rely on just one approach.
     
    vectorgraphx, Aug 15, 2005 IP
  4. J.D.
    #4
    Here's a page that you can use to test if your mail server is vulnerable to unauthorized mail relay:

    http://www.abuse.net/relay.html

    Unfortunately, many admins have no idea how to deal with this and spammers happily use their servers and get away with it too.

    J.D.
     
    J.D., Aug 15, 2005 IP
  5. vstore
    #5
    Hi,

    I checked for an open relay and on was found. Guys, I am pretty sure that this is some sort of script hacking using the internal qmail send process to send mail, and not through an open relay. Does anyone know qmail well enough to know how I can get more information in case it happens again?

    Thanks,

    Sherif
     
    vstore, Aug 19, 2005 IP
  6. J.D.
    #6
    Is this "one" or "none"? I'm assuming none. When you are saying that "a spammer is using my qmail based server to send out tens of thousands of phishing emails", do you mean that your server physically sends out spam mail (i.e. it's being sent from your IP address), or just that a ton of spam mail was sent out from some other IP address with your domain name in it?

    If it's the first case, either your server is configured as an open relay or there's a bug in the mail server that allows the hackers to bypass open relay restrictions. Check your mail server logs. If there's not much in there, ask your sysadmin to bump up the amount of info they log. You basically need the full SMTP log, minus the message itself, in order to troubleshoot this.

    J.D.
     
    J.D., Aug 19, 2005 IP
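An added example, not from any poster in this thread: qmail-send logs one "info msg" line per message it accepts, and that line carries the uid of the local process that injected it, so locally injected floods (the script-hacking case Sherif suspects) show up as one uid with an outsized count, while SMTP-received mail shows up under qmail-smtpd's uid. The script below parses such lines and totals messages per uid and per envelope sender; the log lines, uids and sender addresses are constructed samples, and the threshold is a hypothetical tuning value.

```python
import re
from collections import Counter

# qmail-send "info msg" line, optionally prefixed by a multilog TAI64N timestamp:
#   @<24 hex> info msg <num>: bytes <n> from <env-sender> qp <pid> uid <uid>
INFO_MSG = re.compile(
    r"^(?:@[0-9a-f]{24}\s+)?info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)$"
)

# Constructed sample log (not real traffic). uid 1001 stands for a hypothetical
# web-application account; uid 7 stands for the uid qmail-smtpd runs as.
SAMPLE_LOG = """\
@4000000042ff1a2b1c2d3e4f info msg 1201: bytes 1431 from <sales@example.com> qp 5120 uid 1003
@4000000042ff1a2c0a1b2c3d info msg 1202: bytes 9021 from <account-update@bank.example> qp 5131 uid 1001
@4000000042ff1a2c0b1b2c3d info msg 1203: bytes 9021 from <account-update@bank.example> qp 5132 uid 1001
@4000000042ff1a2c0c1b2c3d info msg 1204: bytes 9021 from <account-update@bank.example> qp 5133 uid 1001
@4000000042ff1a2d1e2f3a4b info msg 1205: bytes 2210 from <alice@example.com> qp 5140 uid 7
@4000000042ff1a2e0d1b2c3d info msg 1206: bytes 9021 from <account-update@bank.example> qp 5150 uid 1001
"""

def parse_info_lines(text):
    """Yield (msgnum, bytes, sender, qp, uid) for every 'info msg' line; skip the rest."""
    for line in text.splitlines():
        m = INFO_MSG.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(5))

def injection_summary(text):
    """Count injected messages per local uid and per envelope sender."""
    by_uid, by_sender = Counter(), Counter()
    for _, _, sender, _, uid in parse_info_lines(text):
        by_uid[uid] += 1
        by_sender[sender] += 1
    return by_uid, by_sender

def suspicious_uids(text, threshold):
    """Return uids that injected more than `threshold` messages, busiest first."""
    by_uid, _ = injection_summary(text)
    return [uid for uid, n in by_uid.most_common() if n > threshold]

if __name__ == "__main__":
    by_uid, by_sender = injection_summary(SAMPLE_LOG)
    for uid, n in by_uid.most_common():
        print(f"uid {uid}: {n} messages injected")   # map uid to a name via /etc/passwd
    for sender, n in by_sender.most_common(3):
        print(f"{n:5d}  {sender}")
    print("over threshold:", suspicious_uids(SAMPLE_LOG, 2))
```

On a real host, feed it the qmail-send log (typically under /var/log/qmail) and resolve the reported uid with getent passwd to see which account, such as the web server's, is doing the injecting.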