Bouncing spam sent 'from localhost' on my server (Qmail)
My server seems to be abused for a rather elaborate way of relaying spam despite being a closed-relay server. The trick is that messages are sent using the victim's address as sender and a random address at a dead domain that has its MX set to 127.0.0.1 (like blackplanet.com). This way my server doesn't block the relay, and bounces the message to the "sender" with the "although I'm listed as best preference etc" error message. I guess the point is that the receiver of the bounce is supposed to be curious enough to read through the entire bounce message and get to the original dating site advertisement. While these are only bounces, it still got me listed on CBL, which is quite a nasty problem because this server hosts mail for several clients who can now no longer reach Hotmail/Live/Gmail.
Now the scary thing is that these mails are all sent by invoking qmail locally on my server: the mails actually originate from 127.0.0.1 (not the bogus domains), so somebody can run the qmail process, which is how the mails end up on my server in the first place.
I have the qmail patch that lists the user who invoked qmail in the headers. This appears to be the qmail user. Also, I had a watcher dump a netstat --program each time "mail from 127.0.0.1" appeared in my maillog. The process connecting FROM 127.0.0.1 TO 127.0.0.1:smtp was listed as "-". I also searched through all the vhost-logs of the site this server hosts, and the global apache log, to check for suspicious requests at the times the spam messages were sent but there were none. (It's a small server). :)
Now this morning I spent over an hour writing this forum post including lots of extra info, seeing the "autosaved" flash up all the time, and then when posting it I got a blank screen and then found that the "autosave" only saved the first line. So I'm going to stick to the most important bit of this post first, and maybe later when I gather enough courage I will add all the details again in case someone wants to help track down this problem. For now I'd really like to know:
1. As a hot fix to get me off the black lists (this really is urgent!): Is there a way to tell qmail to suppress this specific bounce message? (The "although I'm listed as best preference..." error.) It's a useless error anyway, as it will only occur in situations where I screw up or when serious hacking is taking place. No normal user should ever need to see it. If I could prevent this bounce from being sent, it would stop my server from distributing garbage. I'd still need to figure out how or why someone is invoking qmail from my server, but that's slightly less urgent.
2. Is there any way to get more information about how qmail was invoked (by what user, script or process) when the header reports qmail runs as "qmail user" and netstat lists the owning process as "-"?
In case anyone wants to help me hunt down the actual problem, I'll include the details in this thread that I spent so much time on this morning, and then select all+copy before I send. ;) For now I just hope someone can answer at least one of the above 2 questions.
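A defender-side counterpart to the abuse described in the post, added here as an example and not taken from the thread or from qmail itself: instead of accepting mail for a domain whose MX points at 127.0.0.1 and then bouncing it to the forged sender, check the recipient domain's MX targets at RCPT TO time and refuse with a permanent 5xx, so no bounce is ever generated. The domain names, addresses and DNS answers are constructed, and `rcpt_verdict` is a hypothetical hook rather than any qmail API.

```python
import ipaddress

# Addresses an MX may legitimately point at never lie in these ranges: loopback, "this host",
# RFC 1918 / ULA private space and link-local. An MX resolving here means the domain is dead
# or deliberately set up so that a receiving server cannot deliver and has to bounce.
BOGUS_MX_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS answers (domain -> [(preference, mx host, [addresses])]) so the example runs
# offline; a real check would resolve the MX records and then their A/AAAA records.
CONSTRUCTED_MX = {
    "dead-mx.example": [(10, "mail.dead-mx.example", ["127.0.0.1"])],
    "client.example": [(10, "mx1.client.example", ["198.51.100.25"]),
                       (20, "mx2.client.example", ["2001:db8::25"])],
    "half-dead.example": [(10, "mx.half-dead.example", ["0.0.0.0"]),
                          (20, "backup.half-dead.example", ["203.0.113.7"])],
    "no-mx.example": [],
}

def lookup_mx(domain):
    return CONSTRUCTED_MX.get(domain.lower().rstrip("."), [])

def is_bogus_address(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable answer: treat as undeliverable
    return any(addr in net for net in BOGUS_MX_NETWORKS)

def routable_mx(domain, resolver=lookup_mx):
    """MX hosts (sorted by preference) that have at least one routable address."""
    usable = []
    for pref, host, ips in resolver(domain):
        if any(not is_bogus_address(ip) for ip in ips):
            usable.append((pref, host))
    return sorted(usable)

def rcpt_verdict(rcpt, resolver=lookup_mx):
    """Decision for an SMTP RCPT TO: refuse at the envelope stage, where no bounce is
    generated, when no honest relay could deliver to the recipient domain."""
    _local, sep, domain = rcpt.rpartition("@")
    if not sep or not domain:
        return (501, "5.1.3 recipient address needs a domain")
    if not routable_mx(domain, resolver):
        return (550, f"5.1.2 no deliverable MX for {domain}")
    return (250, "2.1.5 ok")
```

Refusing during the SMTP dialogue replaces the backscatter bounce with a rejection the injecting client has to handle itself, which removes the behaviour that got the server listed.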