02-19-2009, #1 - Just Joined! (Join Date: Feb 2009, Posts: 4)
Spam - Sent from my server ?
I noticed the mail queue was full of about 1500 emails with centralbank.org this morning.
I suspect someone cracked one of the email addresses' passwords and then used authenticated SMTP to send spam.
I flushed the queue.
Suggestions?
02-20-2009, #2 - Linux Newbie (Join Date: Apr 2008, Location: India, Posts: 170)
What is the mail server? Sendmail, exim, qmail?

Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
02-20-2009, #3
Make sure relaying is turned off - use force if necessary.
If it's a compromised account, then change all the passwords for something unguessable, and give access back to people as they complain. Anyone who has a weak password is guilty of wasting your time and computer resources, and should pay the penalty (beer and/or pizza is usually enough).
If you only supply outgoing email services to people inside your lan, then you can limit relaying by IP address - which is the best of solutions. If they need email from an external source, then giving them a webmail front end with SSL only access might be a solution.
And if you want more specific help, as davidanand suggests, telling us a little about your mail server and its config would be useful.

Linux user #126863 - see http://linuxcounter.net/
02-20-2009, #4 - Just Joined! (Join Date: Feb 2009, Posts: 4)
I have plesk on Fedora.
It has qmail and horde.
I cracked one of the headers today and it said horde in there. Maybe there is a vulnerability.
I changed all the passwords in that domain for mail accounts. It seems to me they were sending from one specific domain.
I turned off all relaying whatsoever. I had it open for authenticated SMTP.
02-21-2009, #5 - Linux Newbie (Join Date: Apr 2008, Location: India, Posts: 170)
Hi,
What does the header say? Where does the mail originate?
If it has been a CGI script located on your server, remove the script.
Be sure you enable SPF for the domain, and RBL.
Frequently check the IPs that connect to your server:
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
will let you know the IPs and the number of connections they make.

Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
02-23-2009, #6 - Just Joined! (Join Date: Feb 2009, Posts: 4)
The connections at this moment (there has been no spam in the queue for more than 24 hours now) are the following, 2 of which result in Red Hat or Fedora project servers:
1 127.0.0.1
1 128.61.111.10
1 209.132.176.69
3 66.35.62.166
23 0.0.0.0
230
02-23-2009, #7 - Linux Newbie (Join Date: Apr 2008, Location: India, Posts: 170)
Hi,
1 127.0.0.1
1 128.61.111.10
1 209.132.176.69
3 66.35.62.166
23 0.0.0.0
I can see no one is making that many connections to the server; that is why there is no spam in the queue.
Be sure you have closed the relay.

Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
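As an added example, not David's one-liner and not code from this thread: a variant of the netstat count from post #5 that tallies only ESTABLISHED TCP peers, so that LISTEN sockets (foreign address 0.0.0.0:* or :::*) do not show up as connections the way the 0.0.0.0 row does in the output in post #6, and that strips the port without cutting IPv6 addresses apart. The netstat sample below is constructed, and the threshold in flag_busy_peers is an arbitrary default.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -anp` on Linux (not real traffic).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/qmail-smtpd
tcp6       0      0 :::25                   :::*                    LISTEN      1234/qmail-smtpd
tcp        0      0 10.0.0.5:25             198.51.100.7:41022      ESTABLISHED 1234/qmail-smtpd
tcp        0      0 10.0.0.5:25             198.51.100.7:41023      ESTABLISHED 1234/qmail-smtpd
tcp        0      0 10.0.0.5:25             198.51.100.7:41024      ESTABLISHED 1234/qmail-smtpd
tcp        0      0 10.0.0.5:80             203.0.113.9:50210       ESTABLISHED 2345/httpd
tcp        0      0 10.0.0.5:25             203.0.113.9:50211       TIME_WAIT   -
udp        0      0 0.0.0.0:53              0.0.0.0:*                           3456/named'

# Read netstat output on stdin; print "<count> <remote ip>" per established
# TCP peer, lowest count first. LISTEN and TIME_WAIT rows are skipped, so
# 0.0.0.0 never appears as a "peer" (the original one-liner counts it).
count_remote_ips() {
  awk '
    $1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
      peer = $5
      sub(/:[0-9*]+$/, "", peer)   # drop only the trailing port, IPv6-safe
      n[peer]++
    }
    END { for (ip in n) print n[ip], ip }
  ' | sort -n
}

# Print peers holding more than $1 connections (default 10) and return 1 if
# any were found, so it can gate an alert in a cron job.
flag_busy_peers() {
  threshold="${1:-10}"
  count_remote_ips | awk -v t="$threshold" '
    $1 > t { print "busy peer:", $2, "(" $1 " connections)"; found = 1 }
    END { exit found ? 1 : 0 }'
}

# Stand-alone run over the constructed sample (replace with: netstat -anp | count_remote_ips).
printf '%s\n' "$SAMPLE_NETSTAT" | count_remote_ips
```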
02-23-2009, #8 - Banned (Join Date: Dec 2002, Location: Texas, Posts: 242)
Any chance they are simply reject messages that can't route back? If you get a bunch of "user unknown" errors due to an email bomb from a fake/flooded domain, it could just be all the auto reply emails backing up in your queue. Check out the bodies and headers.