  1. #1
    Just Joined!
    Join Date
    Feb 2009
    Posts
    4

    Spam - sent from my server?


    I noticed the mail queue was full of about 1500 emails with centralbank.org this morning.

    I suspect someone cracked one of the email addresses' passwords and then used authenticated SMTP to send spam.

    I flushed the queue.

    Suggestions?

  2. #2
    Linux Newbie
    Join Date
    Apr 2008
    Location
    India
    Posts
    170
    What is the mail server: sendmail, exim, qmail?
    Regards
    David Anand
    -->Success is the list of failures ...!!!

  3. #3
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,864
    Make sure relaying is turned off - use force if necessary.

    If it's a compromised account, then change all the passwords for something unguessable, and give access back to people as they complain. Anyone who has a weak password is guilty of wasting your time and computer resources, and should pay the penalty (beer and/or pizza is usually enough).

    If you only supply outgoing email services to people inside your LAN, then you can limit relaying by IP address - which is the best of solutions. If they need email from an external source, then giving them a webmail front end with SSL-only access might be a solution.

    And if you want more specific help, as davidanand suggests, telling us a little about your mail server and its config would be useful.
    Linux user #126863 - see http://linuxcounter.net/

  4. #4
    Just Joined!
    Join Date
    Feb 2009
    Posts
    4
    I have Plesk on Fedora.

    It has qmail and Horde.

    I cracked one of the headers today and it said Horde in there. Maybe there is a vulnerability.

    I changed all the passwords in that domain for mail accounts. It seems to me they were sending from one specific domain.

    I turned off all relaying whatsoever. I had it open for authenticated SMTP.

  5. #5
    Linux Newbie
    Join Date
    Apr 2008
    Location
    India
    Posts
    170
    Hi,

    What does the header say? Where does the mail originate?
    If it has been a CGI script located on your server, remove the script.

    Be sure you enable SPF for the domain, and RBL.

    Frequently check the IPs connecting to your server:
    netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    will let you know the IPs and the number of connections they make.
    Regards
    David Anand
    -->Success is the list of failures ...!!!

  6. #6
    Just Joined!
    Join Date
    Feb 2009
    Posts
    4
    The connections at this moment (there has been no spam in the queue for more than 24 hours now) are the following, two of which resolve to Red Hat or Fedora Project servers.

    1 127.0.0.1
    1 128.61.111.10
    1 209.132.176.69
    3 66.35.62.166
    23 0.0.0.0
    230

  7. #7
    Linux Newbie
    Join Date
    Apr 2008
    Location
    India
    Posts
    170
    Hi,

    1 127.0.0.1
    1 128.61.111.10
    1 209.132.176.69
    3 66.35.62.166
    23 0.0.0.0

    I can see no one is making that many connections to the server; that is why
    there is no spam in the queue.

    Be sure you have closed the relay.
    Regards
    David Anand
    -->Success is the list of failures ...!!!

  8. #8
    Banned
    Join Date
    Dec 2002
    Location
    Texas
    Posts
    242
    Any chance they are simply rejection messages that can't route back?
    If you get a bunch of "user unknown" errors due to an email bomb
    from a fake/flooded domain, it could just be all the auto-reply emails
    backing up in your queue. Check out the bodies and headers.
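Two of the suggestions in this thread, reading the headers to see where the mail entered and which account authenticated (#5) and checking whether the queue is really bounces (#8), can be applied to the raw queue files with a small triage script. This is an added example, not code from the thread or from Plesk/qmail; the header samples are constructed, and the Horde mailer check and the ESMTPA / "Authenticated sender" patterns are assumptions about how the authenticating hop is recorded.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample headers standing in for raw messages pulled from the queue
# (made up for this example; the thread quotes none of its actual headers).
SAMPLES = [
    # 1: submitted through the Horde webmail front end by a logged-in account
    "Received: from webmail.example.net (localhost [127.0.0.1])\n"
    "\tby mail.example.net with ESMTPA; Mon, 16 Feb 2009 03:12:00 +0000\n"
    "X-Mailer: Horde\nFrom: alice@example.net\nTo: a@centralbank.org\n\nbody",
    # 2: SMTP AUTH submission from an outside address
    "Received: from [203.0.113.7] (unknown [203.0.113.7])\n"
    "\t(Authenticated sender: bob@example.net)\n"
    "\tby mail.example.net with ESMTPA; Mon, 16 Feb 2009 03:13:00 +0000\n"
    "From: bob@example.net\nTo: b@centralbank.org\n\nbody",
    # 3: locally generated bounce (backscatter from a forged-sender flood)
    "Return-Path: <>\nFrom: MAILER-DAEMON@example.net\nTo: c@example.org\n"
    "Auto-Submitted: auto-replied\nSubject: failure notice\n\nuser unknown",
]

# "with ESMTPA"/"ESMTPSA" are the RFC 3848 keywords for an authenticated hop;
# the "(Authenticated sender: ...)" comment form is an assumed MTA variant.
AUTH_RE = re.compile(r"with ESMTPS?A\b|authenticated sender:\s*([^\s)]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def classify(raw):
    """Label one queued message as bounce/authenticated/unauthenticated."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    if (msg.get("Return-Path", "").strip() == "<>"
            or sender.lower().startswith("mailer-daemon")
            or msg.get("Auto-Submitted", "no").lower() != "no"):
        return {"kind": "bounce", "origin": None, "user": None, "webmail": False}
    received = msg.get_all("Received") or []
    auth = AUTH_RE.search(" ".join(received))
    # The last Received header is the earliest hop, i.e. where the mail entered.
    ips = IP_RE.findall(received[-1]) if received else []
    agent = (msg.get("X-Mailer", "") + msg.get("User-Agent", "")).lower()
    return {
        "kind": "authenticated" if auth else "unauthenticated",
        "origin": ips[0] if ips else None,
        "user": (auth.group(1) or sender) if auth else None,
        "webmail": "horde" in agent,
    }

def summarize(raws):
    """Count by (kind, account or entry IP): the biggest bucket is the lead."""
    return Counter((c["kind"], c["user"] or c["origin"]) for c in map(classify, raws))
```

Run `summarize` over the queue contents; one account or one submitting IP dominating the count points at a stolen login or an open submission path, while a pile of bounces points at backscatter rather than a compromise.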
