
I found a whole bunch of this in my maillog (after my site went down from excessive resource usage):

Dec  3 05:24:23 mysite qmail-queue-handlers[24524]: from=anonymous@mysite.com
Dec  3 05:24:23 mysite qmail-queue-handlers[24524]: to=travelforu@mail.ru
Dec  3 05:24:23 mysite qmail-queue-handlers[24524]: hook_dir = '/var/qmail//handlers/before-queue'
Dec  3 05:24:23 mysite qmail-queue-handlers[24524]: recipient[3] = 'travelforu@mail.ru'
Dec  3 05:24:23 mysite qmail-queue-handlers[24524]: handlers dir = '/var/qmail//handlers/before-queue/recipient/travelforu@mail.ru'
Dec  3 05:24:23 mysite qmail-queue-handlers[24524]: starter: submitter[24525] exited normally

Which looks like someone is using my system to send spam. What do you folks think and how would you go about tracking down their entry point and/or blocking them?

Lothar_Grimpsenbacher

2 Answers


Perhaps your email software is configured to allow relaying - it is an open relay?

http://www.palomine.net/qmail/relaying.html

Relaying

Relaying allows any person anywhere on the Internet to send email with any "from" email address to your server and have your server deliver it to any number of recipients anywhere in the internet with any "to" address.

You should really restrict this to reject all mail other than two distinct patterns:

  • mail from the outside, with a "to" address that includes your domain name and where the part before the at symbol matches a defined person within your organisation. In the case of a web-server this might be no-one if the web-server has no need to accept incoming email. Often an organisation will have separate email servers to handle email for its members.

  • mail from authenticated users with a from address that includes your domain name. In this case the to address can be anything. The senders are normally sending from IP-addresses within your local network but it can be useful to allow trusted people to use your email server - in that case they must be authenticated before allowing email transmission.

If you do this, you won't be propagating SPAM for spammers (and risk getting blacklisted) but it will have no effect on your legitimate activities.

Testing

Before and after changing the configuration of your email server, test it. Use an unrelated Internet access point (3G, Internet cafe, home) to try to send email through your mail server, try various combinations of to and from addresses e.g.

 From                  To                  Expect
 genuine@mydomain      other@www.mydomain  allowed
 evil@spam.com         spam@victim.com     rejected
 fakester@mydomain     spam@victim.com     rejected
 genuine@mydomain      pal@example.com     allowed only if authenticated

But most web-servers don't need to send mail outside the server, other than maybe to webmasters/administrators. So they can be locked down tighter.

RedGrittyBrick
  • Indeed it was so I just turned relaying off but could you tell me what effect this might have on the mail addresses used by our domain? Or on mail sent by our website? – Lothar_Grimpsenbacher Dec 04 '10 at 00:47
  • And now I still see more of these messages in the log even with relaying turned off. Ack! – Lothar_Grimpsenbacher Dec 04 '10 at 00:56
  • See edits to answer above – RedGrittyBrick Dec 04 '10 at 10:57
  • If you need more detailed help, please post details of your configuration. – RedGrittyBrick Dec 04 '10 at 11:06
  • OT @RedGrittyBrick: I have found no other way to contact you - any chance to edit [this answer](http://serverfault.com/a/191142/69936) to move MobaXTerm up since it's actually [open source](http://download.mobatek.net/sources/)? PS: would be great to indicate some way to contact you in your profile. – Dan Dascalescu Feb 23 '14 at 00:13
  • @Dan: Looks like [Wikipedia:Comparison of SSH clients](http://en.wikipedia.org/wiki/Comparison_of_SSH_clients) covers this subject pretty well. Since I'm not given an edit option for an answer to a frozen Q here, I'll leave it at that. – RedGrittyBrick Feb 23 '14 at 12:34
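An added example, not code from either answer: it parses the qmail-queue-handlers log format shown in the question, groups the from=/to= lines per queue PID, and checks each envelope against the two permitted patterns RedGrittyBrick lists (inbound to a known local user, or outbound from an authenticated local sender). The domain, user list and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Local domain and known mailbox local-parts (constructed for this example).
MY_DOMAIN = "mysite.com"
KNOWN_USERS = {"genuine", "webmaster"}

# Constructed sample lines in the qmail-queue-handlers format from the question.
SAMPLE_LOG = """\
Dec  3 05:24:23 mysite qmail-queue-handlers[24524]: from=anonymous@mysite.com
Dec  3 05:24:23 mysite qmail-queue-handlers[24524]: to=travelforu@mail.ru
Dec  3 05:24:23 mysite qmail-queue-handlers[24524]: starter: submitter[24525] exited normally
Dec  3 05:25:01 mysite qmail-queue-handlers[24530]: from=webmaster@mysite.com
Dec  3 05:25:01 mysite qmail-queue-handlers[24530]: to=genuine@mysite.com
"""

LINE_RE = re.compile(r"qmail-queue-handlers\[(\d+)\]: (from|to)=(\S+)")

def parse_envelopes(log_text):
    """Group from=/to= lines by queue-handler PID into {'from': addr, 'to': [addrs]}."""
    env = defaultdict(lambda: {"from": None, "to": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # hook_dir, recipient[n], starter lines carry no envelope data
        pid, kind, addr = m.groups()
        if kind == "from":
            env[pid]["from"] = addr
        else:
            env[pid]["to"].append(addr)
    return dict(env)

def relay_allowed(sender, recipient, authenticated=False):
    """Apply the two permitted patterns: inbound mail to a known local user,
    or outbound mail from an authenticated sender in our own domain."""
    s_local, _, s_domain = sender.rpartition("@")
    r_local, _, r_domain = recipient.rpartition("@")
    inbound_to_known_user = r_domain == MY_DOMAIN and r_local in KNOWN_USERS
    outbound_authenticated = authenticated and s_domain == MY_DOMAIN
    return inbound_to_known_user or outbound_authenticated

def suspicious_envelopes(log_text):
    """PIDs whose message fails the policy when treated as unauthenticated local
    submission, i.e. script-submitted mail bound for outside recipients."""
    flagged = []
    for pid, e in parse_envelopes(log_text).items():
        if e["from"] and any(not relay_allowed(e["from"], r) for r in e["to"]):
            flagged.append(pid)
    return sorted(flagged)
```

Locally submitted mail never authenticates, so every flagged PID points at a process on the server (a web script, for instance) that handed mail to qmail-queue, which is the case the second answer describes.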

Just like RedGrittyBrick's response it sounds like an open relay but I don't know.

One thing you can do is try a public relay test service like this one: http://www.abuse.net/relay.html

They will automatically run all sorts of mail sending tests and tell you the results in realtime. If your SMTP server accepted the mail for delivery then you should look at the config.

Another theory is that some hacker installed a backdoor or is using an exploit for whatever software you have installed to send mail using a script. Since the script is on the server, they would be able to bypass relay limitations because the mail is coming from the server and not from the internet. What you could try is to kill the web server service and see if it is still sending mail; that way you would know if it is really a script backdoor or something else more malicious.

Natalie Adams