How to defend my mail server from being used by spammers to send email to Yahoo Mail, Gmail, etc.?

My mail server is now blocked by Gmail. I have already set up blocking for all of that, but it is still being attacked by spammers.

Below is the mail log:

Jun 24 03:29:26 abcd sendmail[13373]: q5NHV7Jm001938: to=<cornchopsunshady@yahoo.com>, ctladdr=<xxx@abcd.com> (525/528), delay=02:58:10, xdelay=00:00:02, mailer=esmtp, pri=3212216, relay=mta7.am0.yahoodns.net. [67.195.168.230], dsn=431, stat=Deferred: 452 Too many recipients

I would really appreciate any advice and assistance.

Edited to add more of the mail log:

Jun 24 03:29:06 abcd sendmail[13371]: q5NKT6s1013371: from='<www-data@crazyhorse.abcd.com>', size=2340, class=0, nrcpts=0,proto=ESMTP, daemon=MTA, relay=myISP.com
jun 24 03:29:06 abcd sendmail[13372]:q5NKT6wz013372: <www-data@abcd.com>.. User unknown
Jun 24 03:29:06 abcd sendmail[13372]:q5NKT6wZ013372: from=<>, size=3324, class=0,nrcpts, proto=ESMTP, daemon=MTA, relay=myISP.com
jun 24 03:29:10 abcd sendmail[13373]: grew WorkList for /var/spool/mqueue to 2000
jun 24 03:29:12 abcd sendmail[13373]: grew Worklist for /var/spool/mqueue to 3000
jun 24 03:29:17 abcd sendmail[13375]:q5NKTFYr013375:<hrdqvqza@abcd.com>... user unknown
jun 24 03:29:18 abcd sendmail[13375]: q5NKTFYr013375: from=<escribikr@docomo.ne.jp>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=00l-4b7f8b4a.static.optonline.net [75.127.139.74]
jun 24 03:29:19 abcd sendmail[13373]: q5NHU5sL001777: to=<cha_010@yahoo.com>,<cha_cha3023@yahoo.com>,<cha_she69@yahoo.com>,<chaaldridge@yahoo.com>,<chaasper@yahoo.com>,ctladdr=<baak@abcd.com> (525/528), delay=02:59:06, xdelay=0 0:00:07, mailer=esmtp, pri=3212216,relay=mta7.am0.yahoodbs.net. [67.195.168.230], dsn=2.0.0, stat=sent (ok dirdel 4/1)

... and so on ...

fike
  • You should have more in your logs than that. Search for `q5NHV7Jm001938` and add all of it to your question. – Ladadadada Jun 28 '12 at 08:19
  • Is sendmail accessible to the outside world, is sendmail configured to relay all mail, or is relaying locked down? – EightBitTony Jun 28 '12 at 08:42
  • Dear Ladadadada & EightBitTony, thank you for your response. I have edited the maillog; maybe this explains more. – fike Jun 28 '12 at 09:48

4 Answers

There are 3 options. I'll list them in order of seriousness.

  • Your server is configured reasonably securely, but you're allowing known authenticated users to relay mail through this server from external addresses, and one or more user accounts have had their passwords compromised. You need to gain control of these accounts in the short term, and review if and how you allow authenticated users to use your service in the longer term.

  • Your server is configured in an insecure manner that allows anonymous email relaying. This is really bad, but trivial to fix.

  • Your server is hacked. This is the worst option. See Lucas' answer.

The answer to which one of these is your problem is contained in your logs.

Rob Moir
    Or #4. You're running a web service which sends smtp mail and the web service is being abused (or, some other hosted service which in turn sends smtp mail). – EightBitTony Jun 28 '12 at 09:47
  • Dear Dj & EightBitTony, I have edited the maillog. If you look at the spam starting with 'from=', is there any correlation with it? – fike Jun 28 '12 at 10:02
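One way to let the logs answer the question, as an added example (not from any answer above): aggregate the sendmail delivery lines by `ctladdr=` (the local sender the MTA attributes the message to) and flag senders with unusual recipient volume or `Deferred` deliveries such as the "452 Too many recipients" above. The sample lines are constructed in the log format shown in the question; addresses and hosts are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines mimicking the question's sendmail log format.
SAMPLE_LOG = """\
Jun 24 03:29:19 abcd sendmail[13373]: q5NHU5sL001777: to=<a@yahoo.com>,<b@yahoo.com>,<c@yahoo.com>, ctladdr=<baak@abcd.com> (525/528), delay=02:59:06, xdelay=00:00:07, mailer=esmtp, pri=3212216, relay=mta7.am0.yahoodns.net. [67.195.168.230], dsn=2.0.0, stat=Sent (ok dirdel 4/1)
Jun 24 03:29:26 abcd sendmail[13373]: q5NHV7Jm001938: to=<d@yahoo.com>, ctladdr=<xxx@abcd.com> (525/528), delay=02:58:10, xdelay=00:00:02, mailer=esmtp, pri=3212216, relay=mta7.am0.yahoodns.net. [67.195.168.230], dsn=431, stat=Deferred: 452 Too many recipients
Jun 24 03:30:01 abcd sendmail[13380]: q5NHW1aa001999: to=<e@gmail.com>,<f@gmail.com>, ctladdr=<baak@abcd.com> (525/528), delay=02:55:00, xdelay=00:00:01, mailer=esmtp, pri=3212216, relay=gmail-smtp-in.l.google.com. [192.0.2.25], dsn=2.0.0, stat=Sent
Jun 24 03:31:00 abcd sendmail[13390]: q5NHX0bb002100: to=<colleague@example.org>, ctladdr=<alice@abcd.com> (1001/1001), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent
"""

# to=<r1>,<r2>,... ctladdr=<sender> (uid/gid) ... stat=<Sent|Deferred|...>
DELIVERY_RE = re.compile(
    r"to=(?P<rcpts>(?:<[^>]+>,?)+).*?ctladdr=<(?P<ctl>[^>]+)> \((?P<uid>\d+)/\d+\).*?stat=(?P<stat>\w+)"
)


def summarize(log_text):
    """Per ctladdr: number of delivery lines, total recipients, deferred deliveries and the uid used."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "deferred": 0, "uids": set()})
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if not m:
            continue  # not a delivery (to=) line
        entry = stats[m.group("ctl")]
        entry["messages"] += 1
        entry["recipients"] += len(re.findall(r"<([^>]+)>", m.group("rcpts")))
        entry["deferred"] += 1 if m.group("stat") == "Deferred" else 0
        entry["uids"].add(m.group("uid"))  # one uid behind many ctladdrs hints at a web app (e.g. www-data)
    return dict(stats)


def suspicious_senders(stats, recipient_threshold=3):
    """Senders that pushed at least recipient_threshold recipients or hit a deferral."""
    return sorted(a for a, s in stats.items() if s["recipients"] >= recipient_threshold or s["deferred"])


if __name__ == "__main__":
    for addr in suspicious_senders(summarize(SAMPLE_LOG)):
        print("check account:", addr)
```

Run it against `/var/log/maillog` with the same regex; the same uid (here 525) behind different `ctladdr` values points at a web application or webmail account rather than a direct SMTP client.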
If your server is being used to send spam, then it probably got hacked or is set up insecurely.

You will need to format the system and reinstall from scratch (if the former is true) AND secure it! So find out how they got in. If you are not able to do this on your own, I suggest getting a professional involved.

Refer to: How do I deal with a compromised server?

Lucas Kauffman
  • Thank you for your response. I am still figuring out whether my server has been hacked or something else. – fike Jun 28 '12 at 09:59
It seems as though the spam that your server is sending is relayed through the web server that you run on the machine. Do you by any chance run a webmail interface like SquirrelMail? If so, it is quite probable that at least one account is compromised and is being used to send spam. In the case of SquirrelMail I would look at all the *.conf files in the data/ directory where it keeps user-specific configuration. I would:

grep -l escribikr@docomo.ne.jp *.pref

and then locate the compromised accounts. For other webmail systems I would do similar searches. I would also study qtool.pl in order to start erasing the spam from the queue.

adamo
  • Thanks adamo, I am using SquirrelMail, and I have checked the user prefs, but nothing was found. – fike Jun 29 '12 at 04:27
  • By mistake I wrote *.conf in the grep command. It should have been *.pref. I corrected this in the answer above. – adamo Jun 29 '12 at 06:46
  • Right, I have checked every user pref, but still nothing found. – fike Jul 02 '12 at 05:06
  • Start checking the contents of the .pref files for unusual content then. – adamo Jul 02 '12 at 07:15
  • Dear Adamo, I just caught spam being sent through my email server: from 41.138.190.198 (SquirrelMail authenticated user myuser) by mail.abc.com with HTTP; Wed, 4 Jul 2012 14:47:39. Then I checked the pref of myuser; the name had changed to: sgtjason88@gmail.com. What I wonder is that when I check my email log there are several connections to myuser; they connected first and then relayed through my email server using myuser's authentication. What kind of spam is attacking my mail server? What should I do? – fike Jul 04 '12 at 10:15
  • "myuser" has a guessable password, and therefore they tried several known ones before succeeding in logging into SquirrelMail and then started spamming. You should try to enforce stronger passwords as a first step and start reading security.stackexchange.com for more ideas and questions. – adamo Jul 04 '12 at 10:54
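The pref audit adamo suggests, generalized into an added example (not adamo's code): scan every `data/<user>.pref` file and flag identity settings (full name, address, extra identities) that contain an address outside the local domain, or that contain an indicator string lifted from the maillog. It assumes the pref files are plain `key=value` lines, which is how SquirrelMail stores them; the two sample pref files are constructed in a temporary directory.

```python
import os
import tempfile

# Assumption: SquirrelMail data/<user>.pref files hold one "key=value" per line.
# Identity keys may carry a numeric suffix for extra identities (email_address1, ...).
IDENTITY_KEYS = ("email_address", "full_name", "reply_to")


def parse_pref(text):
    """Turn key=value lines into a dict (insertion order preserved)."""
    prefs = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            prefs[key.strip()] = value.strip()
    return prefs


def find_tampered_prefs(data_dir, local_domain, indicators=()):
    """Return (user, key, value) for identity values that point outside local_domain
    or contain any indicator string (e.g. an address seen in the maillog)."""
    findings = []
    for name in sorted(os.listdir(data_dir)):
        if not name.endswith(".pref"):
            continue
        with open(os.path.join(data_dir, name), encoding="utf-8", errors="replace") as fh:
            prefs = parse_pref(fh.read())
        user = name[: -len(".pref")]
        for key, value in prefs.items():
            foreign = key.startswith(IDENTITY_KEYS) and "@" in value \
                and not value.lower().endswith("@" + local_domain.lower())
            if foreign or any(ind in value for ind in indicators):
                findings.append((user, key, value))
    return findings


def demo():
    """Constructed data/ directory: one clean user, one with a hijacked identity."""
    data_dir = tempfile.mkdtemp()
    with open(os.path.join(data_dir, "alice.pref"), "w") as fh:
        fh.write("full_name=Alice Example\nemail_address=alice@abcd.com\nleft_size=150\n")
    with open(os.path.join(data_dir, "myuser.pref"), "w") as fh:
        fh.write("full_name=sgtjason88@gmail.com\nemail_address=myuser@abcd.com\n"
                 "email_address1=spamfrom@example.net\n")
    return find_tampered_prefs(data_dir, "abcd.com", indicators=("docomo.ne.jp",))


if __name__ == "__main__":
    for user, key, value in demo():
        print(f"{user}: {key} = {value}")
```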
I found that the problem stemmed from my e-mail server's vulnerabilities. So I moved to Zimbra and activated every feature imaginable. Now I can sleep soundly.

Mike Pennington
fike
    I'm glad you feel on top of things now, but you have to be aware that security is a process, not something you just switch on and forget about. No matter what system you run, you need to make sure it's patched up to date in order to remain secure (and there's more to that than just turning on automatic updates and assuming all is well). Even if you go to a hosted email service, you need to make sure your users' passwords are secure or they can still be exploited to some degree. – Rob Moir Nov 13 '12 at 16:59