A scammer is using my mail server to send his scams, is there any way I can block him?

I'm using Exim4 and Dovecot on a Debian Stable distribution.

Here is the mail delivery I'm receiving:

------ This is a copy of the message, including all the headers. ------

Return-path: <mnml@free.fr>
Received: from [210.83.81.189] (helo=User)
        by server.hotconference.com with esmtpa (Exim 4.69)
        (envelope-from <mnml@free.fr>)
        id 1Mh7A5-0008Lz-Vo; Fri, 28 Aug 2009 15:31:03 -0400
Reply-To: <westernunionmoneytransfer147@gmail.com>
From: "Mr. Frank Bell"<mnml@free.fr>
Subject: Western Union Payment Center®
Date: Fri, 28 Aug 2009 12:30:54 -0700
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY bgcolor=#FFFFFF leftmargin=5 topin=5 rightmargin=5 bottommargin=5>
<FONT size=2 color=#000000 face="Arial">
<DIV>
&nbsp;</DIV>
<DIV>
Attn: Beneficiary,</DIV>
<DIV>
&nbsp;</DIV>
<DIV>
There is an issue with the WESTERN UNION MONEY TRANSFER NIGERIA in the amount of $500.000.00 USD directed in cash credited to file KTU/9023118308/03, at the owner of this email address. The INTERNATIONAL MONETARY FUND contacted us for your compensation a couple of hours ago due to your allocated security code.</DIV>
<DIV>
They said that they choose to send it to an email address instead of a name. We are unable to complete a transfer directed at an email address, so we require some more information in order to complete this transfer.</DIV>
<DIV>
&nbsp;</DIV>
<DIV>
FULL NAME:</DIV>
<DIV>
FULL CONTACT ADDRESS:</DIV>
<DIV>
MOBILE PHONE NUMBER:</DIV>
<DIV>
OCCUPATION:</DIV>
<DIV>
MARITAL STATUS AND AGE:</DIV>
<DIV>
&nbsp;</DIV>
<DIV>
In order to resolve this problem, please email via Western Union Solicitors Fund Verification Department: westernunionmoneytransfer147@gmail.com</DIV>
<DIV>
As soon as this information is received, and you have complied with the requirements of our payment of the western union charges which is $420, payment will be made to your nominated bank account or at the counter directly from The Western Union Transferring Bank.</DIV>
<DIV>
Note: That this is directly from the Management of Western Union Money Transfer NIGERIA Head Office and our Motto is (To Serve You Better).</DIV>
<DIV>
Also note that you would be responsible for any payment that is needed for the transfer of your funds into your nominated bank account or at the counter directly from the Western Union Transferring Bank.</DIV>
<DIV>
THE MANAGEMENT OF WESTERN UNION MONEY TRANSFER, DISPATCHED THIS DAY.</DIV>
<DIV>
&nbsp;</DIV>
<DIV>
Call this number for verification +2348032263275</DIV>
<DIV>
Sincerely,</DIV>
<DIV>
Mr. Frank Bell.</DIV>
</FONT>
</BODY></HTML>

And this:

Return-Path: <>
Delivered-To: online.fr-mnml@free.fr
Received: (qmail 5451 invoked from network); 14 Sep 2009 13:46:51 -0000
Received: from mx24-g26.free.fr (HELO server.hotconference.com) (212.27.42.86)
  by mrelay6-g25.free.fr with SMTP; 14 Sep 2009 13:46:51 -0000
Received: from server.hotconference.com ([12.68.137.174])
    by mx2-g20.free.fr (MXproxy) for mnml@free.fr ;
    Mon, 14 Sep 2009 15:46:51 +0200 (CEST)
X-ProXaD-SC: state=HAM score=10
Received: from mailnull by server.hotconference.com with local (Exim 4.69)
    id 1MnBtK-0001Qr-Le
    for mnml@free.fr; Mon, 14 Sep 2009 09:46:50 -0400
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@server.hotconference.com>
To: mnml@free.fr
Subject: Warning: message 1Mh72E-0007Zk-0r delayed 384 hours
Message-Id: <E1MnBtK-0001Qr-Le@server.hotconference.com>
Date: Mon, 14 Sep 2009 09:46:50 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.hotconference.com
X-AntiAbuse: Original Domain - free.fr
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - 
X-Source: 
X-Source-Args: 
X-Source-Dir: 


This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 384 hours on the queue on server.hotconference.com.

The message identifier is:     1Mh72E-0007Zk-0r
The subject of the message is: Western Union Payment Center®
The date of the message is:    Fri, 28 Aug 2009 12:22:46 -0700

The addresses to which the message has not yet been delivered are:

  abhrussell@alltel.net
  abhi_9489@yahoo.co.in
  abhisekrath67@yahoo.co.in
  abhishek_bhm@yahoo.co.in
  abfm@sbcglobal.net
  abercrombie8guy6@aol.com
  aberlanassoc@aol.com
  abertom@aol.com
  abhunn@aol.com
  abi2win@aol.com
  aberash1111@yahoo.com
  abercrombie_amber14@yahoo.com
  abercrombieguy212@yahoo.com
  abey012000@yahoo.com
  abh1morepitch@yahoo.com
  abhijeet_kute@yahoo.com
  abhilashajune@yahoo.com
  abhimanyujamwal@yahoo.com
  abhisekmitra@yahoo.com
  abhishek_kapoor880@yahoo.com
  abidi_abdo@yahoo.com

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.
mnml
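The thing to read in the first header block above is the `with esmtpa` on the hop that server.hotconference.com itself added: in Exim's Received headers the protocol names ending in "a" (`esmtpa`, `esmtpsa`) mean the client passed SMTP AUTH on that hop, whereas `esmtp` is an ordinary unauthenticated inbound connection and `local` is something Exim generated itself (the bounce in the second block). The following is an added example, not code from the question or from Exim, that parses unfolded Received headers and classifies the hops your own server added; the sample headers are the two quoted on this page, unfolded onto one line, and the host set and the trusted IP `192.0.2.10` are constructed placeholders. Only the topmost header, the one your own server wrote, can be trusted; anything below it can be forged by the sender, so the verdict is restricted to hops whose `by` host is yours.

```python
import re

# Constructed sample input: the Received header from the message quoted in the
# question, unfolded onto one line, plus the "local" hop from the bounce message.
SAMPLE_RECEIVED = [
    "from [210.83.81.189] (helo=User) by server.hotconference.com with esmtpa "
    "(Exim 4.69) (envelope-from <mnml@free.fr>) id 1Mh7A5-0008Lz-Vo; "
    "Fri, 28 Aug 2009 15:31:03 -0400",
    "from mailnull by server.hotconference.com with local (Exim 4.69) "
    "id 1MnBtK-0001Qr-Le for mnml@free.fr; Mon, 14 Sep 2009 09:46:50 -0400",
]

# Exim writes "with <protocol>" into the Received header it adds. Protocol names
# ending in "a" (esmtpa, esmtpsa) mean the client passed SMTP AUTH on this hop.
AUTHENTICATED_PROTOCOLS = {"esmtpa", "esmtpsa"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"                # client name or [ip] as Exim saw it
    r"(?:\s+\(helo=(?P<helo>[^)]*)\))?"    # HELO string, if Exim recorded one
    r".*?\bby\s+(?P<by>\S+)"               # the host that added this header
    r"\s+with\s+(?P<proto>\S+)"            # protocol: esmtp, esmtpa, local, ...
    r".*?\bid\s+(?P<id>[^\s;]+)",          # Exim message id
    re.DOTALL,
)


def parse_received(header):
    """Split one unfolded Received header into its fields, or return None."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    fields = m.groupdict()
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", fields["from"])
    fields["ip"] = ip.group(1) if ip else None
    fields["authenticated"] = fields["proto"].lower() in AUTHENTICATED_PROTOCOLS
    return fields


def classify(header, my_hosts, trusted_ips):
    """Verdict for one hop; only hops added by one of my_hosts are judged."""
    f = parse_received(header)
    if f is None:
        return "unparsed"
    if f["by"] not in my_hosts:
        return "not-our-hop"          # added by someone else, possibly forged
    if f["proto"].lower() == "local":
        return "locally-generated"    # e.g. bounces Exim itself creates
    if f["authenticated"]:
        if f["ip"] in trusted_ips:
            return "authenticated-from-trusted-ip"
        return "authenticated-from-untrusted-ip"   # someone has a valid login
    return "unauthenticated-inbound"  # plain inbound mail addressed to us


def audit(headers, my_hosts, trusted_ips):
    """Map each hop's Exim message id to its verdict."""
    report = {}
    for h in headers:
        f = parse_received(h)
        key = f["id"] if f else h[:40]
        report[key] = classify(h, my_hosts, trusted_ips)
    return report


if __name__ == "__main__":
    # my_hosts and trusted_ips are constructed placeholders for this example.
    for msg_id, verdict in audit(SAMPLE_RECEIVED,
                                 {"server.hotconference.com"},
                                 {"192.0.2.10"}).items():
        print(msg_id, verdict)
```

An `authenticated-from-untrusted-ip` verdict on a hop your own server wrote means a client at that address logged in with one of your accounts, which is a credential problem rather than an open relay; the fix is to change that account's password and check the mail logs for the account name, not to tune relay settings.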

3 Answers

4

Unless 210.83.81.189 belongs to you, I see no evidence here that anybody is using your server to send email.

Update: Ok, based on your edit of 14 September, it is possible that your server is being used to send spam, or it might not be. The only way to tell would be to look at your outgoing mail queue and your mail logs to see if mail is being sent that shouldn't have been.

Paul Tomblin
  • It does not belong to me; my MTA is using SMTP to send the mails to my internet provider. And 210.83.81.189 doesn't even belong to my internet provider. – mnml Sep 09 '09 at 18:17
  • If you have a mail server, it gets email from the outside world. That's sort of the whole reason for running one. So why do you think you've been compromised, other than the fact that your SMTP server received an email? – Paul Tomblin Sep 09 '09 at 19:16
  • Well I understand your point, but I don't understand why they are using me as a return path. – mnml Sep 14 '09 at 14:36
  • Scammers and spammers don't want to clog up their own servers with bounces, so they redirect them elsewhere. – Paul Tomblin Sep 14 '09 at 16:59
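The answer's advice is to look at the outgoing queue and the mail logs. On an Exim 4 box the queue is `exim -bp` and the main log is usually /var/log/exim4/mainlog, where each accepted message is a `<=` line carrying `P=` (protocol) and, for SMTP AUTH submissions, `A=authenticator:account`. The following is an added example, not code from the answer or from Exim, that reads such `<=` lines and reports, per authenticated account, how many messages it submitted, from which addresses, and which of those addresses were not expected for that account. The log lines are constructed for the example (the first one mirrors the header in the question; the account names, the `example.invalid` domains and the expected-IP table are placeholders).

```python
import re
from collections import defaultdict

# Constructed sample Exim 4 mainlog lines (not taken from the question). A "<="
# line records message arrival; H= is the client host and [ip], P= the protocol
# (esmtpa/esmtpsa = authenticated SMTP), A= the authenticator and account name.
SAMPLE_MAINLOG = """\
2009-08-28 15:31:03 1Mh7A5-0008Lz-Vo <= mnml@free.fr H=(User) [210.83.81.189] P=esmtpa A=plain_login:alice S=2771
2009-08-28 15:31:09 1Mh7AB-0008M1-Qx <= mnml@free.fr H=(User) [210.83.81.189] P=esmtpa A=plain_login:alice S=2780
2009-08-28 15:40:12 1Mh7J2-0008N3-Aa <= alice@example.invalid H=(User) [198.51.100.7] P=esmtpa A=plain_login:alice S=2790
2009-08-28 16:02:44 1Mh7eK-0008P0-Zz <= bob@example.invalid H=laptop.example.invalid [192.0.2.10] P=esmtpsa A=plain_login:bob S=1200
2009-08-28 16:10:01 1Mh7lP-0008Q4-Bb <= newsletter@example.net H=mx.example.net [203.0.113.5] P=esmtp S=5400
2009-09-14 09:46:50 1MnBtK-0001Qr-Le <= <> R=1Mh72E-0007Zk-0r U=mailnull P=local S=1600
"""

AUTHENTICATED_PROTOCOLS = {"esmtpa", "esmtpsa"}


def parse_arrival(line):
    """Parse one '<=' mainlog line into a dict, or return None for other lines."""
    m = re.match(r"^(\S+ \S+) (\S+) <= (\S+)", line)
    if not m:
        return None
    ts, msg_id, sender = m.groups()
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
    proto = re.search(r"\bP=(\S+)", line)
    auth = re.search(r"\bA=([^:\s]+):(\S+)", line)   # authenticator:account
    return {
        "ts": ts,
        "id": msg_id,
        "sender": sender,
        "ip": ip.group(1) if ip else None,
        "proto": proto.group(1) if proto else None,
        "account": auth.group(2) if auth else None,
    }


def authenticated_submissions(log_text):
    """All arrivals that came in over SMTP AUTH with a known account name."""
    out = []
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec and rec["proto"] in AUTHENTICATED_PROTOCOLS and rec["account"]:
            out.append(rec)
    return out


def account_report(log_text, expected_ips, max_ips=1):
    """Per account: message count, envelope senders used, and client IPs that
    are not in expected_ips[account]. An account is flagged when it used an
    unexpected IP or more distinct IPs than max_ips."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set(), "senders": set()})
    for rec in authenticated_submissions(log_text):
        s = stats[rec["account"]]
        s["messages"] += 1
        s["ips"].add(rec["ip"])
        s["senders"].add(rec["sender"])
    report = {}
    for account, s in stats.items():
        unexpected = sorted(s["ips"] - expected_ips.get(account, set()))
        report[account] = {
            "messages": s["messages"],
            "senders": sorted(s["senders"]),
            "unexpected_ips": unexpected,
            "flagged": bool(unexpected) or len(s["ips"]) > max_ips,
        }
    return report


if __name__ == "__main__":
    # Expected client addresses per account: constructed placeholders.
    expected = {"alice": {"198.51.100.7"}, "bob": {"192.0.2.10"}}
    for account, r in account_report(SAMPLE_MAINLOG, expected).items():
        print(account, r)
```

On the sample data `alice` is flagged because her account also submitted mail from 210.83.81.189 with a forged `mnml@free.fr` envelope sender, while `bob` is not; a real run would read /var/log/exim4/mainlog (and its rotated copies) instead of the embedded text. Once you have a message id from the report, `exigrep <id> /var/log/exim4/mainlog` pulls together every log line for that message, including the deferred deliveries that produce warnings like the one quoted in the question.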
2

First, check your logs on your mail server. If the headers are being forged then you aren't actually having your mail server as a go-between. Your mail logs on the server should tell you where the mail is coming in from and going out to. Be aware if your system is hacked, though, logs could be faked or altered.

Second, find sites that will test whether your system is an open relay.

Third, check and double-check that your system is configured to relay mail only for your authorized IPs.

Fourth, run rootkit checkers to check your system for anomalies. Programs like rkhunter and chkrootkit.

Fifth, look for tutorials on hardening your mail server that are specific to your mail server software and re-check the configuration.

Sixth, look at your routers for information on odd connections to and from your network, anything suspicious. If you can break it down by protocol you'll get a picture of what's going on in your network independent of a potentially compromised system.

If your system is compromised, you should strongly consider reinstalling the operating system, as if it's been hacked there's NO WAY you can be certain that binaries haven't been replaced and in turn are hiding other malware. Even your executables used to detect activity could have been altered (ps hiding specific processes, for example).

Also if your system is compromised as an open relay there's a chance you're already being blocked by other mail servers and lists. You can look on some of the open lists to see if your domain is listed.

Bart Silverstrim
  • It's actually non-trivial to turn Exim4 into an open relay. It's not like the good old days when the default installation was an open relay and it was up to you to harden it. – Paul Tomblin Sep 09 '09 at 19:52
  • It's pretty easy to turn most servers into open relays :-) It seems that now they are often wrapped in installers that change defaults for you though. It's defensive settings against "noobs" that want to be sysadmins without earning the scars first, I guess. – Bart Silverstrim Sep 09 '09 at 22:52
2

Still doesn't seem like you've been compromised -- 210.83.81.189 is sending you an e-mail with a forged return path and reply-to. The only reason this is going to your mail server is because it's addressed to you.

Check the server logs to see if the mail server is actually sending scam mails out to other computers, and then report back.

andersop