Spam Problem

[artfuldrone]

We run a Plesk box on Fedora Core 2.

Just recently we're reaching our SMTP limit of 1000 a day for the last two weeks. This is causing massive qeues and angry customers.

Steps I've done to help the problem:
1. Set global mail to reject
2. Asked our small community of customers to use their ISP's SMTP server
3. Change the default IP and mask from 127.0.0.1/8 to 127.0.0.1/32
4. Added sbl-xbl.spamhaus.org to MAPS

Relaying is on authorization required, SMTP, POP3 = 20 minutes.

I'm looking through the maillog and it's just fulled with connection died. I'm guessing this is spam trying to get through from looking at the times (many within seconds).

Aug 16 19:13:39 www qmail: 1155712419.357965 starting delivery 104578: msg 6620044 to remote debbie.countiss@amgen.com
Aug 16 19:13:39 www qmail: 1155712419.357988 status: local 0/10 remote 20/20
Aug 16 19:13:39 www qmail: 1155712419.365248 delivery 104481: deferral: Connected_to_64.202.189.86_but_connection_died._(#4.4.2)/
Aug 16 19:13:39 www qmail: 1155712419.365305 status: local 0/10 remote 19/20
Aug 16 19:13:39 www qmail: 1155712419.365328 starting delivery 104579: msg 6620044 to remote dianil@fowlerwhite.com
Aug 16 19:13:39 www qmail: 1155712419.365349 status: local 0/10 remote 20/20
Aug 16 19:13:39 www qmail: 1155712419.365694 delivery 104513: deferral: Connected_to_64.202.189.86_but_connection_died._(#4.4.2)/

Here's what I get at abuse.net:
Connecting to mail.combo.ws for anonymous test ...

<<< 220 ******************
>>> HELO www.abuse.net
<<< 250 www.combo.ws
Relay test 1
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 2
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 3
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 4
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mail.combo.ws>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 5
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@[68.178.207.98]>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 6
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mail.combo.ws>
<<< 250 ok
>>> RCPT TO:<securitytest%abuse.net@mail.combo.ws>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 7
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mail.combo.ws>
<<< 250 ok
>>> RCPT TO:<securitytest%abuse.net@[68.178.207.98]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 8
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mail.combo.ws>
<<< 250 ok
>>> RCPT TO:<"securitytest@abuse.net">
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 9
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mail.combo.ws>
<<< 250 ok
>>> RCPT TO:<"securitytest%abuse.net">
<<< 250 ok
Relay test result
Hmmn, at first glance, host appeared to accept a message for relay.

THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.
Some systems appear to accept relay mail, but then reject messages internally rather than delivering them, but you cannot tell at this point whether the message will be relayed or not.
You cannot tell if it is really an open relay without sending a test message; this anonymous user test DID NOT send a test message.

Can someone please help me? We're at the point of losing cusomters over this spam problem. People need their email on time!

 

[atomicturtle]

First, turn off poplocking. A lot of users will come from common proxy pools (AOL for example), which turns your system into an open relay for a whole ISP. Second is to isolate the source of spam, the two areas are:

1) the mail server (qmail), which would consist of a spammer exploiting your poplocking status, a compromised account of one of your users, or an easily guessed smtp_auth password.
2) the web server, the spammer is exploiting a vulnerable application, or a users account, to send mail through the web server itself.

Start by looking through your logs, and taking an inventory of the types of applications you're using. The likely culprit is a web app, however Ive seen more and more smtp_auth abuse through either easily guessed username/password pairs (what we call "joe accounts", example: webmaster/password), or one of your users desktop systems has been compromised.

 

[artfuldrone]

Poplocking is now off.

Our user emails are far apart in the maillog. Majority of the maillog is within seconds of each other, which looks to me like spam. We have spamassassin on all of our client accounts so that adds a couple of lines to indentify the user is a client, and obviously being able to see the client's username.

I'm sure a client hasn't been exploited.

Here are some quotes taken from another thread.

Originally posted by optize
Figured it out

There were 2 files in /etc/xinetd.d which wanted to use smtp. Sendmail and qmail. It decided it would use sendmail and allow everyone to spam through it.
--

Originally posted by phoenixisp
Check to see if you have sendmail installed, if so, that's your problem. The path to sendmail is /usr/sbin/sendmail.

What should be there is a symlink to /etc/alternatives/mta which in turn should point to /var/qmail/bin/sendmail.
--

I DO have sendmail under /usr/sbin/sendmail but being a newbie to Linux I'm unable to understand how to try these fixes.

Can you help?

 

[miranda2006]

same problem

Hi All,

I have the same problem.
Each day I receive a message that the relays are used.

Getting desparate here

Is there a way to delete all messages in que to be send?
I think my problem is that I wanted to empty a mailbox with over 50.000 spam emails. I used mailwasher to delete (not bounce) the messages and I think this is using up the relays.

I already deleted the email, reset the server, everything.

Changed white list to 32 etc...

So my question is :Is there a way to delete all messages in que to be send?

I use Linux / plesk7.5 reloaded.

Thank you in advance.

 

[artfuldrone]

Re: same problem

Originally posted by miranda2006
So my question is :Is there a way to delete all messages in que to be send?

I use Linux / plesk7.5 reloaded.

Thank you in advance.

qmHandler does the job for me.

./qmHandler -h for help.

 

[jas8522]

qmHandle and qmail-scanner

Hey,

We had some major mail issues in the past, and with the help of qmHandle (like artfuldrone suggested) and qmail-scanner we were able to keep everything flowing smoothly.

I'm surprised ART didn't mention something about it, but I've found his qmail-scanner package using a newer version of spamassassin and clamav to be very helpful at keeping the spam to a minimum. Although this is really for incoming spam, not if you're server is spamming.

It's very common that you're not actually spamming, but that incoming spam is being rejected because it's going to addresses that don't exist! Then your server sends back a failure notice to another address that usually does not exist, so it sits in queue until it times out. Using qmHandle, try running:
'qmHandle -s' to see how many messages are in queue then:
'qmHandle -Sfailure'

If that command clears out nearly all of the messages in the queue, then that is indeed your issue! Grab qmail-scanner and clamav from ART's distro and you're on the right track

Jordan

 

[atomicturtle]

there is a qmhandle rpm in the archive as well

 

[marcosacramento]

Anyone solved that problem?
I'm having the same here.
I have been through all the steps and nothing.
Also the 1000limit...

Regards,

Marco Sacramento