Big Issue on Qmail Server - Being used by spammers

Prasad Vadke

New Pleskian
Hi,

I have been facing a very big issue for a long time. I have a server running RHEL4 with Plesk 9.5.2, which is running Qmail as the mail server. I have a valid mailbox created on the server, and I configure the valid email account in my Outlook Express and send an email using SMTP authentication, and it works fine. Now say I change my email address, i.e. the mail from address, to anything, and in SMTP authentication I use my valid email ID and valid password and send an email: it authenticates to the Qmail SMTP server against my valid email ID/password and sends the email with any from address, and the Qmail server accepts it since it sees that the SMTP authentication is done, but it does not check whether the mail from email address and the authentication are the same.

Thousands of clients are using the Qmail server, and it happens that some of the computers are infected, and the viruses on those computers send email via Outlook, but they set the from address to anything and authenticate to the Qmail server using the valid email account, and the Qmail server accepts and sends it.

Is there any setting in Qmail so that it checks, whenever a client is sending an email, that the mail from address and the authenticated email address are the same? If it finds the authentication email ID and the mail from email ID are different, it should straightaway reject it. Please help with this.
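
The check asked for above (refuse a message when the envelope sender does not belong to the authenticated login), sketched as an added example that is not part of the original post and is not qmail or Plesk code. The addresses, the `SENDER_OWNERS` map and the record format are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: (authenticated SMTP login, envelope MAIL FROM).
# Hypothetical addresses; real input would be extracted from submission logs.
SAMPLE_SUBMISSIONS = [
    ("alice@example.com", "alice@example.com"),
    ("alice@example.com", "<Alice@EXAMPLE.com>"),
    ("bob@example.com", "sales@example.com"),
    ("carol@example.com", "winner@lottery.example"),
    ("carol@example.com", "support@bank.example"),
    ("carol@example.com", "<>"),
]

# Hypothetical ownership map (lowercase keys): extra sender addresses,
# such as aliases, that a given login is allowed to use.
SENDER_OWNERS = {"sales@example.com": {"bob@example.com"}}


def normalize(addr):
    """Strip whitespace and angle brackets, then lowercase.

    Assumption: local parts are compared case-insensitively, as most
    mail systems treat them in practice.
    """
    return addr.strip().strip("<>").strip().lower()


def sender_allowed(login, mail_from, owners=SENDER_OWNERS):
    """Return True if the authenticated login may use this envelope sender."""
    login, sender = normalize(login), normalize(mail_from)
    if not sender:
        # Assumption: the null sender is for bounces, not client submission.
        return False
    if sender == login:
        return True
    return login in owners.get(sender, set())


def audit(submissions, owners=SENDER_OWNERS):
    """Count, per authenticated login, submissions with a sender it does not own."""
    mismatches = Counter()
    for login, mail_from in submissions:
        if not sender_allowed(login, mail_from, owners):
            mismatches[normalize(login)] += 1
    return mismatches


if __name__ == "__main__":
    for login, count in audit(SAMPLE_SUBMISSIONS).most_common():
        print(f"{login}: {count} submission(s) with a sender the login does not own")
```

Run over real submission records, the per-login counts point at the mailbox whose credentials are being used to send with forged senders.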
 
You can use DomainKeys spam protection system to sign outgoing e-mail messages.
 
Hi,

DomainKeys will not resolve this issue.

I am having the same problem.

Postfix has the ability to work around this by using sender restrictions, but Qmail doesn't have this feature.

I am running Plesk 8.6 (linux) and it seems that I cannot use postfix!

Is there anything else I can do to solve this problem?
 
Why do you still use this very old Plesk version? Why can't you upgrade to the latest version?
 
Hello,

I am using the very latest version of Plesk, i.e. 9.5.2.

DomainKeys or DKIM will just insert signatures in the email going out via SMTP, and the same signatures need to be published in DNS. This is done just for DKIM or DomainKeys authentication. The problem which we are facing is related to SMTP relay security in the qmail server.

Most modern mail servers come with an option to reject if the auth and the email address do not match, e.g. IceWarp Merak Mail Server, which I am using on Windows servers, and it just works fantastically. No spam and enhanced security. I am waiting for IceWarp Merak Mail Server support to come to Linux and shall change the mail server immediately once Plesk announces support for this mail server on Plesk. However, I would appreciate it if anyone can give a solution to this problem with the Qmail server running with Plesk.
 
We are using Plesk 8.6 because we are using CMail and Expand 2.2.4.

We have not upgraded Plesk on CMail because there is a problem with Expand and Plesk 9 (the mail menu does not work).

Is there another way around this?
 
I have the same problem, using the [email protected] to send. How do I stop this? Thousands of emails are being sent.

Seems the return path is [email protected]. Is there a way to stop that anonymous accepting the emails and just rejecting them?
 
All these people are totally, absolutely wrong, plain and simple. You really can't stop someone from changing the way their email is viewed when sending with qmail, I believe. But this is not the problem. The problem is your users. Also, first things first: make sure your qmail server requires authentication to even send mail in the first place, or require APOP login to send mail. This is where the user must log in to the POP server before he is allowed to send email.

Next you must implement FBLs for all the domains so you can actually track what email is getting marked as spam. FBLs are feedback loops that you request through all postmasters. Some are:

http://postmaster.aol.com
http://postmaster.yahoo.com
etc...

Now what these FBLs do is, when a user clicks the spam button on a received email, the FBL will in return notify you that a user has clicked the spam button, and they should offer you the header of the original email. The only people I believe that do not are MSN. By the header you can track where the original email came from; usually you can track who it was sent to and the originating IP. But you must do administrative work to catch this. You must sift through accounts and watch the way bandwidth is used by the email server. Track the account using the most bandwidth and start from there. It's most likely a user or client, and it's highly unlikely it's a virus. That virus-sending-emails thing can happen, but those viruses would have already had your email servers totally, absolutely blacklisted, and your qmail server's emails would not make it to anyone's inbox.
 
Dear Email marketing,

It seems you just post to forum threads by searching around here. Do you have actual experience with this problem which we all are facing? Have you personally tested it by changing the email address in Outlook, using a valid email ID/password in SMTP authentication, and sending email via qmail?

We have seen infected computers' Outlook Express generating thousands of messages and sending emails via qmail, which in turn causes a huge queue.

We have thousands of email IDs which are connected to the server, and a few which are infected can cause lots of problems. If qmail had checked that the email address and the authentication are for the same email address, then there would be no question of posting a thread here, and other people who are facing this problem are replying to it.
 
This is not a perfect solution, but qmail-scanner does allow you to scan outbound messages from the server using SpamAssassin.
 
Plesk 8.6 -> Plesk 9.x

Please upgrade to Plesk 9.x (current version) and then see if you are still having the same problem.
 