Can´t stop an spammer...

[SalvadorS]

Hello,

I found an spammer in our Plesk 10.4.4 MU 56 qmail server.

I stop qmail, clean the queue, suspend the domain also delete de mailbox!!! but the spammer still send mail. It seems the spammer is logged in the past and can send mail also if qmail is stopped (mails don´t leave the server) or the mailbox is deleted...

See this log:

Received: (qmail 15541 invoked from network); 24 Sep 2013 17:28:00 +0200
Received: from boothness.shave.volia.net (HELO nxbwctlpm) (93.73.84.170)
by dv4.digival.org with ESMTPA; 24 Sep 2013 17:28:00 +0200
To: <[email protected]>
Date: Tue, 24 Sep 2013 07:18:57 -0700
Subject: T H *E BES `T* P :OR~N; S I =T E)S$
From: "Ls" <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-5"

As you can see the hour is correct, 17.28 but the login:

root@dv4:/var/log# grep 93.73.84.170 mail.info
Sep 24 16:24:33 dv4 /var/qmail/bin/relaylock[9755]: /var/qmail/bin/relaylock: mail from 93.73.84.170:50863 (boothness.shave.volia.net)
Sep 24 16:24:33 dv4 smtp_auth: SMTP connect from boothness.shave.volia.net [93.73.84.170]
Sep 24 16:24:33 dv4 smtp_auth: SMTP user [email protected] : logged in from boothness.shave.volia.net [93.73.84.170]

One hour before...

How can we "unlog" this. The mailbox is deleted, the domain is suspended and qmail restarted but it does not works... The spammer is still logged and sending mails

UPDATE: The only thing I can do is check the headers of the mails and block the IPs of the logged connections. Two different IPs blocked and then spam stops... But this is not a correct solution...

How can I kill the logged connections?

 

[SalvadorS]

Hello,

Nobody got an answer? In a server with postfix we restart postfix and all the connections are closed. Why with qmail not?

Regards

 

[DickenW]

Check the following:

1/ Do you have a file called dnsquery in /etc/cron.daily ?
2/ Do you have a directory called /var/spool/named ?

 

[SalvadorS]

Check the following:

1/ Do you have a file called dnsquery in /etc/cron.daily ?
2/ Do you have a directory called /var/spool/named ?

No and No...

Thanks

 

[DickenW]

Okay - I asked that because our 10.4.4 server was hacked and used to send 300k+ SPAM messages from local - i.e. not by relaying, and those files were involved. You have probably been hacked also so without knowing the specific cause, you should alter your plesk and ssh passwords, and lockdown the IP addresses that are allowed to use ssh and plesk to ones you know.

 

[SalvadorS]

Thanks for your reply DickenW

I think the server is not hacked. It is clearly an "user" logged to one mailbox but once it is logged you can´t unlog it. If you change the password of the mailbox and block the IPs of the login the user can´t login again (password incorrect)

 

[GunFood]

Have you tried to mchk (/usr/local/psa/admin/sbin/mchk in Plesk 11, don't know the filename in Plesk 10 but should be the same) to renew the credential database for the allowed user mailboxes?

The Plesk KB article: http://kb.parallels.com/de/944/?show_at=en

Which services did you restart? smtp is controlled by xinetd service:
xinetd based services:
smtp_psa: on
smtps_psa: on

Regards

 

[Faris Raouf]

Just to add to this thread:
If a spammer is logged in using a valid username and password, changing the password, deleting the mailbox and even restarting qmail is not sufficient to stop them continuing to send spam via the connection they are currently using (it will only prevent new attempts to auth)

You need to manually kill, at the command line, the qmail-* processes. This is because once logged in, restarting qmail will not restart a running process that is currently serving the spammer.

Similarly, depending on your firewall configuration, adding the IP of the spammer will often not block an existing connection - it will only block new connection attempts. It kind of depends on your firewall and things, but it is something to keep in mind.