
Major QMail Spam Issues

willgorman

Guest
This evening one of my customers emailed me saying it took 3 days to deliver an email... I investigated what was happening:

Running qmail-qstat, I saw that the messages in the queue were around 8000+.

In the plesk admin, I had relaying turned on with authorization required (pop3 lock 20min & SMTP)

I disabled relaying to see if I could get the queue back down to normal, and do research on what caused the problem.

Even after disabling relay completely, I was able to send SMTP emails from my home outlook account to the server. I see this in the logs:

Apr 22 00:03:30 air44 qmail-queue: dwlib[5924]: scan: the message(drweb.tmp.syvUvH) sent by [email protected] to [email protected] should be passed without checks, because contains uncheckable addresses
Apr 22 00:03:30 air44 qmail: 1145682210.136352 new msg 5284285
Apr 22 00:03:30 air44 qmail: 1145682210.136474 info msg 5284285: bytes 756 from <[email protected]> qp 5925 uid 2020

I verified that I could send SMTP from another server also without any type of auth and I get the same exact logging, and my queue grows.

I see that the xinet.d smtp_psa file is still disable = no, and my server args are:
/var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

I'm still receiving spam, and I'm really at a loss here... Please help!
 
Nobody Spam

PHP Nobody logging is fairly easy to enable, just follow the instructions outlined on this site:

http://www.webhostgear.com/232_print.html

although we suggest using an updated script that is more secure:

#!/usr/bin/perl
# Logging wrapper installed in place of sendmail for the web server user:
# it records who invoked it (CGI environment, or working directory and
# account) in /var/log/spam_log, then hands the message and all arguments
# to the real sendmail, renamed to sendmail.hidden, so mail is still delivered.

use strict;
use warnings;
use Env qw(REMOTE_ADDR SERVER_NAME SCRIPT_NAME PWD);

my $date = `date`;
chomp $date;

# Append-only log of every sendmail invocation; fail loudly if we cannot log.
open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";

# Effective uid the caller runs as, plus its passwd entry (name, uid, gid, ...).
my $uid  = $>;
my @info = ((getpwuid($uid))[0,2,3,4,5,6,7]);

if (defined $REMOTE_ADDR) {
    # Called from a web request: log client IP, script path and virtual host.
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
}
else {
    # Called from a shell or cron job: log working directory and account.
    print INFO "$date - $PWD - @info\n";
}

# The real sendmail binary, renamed so this wrapper takes its place.
my $mailprog = '/usr/sbin/sendmail.hidden';

# List-form open passes the original arguments (-t, -i, -f ...) straight to
# the binary without going through a shell, so caller-supplied arguments
# cannot be interpreted as shell syntax.
open (MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";

# Copy the message body from stdin to sendmail unchanged.
while (<STDIN>) {
    print MAIL;
}
close (INFO);
close (MAIL);
 
qmHandle - a tool for the qmail queue

To manage your mail queue, download qmHandle:
http://sourceforge.net/projects/qmhandle

Install it on /root

You may get help using command:
# /root/qmHandle
qmHandle v1.2.0
Copyright 1998-2003 Michele Beltrame

Available parameters:
-a : try to send queued messages now (qmail must be running)
-l : list message queues
-L : list local message queue
-R : list remote message queue
-s : show some statistics
-mN : display message number N
-dN : delete message number N
-Stext : delete all messages that have/contain text as Subject
-D : delete all messages in the queue (local and remote)
-V : print program version

Additional (optional) parameters:
-c : display colored output
-N : list message numbers only
(to be used either with -l, -L or -R)

Now I am writing a few tips on how to use it.

#/root/qmHandle -s
Messages in local queue: 0
Messages in remote queue: 484

It means 484 messages in your SMTP queue.

You can list message queues using:
#/root/qmHandle -l

After a while this will show you the result. Now, if you can see all the messages in the queue, you can find the spam emails. After finding them you may choose the first few characters of the mail subject; an example is:

2868937 (9, R)
Return-path:
From: [email protected]
To: [email protected]
Subject: failure notice
Date: 22 Apr 2006 05:51:32 +0000
Size: 3161 bytes

Now, to delete all mails with subject "failure" you may use command:

#/root/qmHandle -Sfailure

This will delete all emails with the Subject "failure" from the SMTP queue. Now if anybody is doing SPAM with subject "PayPal verfication" you may run this command:

#/root/qmHandle -SPayPal

So, this will immediately clear your mail queue and delete all the messages instantly and you can then again check the qmail queue status.
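As an added example (not part of the original post or of qmHandle itself), a small parser for the `qmHandle -l` listing format shown above, so the queue can be searched by From and To as well as Subject before deleting; the sample listing and addresses are constructed. It also flags recipients of the `user%remote@local` form, which is the percenthack relay pattern discussed later in the thread.

```python
import re

# Constructed sample in the layout of `qmHandle -l` shown in the thread
# (message numbers and addresses are made up, not from the original post).
SAMPLE_LISTING = """\
2868937 (9, R)
From: MAILER-DAEMON@mail.example.net
To: random-name@remote.example.org
Subject: failure notice

2868940 (12, R)
From: "PayPal" <bulk@spam.example.org>
To: "victim%remote.example.org"@mail.example.net
Subject: PayPal verification

2868951 (3, L)
From: alice@mail.example.net
To: bob@mail.example.net
Subject: Re: lunch?
"""

MSG_HEADER = re.compile(r"^(\d+) \((\d+), ([LR])\)$")   # "2868937 (9, R)"
PERCENT_HACK = re.compile(r'%[^@"]*"?@')                # user%remote@local

def parse_listing(text):
    """One dict per queued message: number, queue (L/R) and its header fields."""
    messages, cur = [], None
    for line in text.splitlines():
        m = MSG_HEADER.match(line)
        if m:
            cur = {"number": int(m.group(1)), "queue": m.group(3)}
            messages.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip().lower()] = value.strip()
    return messages

def select(messages, field, pattern):
    """Numbers of messages whose header `field` (from/to/subject) matches `pattern`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [m["number"] for m in messages if rx.search(m.get(field, ""))]

def percent_hack_recipients(messages):
    """Messages addressed as user%remote@local: relay attempts via the percenthack."""
    return [m["number"] for m in messages if PERCENT_HACK.search(m.get("to", ""))]

def delete_commands(numbers, qmhandle="/root/qmHandle"):
    """One `qmHandle -dN` per selected message; review the list before running it."""
    return [f"{qmhandle} -d{n}" for n in numbers]
```

Feed it the real output of `/root/qmHandle -l` and run the returned commands only after checking the selection, since `-d` is irreversible.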
 
(Assuming Linux)

It is more than likely the e-mails are being submitted locally from a web worm. Run "ps -fu apache", and look for any processes that have a PPID of 1. If there is ANY, then someone is running a process that was executed from a vulnerable web application.

You can see where the executable of any process is located by doing "readlink /proc/<pid>/exe". If this is the case then it would be a good idea to identify the domain, gather as much information as possible, try to correlate the STIME to activity in the Apache access_log.

I typically use The Coroner's Toolkit to dump process memory (pcat program). I posted a patch to allow tct to compile under 2.6 kernels here.
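The orphan check and the STIME correlation from this post, as an added example (not the poster's own tooling): it parses `ps -f` output for apache-owned processes whose parent is init, resolves their binaries through /proc, and pulls the access_log requests from the same minute. The ps and access_log samples are constructed.

```python
import os
import re

# Constructed `ps -fu apache` output (not from the thread): two workers under httpd, one orphan.
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
apache    4410  4401  0 00:02 ?        00:00:00 /usr/sbin/httpd
apache    4411  4401  0 00:02 ?        00:00:00 /usr/sbin/httpd
apache    5924     1  0 00:03 ?        00:00:02 perl /tmp/.x/mailer.pl
"""

# Constructed Apache access_log lines (combined format) around the same minute.
ACCESS_SAMPLE = """\
203.0.113.7 - - [22/Apr/2006:00:03:12 +0000] "POST /forms/contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Apr/2006:00:03:20 +0000] "POST /forms/contact.php HTTP/1.1" 200 98 "-" "Mozilla/4.0"
198.51.100.4 - - [22/Apr/2006:00:41:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def orphans(ps_output):
    """(pid, stime, cmd) of processes reparented to init (PPID 1): an apache-owned
    process that is no longer under httpd is the sign the post describes."""
    found = []
    for line in ps_output.splitlines()[1:]:          # skip the UID/PID header row
        parts = line.split(None, 7)                  # CMD may contain spaces
        if len(parts) == 8 and parts[2] == "1":
            found.append((int(parts[1]), parts[4], parts[7]))
    return found

def exe_path(pid):
    """Binary behind a PID via readlink /proc/<pid>/exe; None if gone or not readable."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None

LOG_TS = re.compile(r"\[\d{2}/\w{3}/\d{4}:(\d{2}):(\d{2}):\d{2} ")

def requests_near(access_log, stime, window=2):
    """access_log lines within +/- `window` minutes of a ps STIME given as HH:MM.
    Older processes show a date (e.g. Apr21) instead; those return no hits."""
    if ":" not in stime:
        return []
    hh, mm = (int(x) for x in stime.split(":"))
    target = hh * 60 + mm
    hits = []
    for line in access_log.splitlines():
        ts = LOG_TS.search(line)
        if ts and abs(int(ts.group(1)) * 60 + int(ts.group(2)) - target) <= window:
            hits.append(line)
    return hits
```

On a live box, replace the samples with `ps -fu apache` output and the vhost's access_log; the matching requests point at the web application that spawned the process.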
 
Thanks everyone for their suggestions so far. I installed qmHandle, and have started purging messages out of my queue (2000 so far based on two regex searches). I modified qmHandle so that I could delete based on From and To also... I'll post that after I add the documentation.

I verified that the spam mail is coming from SMTP. Vulnerable Web Forms was my first guess, so I ruled that out by following previous posts.

I enabled MAPS zones based on earlier forum messages, and that seems to help a bit.

I can still send arbitrary SMTP emails to my smtp service, which scares me. If anyone has any ideas or suggestions on why this might be happening, I'd really appreciate it!
 
Another tip is to go into the Domain's mail settings and make sure it is setup to REJECT unknown users. The default is to send a bounce message, which basically means your server could be used to send spam. I don't recall what they call the technique, it is sort of a redirected attack where they forge the From address and send it to a bogus account on your domain and the bounce delivers the spam.
 
Hi willgorman,

> I modified qmHandle so that I could delete based on From and To also... I'll post that after I add the documentation.

Would you please post your modification on qmHandle that adds From and To?

Thanks,

Belinda
 
@ alexhubner

Yes you're right!

(Sorry my english is pretty bad...)

I have tested my server and can relay to everyone I need! Huh

I have no relaying enabled, only my private IP and "localhost" are in the whitelist, no scripts on my domains (ok, only Plesk scripts are there), and I reject all "users that have no mail account".

S*it!!!

My DNS is also without an error and so on.

But when I do a telnet my.domain 25 [not from my private IP, it's whitelisted ;)] ... rcpt to: "anyuser%myaccount.gmx.de" it is relaying. Arrgh... Panic :(


The other test I've done:

perion: # telnet relay-test.mail-abuse.org
Trying 16x.xxx.xxx.xxx...
Connected to relay-test.mail-abuse.org.
Escape character is '^]'.
Connecting to xxx.xxx.xxx.xxx ...

....

:Relay test: #Test 11
mail from: <[email protected]>
250 ok
rcpt to: <"nobody%mail-abuse.org">
250 ok
QUIT
221 my.dom.de
Tested host banner: 220 my.dom.de ESMTP
System appeared to accept 1 relay attempts
Connection closed by foreign host.

Arrrggghhh!
There is NO user "spamtest" on my domain!
I've searched the whole server for this name!
None! Not in binaries, not in text files.

Searching by Google... oh, qmail's percenthack.
I put my domain (my.dom.de) in this file and restarted qmail, but anyway the same thing:

...
Tested host banner: 220 my.dom.de ESMTP
System appeared to accept 1 relay attempts
Connection closed by foreign host.

Need Urgent Help! @plesk
 
Re: @ alexhubner

Originally posted by fhsoft
Need Urgent Help! @plesk

It seems that I have the same problem (at least the same indications)

did you solve it?
 
No, simply because nobody seems to know or care about it, especially at SWSoft. That's sad, and since the last time I tried to solve it, I'm slowly moving away from Plesk.

Good luck!
 
Yeah... SWSoft's support sucks, unless you want to pay $500+ a year for it. And their forums here are very lacking when it comes to any support whatsoever. Not to mention that there aren't any other support forums, even user support forums, out there for Plesk.

I am on 1and1 and unfortunately they only use Plesk, so as long as I stay with 1and1, I am stuck with Plesk.

What's even more unfortunate is that their Level 1 service (at 1and1) gives you the "textbook" answers which don't actually help at all. It took me several days to get things resolved the last time I had a problem.
 
Spam even with closed relay

Hi,

I have the same kind of problems.

I have found that if I stop forwarding any emails for unknown@ to an account, the spam stops, but this is a nightmare as I have many, many email addresses. I sign up with these so I can easily junk any that get heavily spammed, and I can know who sold my email address by looking at it.

Does anyone know what is the cause of this problem and if it can be resolved?

I also have a one and one server and yes their support is not support but then if you want Rackspace you have to pay through the nose - wish I could afford it!

Any help gratefully received, as this is a massive problem for me that I need to resolve.

Paul
 