1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Major QMail Spam Issues

Discussion in 'Plesk for Linux - 8.x and Older' started by willgorman, Apr 21, 2006.

  1. willgorman

    willgorman Guest

    0
     
    This evening one of my customers emailed me saying it took 3 days to deliver an email... I investigated what was happening:

    running qmail-qstat, I saw that messages in queue were around 8000+

    In the plesk admin, I had relaying turned on with authorization required (pop3 lock 20min & SMTP)

    I disabled relaying to see if I could get the queue back down to normal, and do research on what caused the problem.

    Even after disabling relay completely, I was able to send SMTP emails from my home outlook account to the server. I see this in the logs:

    Apr 22 00:03:30 air44 qmail-queue: dwlib[5924]: scan: the message(drweb.tmp.syvUvH) sent by aaa@bbb.com to ccc@ddd.com should be passed without checks, because contains uncheckable addresses
    Apr 22 00:03:30 air44 qmail: 1145682210.136352 new msg 5284285
    Apr 22 00:03:30 air44 qmail: 1145682210.136474 info msg 5284285: bytes 756 from <aaa@bbb.com> qp 5925 uid 2020

    I verified that I could send SMTP from another server also without any type of auth and I get the same exact logging, and my queue grows.

    I see that the xinet.d smtp_psa file is still disable = no, and my server args are:
    /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

    I'm still receiving spam, and I'm really at a loss here... Please help!
     
  2. arazas

    arazas Guest

    0
     
    Nobody Spam

    PHP Nobody logging is fairly easy to enable, just follow the instructions outlined on this site:

    http://www.webhostgear.com/232_print.html

    although we suggest using an updated script that is more secure:

    #!/usr/bin/perl

    use strict;
    use Env qw(REMOTE_ADDR SERVER_NAME SCRIPT_NAME PWD);
    my $date = `date`;
    my $arg;
    chomp $date;
    open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
    my $uid = $>;
    my @info = ((getpwuid($uid))[0,2,3,4,5,6,7]);
    if(defined $REMOTE_ADDR) {
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
    }
    else {

    print INFO "$date - $PWD - @info\n";

    }
    my $mailprog = '/usr/sbin/sendmail.hidden';
    foreach (@ARGV) {
    $arg="$arg" . " $_";
    }

    open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
    while (<STDIN> ) {
    print MAIL;
    }
    close (INFO);
    close (MAIL);
     
  3. arazas

    arazas Guest

    0
     
    qmHandle - a tool for the qmail queue

    To manage your mail queue, download qmHandle:
    http://sourceforge.net/projects/qmhandle

    Install it on /root

    You may get help using command:
    # /root/qmHandle
    qmHandle v1.2.0
    Copyright 1998-2003 Michele Beltrame

    Available parameters:
    -a : try to send queued messages now (qmail must be running)
    -l : list message queues
    -L : list local message queue
    -R : list remote message queue
    -s : show some statistics
    -mN : display message number N
    -dN : delete message number N
    -Stext : delete all messages that have/contain text as Subject
    -D : delete all messages in the queue (local and remote)
    -V : print program version

    Additional (optional) parameters:
    -c : display colored output
    -N : list message numbers only
    (to be used either with -l, -L or -R)

    Now, i am writing few tips how to use it.

    #/root/qmHandle/ -s
    Messages in local queue: 0
    Messages in remote queue: 484

    It means 484 messages in your SMTP queue.

    You can list message queues using:
    #/root/qmHandle -l

    After a while this will showu you the result, now if you can see all the messages in queue you can find our the spam emails. After finding it you may chosse first few character of mail subject, an example is:

    2868937 (9, R)
    Return-path:
    From: MAILER-DAEMON@your.servername.com
    To: any@innocent.com
    Subject: failure notice
    Date: 22 Apr 2006 05:51:32 +0000
    Size: 3161 bytes

    Now, to delete all mails with subject "failure" you may use command:

    #/root/qmHandle -Sfailure

    This will delete all emails with the Subject failure from SMTP queue. Now if any body is doing SPAM with subject "PayPal verfication" you may run this command:

    #/root/qmHandle -SPayPal

    So, this will immediately clear your mail queue and delete all the messages instantly and you can then again check the qmail queue status.
     
  4. wagnerch

    wagnerch Guest

    0
     
    (Assuming Linux)

    It is more than likely the e-mails are being submitted locally from a web worm. Run "ps -fu apache", and look for any processes that have a PPID of 1. If there is ANY, then someone is running a process that was executed from a vulnerable web application.

    You can see where the executable of any process is located by doing "readlink /proc/<pid>/exe". If this is the case then it would be a good idea to identify the domain, gather as much information as possible, try to correlate the STIME to activity in the Apache access_log.

    I typically use The Coroner's Toolkit to dump process memory (pcat program). I posted a patch to allow tct to compile under 2.6 kernels here.
     
  5. willgorman

    willgorman Guest

    0
     
    Thanks everyone for their suggestions so far. I installed qmHandle, and have started purging messages out of my queue (2000 so far based on two regex searches). I modified qmHandle so that I could delete based on From and To also... I'll post that after I add the documentation.

    I verified that the spam mail is coming from SMTP. Vulnerable Web Forms was my first guess, so I ruled that out by following previous posts.

    I enabled MAPS zones based on earlier forum messages, and that seems to help a bit.

    I can still send arbitrary SMTP emails to my smtp service, which scares me. If anyone has any ideas or suggestions on why this might be happening, I'd really appreciate it!
     
  6. wagnerch

    wagnerch Guest

    0
     
    Another tip is to go into the Domain's mail settings and make sure it is setup to REJECT unknown users. The default is to send a bounce message, which basically means your server could be used to send spam. I don't recall what they call the technique, it is sort of a redirected attack where they forge the From address and send it to a bogus account on your domain and the bounce delivers the spam.
     
  7. belinda

    belinda Guest

    0
     
    Hi willgorman,

    <I modified qmHandle so that I could delete based on <From and To also... I'll post that after I add the <documentation.

    Would you please post your modification on qmHandle that adds From and To?

    Thanks,

    Belinda
     
  8. alexhubner

    alexhubner Guest

    0
     
  9. fhsoft

    fhsoft Guest

    0
     
    @ alexhubner

    Yes you're right!

    (Sorry my english is pretty bad...)

    I have testet my server and can relay to everyone i need! Huh

    I have no relaying enabled, only my private IP and "localhost" is in the Whitelist, no scripts on my domains, (ok, only pleskscripts are there) i reject all "User that have no Mailaccount".

    S*it!!!

    My DNS is also without an error and so on.

    But when i do a [not from my private IP, it's whitelisted ;)] telnet my.domain 25 ... rcpt to: "anyuser%myaccount.gmx.de" it is relaying . Arrgh... Panik :(


    The other test i've done:

    perion: # telnet relay-test.mail-abuse.org
    Trying 16x.xxx.xxx.xxx...
    Connected to relay-test.mail-abuse.org.
    Escape character is '^]'.
    Connecting to xxx.xxx.xxx.xxx ...

    ....

    :Relay test: #Test 11
    mail from: <spamtest@my.dom.de>
    250 ok
    rcpt to: <"nobody%mail-abuse.org">
    250 ok
    QUIT
    221 my.dom.de
    Tested host banner: 220 my.dom.de ESMTP
    System appeared to accept 1 relay attempts
    Connection closed by foreign host.

    Arrrggghhh!
    There is NO User "spamtest" on my domain!
    I've searchig the hole server at all for this name!
    None! Not in binarys, not in textfiles

    Searching by google... oh, qmails percenthack
    put in this file my domain: my.dom.de, restarting qmail, but anyway the same thing:

    ...
    Tested host banner: 220 my.dom.de ESMTP
    System appeared to accept 1 relay attempts
    Connection closed by foreign host.

    Need Urgent Help! @plesk
     
  10. reichemi

    reichemi Guest

    0
     
    Re: @ alexhubner

    It seems that I have the same problem (at least the same indications)

    did you solve it?
     
  11. alexhubner

    alexhubner Guest

    0
     
    No, simple because nobody seams to know or care about it, specially at SWSoft. That's sad and since last time I've tried to solve it, I'm slowing moving away from Plesk.

    Good luck!
     
  12. elderban

    elderban Guest

    0
     
    Yeah...SWSofts support sucks, unless you want to pay $500+ a year for it. And their forums here are very lacking when it comes to any support whatsoever. Not to mention that there aren't any other support forums, even user support forums, out there for Plesk.

    I am on 1and1 and unfortunately they only use Plesk, so as long as I stay with 1and1, I am stuck with Plesk.

    What's even more unfortunate is that their Level 1 service (at 1and1) gives you the "textbook" answer which don't actually help at all. It took me several days to get things resolved last time I had a problem.
     
  13. Tofuwarrior

    Tofuwarrior Guest

    0
     
    Spam even with closed relay

    Hi,

    I have same kind of problems.

    Have found that if I stop any emails forwarding unkown@ to an account the spam stops but this is a nightmare as I have many many email addresses, I sign up with these so I can easily junk any ones that get heavily spammed and I can know who sold my email address by looking at it.

    Does anyone know what is the cause of this problem and if it can be resolved?

    I also have a one and one server and yes their support is not support but then if you want Rackspace you have to pay through the nose - wish I could afford it!

    Any help gratefully received as this is a massive problem for me that I need to resolve

    Paul
     
  14. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
Loading...