
Qmail sending from unauthorized domains

amandler

Basic Pleskian
Friends -- looking at my qmail queue, I see many messages originating from domains other than those on my server. I ran a maillog report using Lire, and find over 2,000 messages per day being sent from Yahoo.com. I fear my server is spamming, but I don't understand how these messages are originating, nor do I know what to do to track them down.

I do have a rcpthosts file, and a mail relay test from http://www.abuse.net/cgi-bin/relaytest shows I am not a relay.

I've checked for any rogue processes running, but see only qmail sending. Any ideas about how to troubleshoot this would be much appreciated.

From Lire report of sending domains:
yahoo.com 2161 1.6 1.6
sent 1977 1.5 91.5
failure 177 0.1 8.2
deferred 7 0.0 0.3
 
Are you absolutely sure that these messages are not bounces to non-existent addresses on your server? If you have a look in the mail queue you'll find out what the original message was and if it's a bounce. You can do this via SSH as follows:

Code:
cd /var/qmail/queue/mess
grep '[email protected]' */*

This will list all of the messages in the queue, you will get a list of the directories and the message filenames which are something like this:

Code:
1/123456789

Load that file in a text editor to see what the original message was:

Code:
more 1/123456789

Disclaimer: this will show you other folks' messages, so there is user privacy to consider, although as the system administrator it's your job to a certain extent to do this if it is necessary.
 
Thanks for the reply. I understand how to look at messages in the queue, but I don't really understand how to tell from the maillog where the message originated (and therefore be able to tell which message in the queue to look at). The mail report seems to indicate that many messages from the domains yahoo.com and hotmail.com are being sent out from my server, but it's not clear to me how to determine from the log entries where a message originated. I believe the bounce messages are all from "[email protected]", so I don't think they are being reported as yahoo.com.
 
Grab one of the yahoo.com addresses (for example) that you see, and then run through the instructions I provided in the previous message using that address. That will identify the message in the queue which relates to that address.

You will see the whole message, including the body and headers. If it's a bounce you will see the original message at the bottom and the bounce message generated by your mail server at the top.

If it is not a bounce and looks like a normal email and it's being sent to a yahoo.com address from your server, then this would suggest the server may have been compromised in some way and this should be investigated.

Let me know how you get on and I can provide further guidance based on what you find.
 
Thanks so much. I am not making myself clear. I don't know WHICH yahoo.com address, if any, is being sent FROM by my computer, so I can't "grab one" as you say. I only have a report, generated by a qmail reporting utility, that says 2,000 messages were sent from the domain yahoo.com. It doesn't list individual messages. If I grep maillog for yahoo.com, I of course see thousands of messages, but I am not able to identify which, if any, originated from my server and which originated outside and are being delivered by my server. Is there a way to determine this in the log? If I could, then I could follow your suggestion and examine the individual messages. And to reiterate, bounces all show up as coming from "[email protected]", so they would NOT be reported as coming from yahoo.com, I don't think. I grepped the message queue, as you suggested, for yahoo.com, and did find some bounces, but also many messages from yahoo.com. However, I can't tell if those messages are simply being received and delivered by my server, or if they originated on my server, which is the concern.

I guess my question in short is: is there a way to determine from the maillog or anywhere else where a specific message was generated?

Many thanks!
 
If you take a look at the maillog, you will see it says "to local" or "to remote" depending on the direction that a message was being delivered.

If you want to see all the messages coming from the server to yahoo.com, you can run this command on the command line:

Code:
grep 'yahoo.com' /usr/local/psa/var/log/maillog | grep 'to remote'

This will give you a list of all the yahoo.com addresses that your server has sent mail to in the current log file (probably rotated daily).

If you take some of the email addresses listed there and follow the previous instructions you should be able to find the message content to see what is being sent and why.

Possible reasons for a lot of messages being sent remotely:

1. Bounce messages
2. A catchall forwarding to a yahoo.com address
3. One of your users has had their mail account hijacked
4. The server has been compromised

Once you have determined the addresses that your server has been sending to, you can eliminate 1 and 2 in that list or hopefully identify the problem. 3 and 4 are more difficult to work on... let's wait and see what you find from looking at the maillog and trying to examine some of the outgoing messages as per the previous instructions.
 
Similarly, you can also get a list of yahoo.com addresses that have been sending mail to the server by using this command:

Code:
grep 'from=' /usr/local/psa/var/log/maillog | grep 'yahoo.com'

Hope this helps.
 
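The two grep one-liners above ("to remote" and "from=") each answer half of the question; what the original poster actually wants is to join them per message. The following script is an added example and is not code from the thread or from Plesk. It parses the qmail-send lines that Plesk writes to /usr/local/psa/var/log/maillog (the "info msg N: bytes B from <sender> qp P uid U" line logged when a message is queued, and the "starting delivery D: msg N to remote|local rcpt" line for each delivery), correlates them by message id, and reports per sender domain how many messages went local versus remote and which uids injected them. The log lines embedded in the block are constructed for the example; the message ids, addresses, hostname and uids are made up, and the uid of your SMTP daemon (qmaild) is something you look up on your own box.

```python
import re

# Constructed sample of qmail-send lines in the format Plesk writes to
# /usr/local/psa/var/log/maillog; hostname, addresses, msg ids and uids are
# invented for this example.
SAMPLE_LOG = """\
Mar  3 10:00:01 host qmail: 1709460001.100000 info msg 5001: bytes 2048 from <alice@yahoo.com> qp 700 uid 2020
Mar  3 10:00:01 host qmail: 1709460001.200000 starting delivery 1: msg 5001 to local bob@example.org
Mar  3 10:00:02 host qmail: 1709460002.100000 info msg 5002: bytes 4096 from <promo@yahoo.com> qp 701 uid 48
Mar  3 10:00:02 host qmail: 1709460002.200000 starting delivery 2: msg 5002 to remote rcpt1@yahoo.com
Mar  3 10:00:02 host qmail: 1709460002.300000 starting delivery 3: msg 5002 to remote rcpt2@hotmail.com
Mar  3 10:00:03 host qmail: 1709460003.100000 info msg 5003: bytes 512 from <> qp 702 uid 2020
Mar  3 10:00:03 host qmail: 1709460003.200000 starting delivery 4: msg 5003 to remote someone@yahoo.com
"""

# Logged once per queued message: envelope sender and the uid that ran qmail-queue.
INFO_RE = re.compile(
    r"info msg (?P<msg>\d+): bytes \d+ from <(?P<sender>[^>]*)> qp \d+ uid (?P<uid>\d+)"
)
# Logged once per recipient: direction ("local" or "remote") and recipient address.
DELIVERY_RE = re.compile(
    r"starting delivery \d+: msg (?P<msg>\d+) to (?P<dir>local|remote) (?P<rcpt>\S+)"
)


def _new_record():
    return {"sender": None, "uid": None, "local": [], "remote": []}


def sender_domain(addr):
    """Domain of an envelope sender. qmail logs bounces with an empty sender (<>)."""
    if addr is None:
        return "<unknown>"
    if addr == "":
        return "<bounce>"
    return addr.rsplit("@", 1)[-1].lower()


def correlate(lines):
    """Join the 'info msg' line and all 'starting delivery' lines of each message id."""
    msgs = {}
    for line in lines:
        m = INFO_RE.search(line)
        if m:
            rec = msgs.setdefault(m["msg"], _new_record())
            rec["sender"] = m["sender"]
            rec["uid"] = int(m["uid"])
            continue
        d = DELIVERY_RE.search(line)
        if d:
            msgs.setdefault(d["msg"], _new_record())[d["dir"]].append(d["rcpt"])
    return msgs


def summarize(msgs):
    """Per sender domain: messages with remote deliveries, with local deliveries, injecting uids, msg ids."""
    summary = {}
    for msg_id, rec in msgs.items():
        s = summary.setdefault(sender_domain(rec["sender"]),
                               {"remote": 0, "local": 0, "uids": set(), "msgs": []})
        if rec["remote"]:
            s["remote"] += 1
        if rec["local"]:
            s["local"] += 1
        if rec["uid"] is not None:
            s["uids"].add(rec["uid"])
        s["msgs"].append(msg_id)
    for s in summary.values():
        s["uids"] = sorted(s["uids"])
    return summary


def flag_local_origin(msgs, smtp_uid):
    """Message ids delivered remotely that were NOT injected by the SMTP daemon's uid,
    i.e. queued by a local process (web script, cron, mail() from PHP). A hijacked
    account relaying through SMTP AUTH still shows the SMTP daemon's uid, so this
    separates reason 4 in the list above from reason 3, not both from legitimate mail."""
    return sorted(m for m, r in msgs.items()
                  if r["remote"] and r["uid"] is not None and r["uid"] != smtp_uid)


def queue_file_command(msg_id):
    """qmail's message id is the inode of the file under /var/qmail/queue/mess,
    so the queued copy (if still present) can be located by inode number."""
    return f"find /var/qmail/queue/mess -inum {msg_id}"


if __name__ == "__main__":
    msgs = correlate(SAMPLE_LOG.splitlines())  # for a real box: correlate(open("/usr/local/psa/var/log/maillog"))
    for dom, s in summarize(msgs).items():
        print(f"{dom:12} remote={s['remote']} local={s['local']} uids={s['uids']}")
    for msg_id in flag_local_origin(msgs, smtp_uid=2020):  # 2020 is the sample's assumed qmaild uid
        print(f"msg {msg_id} injected by uid {msgs[msg_id]['uid']}: {queue_file_command(msg_id)}")
```

On the sample, yahoo.com shows one message delivered locally (received from outside for a local mailbox, which is harmless) and one delivered remotely that was queued by uid 48 rather than the SMTP daemon's uid, which is the pattern to chase: look that uid up with `getent passwd 48`, and use the printed find command to pull the queued file for inspection as described earlier in the thread. The bounce domain (empty sender) is reported separately so that bounce storms (reason 1) do not get counted under yahoo.com.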