• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

spammers using qmail

D

devindull

Guest
When doing ps aux I see a lot of relaying of spam on our qmail server that was installed with Plesk. However, under the plesk mail settings, we have Relaying set to Authorization Required and a check in SMTP. How can we stop the relaying from going on without killing out SMTP server? Many of our website users use their SMTP.domain.tld for their sending mail.
 
The source of your problem could be in webforms, spammers are using them to put their code into outgoing mail headers and send spam. Please visit http://www.fight-spam.org for a simple solution.
 
We run very SQL intense websites. PHPMYADMIN is a must to use, the one built with Plesk. How can we alter the script to allow it to work? Your script has a bug not letting it as your website says.... Any other ideas?
 
Well.. that is not really a bug.. I will add more details on this soon. If you are using phpMyAdmin from Plesk, this means that you use Plesk's webserver and php (running on port 8443). But if you set this script in php that work with main apache - Plesk would not be affected and phpMyAdmin from it would work as it should. :)
 
settings

Hi There:

My server was recently used to send out spam exactly the way you described (bcc headers)
and I would definitely like to test your anti-spam.php script.

I am using
psa v7.0.4_build041224.12 os_FedoraCore 1
OS Linux 2.4.22-1.2199.4.legacy.nptl

Regarding the original setup:
Since the directory /usr/local/lib/php/ does not exist on my server, should I create it or should I place the script some other (better for psa) place on the server?

Thanks
Stephane
 
How much is alot? Is there a backup in the mail queue (/var/qmail/bin/qmail-qstat) ? There is a few worms out in the wild that exploit vulnerabilities in many popular web applications (such as phpBB2, PostNuke, Mambo...), and these vulnerabilities allow remote code execution as the apache user. The worms automatically pull down code that runs daemons as the apache user (they typically mask themselves as httpd -- so less experienced admins do not notice them), and those daemons are used to pull down more code that ultimately feeds spam mail right into your mail queue.

I would dump an output of "ps -fu apache", if the PPID column is NOT the same then you may have this particular problem. Everything running as apache should have the same PPID (parent process id), because they are all forked from the same parent process. If you have processes running with PPID of 1 then that is a problem, because normally the parent httpd is running as root and it would have a PPID of 1 (and only 1 httpd, normally). Dump the output, and we can atleast try to eliminate that.
 
what you are referencing regarding apache is an easy fix of disables in the php.ini and some other minor security precautions. however, im still having problems getting these spammers from spamming from our box. life goes on i guess, hopefully plesk 8.0 will be better for security and vuln issues like this.
 
Uhm, whatever. I must ask why did you post at all, since you are already totally familiar with the problem (of course the problem you failed to describe, and then go off on a rant about phpMyAdmin)? Clearly someone of your great skill and expertise could have coded a solution to fix whatever your perceived problem is without our help.

Have a nice day.
 
dont get so heated. i fixed an old standing problem that this person was referencing as apache a long time ago, this isnt what i am refering to needing help on thank you very much. i wanted to make that distinction as I just did. Now, my problem is QMAIL sends out a lot of spam through what I assumed as relaying, but when I disable relaying, or password protect it, this still happens, therefore it's script related. HOWEVER, I cannot just disable PHPs ability to send emails as many of our websites rely on this system. I am asking for an optional fix.

Now, to solve the Apache problem, all one must do is open the php.ini in the apache/conf/ directory, search for the disabled_features = line, and add these:

disable_functions = phpinfo,shell_exec,passthru,exec,system,proc_get_status,proc_nice,proc_open,proc_terminate,proc_close

I also recommend doing "whereis wget" and going to that directory of its location, you must chown root wget. Most script kiddies use that to import their scripts into your /tmp/ directory to execute.

If you have problems w/ a lot of stuff in that regard, also, create a crontabed process running the following:
#!/bin/sh
killall -9 cgi
killall -9 mech
rm /tmp/cgi
rm /tmp/udp.pl
rm /var/tmp/udp.pl
rm /tmp/*bnc*
rm /var/tmp/*bnc*
rm /tmp/*giga*
rm /var/tmp/*giga*
rm /tmp/*mech*
rm /var/tmp/*mech*
rm /tmp/*.php
rm /var/tmp/*.php
rm /tmp/*.pl
rm /var/tmp/*.pl
rm /tmp/*.htm
rm /var/tmp/*.htm
rm /tmp/*.html
rm /var/tmp/*.html
rm /tmp/*.txt
rm /var/tmp/*.txt
rm /tmp/*.c
rm /var/tmp/*.c
rm /tmp/*.tgz
rm /var/tmp/*.tgz
rm /tmp/*.tar
rm /var/tmp/*.tar
rm /tmp/*.gz
rm /var/tmp/*.gz

Most "hackers" are Turkish people wanting to create Emech DOS bots and so forth. Quite easy to solve that by doing those steps, the FIRST step should do it, but the other two are smooth precautions.

NOW, about my PROBLEM again, I'd love a solution to stop QMAIL spamming without disabling PHPs mailer option. Ideas?
 
Your just outright stupid, dude. Get a clue, install modsecurity. A crontab that kills that is dumb, jeezus.

Reimage your server, hire an expert -- stop trying to act like one.


For the record, I don't have a problem with that "stuff" -- because a) I am not an idiot like you, and b) I check for vulnerable packages as they come out and b1tch slap my users, and c) I am proactive -- unlike you which has gotten you into this mess.
 
man you are quite arrogant, modsecurity has issues when you try to install it onto plesk 7.5 on this freebsd branch from what Ive read. Quite frankly you annoy me, I'm seeking help on something and you're acting like the god expert. Now stop this thread usage and let someone help me thanks.
 
The thread clearly shows who is arrogant. If I am not mistaken this started as me offerring help and advice, and you snapping back with (paraphrased) "your stupid, you should turn off all of the features that everyone needs in php". Your "security through obscurity" is a joke, and I feel sorry for anyone that may mistake your advice as good.

Clearly modsecurity is so flawed as a FreeBSD package that they pulled it into the ports collection, but I forgot you are an expert and must know something the rest of the world doesn't. The only thing that is ever mentioned about modsecurity with respect to FreeBSD is an off-by-one vulnerability. But clearly your lame *** cron job is a better solution, just let the hackers in, don't fix any of the scripts, eliminate every single feature that PHP has (infact maybe you should disable mod_php), and hope they never change their attack is a brilliant solution.

Your advice is just simply garbage, please throw away the trash.
 
I appreciate the honest pointing of my way around things. No way is secure anyway, mine just has cleared up what has been happening on a box of a friends, and I implemented it on my own so that I wouldn't have their issue. Seems to be working fine in both places. Now, I don't claim to be so expertish or I wouldn't be asking for suggestions. I don't know much about this ****, hence I'm here asking. Again, thanks for your point of view, now kindly stop responding to this thread as I hope someone out there can give me a warranted piece of advice to handle the QMAIL related spamming.
 
I doubt it is qmail, but whatever. Clearly qmail is at fault, I mean you said it after all.
 
Again, I'm not saying QMAIL is the exact reason, did I not reference scripts through Apache/PHP may be doing it? However I also noted I need an option that wasn't mod_security as there's a compatiblity issue. I tried it before.
 
Back
Top