
Spam Email

May 15, 2005 Posted by KP

Someone sent out lots of spam from my server yesterday; my ISP responded so fast that they disconnected my server immediately after they received the complaint.

They reconnected the server after I told them I would stop postfix and disable the mail command to make sure no emails would be sent out before the problems were fixed.

Actually, I never managed to get postfix working well; I can't even send emails from my desktop myself. Sending/receiving emails works well on the server side. Since it's not necessary for me to use SMTP from my desktop, I have kept the current configuration till now. That's why I haven't mentioned email configuration on this blog so far.

I guess the spam was sent with a web script, because:
1. My postfix doesn't allow relays from the desktop.
2. The sender was specified as "www@myhost.com" according to the complaint email.

The spam email entry in the maillog looks like:
May 14 14:55:03 pang postfix/smtp[46011]: EC0C595C90: to=<xxx@xxx.com>, relay=mail2.iecc.com[208.31.42.98], delay=724, status=sent (250 ok 1116100192 qp 2255)

The server looks clean to me; odds are it wasn't hacked. I use phpBB, vBulletin and Awstats on this server; currently I'm still trying to find out how the spammer did it.

Filed Under: Security

2 Comments to “Spam Email”

  1. yegg Says:

    The first thing to do is check the authentication and logs, e.g. /var/log*, to see if anything else weird went on around that time. In particular, try to make sure no one logged on to your machine other than you or someone else authorized. Next, see if they accessed your mail server via web scripts. Can you send mail through those scripts? Check the http logs to see if they line up. Next, make sure you don't have an open relay via postfix. The easy way is to telnet to your machine from another network and try to send an email directly via SMTP, e.g.:

    telnet machine 25
    helo malism.com
    mail from:
    rcpt to:
    data
    Subject: test relay

    test relay
    .

    That’s a start. I use qmail.

  2. FreeBSD Newbie Says:

    Many thanks for your suggestions! I have tested for open relay with your telnet method; the server doesn't allow open relay - it only accepts local email addresses for "rcpt to".

    The spammer very likely used a web script. I've never done Apache log rotation on this server (I did a manual rotation on another server, though) and was about to process this one. The log files contained 5 months of data - too big to check them :-(. I deleted all of them when I performed a backup yesterday. I'm gonna check the new log files to see if there are any possible clues.
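As an added example (not code from the post or from either commenter), here is a small Python script that does the "see if the http logs line up" check from the first comment against postfix delivery lines like the maillog entry in the post: it subtracts postfix's delay= value from the log time to estimate when each message entered the queue, then lists the POST requests made in the seconds before that. All log lines, hostnames, paths and the assumed year 2005 are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

LOG_YEAR = 2005  # assumption: syslog lines carry no year; both logs in server local time

# postfix/smtp delivery line, same shape as the maillog entry in the post
MAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<[^>]*>, relay=\S+, delay=(?P<delay>[\d.]+), "
    r"status=(?P<status>\w+)")
# Apache common/combined access log line; the timezone offset is ignored
HTTP_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3}')

def mail_arrival(line):
    """(queue id, estimated queue-entry time) for a status=sent line, else None.
    postfix logs delay= as seconds since the message entered the queue, so the
    web script (if any) handed the mail to sendmail at about log time - delay."""
    m = MAIL_RE.match(line)
    if not m or m["status"] != "sent":
        return None
    sent_at = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return m["qid"], sent_at - timedelta(seconds=float(m["delay"]))

def http_hits(lines):
    """Yield (time, client ip, method, path) for each parseable access log line."""
    for line in lines:
        m = HTTP_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
            yield ts, m["ip"], m["method"], m["path"]

def suspects(mail_lines, http_lines, window=30):
    """Map each delivered queue id to the POSTs made within `window` seconds before it was queued."""
    hits = list(http_hits(http_lines))
    out = {}
    for line in mail_lines:
        parsed = mail_arrival(line)
        if parsed:
            qid, arrived = parsed
            lo = arrived - timedelta(seconds=window)
            out[qid] = [(ip, path) for ts, ip, method, path in hits
                        if method == "POST" and lo <= ts <= arrived]
    return out

# constructed sample logs: the sent message was queued 724 s before 14:55:03, i.e. at 14:42:59
MAILLOG = [
    "May 14 14:55:03 pang postfix/smtp[46011]: EC0C595C90: to=<victim@example.com>, "
    "relay=mx.example.net[192.0.2.10], delay=724, status=sent (250 ok 1116100192 qp 2255)",
    "May 14 14:55:04 pang postfix/smtp[46012]: 1A2B3C4D5E: to=<other@example.com>, "
    "relay=mx.example.org[192.0.2.20], delay=5, status=deferred (connection timed out)",
]
ACCESS_LOG = [
    '203.0.113.7 - - [14/May/2005:14:42:57 -0400] "POST /forum/contact.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [14/May/2005:14:42:40 -0400] "GET /awstats/awstats.pl HTTP/1.0" 200 4096',
    '203.0.113.7 - - [14/May/2005:14:50:01 -0400] "POST /forum/contact.php HTTP/1.1" 200 512',
]
```

Running `suspects(MAILLOG, ACCESS_LOG)` on the sample data names the one POST that landed in the 30-second window before the spam was queued; the GET and the later POST are excluded.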
