Full Version: Spam ?
The Planet Forums > Control Panels > Plesk
webman
Hi,

I was watching top today and noticed lots of qmail, so I took a look in the mail log and found that lots of mail was being sent. After seeing some of the email addresses I turned off the SMTP relaying (however I do need this on with Auth).

I have a couple of questions, first is this spam ?

------------------------------
3 04:39:19 plesk qmail: 1033634359.968821 new msg 278959
Oct 3 04:39:19 plesk qmail: 1033634359.968838 info msg 278959: bytes 2219 from <> qp 23307 uid 2522
Oct 3 04:39:19 plesk qmail: 1033634359.974715 starting delivery 7264: msg 278959 to remote thepornplaygroundishereforyou@papertime.com
Oct 3 04:39:19 plesk qmail: 1033634359.974844 status: local 0/10 remote 2/20
Oct 3 04:39:19 plesk qmail: 1033634359.979238 delivery 7264: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/

------------------------------------


I had the SMTP off altogether at this stage but the email was still trying to send. I am getting lots of these in the log. They never have a 'from' address.


Also there are always IP addresses in the maillog for POP3 but I never see any IP addresses for SMTP, so I can't put the bad guy in my IP blacklist. How do I find the sender's IP address ?

Also I added 127.0.0.1/24 to my IP White List ... I believe this helps somehow ?

I've been trying to look at the qmail-qstat but I just get a bash even when I run it from the correct directory ? How do I find the mail queue ?

That's a lot of questions, any answers are appreciated.

Thanks,
Stephen
Squire
[QUOTE]Originally posted by webman


I had the SMTP off altogether at this stage but the email was still trying to send. I am getting lots of these in the log. They never have a 'from' address.
[/QUOTE]

You may still have a ton of mail sitting in the queue waiting to be sent, or resent. The best way to see/delete those are to install qmHandle and/or qmail-remove. Here's a previous thread on the RS forums which discusses those and links over to a thread on the Plesk forums with more info: http://forum.rackshack.net/showthread.php?...&highlight=spam

[QUOTE]Also there are always IP addresses in the maillog for POP3 but I never see any IP addresses for SMTP, so I can't put the bad guy in my IP blacklist. How do I find the senders IP address ?[/QUOTE]

You can find those IPs for SMTP connections by tailing /var/log/secure. You may want to have two instances of SSH running so that you can compare the times between that and maillog.

[QUOTE]Also I added 127.0.0.1/24 to my IP White List ... I believe this helps somehow ?[/QUOTE]

It will help, if that's the problem you're experiencing. You definitely don't want to allow more than /24 or it will leave you wide open to the spammers. There are several holes people can sneak in to use your server as a spam sender. The thread linked above discusses some of those.

[QUOTE]I've been trying to look at the qmail-qstat but I just get a bash even when I run it from the correct directory ? How do I find the mail queue ?[/QUOTE]

qmHandle or qmail-remove will get ya to the mail queue and answer that one too.

Squire
webman
That was just about every question answered, thank you it is a big help.

I found an IP address in my secure log file that matches much of the sending in the maillog. This IP seems to be sending every (or connecting to secure SMTP) minutes for the last few days.

5 from=64.5.217.130
Oct 3 01:08:41 plesk xinetd[824]: START: smtp pid=10608 from=64.5.217.130
Oct 3 01:18:44 plesk xinetd[824]: START: smtp pid=10779 from=64.5.217.130
Oct 3 01:28:48 plesk xinetd[824]: START: smtp pid=11424 from=64.5.217.130
Oct 3 01:38:48 plesk xinetd[824]: START: smtp pid=11712 from=64.5.217.130
Oct 3 01:48:49 plesk xinetd[824]: START: smtp pid=11939 from=64.5.217.130
Oct 3 01:58:56 plesk xinetd[824]: START: smtp pid=12502 from=64.5.217.130
Oct 3 02:08:57 plesk xinetd[824]: START: smtp pid=12767 from=64.5.217.130
Oct 3 02:19:02 plesk xinetd[824]: START: smtp pid=12929 from=64.5.217.130
Oct 3 02:29:03 plesk xinetd[824]: START: smtp pid=13060 from=64.5.217.130
Oct 3 02:39:04 plesk xinetd[824]: START: smtp pid=13216 from=64.5.217.130
Oct 3 02:49:06 plesk xinetd[824]: START: smtp pid=13415 from=64.5.217.130
Oct 3 02:59:08 plesk xinetd[824]: START: smtp pid=13602 from=64.5.217.130
Oct 3 03:09:12 plesk xinetd[824]: START: smtp pid=14200 from=64.5.217.130
Oct 3 03:19:14 plesk xinetd[824]: START: smtp pid=14873 from=64.5.217.130
Oct 3 03:29:17 plesk xinetd[824]: START: smtp pid=15280 from=64.5.217.130
Oct 3 03:39:21 plesk xinetd[824]: START: smtp pid=15604 from=64.5.217.130
Oct 3 03:49:27 plesk xinetd[824]: START: smtp pid=16087 from=64.5.217.130
Oct 3 03:59:28 plesk xinetd[824]: START: smtp pid=16724 from=64.5.217.130
Oct 3 04:09:31 plesk xinetd[824]: START: smtp pid=19227 from=64.5.217.130
Oct 3 04:19:33 plesk xinetd[824]: START: smtp pid=22682 from=64.5.217.130
Oct 3 04:29:34 plesk xinetd[824]: START: smtp pid=23076 from=64.5.217.130
Oct 3 04:39:35 plesk xinetd[824]: START: smtp pid=23314 from=64.5.217.130
Oct 3 04:49:36 plesk xinetd[824]: START: smtp pid=23557 from=64.5.217.130
Oct 3 04:59:37 plesk xinetd[824]: START: smtp pid=23788 from=64.5.217.130
Oct 3 05:09:39 plesk xinetd[824]: START: smtp pid=23977 from=64.5.217.130
Oct 3 05:19:41 plesk xinetd[824]: START: smtp pid=24234 from=64.5.217.130
Oct 3 05:29:43 plesk xinetd[824]: START: smtp pid=24405 from=64.5.217.130
Oct 3 05:39:43 plesk xinetd[824]: START: smtp pid=24688 from=64.5.217.130
Oct 3 05:49:43 plesk xinetd[824]: START: smtp pid=24906 from=64.5.217.130
Oct 3 05:59:43 plesk xinetd[824]: START: smtp pid=25119 from=64.5.217.130
Oct 3 06:09:43 plesk xinetd[824]: START: smtp pid=25419 from=64.5.217.130
Oct 3 06:19:44 plesk xinetd[824]: START: smtp pid=25668 from=64.5.217.130
Oct 3 06:29:44 plesk xinetd[824]: START: smtp pid=26039 from=64.5.217.130
Oct 3 06:39:45 plesk xinetd[824]: START: smtp pid=26331 from=64.5.217.130
Oct 3 06:49:45 plesk xinetd[824]: START: smtp pid=26648 from=64.5.217.130
Oct 3 06:59:47 plesk xinetd[824]: START: smtp pid=26924 from=64.5.217.130
Oct 3 07:09:47 plesk xinetd[824]: START: smtp pid=27161 from=64.5.217.130
Oct 3 07:19:47 plesk xinetd[824]: START: smtp pid=27414 from=64.5.217.130
Oct 3 07:29:47 plesk xinetd[824]: START: smtp pid=27682 from=64.5.217.130
Oct 3 07:39:48 plesk xinetd[824]: START: smtp pid=27892 from=64.5.217.130
Oct 3 07:49:48 plesk xinetd[824]: START: smtp pid=28180 from=64.5.217.130
Oct 3 07:59:49 plesk xinetd[824]: START: smtp pid=28930 from=64.5.217.130
Oct 3 08:09:50 plesk xinetd[824]: START: smtp pid=29716 from=64.5.217.130
Oct 3 08:19:51 plesk xinetd[824]: START: smtp pid=30315 from=64.5.217.130
[root@plesk log]#
I blocked the IP and another very similar IP address yet they both kept sending every ten minutes. So I did a lookup for the IP address and it comes up as mail124.mailstamp.com so I added this to the blacklist in Plesk but no, he is still appearing in the secure log every ten minutes.

How do I stop him ? Do I need to restart qmail to get the blacklist to take ?

Thanks,
Stephen
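Squire's suggestion above (compare the times in /var/log/secure against the maillog) and the xinetd lines Stephen pasted can be turned into a small defensive check: count SMTP connections per source IP, flag sources that reconnect on a fixed cadence, and attach each qmail remote delivery to the connection that immediately preceded it. This is an added Python example, not code from the thread or from Plesk/qmail. The log lines it parses are constructed in the formats shown in this thread using TEST-NET addresses; the year (syslog lines carry none), the 60-second correlation window and the 30-second cadence tolerance are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# xinetd line in /var/log/secure, e.g.
#   Oct  3 01:08:41 plesk xinetd[824]: START: smtp pid=10608 from=192.0.2.10
SECURE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ xinetd\[\d+\]: "
    r"START: (?P<svc>\S+) pid=\d+ from=(?P<ip>[\d.]+)$"
)
# qmail delivery-start line in maillog, e.g.
#   Oct  3 01:08:50 plesk qmail: 1033634930.1 starting delivery 1: msg 10 to remote a@example.net
MAIL_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ qmail: \S+ "
    r"starting delivery (?P<dlv>\d+): msg (?P<msg>\d+) to (?P<kind>local|remote) (?P<rcpt>\S+)$"
)

YEAR = 2002  # assumption: syslog timestamps have no year, one is needed for arithmetic

# Constructed sample logs (not from the thread); 192.0.2.10 reconnects every ~10 minutes.
SECURE_SAMPLE = [
    "Oct  3 01:08:41 plesk xinetd[824]: START: smtp pid=10608 from=192.0.2.10",
    "Oct  3 01:10:02 plesk xinetd[824]: START: pop3 pid=10650 from=203.0.113.5",
    "Oct  3 01:18:44 plesk xinetd[824]: START: smtp pid=10779 from=192.0.2.10",
    "Oct  3 01:20:00 plesk xinetd[824]: START: smtp pid=10801 from=198.51.100.7",
    "Oct  3 01:28:48 plesk xinetd[824]: START: smtp pid=11424 from=192.0.2.10",
    "Oct  3 01:38:48 plesk xinetd[824]: START: smtp pid=11712 from=192.0.2.10",
]
MAIL_SAMPLE = [
    "Oct  3 01:08:50 plesk qmail: 1033634930.1 starting delivery 1: msg 10 to remote someone@example.net",
    "Oct  3 01:09:00 plesk qmail: 1033634940.1 starting delivery 2: msg 11 to local bob@example.org",
    "Oct  3 01:18:50 plesk qmail: 1033635530.1 starting delivery 3: msg 12 to remote another@example.org",
    "Oct  3 01:20:05 plesk qmail: 1033635605.1 starting delivery 4: msg 13 to remote third@example.com",
]


def parse_ts(mon, day, time_):
    return datetime.strptime(f"{YEAR} {mon} {day} {time_}", "%Y %b %d %H:%M:%S")


def smtp_connections(secure_lines):
    """Return (timestamp, ip) for every xinetd 'START: smtp' line, ignoring pop3 etc."""
    out = []
    for line in secure_lines:
        m = SECURE_RE.match(line)
        if m and m["svc"] == "smtp":
            out.append((parse_ts(m["mon"], m["day"], m["time"]), m["ip"]))
    return out


def connections_per_ip(secure_lines):
    """How often each source IP opened an SMTP connection."""
    return Counter(ip for _, ip in smtp_connections(secure_lines))


def periodic_sources(secure_lines, min_hits=3, tolerance_s=30):
    """IPs whose inter-connection gaps are all within tolerance_s of the median gap.
    A fixed cadence is a strong hint of an automated sender; returns {ip: median_gap_seconds}."""
    by_ip = defaultdict(list)
    for ts, ip in smtp_connections(secure_lines):
        by_ip[ip].append(ts)
    result = {}
    for ip, stamps in by_ip.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if all(abs(g - med) <= tolerance_s for g in gaps):
            result[ip] = int(med)
    return result


def deliveries_after_connection(secure_lines, mail_lines, window_s=60):
    """Attribute each qmail remote delivery to the SMTP connection that started
    at most window_s seconds before it; returns {ip: [recipient, ...]}."""
    conns = smtp_connections(secure_lines)
    matched = defaultdict(list)
    for line in mail_lines:
        m = MAIL_RE.match(line)
        if not m or m["kind"] != "remote":
            continue  # local deliveries are not relayed mail
        ts = parse_ts(m["mon"], m["day"], m["time"])
        for cts, ip in conns:
            if timedelta(0) <= ts - cts <= timedelta(seconds=window_s):
                matched[ip].append(m["rcpt"])
                break
    return dict(matched)


if __name__ == "__main__":
    print("connections per IP:", dict(connections_per_ip(SECURE_SAMPLE)))
    print("periodic sources (median gap s):", periodic_sources(SECURE_SAMPLE))
    print("remote deliveries by source:", deliveries_after_connection(SECURE_SAMPLE, MAIL_SAMPLE))
```

On a real box you would feed `open("/var/log/secure")` and `open("/var/log/maillog")` into these functions instead of the sample lists; a source that shows up in `periodic_sources` and also owns remote deliveries in `deliveries_after_connection` is the one to check against your relay and blacklist settings.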
webman
I've found out that this IP is a known bulk mailer. I have my relay now closed completely, plus have all his IP addresses and domain name in my black list in plesk yet he still appears every 5 minutes in my secure log.

If he appears in the secure log, does this mean that he is successfully sending through smtp or could it be him trying to log in ? I am getting "Unable to authorize SMTP" errors in my maillog ?

Stephen
micxz
webman, a thread you might like:

thread

Squire has something to say