Full Version: How to interpret logs?
The Planet Forums > Control Panels > Plesk
mfarnsworth
Logwatch for our server seems to show that only our users are accessing the server via FTP etc.

As shown below, Service ftp is known users, but Service smtp lists several hundred IPs. I've copied only the first 6 into this post.

Does this mean we are being used by spammers? If so, how can this be stopped?

----------
Connections:
Service ftp:
67.113.225.67: 1 Time(s)
138.217.54.240: 10 Time(s)
Service smtp:
4.3.195.52: 1 Time(s)
4.4.172.62: 1 Time(s)
4.5.94.212: 1 Time(s)
4.5.117.24: 1 Time(s)
4.7.47.187: 2 Time(s)
4.7.166.242: 1 Time(s)
----------
md3v
Hi...

(1) How many POP3 accounts exist on your server, are users using your outgoing SMTP services?

(2) Have you reviewed your mail log/s or done a queue stat to see mail being processed?

It's common to have a lot more SMTP log data than FTP, as each time a user sends an email their IP will be logged. 100+ emails/connections from the same IP address may be a red flag though.
mfarnsworth
qmail-qstat showed 97,000 emails yesterday which I cleared. A few hours later there were 7000 in the queue. Just now there were only 565.

The server only has 4 'clients', all of us friends running 1 or more sites. There is no way this many emails are being sent.

It seems clear we're being hijacked by spammers - yes? Any advice on how to stop this would be appreciated. We don't have open relay. And I can't keep logging in to run qmailclear.sh
md3v
It sounds to me like you're running an open relay OR that you have an insecure PHP or CGI script someone is exploiting to spam through your server.

Check your Plesk Server Admin, under 'Mail' - what's your configuration for relaying?
mfarnsworth
The mail setting is "authorization is required" with SMTP checked.

I've not indicated a maximum letter size or POP3 lock time and haven't enabled MAPS spam protection because I'm not sure what to enter for MAPS zones.

I've checked "only use of full POP3/IMAP mail account names is allowed".

We have a number of CGI scripts running, mainly for a printer friendly option on websites and for page counters.

Thanks again... your help is appreciated.
md3v
Firstly, open a shell to your server and monitor your mail server logs using:

tail -f /var/log/messages /var/log/secure /usr/local/psa/var/log/maillog

Second, use sbl-xbl.spamhaus.org as your MAPS/RBL.

Third, I recommend these modifications:

a. Maximum Letter Size = 20000 kbytes
b. Relaying = Authorization is required, SMTP.

You should also check your "White List" under "Server Wide Preferences" and make sure you only have 127.0.0.0 / 8 listed.

Once you have completed the above, visit http://www.abuse.net/relay.html and run a test against your server. It should confirm you are NOT running an open relay. On relay test 7 it may issue a false positive with QMAIL, but ignore this.

If the above test shows your mailserver is NOT configured as an open relay then I recommend you investigate the PHP/CGI scripts as these may be the problem. You can run a ps -aux from the command line to see if a particular script is pulling server resources and/or possibly the cause of the spam.

Let me know how things go.
Squire
Actually, I would not have 127.0.0.1/8 whitelisted. This too will effectively have your server running an open relay, no matter what other authorization you have configured. Beyond that it's completely unneeded.

Remove that and change it to 127.0.0.1/32 instead. That will allow scripts on the server to send mail, but will close the hole that /8 leaves open for spammers to use.

If your whitelist has the default 127.0.0.1/8 and you change that to 127.0.0.1/32 you'll probably see the mail volume take a drastic downward turn immediately.
md3v
Hi,

I have a mixed opinion on Squire's comments. My suggestion is to research the issue yourself... decide what suits your situation best.

127.0.0.1 is a closed IP block - it doesn't matter if you do a /8, /24 or /32 ...

m.
mfarnsworth
Thanks for all this information.

I've done all the things advised by md3v. The maillog shows unauthorised connections still getting through but the volume is way down. Over the past few hours it's never been more than a hundred at any time.

A couple of things:

1. sbl-xbl.spamhaus.org - I don't really understand this. I've entered it as MAPS/RBL but should I be able to connect to this site? I get an error message when I try to do so.

2. I'd like some advice on settings for the Plesk firewall. What connections can I ban without affecting our usability?

3. I ran ps -aux - CPU % for everything was 0.0 or 0.1, except for mysql

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
mysql 2041 13.7 0.7 185404 7480 ? S Mar01 8360:34 /usr/libexec/mys

Any thoughts?

4. I ran a test on www.abuse.net. Relay 7 was okay, but Relay 9 gave a positive which I think is a false one. Sound okay?

Thanks again for the advice - much appreciated.
md3v
Hi,

1. Visit www.spamhaus.org for info about the service.
2. Use APF firewall, it's easy to set up and configure.
3. Did you identify any unknown scripts which could be causing the problem/s?
4. Ok.
5. After talking with a colleague - I do recommend you change your White List to 127.0.0.1/32

m.
mfarnsworth
There are a variety of listings like this:

qmailr 8166 0.0 0.0 3420 952 ? S 13:11 0:00 qmail-remote skyl
qmailr 8240 0.0 0.0 3416 948 ? S 13:11 0:00 qmail-remote alta

I presume these and others are scripts allowing remote access to qmail? What would you suggest?
Squire
I agree that /8 should be a closed internal loop in theory md3v. Unfortunately it doesn't work out quite that way in practice.

I've been wondering for years now why these Plesk servers are sent out the door with /8 as a default. Most don't know to change it and it would sure nip a lot of spam problems off at the source if the default configuration was /32.

mfarnsworth: If you think you may have a rogue script somewhere on the server sending out mail, see if you can capture a few of those while they're in the queue. Read them and see if you can spot any text or header lines that are common to each of those emails.

If you can spot a phrase that is common to each of the questionable emails (check the X-Mailer in case it's an insecure version of formmail) you can then probably find the script with a grep statement. Just cd into /home/httpd/vhosts and run:

[php]for i in * ; do grep -r 'phrase with spaces' "${i}/httpdocs" ; done[/php]

where the phrase with spaces bit is the common phrase you found.
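As an added example (not code from the thread), a small shell script that automates the procedure Squire describes: tally the X-Mailer header across copies of queued messages, then grep each vhost's httpdocs for the most common value. The queue files, the two vhosts and the "FormMail 1.6" header value are constructed sample data; on a Plesk box you would point the functions at your queue copies and at /home/httpd/vhosts.

```shell
#!/bin/sh
# Added example, not from the thread. Tallies X-Mailer headers across a directory of
# message files (copies pulled from the queue), then greps each vhost's httpdocs for
# the most common value. All paths below are constructed in a temp dir; on a Plesk
# box you would point them at your queue copies and at /home/httpd/vhosts.

# top_xmailer DIR -> prints the most frequent X-Mailer value found in DIR/*
# (crude: it scans whole files, headers and body alike, which is fine for triage).
top_xmailer() {
    grep -h -i '^X-Mailer:' "$1"/* 2>/dev/null \
        | sed 's/^[Xx]-[Mm]ailer:[[:space:]]*//' \
        | sort | uniq -c | sort -rn | head -n 1 \
        | sed 's/^[[:space:]]*[0-9]*[[:space:]]*//'
}

# find_scripts VHOSTS PHRASE -> lists files under each VHOSTS/<site>/httpdocs that
# contain PHRASE literally (-F), quoting the path so odd site names do not break it.
find_scripts() {
    for i in "$1"/*; do
        [ -d "$i/httpdocs" ] && grep -r -l -F -- "$2" "$i/httpdocs" || :
    done
    return 0
}

# make_fixture -> builds constructed sample data and prints its root directory:
# three queued messages (two stamped by a FormMail script) and two vhosts, one of
# which still carries an old formmail.pl that writes that X-Mailer header.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/queue" "$tmp/vhosts/a.example/httpdocs/cgi-bin" "$tmp/vhosts/b.example/httpdocs"
    printf 'From: x@a.example\nX-Mailer: FormMail 1.6\n\nbuy now\n' > "$tmp/queue/msg1"
    printf 'From: y@a.example\nX-Mailer: FormMail 1.6\n\nbuy now\n' > "$tmp/queue/msg2"
    printf 'From: me@b.example\nX-Mailer: Outlook Express\n\nhi\n' > "$tmp/queue/msg3"
    printf '$header .= "X-Mailer: FormMail 1.6\\n";\n' > "$tmp/vhosts/a.example/httpdocs/cgi-bin/formmail.pl"
    printf '<html>contact</html>\n' > "$tmp/vhosts/b.example/httpdocs/index.html"
    printf '%s\n' "$tmp"
}

# Stand-alone run: build the fixture, report the suspect header and file, clean up.
root=$(make_fixture)
phrase=$(top_xmailer "$root/queue")
echo "most common X-Mailer: $phrase"
find_scripts "$root/vhosts" "$phrase"
rm -rf "$root"
```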
RexAdmin
Hi mfarnsworth,

Spammers are using some PHP script on your server to route spam through your server. You should locate the script and fix it.

Good luck
mfarnsworth
Ok - thanks for that, BUT: how do you know? How could I have discovered that for myself?

I've removed a variety of PHP and CGI forms which allow feedback from website visitors. Anyone know of a secure script to allow feedback?
bplinson
My plesk default mail whitelist setting was 127.0.0.0/8 . Can I delete that now that I have put in 127.0.0.1/32 ?
md3v
Yes, you should delete it -- only have 127.0.0.0/32 in your whitelist.
mfarnsworth
Much of the spam seems to have been stopped by getting the closed relay right, but this log extract gives an example of the ongoing problem:

-----

Apr 22 19:59:51 howard qmail: 1114163991.034129 starting delivery 4316: msg 5898460 to remote ygxb@bevivek.com
Apr 22 19:59:51 howard qmail: 1114163991.034145 status: local 0/10 remote 6/20
Apr 22 19:59:51 howard qmail: 1114163991.042370 starting delivery 4317: msg 5898503 to remote ajmcvhzzvpu@ajansses.net
Apr 22 19:59:51 howard qmail: 1114163991.042439 status: local 0/10 remote 7/20
Apr 22 19:59:51 howard qmail: 1114163991.051091 delivery 4316: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
Apr 22 19:59:51 howard qmail: 1114163991.051165 status: local 0/10 remote 6/20
Apr 22 19:59:51 howard qmail: 1114163991.976650 delivery 4315: failure: Connected_to_144.140.80.14_but_sender_was_rejected./Remote_host_said:_550_Sender_address_is_invalid/

-----

I am still unable to locate any script that is being used by spammers.

I'm now fairly desperate to find a solution to this and would be prepared to consider paying an experienced operator to assist.

Any ideas anyone...??
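md3v's earlier advice to watch the maillog and the excerpt above call for the same tool; as an added example (not from the thread), a shell function that summarises qmail-send lines of this format: how many deliveries started, deferred and failed, and which remote recipient domains they went to. The sample is the excerpt quoted above plus two constructed lines; ourdomain.example and deliveries 4318/4319 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises qmail-send log lines in the format
# shown above: how many deliveries started, deferred and failed, and which remote
# recipient domains they went to. A queue full of random local parts at many
# unrelated domains looks very different from four clients' normal mail.

# qmail_summary [FILE] -> one line "started N deferred N failed N", then one
# "domain count" line per remote recipient domain, most frequent first.
# Reads FILE, or stdin when no file is given.
qmail_summary() {
    awk '
        /starting delivery/ {
            started++
            # recipient address is the last field; tally its domain for remote mail
            if ($0 ~ / to remote /) {
                n = split($NF, parts, "@")
                if (n == 2) dom[parts[2]]++
            }
        }
        /: deferral:/ { deferred++ }
        /: failure:/  { failed++ }
        END {
            printf "started %d deferred %d failed %d\n", started, deferred, failed
            fflush()   # push the summary out before the sorted domain lines
            for (d in dom) printf "%s %d\n", d, dom[d] | "sort -k2,2nr -k1,1"
            close("sort -k2,2nr -k1,1")
        }' "$@"
}

# sample_log -> the excerpt quoted in the post above plus two constructed lines
# (delivery 4318 to a local user, 4319 to a second address at the same domain).
sample_log() {
    cat <<'EOF'
Apr 22 19:59:51 howard qmail: 1114163991.034129 starting delivery 4316: msg 5898460 to remote ygxb@bevivek.com
Apr 22 19:59:51 howard qmail: 1114163991.034145 status: local 0/10 remote 6/20
Apr 22 19:59:51 howard qmail: 1114163991.042370 starting delivery 4317: msg 5898503 to remote ajmcvhzzvpu@ajansses.net
Apr 22 19:59:51 howard qmail: 1114163991.051091 delivery 4316: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
Apr 22 19:59:51 howard qmail: 1114163991.976650 delivery 4315: failure: Connected_to_144.140.80.14_but_sender_was_rejected./Remote_host_said:_550_Sender_address_is_invalid/
Apr 22 19:59:52 howard qmail: 1114163992.100000 starting delivery 4318: msg 5898510 to local alice@ourdomain.example
Apr 22 19:59:52 howard qmail: 1114163992.200000 starting delivery 4319: msg 5898511 to remote qpzmw@bevivek.com
EOF
}

# Stand-alone run over the sample; on a live box: qmail_summary /usr/local/psa/var/log/maillog
sample_log | qmail_summary
```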
Squire
The script that I've seen being used the most is called formmail mfarnsworth. The old version from Matt's Script Archive (Perl/CGI) is a likely culprit if someone has that old version on a site you're hosting. I'd start by looking for that.

If you can read one of them while still in your queue you should be able to see if that's it because by default it'll identify itself in the X-Mailer line in the headers. Otherwise, if you can find a common phrase that is being used in all or many of the emails you can use the little grep routine I posted above to find if any files on your server contain that phrase.

If you have AIM/AOL or MSN Messenger available and want to chat directly feel free to PM me the info. I'll try to walk you through a few things you can do to identify who/what the spammer is as well as a few things I tweak to keep qmail running smoothly.
jimbouk
I had a problem where my email stopped working and also parts of Plesk to do with email. I traced this to a lack of storage on /var. The cause was a qmail queue of 266,386 messages. Yep, lovely server had been hit by spammers.

It was my fault; I am new to this and had left it as an open relay and hadn't noticed until a problem occurred.

I have followed many of the instructions in this thread but to no avail and could now do with some advice from experts.

I have changed white list entry to 127.0.0.1/32 and chosen at this time to close the relay completely. I have also changed my firewall to not let in anyone other than myself to http so they should not be able to access html forms.

My problem is that I have cleared out the queue using qmHandle but despite all these steps as soon as I turn on qmail the spam floods in. As far as I can tell these are coming from external as I have switched off http and even tried removing 127.0.0.1/32 from the white list. My logs however still show smtp accesses.

It seems that no matter what I do it makes no difference; the only thing that stops it is stopping qmail.

It seems like any changes I make to qmail in plesk are being ignored completely!!!

I am at my wits end here any suggestions?
jimbouk
My thoughts are that the Plesk implementation of qmail is not as robust as it could be. I upgraded to Plesk Reloaded 7.5.2 and a lot of my problems now seem to have gone away.

I am still receiving many attempts to log onto smtp but the messages are now being refused by rcpthosts.

What is weird however is that I expect the messages to be refused by smtp_auth but this does not seem to be happening.

This in itself is weird as it refuses to let me send from Outlook Express if I haven't got authentication set correctly but doesn't seem to stop relay tests etc. or other external SMTP connections on the basis of authentication. I would expect authentication to happen first before checking rcpthosts.

I have also purchased qmail manager from 4PSA to allow me to maintain qmail from within plesk. It seems like this should be part of the core product.
jimbouk
Should also have mentioned that relay tests fail my server on allowing % or @ signs through. Any ideas on this?

i.e. bob%dillan.co.uk@guitar.co.uk or bob@dillan.co.uk@guitar.co.uk
Squire
Are you ticking off both POP3 and SMTP when you require authorization Jim?

I don't know if it's still the case, but long ago and far away if you chose both of those they effectively cancelled each other out and left you with an open relay.

Personally I set mine with POP3 authorization with a lock time of 20 minutes, and the only thing in my Whitelist is 127.0.0.1/32. I've never had any problems with those settings.
jimbouk
Squire, thanks for reply.

Nope only got SMTP checked.

White list has 127.0.0.1/32 and my home_machine/32.

This is what is confusing me as although the relay seems to now have effectively stopped, not everything is acting as I would necessarily expect and therefore I am not always getting the answer from the open relay check sites that I would wish for.

Part of this is explained, I think, by a site I found but now can't find again, that explained how one version of smtp_auth is implemented with qmail without altering qmail_smtpd.

http://www.suspectclass.com/~sgifford/smtp...mtp_auth.README

Maybe this is why the reason for refusal etc is not necessarily smtp_auth based.
Squire
hmm... It's a good question and one I don't have an answer to honestly. I've always used the POP3 Lock option myself and never had a problem either with an open relay or a false positive on the various open relay checkers.

I wonder if you would get the same error reports if you switch from SMTP Auth to POP3 Lock?
jimbouk
Squire, I'll give that a go. In fact if I set it to 20 minutes as you suggest, this I would hope would leave the link open all the time, as my client checks more often than this, which I need as mail gets sent instantly.
hugemonkey
Hi,

Since I removed the default Plesk whitelist address and changed it to 127.0.0.1 / 32 none of the mail scripts will send mail to email addresses on my domain. If I change the recipient address to my own ISP supplied address it works fine.

Please can you offer some help.
Invision Power Board © 2001-2009 Invision Power Services, Inc.