Full Version: messages in queue but not yet preprocessed: 48081
The Planet Forums > Control Panels > Plesk
JamieRicks
Hello,

Using Qmail on a RH9 / PSA6 box

I had a problem with an exploited script on a client's site that seems to have been used to send spam - locked down the client and used qmHandle to remove 132000 emails from the queue - this leaves 48000 in the queue:

[root@srv01 bin]# ./qmail-qstat
messages in queue: 45
messages in queue but not yet preprocessed: 48081

Does anyone have any ideas on how I can correct this or what I should do?

Any step by step instructions would be a great help.

Thanks in advance.
Squire
You can install qmail-remove then have it look for a specific phrase that appears in the spam mails, but not in any legitimate mail. If you take this route make sure you manually stop qmail first with: service qmail stop. Otherwise you'll mess up your queue.

For instance, I use qmail-remove every day to zap all of the bounces that hit my email addresses that have auto-responders set up. That one looks like:

qmail-remove -r -q /var/qmail/queue/ -p MAILER-DAEMON@hostname -i -v

which pulls the matches against the Sender of the server. So as soon as you identify some bit of text that appears only in the spam mail (check for an X-Sender in the headers since you mentioned that it was a script), just substitute that for the MAILER-DAEMON@hostname part. Be careful to get something that only appears in the spam mail though.

Relatively safe since the mail isn't actually deleted. Just moved. So you can reverse the process on an individual email if you need to.
Mr Myerz
Messages in local queue: 0
Messages in remote queue: 19918
[root@plesk6 qmHandle-1.2.0]# ./qmail-qstat
-bash: ./qmail-qstat: No such file or dir

I am having a similar problem with my server. I'm not sure if this is the same problem, but I can't seem to stop this. If anyone has seen something like this, please reply.
Squire
Sounds like you're probably running an open relay that has been discovered Mr Myerz. So that'll have to be dealt with first. If you plug in your domain over on DNSreport.com they will try to test for open relays, among other things. There are lots of other relay checkers out there. Another decent one is maintained by ORDB.org.

In Plesk go to Server > Mail to check the settings. Make sure that "Open" is not selected there. Personally, I always use Authorization is required and tick of POP3 with a lock time of 20 minutes. That seems to work well for everyone.

Next, in the same general area have a look at your White List. Plesk ships with a default of 127.0.0.1/8, which is wrong. It leaves you with an open relay no matter what you set anywhere else. If you have the /8 subnet mask there, remove that one and replace it with 127.0.0.1/32. The /32 subnet mask will still allow scripts to send mail from the server, but will close your relay for you.

Once you've got that closed you can use something like qmail-remove (mentioned above) or qmHandle to clean up your mail queue and get things back to normal.
oroboros
Hello Squire,

Sounds like great info and I appreciate it. I too am having an odd issue. I have a queue that seems to fluctuate from 8K to 7K and back up. I have Plesk 7.0.3 with a white list of 127.0.0.0/8 (not the .1). Would it still be a good idea to change this to /32, and will that prevent any users from using that box as an outgoing server? Thanks

(sorry for my ignorance)

Donovon
Mr Myerz
I made both the changes in plesk and wiped the entire queue

Messages in local queue: 0
Messages in remote queue: 1531
[root@plesk6 qmHandle-1.2.0]#

In less than a couple of hours

The link in the above post also stated that my open relay was still open, and Plesk says it's closed.

Also, the default IP was set to 0, but I set it to 32 and deleted the old one.
Squire
Donovon: I'm not sure on the 127.0.0.0 bit as I haven't had to configure a brand new server for a few months now. That doesn't sound right to me though. 127.0.0.1 is always going to be the localhost, unless they've done something funky that I'm not aware of. Maybe NightHawk will stop by to add a comment. He's much more up to date with what plesk are doing with new setups.

Just to clarify, it's the /8 subnet mask that opens up the relay. No matter what else you do, that alone will leave you open to the spammers taking over your server.

FWIW, I always tweak qmail a bit because I don't like the default setting of it trying to deliver any email for a full week before trying to bounce it. This default setting means that any double bounces are going to keep trying for 2 full weeks before they finally disappear.

Between the spammers, which use non-existent sending addresses, to people just typing in the wrong address that stuff can really clog up a queue. So I always create a file to control that at /var/qmail/control/queuelifetime and put a value of 129600 (the number of seconds in 36 hours) in there.

That way all of the spam, etc. gets a maximum lifetime of 72 hours even for double bounces. Then it poofs off into space. Anything that can't be delivered in a day and a half going each way should be either bounced or deleted anyway IMO.
Mr Myerz
Is there a way to just block this from going through, or is it part of the relay?

Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:11:37 -0000
Size: 3058 bytes

442726 (22, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:12:33 -0000
Size: 3032 bytes

442638 (3, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "aa-111"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2412 bytes

442661 (3, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "abaad.bbs"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2429 bytes

442707 (3, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:10:04 -0000
Size: 3063 bytes

442639 (4, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "aban.bbs"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2420 bytes

442662 (4, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:08:38 -0000
Size: 3030 bytes

442708 (4, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:10:05 -0000
Size: 3066 bytes

442617 (5, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "aa.kk"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2424 bytes

442686 (5, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:09:28 -0000
Size: 3056 bytes

442618 (6, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "aa_7148aa"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2423 bytes

442641 (6, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "aa.jiholiaw"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2433 bytes

442687 (6, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:09:17 -0000
Size: 3074 bytes

442710 (6, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "ababa"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2418 bytes

442733 (6, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:10:35 -0000
Size: 3058 bytes

442688 (7, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:09:24 -0000
Size: 3056 bytes

442642 (7, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "aa-henry"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2434 bytes

442711 (7, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:10:02 -0000
Size: 3052 bytes

442620 (8, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "aa.0527"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2422 bytes

442666 (8, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "ababcd.bbs"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2428 bytes

442735 (8, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "aba.hsiao"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2437 bytes

442689 (8, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:11:33 -0000
Size: 2979 bytes

442644 (9, R)
Return-path:
From: MAILER-DAEMON@plain.rackshack.net
To: hhh.jjj@msa.hinet.net
Subject: failure notice
Date: 13 Jul 2005 20:06:53 -0000
Size: 3116 bytes

442621 (9, R)
Return-path: hhh.jjj@msa.hinet.net
From: "" <[mis-encoded Big5 name]>
To: "aa.bbs"
Subject: [mis-encoded Big5 subject]
Date: Wed, 13 Jul 05 15:17:51 [mis-encoded text]
Size: 2418 bytes
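Picking a qmail-remove pattern that hits only the bounces is the tricky part Squire warns about earlier. The following is an added example, not from this thread and not part of qmHandle or qmail-remove: it parses a listing in the qmHandle -l layout pasted above and reports which header values occur in every bounce but inside no other queued message. The listing is constructed with placeholder hostnames and addresses.

```python
# Constructed sample in the qmHandle -l layout seen in this thread (not real queue data):
# an id line "NNNNNN (hash, R)" followed by the headers qmHandle prints for that message.
SAMPLE_LISTING = """\
442726 (22, R)
Return-path:
From: MAILER-DAEMON@mail.example.invalid
To: victim@example.invalid
Subject: failure notice

442638 (3, R)
Return-path: victim@example.invalid
From: "" <victim@example.invalid>
To: "aa-111"
Subject: cheap pills

442707 (3, R)
Return-path:
From: MAILER-DAEMON@mail.example.invalid
To: victim@example.invalid
Subject: failure notice
"""
SKIP = {"id", "Size", "Date"}   # per-message values, useless as a removal pattern

def parse_listing(text):
    """One dict per queued message: its queue id plus the headers qmHandle printed."""
    msgs, cur = [], None
    for line in text.splitlines():
        num, sep, _ = line.partition(" (")
        if sep and num.isdigit() and line.endswith(")"):   # "442726 (22, R)"
            cur = {"id": num}
            msgs.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return msgs

def is_bounce(msg):
    # qmail bounces have an empty envelope sender and come from MAILER-DAEMON@<hostname>
    return msg.get("Return-path") == "" and msg.get("From", "").startswith("MAILER-DAEMON@")

def queue_summary(text):
    """Count bounces vs. other mail and list the header values present in every
    bounce but inside no other queued message: safe candidates for qmail-remove -p."""
    msgs = parse_listing(text)
    bounces = [m for m in msgs if is_bounce(m)]
    others = [m for m in msgs if not is_bounce(m)]
    value_sets = [{v for k, v in m.items() if k not in SKIP and v} for m in bounces]
    common = set.intersection(*value_sets) if value_sets else set()
    # the spoofed sender is the To: of every bounce AND the sender of the originals,
    # so a substring check against the other messages rules it out as a pattern
    safe = [v for v in sorted(common) if not any(v in ov for m in others for ov in m.values())]
    return {"bounces": len(bounces), "others": len(others), "safe_patterns": safe}
```

Feed it the real output of qmHandle -l and check the result by eye before handing a pattern to qmail-remove; a value that only looks unique in a short listing can still appear in legitimate mail.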
theuruguayan
Sure someone is not using your server to send spam? Probably not a good customer, instead a bad user intrusion.
Squire
Those are all bounces, so by default they'll keep trying to send for a week before qmail finally dumps them. You can use something like qmHandle to toast them all. In one of my posts above I give the qmHandle line to run to do that. Just change MAILER-DAEMON@hostname to MAILER-DAEMON@plain

Off the subject, but it looks like you need to set your hostname too. At least for qmail. You've got one of the default ones in there. There are posts around here explaining how to change the hostname. For qmail (only) that is located at /var/qmail/control/me

Two things you can try to do to stop further spam and spam bounces from this person.

First, since the above all use the same domain in the address, you could add those to your blacklist in the control panel at Server > Mail > Blacklist. That's if you don't need to get any mail from msa.hinet.net. You also may want to take a good look at a few of the actual spam bounces. You've got the id number, so you can just do something like locate 442621 to see where it's located.

To view the actual email, it'll be the one that's in the /var/qmail/queue/mess/ path. Look below the first set of headers to find the headers of the original message. In that you should be able to find the IP number of the original sender. Then back in the control panel you can ban by the IP number too, in case they stop using msa.hinet.net as the fake sending address. FWIW, that will also tell you if the mail is coming from some script on your server or arriving from off of the server, which is a good detail to know.

HTH
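The check Squire describes above, as an added example that is not from this thread: given a qmail failure notice read from /var/qmail/queue/mess/, it looks at the copy of the original message below the bounce text and reports whether that mail was injected locally (a script on the box) or arrived from a remote IP. The sample bounce, hostnames and addresses are constructed placeholders; the Received: line formats are qmail's own.

```python
import re
import ipaddress
SEPARATOR = "--- Below this line is a copy of the message."
LOCAL_RE = re.compile(r"^Received: \(qmail \d+ invoked by uid (\d+)\)")
NET_STAMP_RE = re.compile(r"^Received: \(qmail \d+ invoked from network\)")
NET_FROM_RE = re.compile(r"^Received: from \S+(?: \(HELO [^)]*\))? \((?:[^@)]*@)?([0-9.]+)\)")

# Constructed sample of a qmail failure notice as stored under /var/qmail/queue/mess/
# (hosts and addresses are placeholders; the bounce text and Received: formats are qmail's).
SAMPLE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mail.example.invalid
Subject: failure notice

<nobody@example.invalid>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <victim@example.invalid>
Received: (qmail 31337 invoked by uid 48); 13 Jul 2005 15:17:51 -0000
"""

def received_headers(bounce_text):
    """Received: lines of the bounced copy (below the separator), newest first, unfolded."""
    if SEPARATOR not in bounce_text:
        return []
    out = []
    for line in bounce_text.split(SEPARATOR, 1)[1].lstrip("\n").split("\n"):
        if line == "":
            break                           # blank line ends the header block
        if line[:1] in " \t" and out:
            out[-1] += " " + line.strip()   # join a folded continuation line
        else:
            out.append(line)
    return [h for h in out if h.startswith("Received:")]

def classify_origin(bounce_text):
    """qmail-inject stamps local injections 'invoked by uid N' (48 is apache on RH9, i.e.
    a web script); qmail-smtpd stamps network mail and names the peer IP on the next line."""
    received = received_headers(bounce_text)
    for i, h in enumerate(received):
        m = LOCAL_RE.match(h)
        if m:
            return {"origin": "local", "uid": int(m.group(1))}
        if NET_STAMP_RE.match(h) and i + 1 < len(received):
            m = NET_FROM_RE.match(received[i + 1])
            if m:
                ip = ipaddress.ip_address(m.group(1))
                return {"origin": "local" if ip.is_loopback else "remote", "ip": str(ip)}
    return {"origin": "unknown"}
```

A loopback peer IP is reported as local too, since a script that talks SMTP to 127.0.0.1 shows up that way rather than with a uid stamp.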
Mr Myerz
You guys are bad @#!@#!@#! I blocked it and that seemed to do the trick. Thanks for the help Squire.

Although I can't seem to send email to Yahoo accounts; all others like Hotmail seem to work fine.
Squire
What error message are you getting in your maillog (tail -f /usr/local/psa/var/log/maillog) when trying to send an email to yahoo Mr Myerz?

Also, just to check quickly, are your firewall rules allowing DNS Zone Transfers on port 53? Having that blocked will cause some mail servers to automatically reject mail since they can't confirm it's being sent from a legit domain. If memory serves, I believe that Yahoo may be one that checks that.
x007
Anyone know how to completely stop the double bounce feature?

I'm dealing with a spam problem currently, so I'm looking to completely stop double bounces under qmail/Plesk and can't find a way...?
Squire
I'm not aware of a way to stop the double bounces x007. I've never really needed to though.

One thing you can do is to set the /var/qmail/control/queuelifetime to be less than the 7 days it is by default. Which ends up being 14 days actually. 7 out (if you have an autoresponder that is getting hammered by spammers) and 7 more on the bounce. That'll clean 'em out considerably more quickly and keep them from stacking up.

Another thing you can do is use qmail-remove to manually snatch all of the double bounces out of the queue daily or whatever time frame you need. You can configure a little line to match the MAILER-DAEMON that sends the bounces.

For instance, if your server name was server1.domain.com the qmail-remove line would look like:

CODE
qmail-remove -f -q /var/qmail/queue -p MAILER-DAEMON@server1 -i -v


That'll zap the bounces right outta there. ;)

One warning... Make 100% sure that you've stopped qmail (service qmail stop) before running the above. If you don't your queue is going to get corrupted.
x007
I have set up a cron with qmail-remote, but it's a bit of a pain and I need to shut down qmail before running it, and this does not prevent the sending back of the bounced email. But this will clear the queue for sure.

Correct me if I'm wrong, but I think Plesk has a big flaw on this side. If I'm not wrong, anyone with some script/knowledge can send email to a Plesk server with a bad recipient and a random return address, then the server bounces it to that random address. Is this usable by spammers? I think YES!

Assume I send email to a non-existent email address on your server, but as the return address on the email I put the email I want to spam. What will happen?

Your server will receive the email, then bounce it to the return email (where I want to spam)... Am I paranoid or is this right? If this is right, then spam can be sent massively that way via the "bounced" email, using the server as some kind of "relay" that way.

Maybe I'm wrong, but no one can give me an answer on that. It's been some time that I've been trying to get an answer to that.

What do you think about that?