Qmail spam relay

Status
Not open for further replies.

johnwwweissberg

Technical User
Oct 13, 2004
3
BE
My maillog files are extremely full. I suspect that my server (RedHat 9, Plesk 7, Qmail plus Dr Web virus scanner) is being used as a spam relay.

I have confirmed that /var/qmail/control/rcpthosts contains only domains on my server.

In spite of the relay being closed with RCPTHOSTS, my maillog contains many lines like:

Oct 13 07:50:57 u15164061 qmail: 1097653857.769672 starting delivery 38105: msg 29449617 to remote ancckpsgx@netking.com
Oct 13 07:50:57 u15164061 qmail: 1097653857.769983 status: local 0/10 remote 17/20

Normally, this mail should have been rejected since the domain is not in RCPTHOSTS.

What can I check to see how exactly it is that these messages are getting into the system?
 
Maybe a legitimate user on your system is relaying? I know you can allow your users to relay if they authenticate with POP3 or with SMTP auth. First be sure it's not a legitimate user who is relaying.

Second, you may want to check the contents of your tcp.smtp file. This also controls relaying by setting the RELAYCLIENT environment variable based on the connecting IP.

I think the log file you are showing is your qmail-send log. I think you want to check your qmail-smtpd log file to see what IP these messages are originating from.

Also, how are you sure it's spam that is being relayed?
 
FYI: POP3 is not encrypted, so a spammer could have captured a username and password to authenticate with your email server. Follow Donboy's suggestion and block at their IP address.

G.L.

T.k.
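
The tcp.smtp check suggested in the thread, as an added example that is not part of any original post: a Python audit that lists the rules setting RELAYCLIENT, since qmail-smtpd ignores rcpthosts for any client that has that variable set. The sample rules are constructed and the function names are hypothetical; feed it the text of your own rules file, whose path varies by install.

```python
import re

# Constructed sample rules in tcprules format (not taken from the thread).
SAMPLE_TCP_SMTP = """\
# loopback and office LAN may relay
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
10.0.0.5:allow
203.0.113.:deny
:allow,RELAYCLIENT=""
"""

# ,VAR=<quote>value<quote>; tcprules accepts any character as the quote
ENV_RE = re.compile(r',(\w+)=(.)(.*?)\2')

def parse_rules(text):
    """Return (lineno, address, action, env) for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        address, sep, instr = line.partition(":")
        action = instr.split(",", 1)[0]
        if not sep or action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: not a tcprules rule: {raw!r}")
        env = {m.group(1): m.group(3) for m in ENV_RE.finditer(instr)}
        rules.append((lineno, address, action, env))
    return rules

def relay_scope(address):
    """Classify how many clients a rule address covers."""
    if address == "":
        return "any-client"  # default rule: matches every connection
    if address.startswith("127."):
        return "loopback"
    if address.startswith("="):
        return "hostname"
    return "network" if address.endswith(".") or "-" in address else "host"

def audit_relay_rules(text):
    """List allow rules that set RELAYCLIENT, i.e. that bypass rcpthosts."""
    return [(lineno, address, relay_scope(address))
            for lineno, address, action, env in parse_rules(text)
            if action == "allow" and "RELAYCLIENT" in env]

if __name__ == "__main__":
    for lineno, address, scope in audit_relay_rules(SAMPLE_TCP_SMTP):
        print(f"line {lineno}: {address or '(default)'} -> relay allowed for {scope}")
```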
 