
"Daily SMTP Relay Limit Reached"


coglethorpe (Programmer, US), Jan 17, 2007
I'm running a host on GoDaddy, and I received a "Daily SMTP Relay Limit Reached" email from them.

Something has found a way into my SMTP port, but I cannot find a way to fend it off. I have qmail shut down and the queues cleaned out. As far as I can tell, the remote hosts file only includes sites on that server.

But somehow something is sending "webcard" virus emails from a site in Brazil. Thousands of them.

Anyone experience this anywhere? All help is appreciated.
 
I speculate that you have a website with a script or something else that got compromised.

You may also have an account with a default or (easily) guessed password that is allowing unrestricted access to email services.

I recommend you speak to GoDaddy for more information, this is their platform to support, IMHO.

D.E.R. Management - IT Project Management Consulting
 
Thanks for your help. How do I find a compromised script? My access logs don't show anything like that.

I'll check over my passwords...

Is there anything I can do to monitor the system closer? The qmail logs don't indicate what process is sending the mails...

It is GoDaddy's system, but it's also websites I've created. It's my setup that likely caused this issue, so I'm trying to solve it on my own. Thanks to anyone who has any insights.
 
OK, here's the thing:

qmail logs WILL show information IF qmail is the actual SMTP MTA being used to send the mail.

However, if you have been compromised either through abuse of existing scripts (web) or through the injection of one or more unknown scripts, then you would NOT LIKELY see evidence in the qmail logs of the outgoing mail.

What you should be looking for are unusual files in /tmp or in your CGI or web content folders. I cannot reasonably coach you remotely here but either you have a compromised account/password or a compromised web page/cgi that is being used against you.

Try changing all passwords and taking down all your web content for a day or two and see if you've controlled the problem.

Otherwise I can offer consulting services; contact me through my website.



D.E.R. Management - IT Project Management Consulting
 
Whatever it is, is certainly going through qmail. For what it's worth, to whoever it's worth:

From maillog, I get:

Jan 17 00:00:00 MyServerName qmail: 1169017200.010266 starting delivery 2878986: msg 136355402 to remote webcard@terra.com.br
Jan 17 00:00:00 MyServerName qmail: 1169017200.010352 status: local 0/10 remote 19/20
Jan 17 00:00:00 MyServerName qmail: 1169017200.010812 starting delivery 2878987: msg 136355356 to remote webcard@terra.com.br
Jan 17 00:00:00 MyServerName qmail: 1169017200.010884 status: local 0/10 remote 20/20

From smtp_pendings.log, I get things like this:

1168955183.982555 info msg 136099982: bytes 5566 from <> qp 26598 uid 2522
1168955183.982555 extra 136099982 0 3 0

and this:

1169036204.153439 starting delivery 2960965: msg 136575524 to remote someuser@somedomain.com.br
1169036206.555718 starting delivery 2960972: msg 136575502 to remote someuser@somedomain.com.br

Thousands and thousands of lines like that in each log. The emails are all a HTML "webcard" that has a nifty link to a virus. Nice, eh?

I'm changing passwords and checking over my files now. Thanks to anyone who can offer any more insight!
 
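Added example, not code from the thread or from GoDaddy: a small Python script that pulls the two facts a defender needs out of the two qmail log formats quoted above. The `info msg ... uid N` line written by qmail-send records the uid of the local process that handed the message to qmail-queue, which is exactly what the poster could not see in the delivery lines, and the `starting delivery ... to remote` lines give the recipient pattern. The sample lines are constructed from the formats above, with two extra lines added for contrast; the `MyServerName` host and the uids are placeholders.

```python
import re
from collections import Counter

# Constructed sample, modelled on the maillog and smtp_pendings.log lines quoted in the thread.
SAMPLE_LOG = """\
Jan 17 00:00:00 MyServerName qmail: 1169017200.010266 starting delivery 2878986: msg 136355402 to remote webcard@terra.com.br
Jan 17 00:00:00 MyServerName qmail: 1169017200.010352 status: local 0/10 remote 19/20
Jan 17 00:00:00 MyServerName qmail: 1169017200.010812 starting delivery 2878987: msg 136355356 to remote webcard@terra.com.br
Jan 17 00:00:01 MyServerName qmail: 1169017201.000000 starting delivery 2878988: msg 136355360 to remote someuser@somedomain.com.br
Jan 17 00:00:01 MyServerName qmail: 1169017201.100000 starting delivery 2878989: msg 136355361 to local admin@example.com
1168955183.982555 info msg 136099982: bytes 5566 from <> qp 26598 uid 2522
1168955183.982555 extra 136099982 0 3 0
1168955184.000000 info msg 136099983: bytes 5570 from <> qp 26601 uid 2522
1168955185.000000 info msg 136099984: bytes 812 from <alice@example.com> qp 26610 uid 1001
"""

# qmail-send "info msg" line: the uid is the local user whose process injected the message.
INFO_RE = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")
# qmail-send "starting delivery" line: local vs remote and the envelope recipient.
DELIVERY_RE = re.compile(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")


def summarize(log_text):
    """Return (messages injected per uid, remote deliveries per recipient domain,
    remote deliveries per recipient address) for a block of qmail log text."""
    by_uid, by_domain, by_rcpt = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = INFO_RE.search(line)
        if m:
            by_uid[int(m.group(5))] += 1
            continue
        m = DELIVERY_RE.search(line)
        if m and m.group(3) == "remote":  # only outbound mail counts toward the relay limit
            rcpt = m.group(4)
            by_rcpt[rcpt] += 1
            by_domain[rcpt.rsplit("@", 1)[-1]] += 1
    return by_uid, by_domain, by_rcpt


def top_injector(log_text):
    """The uid that queued the most messages, i.e. the account to inspect first."""
    by_uid, _, _ = summarize(log_text)
    return by_uid.most_common(1)[0][0] if by_uid else None


if __name__ == "__main__":
    uids, domains, rcpts = summarize(SAMPLE_LOG)
    print("injections by uid:", dict(uids))
    print("remote deliveries by domain:", dict(domains))
    print("suspect uid:", top_injector(SAMPLE_LOG))
```

On a real host, feed it the concatenated logs and map the winning uid back to an account with `getent passwd <uid>`; that account's web content and cron entries are where the "unusual files" the earlier reply mentions will be.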