Spammers keep using my server (HELP - SOS)

[matrixx1]

I host sites and email via a root server from 1and1.com that is running Plesk Parallel 9.0.1 on Linux 2.6.23.16-20080211a. Spammers keep hacking my server and sending spam to everyone on my server and the world. My server is now blacklisted and does a poor job of blocking received spam. This has been a recurrent problem and 1and1 offers no support since it's an unmanaged server. Any tips and suggested software to add would be much appreciated it.

Plesk Mail Configuration:
authorization is required: SMTP

DomainKeys spam protection: Verify incoming mail

SPF spam protection: Only create Received
SPF local rules: include:spf.trusted-forwarder.org

Names for POP3/IMAP mail accounts: Only use of full POP3/IMAP mail accounts names is allowed

Thanks,
Paul

 

[smah]

I also read your thread in the apache forum and I'm not sure this is really a sendmail or apache problem. First, what makes you think that you've been 'hacked'? In the other thread, you mention that your mail server is not an open relay - please confirm using mxtoolbox- run the lookup, then the diagnostic

http://www.mxtoolbox.com/

What else is running besides apache & the mail server? Are you running a CMS, bulletin board, or unsecured contact forms? My gut tells me that it's probably something else.

 

[matrixx1]

Thanks smah. This is probably more of a qmail issue. Went to the website and smtp diagnostics verified it is not an open relay.

The only scripts I can think of that may be exploited are nms formmail and mail.php.

All my users get tons and tons of Russian spam. I also get spam sent to me with spoof addresses from domains on my server that contain viruses. Also, if I check the mail queue, it's filled with spam messages. I got lucky by calling 1and1 in the middle of the night one day and got a tech who was a little more open to helping me (I guess he was bored). He said spammers were definitely using my server and could see them in real time. He did something (not sure what) to stop them but it didn't last long.

 

[RhythmAce]

If your smtp server is authenticating then they may be using a vulnerability in a mail script on your server. For example, some CMS programs such as phpnuke and the like have security leaks out the wazoo. Hackers not only look for vulnerabilities in mail scripts but mysql server as well. Scripts do not use the smtp port, they access sendmail directly from the command mode. Sendmail is most often setup to relay mail from a localhost or localdomain without authentication. You need to make sure this is not how they are getting in. One way of telling is that in the header information it will say that the mail is from apache@localhost.localdomain. As you can see there are quite a few ways for hackers to get in and do the things you say. One way of narrowing it down would be to know how they are getting in. First look at your logs. You will be able to see who is doing what on your system. Whether it's apache's access and error logs or your mail log, something is bound to show up. If you see anything that you are not sure about, copy and paste a segment of it here and we will take a look. Another way of checking is to do a web search for "open relay test". You should get a list of sites that will try to sendmail through your server using the most common methods used by spammers. Once we find and correct the problem, you need to try to get your good name back. Here is an address with info on how to go about doing that. There is a box where you can enter the ip of your server and you will get a list of all the black lists you are on. Mind you, you do not need to be an open relay to be black listed. It can be something as stupid as the hostname of the machine your server is running on. Anyway, have a look and you should find everything you need to get back in their good graces.

http://www.iinet.com/support/answer.php?id=83

Keep in touch and let us know how things are coming along.

 

[RhythmAce]

Sorry for stepping on your post smah. We must have answered this about the same time but I went to get a cup of joe in the middle of my reply and got called away. When I came back, I submitted my reply and went to work on other things. When I checked this thread this morning, it looks like I went over the same things you guys already talked about. I didn't go over the issue of receiving spam because receiving all the spam in the world won't get a server black listed so I wanted to address that issue first. Once the server is secure, you can use Procmail and SpamAssassin to deal with incoming spam and junk mail. There is also an anti virus program called clamav which can be setup to check your file system and mail for viruses. All these are open source.

 

[matrixx1]

Thanks RhythmAce! Will do everything you suggested. I actually have SpamAssassin installed on the server (with the "score" set to 7). To make matters worse, now emails I send to other users are marked as spam even though my email address is on the white list AND the user Outlook has my email addy configured as not spam. Go figure?