
unsolicited email 1

Status
Not open for further replies.

Cevilian

Programmer
Apr 21, 2005
16
US
Hi,
I am a Qmail novice and need some help to understand the following:

Our server is not set to relay for any unauthorized senders, but somehow there seems to be a ton of unsolicited mail originating from our server. This machine is a shared hosting server and I don't know where to start to find the culprit. There is no 'log' folder under '/var/qmail'.

I do not know of any of the domains on this box running any massemail programs. How do I check if any such program is running under any of the domains?

Is there a way I can use the info in the below mail header to find the culprit? I see there is a time stamp when the mail was sent out.

BTW, exacom.net is not a domain on this box. xxxxxxxxxxx is the server host name and its ip.
***********************************************************
Return-Path: <anonymous@XXXXXXXXXXXXXXXX.com>
Received: from rly-ya06.mx.aol.com (rly-ya06.mail.aol.com [172.18.141.88]) by air-ya02.mail.aol.com (v107.10) with ESMTP id MAILINYA23-76f430fc9f83e5; Fri, 26 Aug 2005 22:03:57 -0400
Received: from XXXXXXXXXXXXXXXX (XXXXXXXXXXXXXXXX) by rly-ya06.mx.aol.com (v107.10) with ESMTP id MAILRELAYINYA65-76f430fc9f83e5; Fri, 26 Aug 2005 22:03:36 -0400
Received: (qmail 9786 invoked by uid 10053); 26 Aug 2005 21:00:12 -0500
To: <Undisclosed Recipients>
From: PoisedToSoar490@exacom.net
Subject: Alert gtagchmj
Message-ID: <4936.11765@exacom.net>
Date: Sat, 27-Aug-2005 01:48:03 GMT
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=RtPdeRg5U3
X-AOL-IP: 216.7.174.36
X-Mailer: Unknown (No Version)


--RtPdeRg5U3
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

=3CBR=3EGlobal Triad=2C Inc=3A =28OTC=3A GTRD =2D Breaking News=29=3CBR= ...................................................
..................
************************************************************

Thank you,
Cevilian
 
two things...

First, on a shared box, you might find that someone is using /var/qmail/bin/qmail-inject locally to originate mail against your installation.

Second, you may not have controlled relay or may have misread the logs...

Please post the output of "/var/qmail/bin/qmail-showctl"


D.E.R. Management - IT Project Management Consulting
 
Hi thedaver,
Many thanks for your help in advance. Here is the output of our "qmail-showctl":
*********************************************************
qmail home directory: /var/qmail.
user-ext delimiter: -.
paternalism (in decimal): 2.
silent concurrency limit: 1000.
subdirectory split: 23.
user ids: 2021, 2020, 2022, 0, 2023, 2520, 2521, 2522.
group ids: 2020, 2520.

badmailfrom: (Default.) Any MAIL FROM is allowed.

bouncefrom: (Default.) Bounce user name is MAILER-DAEMON.

bouncehost: (Default.) Bounce host name is server.XXXXXXXXXXXX.com.

concurrencylocal: (Default.) Local concurrency is 10.

concurrencyremote: (Default.) Remote concurrency is 20.

databytes: (Default.) SMTP DATA limit is 0 bytes.

defaultdomain: (Default.) Default domain name is server.XXXXXXXXXXXX.com.

defaulthost: (Default.) Default host name is server.XXXXXXXXXXXX.com.

doublebouncehost: (Default.) 2B recipient host: server.XXXXXXXXXXXX.com.

doublebounceto: (Default.) 2B recipient user: postmaster.

envnoathost: (Default.) Presumed domain name is server.XXXXXXXXXXXX.com.

helohost: (Default.) SMTP client HELO host name is server.XXXXXXXXXXXX.com.

idhost: (Default.) Message-ID host name is server.XXXXXXXXXXXX.com.

localiphost: (Default.) Local IP address becomes server.XXXXXXXXXXXX.com.

locals:
Messages for localhost are delivered locally.

me: My name is server.XXXXXXXXXXXX.com.

percenthack: (Default.) The percent hack is not allowed.

plusdomain: (Default.) Plus domain name is server.XXXXXXXXXXXX.com.

qmqpservers: (Default.) No QMQP servers.

queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

rcpthosts:

SMTP clients may send messages to recipients at aaaaaaaaaaaaa.com.
SMTP clients may send messages to recipients at yyyyyyyyyyyyy.com.
.
.
.
*****************************************************
.so on...........all the domains hosted on this box
****************************************************

morercpthosts: (Default.) No effect.

morercpthosts.cdb: (Default.) No effect.

smtpgreeting: (Default.) SMTP greeting: 220 server.XXXXXXXXXXXX.com.

smtproutes: (Default.) No artificial SMTP routes.

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.

timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.

timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

Virtual domain: aaaaaaaaaaaaaaa.com:7
Virtual domain: bbbbbbbbbbbbbbb.com:10
Virtual domain: ccccccccccccccc.com:11
.
.
.
*****************************************************
.so on...........all the domains hosted on this box
****************************************************

servercert.pem: I have no idea what this file does.

clientcert.pem: I have no idea what this file does.

rsa512.pem: I have no idea what this file does.

smtpplugins: I have no idea what this file does.

dh512.pem: I have no idea what this file does.

dh1024.pem: I have no idea what this file does.

rejectnonexist: I have no idea what this file does.
 
You need to take a look at your /var/log/maillog and/or /var/log/qmail/smtpd/current logs to get more information. You are not misconfigured according to your output above.

D.E.R. Management - IT Project Management Consulting
 
I just checked the /var/log folder; the files maillog, maillog.1, maillog.2, ... maillog.4 are all of size 0.

There is no folder named qmail under /var/log.

Does it mean our server does not log qmail? How do I enable Qmail logging?

Thank you,
Anil
 
Are you sure this is vanilla qmail? Not Plesk for example?
 
Yeah, I think you need to speak with the provider of your shared box. We're going to go around in circles trying to diagnose a non-standard installation.

D.E.R. Management - IT Project Management Consulting
 
I finally found the logs, but they are in a different folder, and the logs I am interested in have already been deleted (4-day log rotation).

The logs were under the Plesk folder "/usr/local/psa/var/log".

Is it possible to limit qmail to block emails sent out to more than, say, 10 recipients, including cc and bcc?

Does SpamAssassin screen/filter outgoing emails?

Do you know of any resource where I can get some good filter code for SpamAssassin? Immo, google in the meantime.

Thanks for all your help guys, this forum rocks!
 
Cevilian,

As I thought, this is NOT a standard qmail install, and we will have great trouble trying to help you. You really should contact Plesk.
 
Tell ya what, I agree with BIS (again) that this is not supportable through this board.

I will offer this link to help you set expectations about what a properly configured qmail is capable of supporting/suppressing. You need to work with your provider to find the source of your issues and how to remediate the issue(s).


D.E.R. Management - IT Project Management Consulting
 
Here is what I found, though.
Upon one more look into the headers I found this:
(qmail 9786 invoked by uid 10053), and a grep for the uid 10053 in /etc/passwd yielded: /home/httpd/vhosts/XXXXXXX.com:/bin/false.

immo try to further investigate this.

thank you
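The two leads in this thread (thedaver's advice to read the qmail-send log, and Cevilian's discovery that the "(qmail 9786 invoked by uid 10053)" Received line maps to a vhost account in /etc/passwd) fit together into one small triage script. The following is an added example, not code from the thread or from qmail/Plesk. It reuses the Received line quoted in the first post; the /etc/passwd excerpt and the qmail-send log lines are constructed samples (the account name, vhost path and message ids are placeholders), although the "info msg N: bytes B from <sender> qp PID uid UID" layout is qmail-send's real log format. The security point it shows: qmail-smtpd stamps relayed mail with "invoked from network", while "invoked by uid N" means the message was injected locally through qmail-inject/sendmail by that uid, so the uid, not the relay configuration, identifies the culprit account, and the qmail-send log lets you count how much it sent.

```python
import re
from collections import Counter

# --- Constructed sample inputs ---------------------------------------------

# The qmail-generated Received line from the header quoted in the thread.
RECEIVED_HEADER = "Received: (qmail 9786 invoked by uid 10053); 26 Aug 2005 21:00:12 -0500"

# Constructed /etc/passwd excerpt (account names and vhost paths are placeholders).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
qmaild:x:2020:2020::/var/qmail:/bin/false
qmailq:x:2520:2520::/var/qmail:/bin/false
vhostuser1:x:10053:2524::/home/httpd/vhosts/EXAMPLE-VHOST.com:/bin/false
vhostuser2:x:10060:2524::/home/httpd/vhosts/other-vhost.example:/bin/false
"""

# Constructed qmail-send log excerpt (multilog tai64n timestamps are dummies;
# the "info msg" line layout is the real qmail-send format).
SAMPLE_QMAIL_SEND_LOG = """\
@400000004310b8bb0f0e5a14 new msg 481202
@400000004310b8bb0f0e6a2c info msg 481202: bytes 2112 from <anonymous@example.com> qp 9786 uid 10053
@400000004310b8bc0a1b2c3d new msg 481203
@400000004310b8bc0a1b3e4f info msg 481203: bytes 2130 from <anonymous@example.com> qp 9801 uid 10053
@400000004310b8bd0b2c3d4e new msg 481204
@400000004310b8bd0b2c4e5f info msg 481204: bytes 2098 from <anonymous@example.com> qp 9815 uid 10053
@400000004310b8be0c3d4e5f new msg 481205
@400000004310b8be0c3d5f60 info msg 481205: bytes 740 from <alice@other-vhost.example> qp 9820 uid 10060
@400000004310b8bf0d4e5f60 new msg 481206
@400000004310b8bf0d4e6071 info msg 481206: bytes 1520 from <bob@example.net> qp 9833 uid 2020
@400000004310b8c00e5f6071 end msg 481202
"""

# --- Header: which uid injected the message locally? ------------------------

QMAIL_LOCAL_RECEIVED_RE = re.compile(r"\(qmail (\d+) invoked by uid (\d+)\)")


def uid_from_received(header):
    """Return (qmail-queue pid, uid) for a locally injected message.
    Returns None for other qmail forms such as '(qmail N invoked from network)',
    which is what qmail-smtpd writes for mail accepted over SMTP."""
    m = QMAIL_LOCAL_RECEIVED_RE.search(header)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def passwd_entry_for_uid(passwd_text, uid):
    """Return (username, home_dir, shell) for uid from passwd-format text, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit() and int(fields[2]) == uid:
            return fields[0], fields[5], fields[6]
    return None


# --- qmail-send log: how much did each uid inject? --------------------------

INFO_RE = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")


def parse_send_log(log_text):
    """Return one dict per 'info msg' line: msg id, size, envelope sender, qp pid, uid."""
    msgs = []
    for line in log_text.splitlines():
        m = INFO_RE.search(line)
        if m:
            msgs.append({"msg": int(m.group(1)), "bytes": int(m.group(2)),
                         "sender": m.group(3), "qp": int(m.group(4)),
                         "uid": int(m.group(5))})
    return msgs


def messages_per_uid(log_text):
    return Counter(m["uid"] for m in parse_send_log(log_text))


def senders_for_uid(log_text, uid):
    """Envelope senders used by one uid, so forged From addresses stand out."""
    return Counter(m["sender"] for m in parse_send_log(log_text) if m["uid"] == uid)


def flag_local_injectors(log_text, threshold, smtp_uids=()):
    """uids that injected at least `threshold` messages, excluding the uids
    qmail-smtpd runs as (qmaild here), whose mail arrived over SMTP instead."""
    return sorted(uid for uid, n in messages_per_uid(log_text).items()
                  if n >= threshold and uid not in smtp_uids)


if __name__ == "__main__":
    hit = uid_from_received(RECEIVED_HEADER)
    if hit is None:
        print("Message came in over SMTP, not local injection")
    else:
        pid, uid = hit
        print("qmail-queue pid %d, injected locally by uid %d -> %s"
              % (pid, uid, passwd_entry_for_uid(SAMPLE_PASSWD, uid)))
        print("messages from that uid:", messages_per_uid(SAMPLE_QMAIL_SEND_LOG)[uid])
        print("senders it used:", dict(senders_for_uid(SAMPLE_QMAIL_SEND_LOG, uid)))
    print("uids over threshold:", flag_local_injectors(SAMPLE_QMAIL_SEND_LOG, 3, smtp_uids=(2020,)))
```

On a real box, feed `parse_send_log` the contents of the qmail-send log wherever the installation keeps it (on this thread's Plesk system that was under /usr/local/psa/var/log rather than /var/log/qmail), and replace the constructed passwd text with the real /etc/passwd. The qmaild uid to pass in `smtp_uids` is the second entry of the "user ids:" line in the qmail-showctl output above.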
 