# Quick Help Stop Spam!!!!!!

## cheops05

I have my own gentoo server

My mailserver is being used to send out spam, I think. Here is a look at the log /var/log/qmail/qmail-send/current:

```
@400000004210ac392ef37284 status: local 0/10 remote 0/20
@400000004210ac392f23b9e4 starting delivery 1: msg 465312 to remote star0719@ms26.hinet.net
@400000004210ac392f34676c status: local 0/10 remote 1/20
@400000004210ac3a10b13f2c starting delivery 2: msg 465319 to remote star0719@ms36.hinet.net
@400000004210ac3a10c23304 status: local 0/10 remote 2/20
@400000004210ac3a2c60503c starting delivery 3: msg 465325 to remote star0719@ms52.hinet.net
@400000004210ac3a2c7147fc status: local 0/10 remote 3/20
@400000004210ac3a2d226ba4 starting delivery 4: msg 465330 to remote star0719@ms68.hinet.net
@400000004210ac3a2d33868c status: local 0/10 remote 4/20
@400000004210ac3a2d620cb4 starting delivery 5: msg 465334 to remote star0719@ms77.hinet.net
@400000004210ac3a2d73b43c status: local 0/10 remote 5/20
@400000004210ac3b0939138c starting delivery 6: msg 465352 to remote star0807@ms17.hinet.net
@400000004210ac3b09499234 status: local 0/10 remote 6/20
@400000004210ac3b172a4a4c starting delivery 7: msg 465360 to remote star0807@ms26.hinet.net
@400000004210ac3b173ab184 status: local 0/10 remote 7/20
@400000004210ac3b2c6ef63c starting delivery 8: msg 465367 to remote star0807@ms41.hinet.net
@400000004210ac3b2c7fea14 status: local 0/10 remote 8/20
@400000004210ac3c12beca3c delivery 1: deferral: Connected_to_168.95.5.26_but_sender_was_rejected./Remote_host_said:_451_<6gracelin@16.hinet.net>..._Sender_domain_must_exist/
@400000004210ac3c12cb5914 status: local 0/10 remote 7/20
@400000004210ac3c1f4f8a84 starting delivery 9: msg 465372 to remote star0807@ms56.hinet.net
@400000004210ac3c1f6014e4 status: local 0/10 remote 8/20
@400000004210ac3c1fb04054 delivery 3: deferral: Connected_to_168.95.5.52_but_sender_was_rejected./Remote_host_said:_451_<1gracelin@11.hinet.net>..._Sender_domain_must_exist/
@400000004210ac3c1fbe0f7c status: local 0/10 remote 7/20
@400000004210ac3c2c94c5ec starting delivery 10: msg 465396 to remote star0815@ms10.hinet.net
@400000004210ac3c2ca5e0d4 status: local 0/10 remote 8/20
@400000004210ac3c2d84948c starting delivery 11: msg 465407 to remote star0815@ms32.hinet.net
@400000004210ac3c2d964f9c status: local 0/10 remote 9/20
@40000 to remote star1005@ms37.hinet.net
@400000004210ac3f0198591c status: local 0/10 remote 11/20
@400000004210ac3f0330a874 starting delivery 19: msg 465464 to remote star1005@ms64.hinet.net
@400000004210ac3f03411f4c status: local 0/10 remote 12/20
@400000004210ac3f0d337e64 starting delivery 20: msg 465463 to remote ucsu@pchome.com.tw
@400000004210ac3f0d44cc14 status: local 0/10 remote 13/20
@400000004210ac3f15d6d7dc starting delivery 21: msg 465469 to remote star1005@ms79.hinet.net
@400000004210ac3f15e71804 status: local 0/10 remote 14/20
@400000004210ac400ba4e754 starting delivery 22: msg 465482 to remote star100@ms1.hinet.net
```

I use qmail for my MTA.

The spammer seems to be very aggressive; it's filling up the log file at a rate of 5000 lines a minute.

According to DNS report I am not an open relay???

I don't understand what is going on and how this can happen. Are there any solutions to stop this activity? I don't want to shut down the server.

My /etc/tcprules.d/tcp.qmail.smtp is as follows:

```
# to update the database after changing this file, run:
# tcprules /etc/tcprules.d/tcp.qmail-smtp.cdb /etc/tcprules.d/.tcp.qmail-smtp.tmp < /etc/tcprules.d/tcp.qmail-smtp
#------------------------------------------------------
# DESCRIPTION OF THE RULES TO REMIND ME OF HOW THIS FILE WORKS
#
# If you set 'allow', this means that our mail server will allow
# the specified IP range to make a TCP connection to our server
#
# If you set 'deny', this means that our mail server will not allow
# the specified IP range to make a TCP connection to our server
#
# If you set RELAYCLIENT="", this means that the listed IP range is
# allowed to relay mail through our server
#
# If you dont set RELAYCLIENT="", this means that the listed IP range
# will not be able to relay mail through our server
#
# If you set RBLSMTPD="", this means that the listed IP ranges will
# not be checked against any of the RBL databases
#
# If you set RBLSMTPD="some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 4xx temp error message
#
# If you set RBLSMTPD="-some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 5xx perm error message
#
# If you do not set RBLSMTPD="" or ="some text", then an RBL lookup
# will be performed. If the lookup is successful, then RBLSMTPD will
# return your custom error message (as specified in the -r parameter
# in smtpd supervise script)
#
#-----------------------------------------------------
# HERE ARE THE RULES! :
#-----------------------------------------------------
# BYPASS OPEN RELAY CHECKING FOR THESE IPS :
#
# These IPs are ones that we have setup so that they arent RBL checked.
# We have done this because these particular servers are RBL listed,
# and for whatever reason they can't/won't fix their open relay problem,
# and we still want to be able to receive mail from them.
#
# reminder text goes here for this entry so we know the story...
#111.111.111.111:allow,RBLSMTPD=""
# reminder text goes here for this entry so we know the story...
#222.222.222.222:allow,RBLSMTPD=""
#
#-----------------------------------------------------------------
# DONT ALLOW THESE IPS TO SEND MAIL TO US :
#
# mailXX.offermail.net connecting regularly and sending invalid
# format messages causing exit with status 256 (bare linefeed normally)
# entry added 15/12/2001
# after looking at the mail coming from these servers it was found to be spam
#216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
#
# heaps of spam from replyto of *@freeamateurhotties.com dec2001
#64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#154.20.94.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#209.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#
#-----------------------------------------------------------------
# ALLOW THESE IPS TO RELAY MAIL THROUGH OUR SERVER
#
# Local class-c's from our LAN are allowed to relay,
# and we wont bother doing any RBL checking.
#123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
#123.111.111.:allow,RELAYCLIENT="",RBLSMTPD=""
#
# Connections from localhost are allowed to relay
# (because the WebMail server runs on localhost),
# and obviously there is no point trying to perform an RBL check.
127.0.0.1:allow,RELAYCLIENT=""
#
#-----------------------------------------------------------------
# ALLOW EVERYONE ELSE TO SEND US MAIL
#
# Everyone else can make connections to our server,
# but not allowed to relay
# RBL lookups are performed
#:allow
# If you are using qmail-scanner, this line here is the correct one to use
# instead (comment out the above ':allow' line FIRST) and applies that script
# to any mail coming in that is not from a host allowed to relay. You can
# change the value of the variable to any other value you desire to use custom
# scripts for example.
#:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#:allow,RELAYCLIENT="",RBLSMTPD=""
```

Please help.

cheops
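The log above already answers most of the questions the thread goes on to ask, if it is parsed rather than eyeballed. The following is an added example, not code from this post or from qmail: it decodes the TAI64N timestamps that multilog writes, counts deliveries per destination domain and per minute, pulls the rejected envelope senders out of the deferral lines, and groups messages by the uid recorded in qmail-send's `info msg N: bytes B from <sender> qp P uid U` lines. That uid is the real uid of whatever called qmail-queue, so SMTP-received mail carries qmaild's uid while mail injected on the box (qmail-inject, the sendmail wrapper, a PHP `mail()` call) carries the uid of the calling process. The sample input is constructed: a few lines copied from the post plus two `info msg` lines that were not in the quoted excerpt, with a made-up sender and uid.

```python
"""Triage a qmail-send log: rate, destinations, deferrals, injecting uid.

Added example, not code from the original post. Parses the TAI64N/multilog
format of /var/log/qmail/qmail-send/current. SAMPLE_LOG is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import re

# TAI64 labels are 2**62 + seconds since 1970 on the TAI scale. TAI ran
# 32 s ahead of UTC during 1999-2005 (assumption: adjust for other dates).
TAI_MINUS_UTC = 32

# Constructed sample: real lines from the post plus two made-up "info msg" lines.
SAMPLE_LOG = """\
@400000004210ac392ef37284 status: local 0/10 remote 0/20
@400000004210ac392f23b9e4 starting delivery 1: msg 465312 to remote star0719@ms26.hinet.net
@400000004210ac3a10b13f2c starting delivery 2: msg 465319 to remote star0719@ms36.hinet.net
@400000004210ac3a2c60503c starting delivery 3: msg 465325 to remote star0719@ms52.hinet.net
@400000004210ac3c12beca3c delivery 1: deferral: Connected_to_168.95.5.26_but_sender_was_rejected./Remote_host_said:_451_<6gracelin@16.hinet.net>..._Sender_domain_must_exist/
@400000004210ac3c1fb04054 delivery 3: deferral: Connected_to_168.95.5.52_but_sender_was_rejected./Remote_host_said:_451_<1gracelin@11.hinet.net>..._Sender_domain_must_exist/
@400000004210ac3f0d337e64 starting delivery 20: msg 465463 to remote ucsu@pchome.com.tw
@400000004210ac3f0d44cc14 info msg 465500: bytes 2114 from <9gracelin@22.hinet.net> qp 31188 uid 81
@400000004210ac400ba4e754 info msg 465501: bytes 2114 from <9gracelin@22.hinet.net> qp 31190 uid 81
"""

LINE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) (.*)$")
START = re.compile(r"^starting delivery (\d+): msg (\d+) to (local|remote) (\S+)$")
RESULT = re.compile(r"^delivery (\d+): (success|deferral|failure): (.*)$")
INFO = re.compile(r"^info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)$")


def tai64n_to_utc(sec_hex, nano_hex):
    """Convert the two halves of a TAI64N label to an aware UTC datetime."""
    seconds = int(sec_hex, 16) - (1 << 62) - TAI_MINUS_UTC
    micros = int(nano_hex, 16) // 1000
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=micros)


def parse_log(text):
    """Return (timestamp, kind, fields) for delivery starts, results and info lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when, body = tai64n_to_utc(m.group(1), m.group(2)), m.group(3)
        if s := START.match(body):
            events.append((when, "start", {"msg": s.group(2), "where": s.group(3), "rcpt": s.group(4)}))
        elif r := RESULT.match(body):
            # qmail-send replaces spaces in the remote host's reply with underscores
            events.append((when, r.group(2), {"detail": r.group(3).replace("_", " ")}))
        elif i := INFO.match(body):
            events.append((when, "info", {"msg": i.group(1), "sender": i.group(3), "uid": int(i.group(5))}))
    return events


def deferral_reason(detail):
    """'... Remote host said: 451 <x@y>... Sender domain must exist/' -> reason text."""
    said = detail.split("Remote host said: ", 1)[-1]
    return said.split("...")[-1].strip().rstrip("/")


def summarise(events):
    """Aggregate parsed events into the numbers an incident responder wants first."""
    starts = [when for when, kind, _ in events if kind == "start"]
    rcpt_domains, reasons = Counter(), Counter()
    rejected_senders = set()
    senders_by_uid = defaultdict(Counter)
    for _, kind, f in events:
        if kind == "start":
            rcpt_domains[f["rcpt"].rpartition("@")[2].lower()] += 1
        elif kind == "deferral":
            reasons[deferral_reason(f["detail"])] += 1
            rejected_senders.update(re.findall(r"<([^>]+)>", f["detail"]))
        elif kind == "info":
            senders_by_uid[f["uid"]][f["sender"].rpartition("@")[2].lower()] += 1
    span_min = (max(starts) - min(starts)).total_seconds() / 60 if len(starts) > 1 else 0
    return {
        "first_delivery": min(starts).isoformat() if starts else None,
        "deliveries": len(starts),
        "deliveries_per_minute": len(starts) / span_min if span_min else float(len(starts)),
        "rcpt_domains": rcpt_domains.most_common(),
        "deferral_reasons": dict(reasons),
        "rejected_senders": sorted(rejected_senders),
        "injecting_uids": {uid: dict(c) for uid, c in senders_by_uid.items()},
    }


if __name__ == "__main__":
    for key, value in summarise(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Two things to read off the result. The deferrals name envelope senders like `6gracelin@16.hinet.net`, which are not this server's domain, so these are not bounces of local mail but messages relayed with a forged sender. And the `injecting_uids` map is the quickest way to tell whether they came in over SMTP or were queued by a process on the box; `getent passwd <uid>` turns the number into a name.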

----------

## georwell

What version of qmail?

What other software does this server run?

How many users?

Are all these users trusted?

Are these users "system" users?  (can they log on to the box)

You need to supply more info to get help.

----------

## cheops05

 *Quote:*   

> What version of qmail?

 

mail-mta/qmail-1.03-r15  -noauthcram -notlsbeforeauth (-selinux) +ssl 383 kB

 *Quote:*   

> What other software does this server run?

 

courier-imap - vpopmail

 *Quote:*   

> How many users?

 

Just me at the moment.

 *Quote:*   

> Are all these users trusted?

 

yes

 *Quote:*   

> Are these users "system" users? (can they log on to the box)

 

Like I say, there is just myself, and I am a system user.

 *Quote:*   

> You need to supply more info to get help.

 

As far as I can tell I have set up my tcprules correctly?

I have no idea how this user is able to send through my server when I don't have an open relay.

Any ideas?

Cheops

----------

## pjj

Don't let your SMTP server be used without a valid login (don't know how to do this).

----------

## cheops05

As far as I know it doesn't allow any except from localhost, i.e. 127.0.0.1:allow etc. in the tcp rules.

----------

## RayDude

This may help. I have it set up on my email server. I use Postfix.

For Postfix it's like this (in /etc/postfix/main.cf):

```
mynetworks = 192.168.0.0/24,127.0.0.0/8
```

This makes it so that only local machines can send email.

Now, if you have wireless and you're not secure, then some guy with a little help from some Linux tools could hack your wireless network and still use your emailer.

Currently I'm running 64-bit WEP (next to useless), I'm not broadcasting my network KEY (useless) and I used to prevent any MAC address that is not one of my wireless cards from connecting, but my new D-Link router doesn't support it. Although writing this post gave me an idea about how to fix that.

I hope this helps.

Raydude

----------

## georwell

Sorry I can't help anymore.  I am a sendmail man and don't know a thing about qmail.  Any qmail experts out there?

----------

## nobspangle

Personally I would block port 25 incoming and let my backup MX handle my mail till I worked out what I'd done wrong.

Maybe try adding a line like

```
*:deny,RELAYCLIENT=""
```

Which might deny all hosts; then your 127.0.0.1 line should allow localhost.

----------

## cheops05

I have put `*:deny,RELAYCLIENT=""` in and somehow they are still managing to get through. It is like it's ignoring the /etc/tcprules.d/tcp.qmail-smtp rules completely. Is there a way I can tell that these rules are being used? Or could it be using something else?

Thanks for all your help on this.

Cheops
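The question "are these rules being used?" can be answered without guessing. ucspi-tcp ships `tcprulescheck`, which reads the compiled cdb and reports what tcpserver would do for the client in `$TCPREMOTEIP`; the evaluator below is an added example, not code from this post or from ucspi-tcp, that does the same against the text file so the logic is visible. It replays tcpserver's documented lookup order: the exact client IP first, then shorter and shorter dotted prefixes of it, then the rule with an empty address; the first hit wins, and when nothing matches tcpserver allows the connection and sets no variables. Two consequences matter here. `*` is not tcprules syntax, so `*:deny,...` is an entry for the literal address `*` that no client ever matches (the catch-all is `:deny` or `:allow`), which is why the line changed nothing. And the rules only exist for connections that come through `tcpserver -x` on port 25; mail queued on the box itself by qmail-inject, the sendmail wrapper or a PHP `mail()` call never meets them. `=host` rules are not modelled (the posted file has none); ranges such as `1.2.3.4-7` are expanded to exact addresses as tcprules does. The rule texts are constructed from the lines discussed in the thread, and 168.95.5.26 stands in for any remote client.

```python
"""Evaluate a tcprules file the way tcpserver -x does.

Added example; not code from the original post or from ucspi-tcp.
Models exact-IP, dotted-prefix and empty-address (default) rules only.
"""
import ipaddress
import re

# Constructed from the rules discussed in the thread.
RULES_AS_POSTED = """\
127.0.0.1:allow,RELAYCLIENT=""
*:deny,RELAYCLIENT=""
"""
# tcprules has no "*" wildcard: the catch-all is a rule with an empty address.
RULES_WITH_DEFAULT = RULES_AS_POSTED + ":allow\n"

RANGE = re.compile(r"^(\d+\.\d+\.\d+\.)(\d+)-(\d+)$")


def _split_outside_quotes(text):
    """Split 'allow,RBLSMTPD="a, b",RELAYCLIENT=""' on commas outside double quotes."""
    parts, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def _expand(address):
    """'10.0.0.2-4' -> ['10.0.0.2', '10.0.0.3', '10.0.0.4']; anything else unchanged."""
    m = RANGE.match(address)
    if not m:
        return [address]
    return [f"{m.group(1)}{n}" for n in range(int(m.group(2)), int(m.group(3)) + 1)]


def compile_rules(text):
    """Return {address: (decision, env)}, the mapping tcprules stores in the cdb."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instruction = line.partition(":")
        decision, *settings = _split_outside_quotes(instruction)
        if decision not in ("allow", "deny"):
            raise ValueError(f"unknown instruction in rule: {raw!r}")
        env = {}
        for item in settings:
            name, has_value, value = item.partition("=")
            env[name] = value.strip('"') if has_value else None  # bare NAME unsets it
        for addr in _expand(address):
            table[addr] = (decision, env)
    return table


def lookup(table, client_ip):
    """Return (decision, env) for a client, in tcpserver's search order."""
    ipaddress.IPv4Address(client_ip)  # reject garbage before building prefixes
    octets = client_ip.split(".")
    candidates = [client_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in table:
            decision, env = table[key]
            return decision, {k: v for k, v in env.items() if v is not None}
    return "allow", {}  # no rule matched: tcpserver allows and sets nothing


def explain(rules_text, client_ips):
    """One line per client: what tcpserver does and whether relaying is switched on."""
    table = compile_rules(rules_text)
    lines = []
    for ip in client_ips:
        decision, env = lookup(table, ip)
        relay = "relay" if "RELAYCLIENT" in env else "no relay (rcpthosts applies)"
        lines.append(f"{ip}: {decision}, {relay}")
    return lines


if __name__ == "__main__":
    for name, text in (("as posted", RULES_AS_POSTED), ("with :allow", RULES_WITH_DEFAULT)):
        print(name)
        for line in explain(text, ["127.0.0.1", "168.95.5.26"]):
            print("  " + line)
```

On the real box the equivalent check is `TCPREMOTEIP=168.95.5.26 tcprulescheck /etc/tcprules.d/tcp.qmail-smtp.cdb`, after rebuilding the cdb with the tcprules command quoted at the top of the posted file; if the answer is "allow, no RELAYCLIENT" for outside addresses and the spam still flows, the injection point is not port 25.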

----------

## j-m

A quick fix:

```
emerge -Cav qmail
emerge postfix
```

IMNSHO qmail is dead. It is unusable without those loads of third party patches, hard to set up and maintain with them. Why use it and waste time? I really don't see any reason. YMMV but won't convince me...  :Laughing: 

----------

## roymaster

 *j-m wrote:*   

> A quick fix:
> 
> ```
> 
> emerge -Cav qmail
> ...

 

hehe  :Smile: 

I've configured qmail using one tutorial. Yeah, a lot of 3rd party add-ons, but it works GREAT now.

Can you setup postfix with smtp authorisation, some clever spamassassin and clamav filter etc. quickly?

I haven't seen postfix in action yet so I don't know how difficult it is to configure  :Wink: 

But yeah, maybe it's better than Postfix, who knows.

I don't wanna start a flamewar here  :Wink: 

----------

## j-m

 *roymaster wrote:*   

> Can you setup postfix with smtp authorisation, some clever spamassassin and clamav filter etc. quickly?
> 
> I haven't seen postfix in action yet so I don't know how difficult it is to configure 
> ...

 

Sure. I have it working.  :Wink: 

 *roymaster wrote:*   

> I don't wanna start flamewar here 

 

Neither do I. Anyway, the wise thing would be to shut down the MTA immediately and keep it down until this issue is resolved. Or at least block outgoing SMTP on the firewall and stop spreading the huge amount of spam.  :Exclamation: 

----------

## cheops05

Thanks, but I don't want to start emerging Postfix to fix my qmail. I have shut down the MTA, but I could do with a little help trying to find out how these guys are sending spam through my SMTP. Any help much appreciated; surely there are some experienced qmail people out there who can help much more than me anyway.

I just have no idea where to begin apart from /etc/init.d/svscan stop

 :Shocked: 

----------

## georwell

You can install MailScanner in about 5 minutes and it does anti-virus and spam filtering.  It works with any MTA.  Check it out if you want.  There is an ebuild on bugs.gentoo.org.

----------

## Rüpel

Have you commented out those last 4 lines in /var/qmail/control/conf-smtpd?

I'm running vpopmail and its vchkpw here for authenticating SMTP users; don't know what you will use.

----------

## cheops05

Yes, I'm using vpopmail!!

Does this mean it doesn't use the smtpd auth?

----------

## Rüpel

Something like this should be there:

```
# uncomment the next four lines to enable SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

Notice: no #'s at the beginning of each line.

----------

## cheops05

Okay, I commented out these lines and restarted svscan, and after 3-4 minutes spam emails still flooded through my SMTP server??

----------

## Rüpel

And you have /var/vpopmail/bin/vchkpw as the CHECKPASSWORD command in /var/qmail/control/conf-smtpd?

Any chance this spam is coming from "inside"?

what is the content of your /var/qmail/control/rcpthosts? this file MUST NOT be empty.

----------

## cheops05

The current contents of the /var/qmail/control/conf-smtpd file are all commented out, as you said to do?

```
# This next block is for SMTP-AUTH
# This provides the LOGIN, PLAIN and CRAM-MD5 types
# the 'cmd5checkpw' used in $QMAIL_SMTP_AUTHCHECKPASSWORD supports CRAM-MD5
# and reads it's data from /etc/poppasswd
# see the manpage for cmd5checkpw for details on the passwords
# uncomment the next four lines to enable SMTP-AUTH
#QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
#[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
#QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
#QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

This line is still in:

```
# this turns off the IDENT grab attempt on connecting
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
```

The contents of my /var/qmail/control/rcpthosts file are:

```
adrians.name
vps.adrians.name
```

Still no luck.

When you say coming from the inside do you mean something running on the server?
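What "not an open relay" actually means for qmail is a single decision qmail-smtpd makes on every `RCPT TO`, and modelling it shows why both the tcprules change and the SMTP-AUTH change left the spam untouched. The block below is an added example, not the post's or qmail's own code. It reproduces the documented rule: if `RELAYCLIENT` is in the environment (put there by tcprules for the client IP, or by the SMTP-AUTH patch after a successful `AUTH`), the recipient is accepted and the value of `RELAYCLIENT` is appended to the address; otherwise the recipient's domain must be listed in `control/rcpthosts`, where a line starting with a dot matches every subdomain but not the bare domain, and the reply is `553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)`; if `rcpthosts` does not exist at all, every recipient is accepted, which is what an open relay is. Enabling SMTP-AUTH therefore changes nothing for an unauthenticated remote client, and an `rcpthosts` holding the two domains posted above already rejects the hinet.net recipients from the log. The rcpthosts list is the one posted above; the sessions are constructed.

```python
"""Model qmail-smtpd's RCPT TO decision: RELAYCLIENT first, then rcpthosts.

Added example; not the post's or qmail's own code. The sessions are constructed.
"""

# rcpthosts as posted in the thread; None below models a missing file.
RCPTHOSTS_AS_POSTED = ["adrians.name", "vps.adrians.name"]
ERR_NOGATEWAY = "sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def rcpt_domain_allowed(domain, rcpthosts):
    """Replicate rcpthosts matching: an exact line, or a dot-prefixed suffix line."""
    if rcpthosts is None:  # control/rcpthosts missing: qmail-smtpd accepts everything
        return True
    d = domain.lower()
    for entry in rcpthosts:
        e = entry.strip().lower()
        if not e:
            continue
        if e.startswith(".") and d.endswith(e):
            return True  # ".adrians.name" matches "mail.adrians.name", not "adrians.name"
        if e == d:
            return True
    return False


def rcpt_decision(recipient, env, rcpthosts):
    """Return (code, text, recipient as queued) for one RCPT TO:<recipient>."""
    if "RELAYCLIENT" in env:
        # relaying client: accept anything, append RELAYCLIENT's value
        return 250, "ok", recipient + env["RELAYCLIENT"]
    domain = recipient.rpartition("@")[2]
    if rcpt_domain_allowed(domain, rcpthosts):
        return 250, "ok", recipient
    return 553, ERR_NOGATEWAY, None


def run_session(env, rcpthosts, recipients):
    """Replay a constructed RCPT TO sequence; returns {recipient: reply code}."""
    return {r: rcpt_decision(r, env, rcpthosts)[0] for r in recipients}


# Constructed sessions covering the cases argued about in the thread.
SESSIONS = {
    "remote client, rcpthosts present": ({}, RCPTHOSTS_AS_POSTED),
    "localhost via 127.0.0.1:allow,RELAYCLIENT=\"\"": ({"RELAYCLIENT": ""}, RCPTHOSTS_AS_POSTED),
    "remote client after successful SMTP AUTH": ({"RELAYCLIENT": ""}, RCPTHOSTS_AS_POSTED),
    "remote client, rcpthosts file missing": ({}, None),
}
RECIPIENTS = ["star0719@ms26.hinet.net", "me@adrians.name", "me@mail.adrians.name"]


def relay_matrix():
    """Which sessions would relay to the spam target seen in the posted log."""
    return {name: run_session(env, rh, RECIPIENTS)["star0719@ms26.hinet.net"] == 250
            for name, (env, rh) in SESSIONS.items()}


if __name__ == "__main__":
    for name, (env, rh) in SESSIONS.items():
        print(name)
        for rcpt, code in run_session(env, rh, RECIPIENTS).items():
            print(f"  RCPT TO:<{rcpt}> -> {code}")
```

The only session that relays to hinet.net with the posted rcpthosts is the one where `RELAYCLIENT` is set, and the only rule setting it is `127.0.0.1:allow,RELAYCLIENT=""`. That narrows the search to connections made to port 25 from the box itself and to mail injected locally without SMTP at all.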

----------

## Rüpel

Comment in, comment out. Erm. I mean no #'s at the beginning. So this:

```
#QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
#[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
#QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
#QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

is wrong, and this

```
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

is right.  :Rolling Eyes: 

Sorry.

----------

## Rüpel

 *cheops05 wrote:*   

> When you say coming from the inside do you mean something running on the server?

 

Yep. Relaying is turned on for everything coming from 127.0.0.1. Maybe a PHP script gone crazy or something like that?

Don't know how to debug that...  :Rolling Eyes: 

----------

## Cocktail

Have you tried shutting down your eth0 and resetting it to only allow outgoing traffic? If you still send spam, you need to find the virus/adware/software that is running from your computer. If you can't find it, a complete system reinstallation will be necessary.

If you don't send any more spam when shutting down incoming traffic, you need to find out what protocol on your computer is hacked. Use Ethereal for that and monitor all incoming traffic when allowing incoming traffic again.

----------

