HELP! Email bot killing me!

lysaer
Normal user
Posts: 35
Joined: 2006-01-22 03:51

HELP! Email bot killing me!

Post by lysaer » 2007-12-18 06:20

I have an email bot, I don't know if it's on my server (trying my best to find the blasted thing but no luck yet) or on a client, but my smtp queue is generating THOUSANDS of emails per hour with return emails with a from such as:

From: "Boswa" <xciotz@ev1s-xxx-xxx-xxx-xx.ev1servers.net>

Where the xx's are one of my IP addresses. I've checked the bind to IP address and put in my primary IP, which is not the one in the from email, but that hasn't slowed things down at all.

Is there any way to set Hmail to require SMTP authentication from a valid user that I just haven't found yet in the documentation?

Also, I've unchecked the option for "allow empty sender address" yet I still have emails with no sender address in the header in the queue.

Help!!!

mattg
Moderator
Posts: 20794
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HELP! Email bot killing me!

Post by mattg » 2007-12-18 07:38

lysaer wrote: Is there any way to set Hmail to require SMTP authentication from a valid user that I just haven't found yet in the documentation?

Settings >> Advanced >> IP ranges >> Require Authentication for deliveries

lysaer
Normal user
Posts: 35
Joined: 2006-01-22 03:51

Post by lysaer » 2007-12-18 18:48

Thank you so much, I've done that now.

That's dramatically cut down on the spam, although I'm still getting some coming through from external sources that appear to be coming from internal. They don't have an actual received from IP that's mine, though. They range from all over, from the UK to Russia to Canada.

I don't know why these are still coming through, though. With authentication, SPF, DNS-MX lookup, etc. all turned on, these emails should not be coming through. And when they go out, they look like they're coming from my server.

iprat
Normal user
Posts: 247
Joined: 2005-05-20 16:50
Location: Barcelona, EU

Post by iprat » 2007-12-18 18:54

Could it be that a spammer has managed to guess an easy pass for any of your users? Check the account from which the spam is originated to see if it comes from your own server and then have a look at its user/password robustness.

mattg
Moderator
Posts: 20794
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Post by mattg » 2007-12-19 03:58

Do some open relay tests to make sure that you aren't allowing anyone to send e-mail through your server.

http://www.hmailserver.com/documentatio ... elay_tests

lysaer
Normal user
Posts: 35
Joined: 2006-01-22 03:51

Post by lysaer » 2007-12-19 19:50

Ok, did all three mail relay tests; they show I have no open relay.

Here is a sample header from one of the emails:

Return-Path: <xciotz@ev1s-207-218-201-38.ev1servers.net>
Received: from WD ([211.138.9.114])
    by seventwodesign.com
    with hMailServer ; Wed, 19 Dec 2007 10:37:28 -0600
Message-ID: <76C4C333-5F62-4038-860A-2E00BAE08543@seventwodesign.com>
From: "Stpuff" <xciotz@ev1s-207-218-201-38.ev1servers.net>
To: "mydaipeng" <mydaipeng@sohu.com>
Subject: =?GB2312?B?zvPH+Lb+o7q/vLrLxKnOu7y0zNTMrTIzOTcz?=
Date: Thu, 20 Dec 2007 00:37:26 +0800
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Also, now that I have SMTP authentication turned on, everyone trying to send email TO an address on my server is getting:

PERM_FAILURE: SMTP Error (state 13): 530 SMTP authentication is required.

sent back to them. That's when I have "require authentication to local accounts" turned on. I've got that disabled right now.
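
Added example, not part of the thread or any poster's code: a Python triage of the header quoted above. It checks whether the connecting IP in the top Received line is outside the server's own addresses while a recipient is also external, and whether the sender's domain embeds one of the server's IPs. `LOCAL_DOMAINS` and `LOCAL_NETS` are assumptions inferred from that header, and the sample is cut down to the fields used.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: the fields used here, copied from the header in the post.
SAMPLE = """\
Return-Path: <xciotz@ev1s-207-218-201-38.ev1servers.net>
Received: from WD ([211.138.9.114])
 by seventwodesign.com
 with hMailServer ; Wed, 19 Dec 2007 10:37:28 -0600
From: "Stpuff" <xciotz@ev1s-207-218-201-38.ev1servers.net>
To: "mydaipeng" <mydaipeng@sohu.com>

"""

# Assumptions: domains hosted on this server and the addresses it owns.
LOCAL_DOMAINS = {"seventwodesign.com"}
LOCAL_NETS = [ipaddress.ip_network("207.218.201.38/32")]

RECEIVED_RE = re.compile(r"from\s+\S+\s+\(\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")
DASHED_IP_RE = re.compile(r"(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})")

def is_local_ip(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)

def triage(raw):
    """Classify one queued message from its top Received header and addresses."""
    msg = message_from_string(raw)
    hop = RECEIVED_RE.search(msg.get("Received", ""))
    if hop is None:
        return {"verdict": "unparsed"}
    client_ip = hop.group(1)
    sender_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    dashed = DASHED_IP_RE.search(sender_domain)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external_rcpt = any(a.rpartition("@")[2].lower() not in LOCAL_DOMAINS for _, a in rcpts)
    if is_local_ip(client_ip):
        verdict = "local-origin"                 # generated on the server itself
    elif external_rcpt:
        verdict = "relayed-for-external-client"  # accepted from outside, sent back outside
    else:
        verdict = "inbound"                      # normal delivery to a local mailbox
    return {"verdict": verdict, "client_ip": client_ip,
            # True when the sender's domain embeds one of the server's own IPs
            "sender_embeds_local_ip": bool(dashed) and is_local_ip(".".join(dashed.groups()))}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a server that passes the open relay tests, a "relayed-for-external-client" verdict means the external client was allowed to relay some other way, which is consistent with the guessed-password suggestion made earlier in the thread.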

redrummy
Senior user
Posts: 370
Joined: 2007-06-21 06:52
Location: Alaska

Post by redrummy » 2007-12-21 11:55

Ah. I didn't see this topic when I replied to your other post on the same issue: http://www.hmailserver.com/forum/viewtopic.php?t=11185

Anyway, I concur w/ iprat's suspicion that you've got a compromised account and the same suggestions apply to pin it down. Good luck. Die spammer die.

Ryan
