HELP!!! Spammers use my hmailserver???

scarob
New user
Posts: 16
Joined: 2007-06-13 09:51

HELP!!! Spammers use my hmailserver???

Post by scarob » 2007-06-13 10:07

Hi,
I'm from Italy, I speak a bit of English.
I have installed hMailServer and it worked perfectly for 6 days.
I have configured 4 domains and 10 mailboxes.
In the first 6 days the traffic of the server was 40-50 messages (30 spam).

This morning in the status window I see:
Processed Messages: 8116 !!!!!!!!!!!!!!!!!!!!!!!!

Why?
Now I have problems sending mail to some addresses, and my server is now in an RBL.

Will anyone help me to resolve this?
Thanks
Sc@rob

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2007-06-13 10:58

Have you ticked external to external in any of your ip ranges?

scarob
New user
Posts: 16
Joined: 2007-06-13 09:51

Post by scarob » 2007-06-13 11:12

Allow deliveries from
external to external account

is NOT checked (local computer and internet)!

iprat
Normal user
Posts: 247
Joined: 2005-05-20 16:50
Location: Barcelona, EU

Post by iprat » 2007-06-13 11:25

Please run an open relay test like this:

http://www.abuse.net/relay.html

This might help to find your (probably) setup problem.

scarob
New user
Posts: 16
Joined: 2007-06-13 09:51

Post by scarob » 2007-06-13 11:47

This is the result of the open relay test:

Relay Test Result
All test performed, no relay accepted

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2007-06-13 12:27

Are you sure the emails have been sent though and not just received?

Do you have logging enabled?

Are emails still being sent?

Are there any emails in your undelivered queue?

scarob
New user
Posts: 16
Joined: 2007-06-13 09:51

Post by scarob » 2007-06-13 12:37

- Logging is enabled
- I suppose that the email was successfully sent, because in the log file I see

2007-06-11 04:21:23 ktkktharrison@OMISSIS 127.0.0.1 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 543

2007-06-12 00:41:18 admin@OMISSIS hereshope58@OMISSIS 203.147.XX.XX 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 2162

- If it can help, I can send you part of the log file

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2007-06-13 13:05

Is "OMISSIS" a local domain in your system?
Is "Require SMTP authentication for external deliveries" selected in the IP ranges?

scarob
New user
Posts: 16
Joined: 2007-06-13 09:51

Post by scarob » 2007-06-13 14:48

Nooo... I have changed the line with OMISSIS in this post to hide the domain and the IP address.

In the IP Range -> Internet -> "Require Authentication for deliveries to remote accounts" IS CHECKED

GotNet
Normal user
Posts: 207
Joined: 2005-04-16 20:52

Post by GotNet » 2007-06-13 15:57

Couldn't this be one of your users?

scarob
New user
Posts: 16
Joined: 2007-06-13 09:51

Post by scarob » 2007-06-13 16:01

Absolutely not, all accounts are administered by me and my staff.

Any idea?
How can I remove my IP from the RBL???

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2007-06-13 21:47

I would be more concerned with finding out who and how someone used your server to send spam with before trying to remove your IP from an RBL. If you don't and it happens again you will have to go through the whole process again.

Please post your log file from the time the spam sending started. I need about a minute's worth of log file to correctly identify what happened. Please do not post the whole log.

If you are worried about privacy, please change your domain name to domain.com and your IP address to 123.123.123.123; that way we can see what is you and what is the spammer.

MP3Freak
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Post by MP3Freak » 2007-06-13 23:01

Reading this thread, it looks to me like the server has been compromised and the spam is actually being delivered locally to the SMTP server.
This situation should be visible by analyzing the logs. If there's a large number of local (127.0.0.1 or local net IPs) mail deliveries to HMS, that would confirm it.
Another way to find out would be to (at least temporarily) impose SMTP Auth also for local->external deliveries. If the spamming stops, then we found the reason.

It is an increasing plague that genuine SMTP servers (mostly *NIX boxes) are compromised/rootkitted and then abused for spamming. The trick is always the same: spam is delivered through the backdoor and locally delivered to the SMTP outbound engine. That way all relaying restrictions are levered out, as usually SMTP services allow local IPs to deliver to everywhere. Furthermore, of course, such systems resist any open-relay test.

@scarob
Send me an email at hmailserver@spmtst.homeip.net if I can assist you in any way in your native language. Regards! ;-)
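
A small log triage script in the spirit of MP3Freak's advice, added here as an example and not part of this thread or of hMailServer: it parses delivery entries in the shape scarob quoted (the field layout is an assumption taken from those two lines, and the sample entries are constructed) and reports which source IPs had mail accepted and whether a loopback or private source is injecting bursts, which is the "delivered locally" pattern described above.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample entries in the shape scarob quoted; addresses and IPs are made up.
# Assumed layout: date time [sender] [recipient] remote-ip local-ip SMTP flags reply-code size
SAMPLE_LOG = """\
2007-06-11 04:21:23 bob@domain.com 127.0.0.1 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 543
2007-06-11 04:21:24 jane@domain.com joe@example.org 127.0.0.1 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 610
2007-06-11 04:21:24 jane@domain.com sam@example.net 127.0.0.1 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 598
2007-06-11 04:21:25 jane@domain.com kim@example.com 127.0.0.1 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 603
2007-06-12 00:41:18 admin@domain.com hope@example.org 203.0.113.7 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 2162
2007-06-12 00:41:19 ann@domain.com 198.51.100.9 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 550 0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}\s+.*?\s+"
    r"(?P<remote>" + IPV4 + r")\s+(?P<local>" + IPV4 + r")\s+SMTP\s+\S+\s+"
    r"(?P<code>\d{3})\s+(?P<size>\d+)\s*$"
)

def parse_line(line):
    """Return the fields of one delivery entry, or None for a line of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"minute": m["minute"], "remote": m["remote"], "local": m["local"],
            "code": int(m["code"]), "size": int(m["size"])}

def accepted_by_source(log_text):
    """Count deliveries the server accepted (2xx reply) per remote IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and 200 <= rec["code"] < 300:
            counts[rec["remote"]] += 1
    return counts

def local_bursts(log_text, per_minute=3):
    """Flag (minute, ip, count) where a loopback/private source had at least
    per_minute messages accepted: mail injected by something running on the box."""
    per_min = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not 200 <= rec["code"] < 300:
            continue
        src = ip_address(rec["remote"])
        if src.is_loopback or src.is_private:
            per_min[(rec["minute"], rec["remote"])] += 1
    return sorted((m, ip, n) for (m, ip), n in per_min.items() if n >= per_minute)
```

Run it over a minute of real log around the time the counter jumped; a steady stream of accepted 127.0.0.1 deliveries points at a local process rather than an open relay.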

Kaan1983
Senior user
Posts: 595
Joined: 2007-01-30 16:26
Location: TÜRKIYE

Post by Kaan1983 » 2007-06-13 23:20

Maybe some spammer got your login info; you may try to change your passwords, and limit your accounts sending mails...

scarob
New user
Posts: 16
Joined: 2007-06-13 09:51

Post by scarob » 2007-06-14 10:13

This morning the situation has returned to normal

Status:
Number of
Processed Messages: 20
Messages containing virus: 0
Messages containing spam: 130

I have stopped the UltraVNCServer (I use it only with a very difficult password and the DSM plugin) and the XAMPP web server.


To MP3Freak:
"If there's a large number of local (127.0.0.1 or local net IPs) mail deliveries to HMS, that would confirm it. "
Yes, the spam is generated from 127.0.0.1

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2007-06-14 11:39

Then you need to look at any local scripts you have running and any potential security holes you may have left open by not configuring your apps carefully or protecting correctly any scripts you have written.
