HELP!!! Spammers use my hmailserver???
Posted: 2007-06-13 10:07
I'm from Italy, I speak a bit of English.
I have installed hMailServer and it worked perfectly for 6 days.
I have configured 4 domains and 10 mailboxes.
In the first 6 days the traffic of the server was 40-50 messages (30 spam).
This morning in the status window I see:
Processed Messages: 8116 !!!!!!!!!!!!!!!!!!!!!!!!
Now I have problems sending mail to some addresses and my server is now in an RBL.
Can anyone help me resolve this?
Posted: 2007-06-13 10:58
Have you ticked "external to external" in any of your IP ranges?
Posted: 2007-06-13 11:12
"Allow deliveries from external to external account"
is NOT checked (local computer and internet)!
Posted: 2007-06-13 11:25
Please run an open relay test like this:
This might help to find your (probably) setup problem.
Posted: 2007-06-13 11:47
This is the result of the open relay test
Relay Test Result
All test performed, no relay accepted
Posted: 2007-06-13 12:27
Are you sure the emails have been sent though and not just received?
Do you have logging enabled?
Are emails still being sent?
Are there any emails in your undelivered queue?
Posted: 2007-06-13 12:37
- Logging is enabled
- I suppose that the emails were sent successfully, because in the log file I see
2007-06-11 04:21:23 ktkktharrison@OMISSIS 127.0.0.1 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 543
2007-06-12 00:41:18 admin@OMISSIS hereshope58@OMISSIS 203.147.XX.XX 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 2162
- If it helps, I can send you part of the log file
Posted: 2007-06-13 13:05
Is "OMISSIS" a local domain in your system?
Is "Require SMTP authentication for external deliveries" selected in the IP ranges?
Posted: 2007-06-13 14:48
Nooo... I changed the lines with OMISSIS in this post to hide the domain and the IP address.
In IP Range -> Internet -> "Require authentication for deliveries
to remote accounts" IS CHECKED
Posted: 2007-06-13 15:57
Couldn't this be one of your users?
Posted: 2007-06-13 16:01
Absolutely not, all accounts are administered by me and my staff.
How can I remove my IP from the RBL???
Posted: 2007-06-13 21:47
I would be more concerned with finding out who used your server to send spam, and how, before trying to remove your IP from an RBL. If you don't and it happens again, you will have to go through the whole process again.
Please post your log file from the time the spam sending started. We need about a minute's worth of log file to correctly identify what happened. Please do not post the whole log.
If you are worried about privacy, please change your domain name to domain.com and your IP address to 220.127.116.11; that way we can see what is you and what is the spammer.
Posted: 2007-06-13 23:01
Reading this thread, it looks to me like the server has been compromised and the spam is actually being delivered locally to the SMTP server.
This situation should be visible by analyzing the logs. If there's a large number of local (127.0.0.1 or local net IPs) mail deliveries to HMS, that would confirm it.
Another way to find out would be to (at least temporarily) impose SMTP Auth also for local->external deliveries. If the spamming stops, then we have found the reason.
It is an increasing plague that genuine SMTP servers (mostly *NIX boxes) are compromised/rootkitted and then abused for spamming. The trick is always the same: spam is delivered through the backdoor and handed locally to the SMTP outbound engine. That way all relaying restrictions are circumvented, as SMTP services usually allow local IPs to deliver everywhere. Furthermore, of course, such systems pass any open-relay test.
Write me an email at email@example.com
if I can assist you in any way in your native language. Regards!
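Added example (not from this thread or from the hMailServer project): a small Python script that applies the log check described above to lines shaped like the ones the original poster quoted, counting accepted deliveries per source IP and how many of them come from loopback or RFC 1918 addresses. The sample lines, domains and addresses are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the SMTP log lines quoted in the thread
# (placeholder domains and addresses, not real data). Three accepted deliveries
# originate from 127.0.0.1, one from an outside address.
SAMPLE_LOG = """\
2007-06-11 04:21:23 user1@domain.com 127.0.0.1 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 543
2007-06-11 04:21:24 user2@domain.com 127.0.0.1 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 612
2007-06-11 04:21:25 user3@domain.com 127.0.0.1 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 598
2007-06-12 00:41:18 admin@domain.com someone@example.org 203.0.113.7 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 2162
"""

# Assumed field order, taken from the quoted lines: date, time, one or more
# addresses, remote IP, local IP, protocol, parameters, SMTP code, size.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<addrs>.+?) "
    r"(?P<remote>\d{1,3}(?:\.\d{1,3}){3}) (?P<local>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>\S+) (?P<params>\S+) (?P<code>\d{3}) (?P<size>\d+)$"
)

# Loopback plus the RFC 1918 ranges count as "local"; deliberately not using
# ipaddress.is_private, which also matches documentation ranges like 203.0.113.0/24.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_local_source(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return ip.is_loopback or any(ip in net for net in LAN_NETS)

def summarize(log_text):
    """Count accepted (2xx) deliveries per remote IP and how many came from local sources."""
    per_source, total, local = Counter(), 0, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["code"].startswith("2"):
            continue
        total += 1
        per_source[rec["remote"]] += 1
        local += is_local_source(rec["remote"])
    return {"total": total, "local": local, "per_source": dict(per_source)}

def local_share(summary):
    """Fraction of accepted deliveries that originated locally; near 1.0 during the abuse."""
    return summary["local"] / summary["total"] if summary["total"] else 0.0
```

A high local share combined with an unusual number of sending addresses from 127.0.0.1 is the pattern to look for before deciding which local service to shut down.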
Posted: 2007-06-13 23:20
Maybe some spammer got your login info; you may try to change your passwords and limit which of your accounts can send mail...
Posted: 2007-06-14 10:13
This morning the situation has returned to normal
Processed Messages: 20
Messages containing virus: 0
Messages containing spam: 130
I have stopped the UltraVNC server (I use it only with a very difficult password and the DSM plugin) and the XAMPP web server.
"If there's a large number of local (127.0.0.1 or local net IPs) mail deliveries to HMS, that would confirm it. "
Yes, the spam is generated from 127.0.0.1
Posted: 2007-06-14 11:39
Then you need to look at any local scripts you have running and at any potential security holes you may have left open by not configuring your apps carefully or by not protecting any scripts you have written correctly.