Page 1 of 1

HELP!!! Spammers use my hmailserver???

Posted: 2007-06-13 10:07
by scarob
i'm from italy, i speak a bit of english.
I have installed hmailserv and it work perfectly 6 days.
I have configured 4 domains and 10 mailbox.
In first 6 days the traffic of the server was 40-50 massages (30 spam).

This morning in the status windows i see:
Processed Messages: 8116 !!!!!!!!!!!!!!!!!!!!!!!!

Now, I have problem to sent mail to some address and my server is now in RBL.

Any will help me to resolve?

Posted: 2007-06-13 10:58
by ^DooM^
Have you ticked external to external in any of your ip ranges?

Posted: 2007-06-13 11:12
by scarob
Allow deliveries from
external to external account

is NOT checked (local computer and internet)!

Posted: 2007-06-13 11:25
by iprat
Please run an open relay test like this:

This might help to find your (probably) setup problem.

Posted: 2007-06-13 11:47
by scarob
This is the result of the open relay test

Relay Test Result
All test performed, no relay accepted

Posted: 2007-06-13 12:27
by ^DooM^
Are you sure the emails have been sent though and not just received?

Do you have logging enabled?

Are emails still being sent?

Are there any emails in your undelivered queue?

Posted: 2007-06-13 12:37
by scarob
- Logging is enabled
- i suppose that email was successful sent why in the log file i see

2007-06-11 04:21:23 ktkktharrison@OMISSIS SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 543

2007-06-12 00:41:18 admin@OMISSIS hereshope58@OMISSIS 203.147.XX.XX SMTP ?virus=&rblgheuristicspam=0&ssl=0 250 2162

- if can help i can send you part of log file

Posted: 2007-06-13 13:05
by martin
Is "OMSSIS" a local domain in your system?
Is "Require SMTP authentication for external deliveries" selected in the IP ranges?

Posted: 2007-06-13 14:48
by scarob
Nooo... i have change the line whit OMISSIS in this post to hide the domain and the IP address.

In the IP Range -> Internet ->Require Authentication for deliveries
to remote accounts IS CHECKED

Posted: 2007-06-13 15:57
by GotNet
Couldn't this be one of your users?

Posted: 2007-06-13 16:01
by scarob
absolutely No, all account are administrated by me and my staff.

Any idea?
how i can remove my ip from RBL???

Posted: 2007-06-13 21:47
by ^DooM^
I would be more concerned with finding out who and how someone used your server to send spam with before trying to remove your IP from an RBL. If you don't and it happens again you will have to go through the whole process again.

Please post your log file from the time the spam sending started. Need about a minutes worth of log file to correctly identify what happened. Please do not post the whole log.

If you are worried about privacy please change your domain name to and your ip address to that way we can see what is you and what is the spammer.

Posted: 2007-06-13 23:01
by MP3Freak
Reading this thread, it looks to me like the server has been compromised and the spam is actually being delivered locally to the SMTP server.
This situation should be visible by analyzing the logs. If there's a large number of local ( or local net IPs) mail deliveries to HMS, that would confirm it.
Another way to find out would be to (at least temporarily) impose SMTP Auth also for local->external deliveries. If the spamming stops, then we found the reason.

It is an increasing plague, that genuine SMTP servers (mostly *NIX boxes) are compromised/rootkitted and then abused of for spamming. The trick is always the same: spam is delivered through the backdoor and locally delivered to the SMTP outbound engine. That way all relaying restrictions are levered out as usually SMTP services allow local IPs to deliver to everywhere. Furthermore, of course such systems resist to any open-relay test.

Scrivimi un email a se ti posso assistere in qualche modo nella tua lingua materna. Saluti! ;-)

Posted: 2007-06-13 23:20
by Kaan1983
Maybe some spammer got your login info; u may try to change your passwords, and limit your accounts sending mails...

Posted: 2007-06-14 10:13
by scarob
This mornig the situation is returned to normality

Number of
Processed Messages: 20
Messages containing virus: 0
Messages containing spam: 130

I have stopped the UltraVNCServer (i use it only whit very difficult password and DSM plugin) and the XAMPP web server.

To MP3Freak:
"If there's a large number of local ( or local net IPs) mail deliveries to HMS, that would confirm it. "
Yes, the spam is generated from

Posted: 2007-06-14 11:39
by ^DooM^
Then you need to look at any local scripts you have running and any potential security holes you may have left open by not configuring your apps carefully or protecting correctly any scripts you have written.