Forum OpenACS Q&A: unwanted spam from my server... help.
http://www.spamcop.net/w3m?i=z771927124zda0d27e7655172dbb1079dcc05d01992z
How can somebody use my qmail in order to send spam? Could my qmail accidentally have an open relay? How can I check on that and close it?
Before I stopped qmail via daemontools I had this suspicious netstat:
tcp 0 0 ipx10231.arasis.de:http dialin-145-254-191:3199 SYN_RECV
tcp 24 0 ipx10231.arasis.d:10000 p508DBF81.dip.t-di:4485 CLOSE_WAIT
tcp 0 0 ipx-132-247-190-80:http p508DBF81.dip.t-di:4986 TIME_WAIT
tcp 0 0 ipx10231.arasis.de:http crawler2.googlebo:38592 TIME_WAIT
tcp 0 1 ipx10231.arasis.d:49847 angel-mta6.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49828 angel-mta6.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49830 angel-mta6.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49845 angel-mta5.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49827 angel-mta5.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49811 angel-mta5.whowher:smtp SYN_SENT
tcp 0 0 ipx10231.arasis.de:http dialin-145-254-191:3179 TIME_WAIT
tcp 0 1 ipx10231.arasis.d:49832 angel-mta4.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49782 angel-mta4.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49846 angel-mta3.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49810 angel-mta3.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49819 angel-mta3.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49783 angel-mta3.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49781 angel-mta2.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49831 angel-mta1.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49812 angel-mta1.whowher:smtp SYN_SENT
I just checked again and this angel-mta3.whowher:smtp is still hitting on my server...
What else is weird is that my webmin cannot load the qmail configuration index anymore although it can load i.e. the sendmail configuration index...
And I just checked out how many qmail processes are running... wow, there are a couple of qmail-remote processes:
[root@ipx10231 root]# ps auxww | grep qmail
root 637 0.0 0.0 1372 252 ? S 2003 0:00 supervise qmail-smtpd
qmaill 643 0.0 0.0 1388 204 ? S 2003 0:00 /usr/local/bin/multilog t /var/log/qmail
qmaill 649 0.0 0.0 1392 256 ? S 2003 0:00 /usr/local/bin/multilog t /var/log/qmail/smtpd
qmails 10543 0.0 0.0 1860 452 ? S Feb18 0:58 qmail-send
qmaill 10544 0.0 0.0 1392 432 ? S Feb18 0:25 splogger qmail
root 10545 0.0 0.0 1392 280 ? S Feb18 0:01 qmail-lspawn ./Maildir/
qmailr 10546 0.0 0.0 1400 304 ? S Feb18 0:31 qmail-rspawn
qmailq 10547 0.0 0.0 1384 292 ? S Feb18 0:05 qmail-clean
root 1417 0.0 0.0 1372 252 ? S Mar08 0:01 supervise qmail-send
qmailr 16872 0.0 0.0 1472 444 ? S 11:45 0:00 qmail-remote yahoo.com angel_looking4u@cb3.so-net.ne.jp acid_burn_tr@yahoo.com
qmailr 16873 0.0 0.0 1472 444 ? S 11:45 0:00 qmail-remote yahoo.com angel_looking4u@cb3.so-net.ne.jp dcm67@yahoo.com
root 17513 1.2 6.8 40324 34888 ? S 11:48 0:05 /usr/libexec/webmin/qmailadmin/index.cgi
root 17516 2.1 0.0 1396 300 ? D 11:48 0:10 /var/qmail/bin/qmail-qread
qmailr 18452 0.0 0.0 1468 460 ? S 11:50 0:00 qmail-remote angelfire.com ammo181@agrarpaedak.at hidesaka@angelfire.com
qmailr 19137 0.0 0.0 1472 464 ? S 11:51 0:00 qmail-remote angelfire.com ammo181@agrarpaedak.at hideseller@angelfire.com
qmailr 20160 0.0 0.0 1468 460 ? S 11:53 0:00 qmail-remote angelfire.com adamjh2@astro.com.au hideseng@angelfire.com
qmailr 20161 0.0 0.0 1468 460 ? S 11:53 0:00 qmail-remote angelfire.com adamjh2@astro.com.au hidesert.kgm@angelfire.com
qmailr 20171 0.0 0.0 1472 464 ? S 11:53 0:00 qmail-remote angelfire.com adamjh2@astro.com.au hidetakejo@angelfire.com
qmailr 20181 0.0 0.0 1468 460 ? S 11:53 0:00 qmail-remote angelfire.com adamjh2@astro.com.au hidetakeo@angelfire.com
qmailr 20194 0.0 0.0 1476 464 ? S 11:53 0:00 qmail-remote angelfire.com adamjh2@astro.com.au hidetani@angelfire.com
qmailr 20201 0.0 0.0 1468 460 ? S 11:53 0:00 qmail-remote angelfire.com adamjh2@astro.com.au hidetaro@angelfire.com
qmailr 20202 0.0 0.0 1468 460 ? S 11:53 0:00 qmail-remote angelfire.com adamjh2@astro.com.au hidingcrow@angelfire.com
qmailr 20204 0.0 0.0 1472 464 ? S 11:53 0:00 qmail-remote angelfire.com adamjh2@astro.com.au hidinger@angelfire.com
qmailr 20336 0.0 0.0 1472 464 ? S 11:53 0:00 qmail-remote angelfire.com bingo@catus.it hidn@angelfire.com
qmailr 20346 0.0 0.0 1476 468 ? S 11:53 0:00 qmail-remote angelfire.com bingo@catus.it hidnrainbo@angelfire.com
qmailr 20509 0.0 0.0 1476 468 ? S 11:54 0:00 qmail-remote angelfire.com amml5@bubble.ie hidy@angelfire.com
qmailr 20510 0.0 0.0 1476 468 ? S 11:54 0:00 qmail-remote angelfire.com amml5@bubble.ie hidyho16@angelfire.com
qmailr 20511 0.0 0.0 1468 460 ? S 11:54 0:00 qmail-remote angelfire.com amml5@bubble.ie hidylan@angelfire.com
qmailr 20532 0.0 0.0 1468 460 ? S 11:55 0:00 qmail-remote angelfire.com alien_girl_38574@capitolonline.nl hiebert@angelfire.com
qmailr 20533 0.0 0.0 1468 460 ? S 11:55 0:00 qmail-remote angelfire.com alien_girl_38574@capitolonline.nl hiec@angelfire.com
qmailr 20546 0.0 0.0 1472 464 ? S 11:55 0:00 qmail-remote columbus.rr.com ammalouz@bollebygd.se ctguy@columbus.rr.com
And I somehow cannot svc -u /service/qmail-* anymore... It tells me that it cannot connect to localhost:25
Help? I think I need it 😉
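A triage helper added here (not code from this thread) that parses ps and netstat output shaped like the listings above and counts in-flight qmail-remote deliveries whose envelope sender is not one of the server's own domains; the sample lines and the OWN_DOMAINS set are constructed for the example.

```python
import re
from collections import Counter

# Assumption: the domains this server legitimately originates mail for.
OWN_DOMAINS = {"arasis.de"}

# Constructed sample lines shaped like the ps output in the post.
PS_SAMPLE = """\
qmails 10543 0.0 0.0 1860 452 ? S Feb18 0:58 qmail-send
qmailr 16872 0.0 0.0 1472 444 ? S 11:45 0:00 qmail-remote yahoo.com angel_looking4u@cb3.so-net.ne.jp acid_burn_tr@yahoo.com
qmailr 18452 0.0 0.0 1468 460 ? S 11:50 0:00 qmail-remote angelfire.com ammo181@agrarpaedak.at hidesaka@angelfire.com
qmailr 20160 0.0 0.0 1468 460 ? S 11:53 0:00 qmail-remote angelfire.com adamjh2@astro.com.au hideseng@angelfire.com
qmailr 20336 0.0 0.0 1472 464 ? S 11:53 0:00 qmail-remote angelfire.com bingo@catus.it hidn@angelfire.com
qmailr 20999 0.0 0.0 1472 464 ? S 11:56 0:00 qmail-remote example.org webmaster@arasis.de info@example.org
"""

# Constructed sample lines shaped like the netstat output in the post.
NETSTAT_SAMPLE = """\
tcp 0 0 ipx10231.arasis.de:http crawler2.googlebo:38592 TIME_WAIT
tcp 0 1 ipx10231.arasis.d:49847 angel-mta6.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49828 angel-mta6.whowher:smtp SYN_SENT
tcp 0 1 ipx10231.arasis.d:49845 angel-mta5.whowher:smtp SYN_SENT
"""

# qmail-remote is started as: qmail-remote <host> <sender> <recipient>...
QMAIL_REMOTE = re.compile(r"qmail-remote\s+(\S+)\s+(\S+)\s+(.+)$")

def parse_qmail_remote(ps_text):
    """Return (host, sender, [recipients]) for every qmail-remote process."""
    jobs = []
    for line in ps_text.splitlines():
        m = QMAIL_REMOTE.search(line)
        if m:
            jobs.append((m.group(1), m.group(2), m.group(3).split()))
    return jobs

def foreign_sender_domains(ps_text, own_domains=OWN_DOMAINS):
    """Count in-flight deliveries per envelope-sender domain, keeping only
    senders that are not ours. Many distinct foreign senders going out at
    once is the fingerprint of a relay being abused, not of local users."""
    counts = Counter()
    for _host, sender, _rcpts in parse_qmail_remote(ps_text):
        domain = sender.rpartition("@")[2].lower()
        if domain not in own_domains:
            counts[domain] += 1
    return counts

def outbound_smtp_syn_sent(netstat_text):
    """Count half-open outbound connections to remote port smtp; a pile of
    these means qmail-send is trying to flush a large queue."""
    total = 0
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[5] == "SYN_SENT" and fields[4].endswith(":smtp"):
            total += 1
    return total
```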
It's been ages since I configured this on my server but I don't recall it being very hard to deal with (in great part thanks to the invaluable help from Dave Bauer).
FWIW, I made some notes from that session, but they may be obsolete by now: http://infogettable.net/linux/mail-system/
Good luck!
Look for "/etc/tcp.smtp" in that document.
The first thing you should do as a responsible sysadmin is:
svc -d /service/qmail-*
Then figure out how to stop the open relay. However, probably most of the email messages are going to go to bad addresses, so your queue will be full of bad messages and qmail will continue to attempt delivery for about a week. If you don't have a bunch of email in your queue, you should consider figuring out how to delete all the messages in your queue before starting qmail again.
Tom, that's exactly what I did. I thought that qmail was still running, but it actually wasn't. I temporarily closed down port 25 through iptables (lokkit). The queue had over 40.000 emails in it. I found an instruction on google on how to delete them. Basically you can delete them manually but shouldn't delete folders.
Then I added all my domains to accepted domains (rcpthosts), which I must have deleted accidentally. By the way: What is the difference between rcpthosts and locals? Should all domains be in both files or only in rcpthosts?
I personally patch qmail with smtp-auth to take care of relaying. relay-ctrl used to do the job but it allows relays via ip addresses... this is bad news for NAT-based systems as one valid email user inside the network allows all others from that network to use your box as relay.
Thanks for the reply. I am testing some settings now and I only have mydomain.com in rcpthosts, but I can still send emails to my yahoo.com address?! Why? Before that I didn't have anything written in my rcpthosts. Well, I am not 100% sure because I was using the webmin interface to do it. I also restarted qmail after I made the changes to rcpthosts.
My server is located in a hosting farm and I am the only one having access to it. How could somebody use it to spam other people and how can I test if the relay is still open?
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=open+relay+test
Now, to your other question: You have done the correct thing with rcpthosts, but you also need to look at your /etc/tcp.smtp file (mine was really located at /etc/qmail/tcp.smtp)
See http://www.lifewithqmail.org/lwq.html#relaying for more info about how to set up this file, but it pretty much defines which computers are inside your network and you are OK with sending any mail for them-- and which ones are not.
Mine looks like this:
127.:allow,RELAYCLIENT=""
172.30.0.:allow,RELAYCLIENT=""
The first line allows localhost to send whatever mail they want. The second line allows anyone on our internal network to send any mail they want.
Sam
my /etc/tcp.smtp (the only one I found on my system) apparently only allows localhost to send emails. Or am I wrong?
localhost:allow,RELAYCLIENT=""
127.0.0.1:allow,RELAYCLIENT=""
James: I am not sure if I installed smtp-auth... How can I check? How could I change this configuration now? If I remember correctly I first had qmail-1.03 installed and then switched to netqmail-1.04. That's at least what a locate for qmail-smtpd wants me to remember.
I just did an open relay test at:
http://members.iinet.net.au/~remmie/relay/
and all but one test failed:
#####
To: myprivateemail%yahoo.com@arasis.de
From: spamtest@arasis.de
<<< 250 flushed
>>> MAIL FROM:
<<< 250 ok
>>> RCPT TO:
<<< 250 ok
>>> DATA
<<< 354 go ahead
>>> MESSAGE
<<< 250 ok 1079078546 qp 6283
SUCCESS
Relay Accepted - final response code 250
If you dont recieve it then its not a relay (Its still a Bad Thing (TM) that it accepted)
Check your email
#####
I didn't get an email, neither did I find this mail in my qmail queue...
You are correct.
_ James: I am not sure if I installed smtp-auth... How can I check? How could I change this configuration now? _
I am not James, but... if you can send email through any client or through a telnet to port 25 without the system asking you for a username/password then you probably don't have it installed. smtp-auth exists as a patch and so you can't just change the configuration. You need to apply it and recompile qmail. Look for any of the several smtp-auth patches that exist at http://www.qmail.org/top.html
_ To: myprivateemail%yahoo.com@arasis.de _
qmail doesn't relay addresses of this format. If you want to reject even the probe, then patch qmail with the patch located here: http://www.qmail.org/qmail-smtpd-relay-reject
HTH.
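Added here as an illustration (not qmail's code, nor anything posted in this thread) of the decision the replies above describe: qmail-smtpd relays for a client that received RELAYCLIENT from tcp.smtp and otherwise accepts only recipient domains listed in rcpthosts, which is why the "%" probe gets "250 ok" without being relayed. The tcprules matching is a simplified model, the two tcp.smtp files are copies of the ones shown above, and the client addresses are constructed.

```python
# Constructed copies of the two tcp.smtp files shown in the thread.
TCP_SMTP_SAM = '127.:allow,RELAYCLIENT=""\n172.30.0.:allow,RELAYCLIENT=""\n'
TCP_SMTP_OP = 'localhost:allow,RELAYCLIENT=""\n127.0.0.1:allow,RELAYCLIENT=""\n'

def parse_tcp_smtp(text):
    """Return {pattern: (action, {ENV: value})} from tcprules-style lines."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, rest = line.partition(":")
        action, *envs = rest.split(",")
        env = {}
        for item in envs:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[pattern] = (action, env)
    return rules

def match_rule(rules, client_ip):
    """Simplified tcprules lookup: exact address, then dotted prefixes from
    longest to shortest, then the default (empty) pattern. tcpserver allows
    a connection that matches no rule. Only IP patterns are modelled, so a
    bare 'localhost' line is inert here; the 127.0.0.1 line covers it."""
    if client_ip in rules:
        return rules[client_ip]
    parts = client_ip.split(".")
    for n in range(len(parts) - 1, 0, -1):
        prefix = ".".join(parts[:n]) + "."
        if prefix in rules:
            return rules[prefix]
    return rules.get("", ("allow", {}))

def rcpt_decision(rules, rcpthosts, client_ip, recipient):
    """'relay', 'local' or 'reject' for one RCPT TO. rcpthosts=None models a
    missing control file, which qmail-smtpd treats as 'accept everything'."""
    action, env = match_rule(rules, client_ip)
    if action == "deny":
        return "reject"   # tcpserver drops the connection before qmail-smtpd runs
    if "RELAYCLIENT" in env:
        return "relay"    # trusted client: any recipient domain is accepted
    if rcpthosts is None:
        return "relay"    # no rcpthosts at all: an open relay for everyone
    domain = recipient.rpartition("@")[2].lower()
    for host in rcpthosts:
        h = host.lower()
        # an entry with a leading '.' matches subdomains only, not the bare domain
        if domain == h or (h.startswith(".") and domain.endswith(h)):
            return "local"  # the domain is ours: accepted for local handling, nothing relayed
    return "reject"       # 553 sorry, that domain isn't in my list of allowed rcpthosts

def percent_hack_probe(rules, rcpthosts=("arasis.de",)):
    """The relay tester's probe above: arasis.de is in rcpthosts, so qmail-smtpd
    says 250 ok, but the '%' local part is simply handed to local delivery."""
    return rcpt_decision(rules, list(rcpthosts), "203.0.113.9",
                         "myprivateemail%yahoo.com@arasis.de")
```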
I'm monitoring the IDS. It keeps detecting source 0.0.0.0, which has the highest number of attacks in most signatures. What is the 0.0.0.0 IP, how is it generated, how do I deal with it, is it harmful, and what if I blocked it, what's going to happen?
Is it generated from my own machine, such as the firewall or router which doesn't have an IP? Simply put, is it generated because the IDS couldn't find any IP for the machine?
Or something else?
Please guide.
Thank you.
It's not surprising that people chose to play games with it, but when vendors of firewalls like ZoneAlarm (appear to) require you to accept whatever comes in on it as a valid message, after which a sequence of other ports are sent messages to and from your PC, then I ask myself, why are these people writing firewalls? Why not just send everyone some virus and be done with it?
0.0.0.0 appears to have yet another purpose. Although localhost is 127.0.0.1, you'll find quite a few connections to your own PC via the address 0.0.0.0, even subsequent to having been assigned an IP.
It also is used as a "starting" address, before you're assigned an IP. However, what "bugs" me is that 0.0.0.0 remains unchanged in your system (if you run XP), and legitimate messages are not only sent by you to countless remote sites, using that IP, but the damn IP continues to be used by some of the most "sensitive" services and DLLs in your entire system, e.g. SvcHost, and System (which is Kernel32.DLL).
All I can say is that I do block lots of 0.0.0.0 incoming messages to various programs, but if you block too much of it, you're going to find that you will be unable to connect to various sites to send them messages, as well.
Presumably, one would expect ICMP to be amongst the first messages, as well as the response from 255.255.255.234, which is recommended to be blocked.
It would seem that there are too many cooks in the kitchen, and each vendor chooses to use it for their own purposes and in their own ways, from O/Ss to firewalls.
BTW, by msgs I'm not inferring e-mail or anything of the sort. Nor am I suggesting only ICMP is sent over it.
When I was coding mid-level TCP code on a corporate intranet, it was understood by all that 0.0.0.0 referred to an address used by the network server to make "announcements" to clients. However, that too was by agreement, and I would not suggest that even then 0.0.0.0 was listened to for other purposes.
As a prime example of screw-ups, unless you take some measures to restrict ports 445 and 135 from getting msgs from the outside, you might find it problematic, as they too listen for messages from 0.0.0.0, which (I would think) they assume is your own PC, long after you're assigned an IP address. (If running Windows, be careful about blocking those ports. Even though RPC is not required for any good reason, Microsoft made it a requirement, and if those ports are blocking your own PC from getting messages from your keyboard, you'll have to reinstall your partition, or your entire system, if you have no decent stand-alone backup software.)
I would not pretend to portray myself as entirely knowledgeable about 0.0.0.0; in fact, a Google search for its purposes led me to this thread, and I just jumped in, although I don't have the ACS software, or even have bothered to look up what it's about.
My quest for more info on 0.0.0.0 continues via the search engine, in a moment. If I'm mistaken in anything I've mentioned, I would be interested in knowing what you would have a comment, correction, or ideas on; please feel free to comment back to me at: yourtreat2@hotmail.com. (No need to worry about writing to a spammer, unless this is considered to be spam, as some might think. Instead, I've been programming since 1980, and have done programming under DOS and Windows using C, C++, Java, and more, for the past 11 years.)
Regards - T2
So get a kick out of this bit of conversation I located at another site, in which the exact same question about 0.0.0.0 was posed, and you'll note that from the VERY FIRST response there is ALREADY a hint of what is to come, and it just gets worse! (Before I paste it here for your amusement, let me just say that it's been my experience that 0.0.0.0 could be you or could be a broadcast to the entire network. There is NO DEFINITIVE ANSWER to the question of what 0.0.0.0 is (I would suggest/argue), as the MEANING AND USE of 0.0.0.0 IS ENTIRELY DEPENDENT upon what context you are seeing it being used in.) So, for the thread starter, who runs a server and was attempting to post stuff out to the Net but sent garbage out to 0.0.0.0, YOU would need to make an assumption, or better yet a somewhat informed guess, that the mail was NOT being sent between ports in his machine. A last bit of info.... 0.0.0.0 as an address that MAY IN SOME CONTEXTS mean your PC IS ALSO USED AS THE ADDRESS OF THE ORIGIN OF POSTS that are NOT, I repeat ARE NOT IN FACT MADE TO THE ENTIRE NETWORK!!! And that is yet one more thing that "bugs" me about the geniuses that came up with most of the stuff about the net, but that's my own personal bias.
One last tidbit on two very good sites with very knowledgeable people running them: check out Castle Cops, and also Wilders, or it might be Wilder's Web Sites. They are highly knowledgeable, and if you can get a Mod or Admin to respond to a question, you'll get a really good answer in all the cases I've seen. The focus of these sites is on security; HOWEVER, to do that, they all understand the details about various port numbers and common addresses that any spy or hacker would want to take advantage of, and they know plenty more. Both are free sites, and the best I've found, but don't assume that the members are as knowledgeable as those that run the site, as that is far from being true all the time. Anyways, as promised, here's an amusing exchange from another site that I just found about the exact same topic of 0.0.0.0:
--------
SiliconJon, February 7th, 2005, 07:27 PM
I learned something new today.
0.0.0.0 is the IP address for the internet
255.255.255.255 is THE broadcast address (no matter what your network address).
I wonder if I will remember it tomorrow... better write it down.
--------------------------------------------------------------------------------
GroundZero3, February 7th, 2005, 07:31 PM
where did you learn this?
--------------------------------------------------------------------------------
[Neo770], February 7th, 2005, 07:35 PM
Sounds a bit far fetched to me.
--------------------------------------------------------------------------------
GroundZero3, February 7th, 2005, 07:38 PM
I found this:
http://support.microsoft.com/kb/178550/EN-US/
--------------------------------------------------------------------------------
mazdarx7-64, February 7th, 2005, 07:38 PM
255.255.255.255 is the broadcast address, but only for your network or subnet, not for the whole internet.
--------------------------------------------------------------------------------
Redwolf, February 7th, 2005, 07:39 PM
http://www.dnsstuff.com/tools/whois.ch?ip=0.0.0.0
http://www.dnsstuff.com/tools/whois.ch?ip=255.255.255.255
--------------------------------------------------------------------------------
[Neo770], February 7th, 2005, 07:40 PM
I thought the broadcast for, say, 192.168.0.0/255.255.255.0 would be 192.168.255.255 and all 255s would be not usable. Or do I need to go back to my CISCO books :)
--------------------------------------------------------------------------------
mazdarx7-64, February 7th, 2005, 07:42 PM
Neo, you are right, my bad.
--------------------------------------------------------------------------------
Gait_Keeper, February 7th, 2005, 07:55 PM
All alien to me....... but I'm learning
--------------------------------------------------------------------------------
SiliconJon, February 8th, 2005, 05:19 PM
I didn't mean the whole internet on the 255 one... but rather a usable broadcast address for your own network segment despite whatever accurate broadcast address may be appropriate for your network address.
My machine doesn't have a conflict with 0.0.0.0 (Server 2003 & XP Pro), but seems to be using this address for the murky cloud of the internet. Or so class is teaching me.
Ah, RFC3330 (http://www.faqs.org/rfcs/rfc3330.html)...
--------------------------------------------------------------------------------
SiliconJon, February 8th, 2005, 05:22 PM
0.0.0.0/8 "This" Network
0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
network. Address 0.0.0.0/32 may be used as a source address for this
host on this network; other addresses within 0.0.0.0/8 may be used to
refer to specified hosts on this network [RFC1700, page 4].
Hmmm...RFC1700 (http://www.faqs.org/rfcs/rfc1700.html)...