Still spamming...
Shaumarov Boburhon
2011-03-25 10:45:29 UTC
Hi guys, it's me again. I have the same problem again: somebody is
sending a lot of spam from my qmail server. Looking at
tail -f /var/log/maillog, I can't find any strange emails; it seems
everything is OK. Last time I found some users whose passwords had been
hacked, and the spam was being sent from those accounts.
I thought the problem was solved, but unfortunately it's still spamming.



## ps ax:

8541 ? S 0:00 qmail-remote hotmail.com david2000-QOiod4cnrWAN+***@public.gmane.org dela215-***@public.gmane.org
8543 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org deevusa-***@public.gmane.org
8544 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org deepconnect-***@public.gmane.org
8546 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org deepalitaware-/***@public.gmane.org
8549 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org deepak4date-***@public.gmane.org
8553 ? S 0:00 qmail-remote yahoo.co.in david2000-QOiod4cnrWAN+***@public.gmane.org deep_laugh001-/***@public.gmane.org
8555 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org debasish.das2-***@public.gmane.org
8558 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org debabrata.iit-***@public.gmane.org
8559 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org deb_samal2002-/***@public.gmane.org
8560 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org dearpartha-/***@public.gmane.org
8561 ? S 0:00 qmail-remote hotmail.com david2000-QOiod4cnrWAN+***@public.gmane.org ddrmeena-***@public.gmane.org
8566 ? S 0:00 qmail-remote bsnl.co.in david2000-QOiod4cnrWAN+***@public.gmane.org dcpradhan-6Sfbsi4peQ6f0DUV/***@public.gmane.org
8567 ? S 0:00 qmail-remote nitrkl.ac.in david2000-QOiod4cnrWAN+***@public.gmane.org dbehera-***@public.gmane.org
8568 ? S 0:00 qmail-remote iopb.res.in david2000-QOiod4cnrWAN+***@public.gmane.org dbehera-***@public.gmane.org
8569 ? S 0:00 qmail-remote msn.com david2000-QOiod4cnrWAN+***@public.gmane.org davyboy357-***@public.gmane.org
8573 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org dassofm-/***@public.gmane.org
8574 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org dash.nibedita11-***@public.gmane.org
8578 ? S 0:00 qmail-remote yahoo.co.in david2000-QOiod4cnrWAN+***@public.gmane.org das_meeky-/***@public.gmane.org
8579 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org das_madhusmita-/***@public.gmane.org
8584 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org darsh1962-/***@public.gmane.org
8586 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org darkrustam-/***@public.gmane.org
8587 ? S 0:00 qmail-remote dutchmail.com david2000-QOiod4cnrWAN+***@public.gmane.org dantrenner-Bv/vjAMuS/YS+***@public.gmane.org
8588 ? S 0:00 qmail-remote msn.com david2000-QOiod4cnrWAN+***@public.gmane.org danielmohanpersad98-***@public.gmane.org
8589 ? S 0:00 qmail-remote yogachikitsacentre.com david2000-QOiod4cnrWAN+***@public.gmane.org daniellefeurtado-2r358chHoze0T4qjB+***@public.gmane.org
8590 ? S 0:00 qmail-remote yahoo.co.in david2000-QOiod4cnrWAN+***@public.gmane.org damodarpathak-/***@public.gmane.org
8591 ? S 0:00 qmail-remote hotmail.com david2000-QOiod4cnrWAN+***@public.gmane.org damienrizzello-***@public.gmane.org
8592 ? S 0:00 qmail-remote ambedkar.org david2000-QOiod4cnrWAN+***@public.gmane.org dalits-***@public.gmane.org
8593 ? S 0:00 qmail-remote iopb.res.in david2000-QOiod4cnrWAN+***@public.gmane.org dalaimk-***@public.gmane.org
8594 ? S 0:00 qmail-remote eth.net david2000-QOiod4cnrWAN+***@public.gmane.org dakshina-***@public.gmane.org
8595 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org daftriandcompany-***@public.gmane.org
8596 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org d.rout60-***@public.gmane.org
8597 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org d.deepali2007-***@public.gmane.org
8598 ? S 0:00 qmail-remote hotmail.com david2000-QOiod4cnrWAN+***@public.gmane.org cyntrasingh-***@public.gmane.org
8599 ? S 0:00 qmail-remote yahoo.co.in david2000-QOiod4cnrWAN+***@public.gmane.org cvomstc-/***@public.gmane.org
8600 ? S 0:00 qmail-remote hotmail.com david2000-QOiod4cnrWAN+***@public.gmane.org cvairag-***@public.gmane.org
8601 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org cutelove_kru31-/***@public.gmane.org
8602 ? S 0:00 qmail-remote yahoo.co.in david2000-QOiod4cnrWAN+***@public.gmane.org ctk_mina-/***@public.gmane.org
8603 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org cssnayak2006-***@public.gmane.org
8604 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org csrout-***@public.gmane.org
8605 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org csabhinavm-***@public.gmane.org
8606 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org crkraju-/***@public.gmane.org
8607 ? S 0:00 qmail-remote verizon.net david2000-QOiod4cnrWAN+***@public.gmane.org crdesign98-H+***@public.gmane.org
8608 ? S 0:00 qmail-remote d.umn.edu david2000-QOiod4cnrWAN+***@public.gmane.org ***@d.umn.edu
8609 ? S 0:00 qmail-remote aol.com david2000-QOiod4cnrWAN+***@public.gmane.org coutelil-***@public.gmane.org
8610 ? S 0:00 qmail-remote hotpop.com david2000-QOiod4cnrWAN+***@public.gmane.org coolninad-ktR7oAotx3zQT0dZR+***@public.gmane.org
8611 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org coolmahee_2005-/***@public.gmane.org
8612 ? S 0:00 qmail-remote yahoo.co.in david2000-QOiod4cnrWAN+***@public.gmane.org cooldipti_13-/***@public.gmane.org
8613 ? S 0:00 qmail-remote gmail.com david2000-QOiod4cnrWAN+***@public.gmane.org coolbalaji87-***@public.gmane.org
8614 ? S 0:00 qmail-remote yahoo.co.in david2000-QOiod4cnrWAN+***@public.gmane.org cool_ganesh1-/***@public.gmane.org
8615 ? S 0:00 qmail-remote tafecon.com david2000-QOiod4cnrWAN+***@public.gmane.org contact-***@public.gmane.org
8616 ? S 0:00 qmail-remote iitt.ac.in david2000-QOiod4cnrWAN+***@public.gmane.org contact-A4gU7LdLr+ef0DUV/***@public.gmane.org
8617 ? S 0:00 qmail-remote awakeningself.com david2000-QOiod4cnrWAN+***@public.gmane.org connie-56sTcPfcKMjKsszUe28cOwC/***@public.gmane.org
8618 ? S 0:00 qmail-remote sbcglobal.net david2000-QOiod4cnrWAN+***@public.gmane.org cmgraham-***@public.gmane.org
8619 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org cmgarg-/***@public.gmane.org
8620 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org cm4chakra-/***@public.gmane.org
8621 ? S 0:00 qmail-remote inovant.com david2000-QOiod4cnrWAN+***@public.gmane.org clukas-***@public.gmane.org
8623 ? S 0:00 qmail-remote theworld.com david2000-QOiod4cnrWAN+***@public.gmane.org clindley-KVEKqrk+LIpWk0Htik3J/***@public.gmane.org
8624 ? S 0:00 qmail-remote vassar.edu david2000-QOiod4cnrWAN+***@public.gmane.org clhosley-***@public.gmane.org
8625 ? S 0:00 qmail-remote yahoo.co.in david2000-QOiod4cnrWAN+***@public.gmane.org cldinakaran-/***@public.gmane.org
8626 ? S 0:00 qmail-remote euronet.be david2000-QOiod4cnrWAN+***@public.gmane.org claude.laurent-***@public.gmane.org
8627 ? S 0:00 qmail-popup mail.intal.uz /var/popboxes/bin/vchkpw qmail-pop3d Maildir
8628 ? S 0:00 qmail-remote tiscali.be david2000-QOiod4cnrWAN+***@public.gmane.org clau8787-***@public.gmane.org
8629 ? S 0:00 qmail-remote rediffmail.com david2000-QOiod4cnrWAN+***@public.gmane.org cknguptha-QOiod4cnrWAN+***@public.gmane.org
8630 ? S 0:00 qmail-remote yahoo.com david2000-QOiod4cnrWAN+***@public.gmane.org cjm6in4ths-/***@public.gmane.org
8631 ? S 0:00 qmail-remote rediffmail.com david2000-QOiod4cnrWAN+***@public.gmane.org chura_giri-QOiod4cnrWAN+***@public.gmane.org


### tail -f /var/service/qmail-send/log/main/current
@400000004d8c715617b89be4 status: local 0/10 remote 254/255
@400000004d8c715617b8ab84 starting delivery 35382: msg 854058 to remote ips_38con-/***@public.gmane.org
@400000004d8c715617b8bf0c status: local 0/10 remote 255/255
@400000004d8c715629d0f2cc delivery 34355: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
@400000004d8c715629d10e24 status: local 0/10 remote 254/255
@400000004d8c715629d11dc4 starting delivery 35383: msg 854058 to remote invisible_flying_torsoman-/***@public.gmane.org
@400000004d8c715629d1314c status: local 0/10 remote 255/255
@400000004d8c71562fab7fb4 delivery 34676: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
@400000004d8c71562fab9724 status: local 0/10 remote 254/255
@400000004d8c71562fabaaac starting delivery 35384: msg 854058 to remote iniselvi-***@public.gmane.org
@400000004d8c71562fabba4c status: local 0/10 remote 255/255
@400000004d8c7158272e0974 delivery 35379: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
@400000004d8c7158272e20e4 status: local 0/10 remote 254/255
@400000004d8c7158272e346c starting delivery 35385: msg 854058 to remote info-***@public.gmane.org
@400000004d8c7158272e440c status: local 0/10 remote 255/255
@400000004d8c715a07a03794 delivery 35368: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
@400000004d8c715a07a04f04 status: local 0/10 remote 254/255
@400000004d8c715a07a0628c starting delivery 35386: msg 854058 to remote imt.rajeev-***@public.gmane.org
@400000004d8c715a07a07614 status: local 0/10 remote 255/255
@400000004d8c715b051a53ec delivery 35377: success: 74.125.39.27_accepted_message./Remote_host_said:_250_2.0.0_OK_1301049799_y3si850346fak.158/
@400000004d8c715b051a6b5c status: local 0/10 remote 254/255
@400000004d8c715b051a7ee4 starting delivery 35387: msg 854058 to remote imsurana-/***@public.gmane.org
@400000004d8c715b051a8e84 status: local 0/10 remote 255/255
@400000004d8c715b0ebae984 delivery 35225: success: 166.77.11.48_accepted_message./Remote_host_said:_250_ok:__Message_216732716_accepted/
@400000004d8c715b0ebb04dc status: local 0/10 remote 254/255
@400000004d8c715b0ebb147c starting delivery 35388: msg 854058 to remote imamashraf1-QOiod4cnrWAN+***@public.gmane.org
--
With best regards,
Shaumarov Boburhon

ISP <<UzNet>>
Contacts :
icq# : 192-467-164
mailto: mighty_bob-***@public.gmane.org
Jigar Raval
2011-03-25 11:14:37 UTC
Hello,

What is your entry in tcp.smtp? I hope it is like below:

:allow
:deny

Also, check your rcpthosts file. If you have allowed web-based email access, kindly stop it temporarily and check.

With Regards
Jigar
Torsten Kersandt
2011-03-25 11:14:50 UTC
Please do a
tail -f /var/service/qmail-smtpd/log/main/current
and look for repeating IP addresses in the "received from" lines.

Make sure you have no other IP addresses in the tcp.cdb than
127.0.0.1:allow,RELAYCLIENT=""

Once you have established where it is coming from, add it to the tcp server file as
in "1.1.1.1:deny",
stop qmail-send (or you get blacklisted very soon) until it is resolved,
and clear the queue.

There are lots of possibilities for where the stuff comes from.
It may even be a mail script in one of your websites, so the address would be
localhost, 127.0.0.1



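The two checks Torsten describes (and Jigar's question about tcp.smtp), as an added shell example that is not part of the thread: one function tallies connecting client IPs from a qmail-smtpd log so repeat offenders stand out, the other lists the active tcp.smtp rules that grant RELAYCLIENT to anything except the 127. loopback prefix. It assumes tcpserver was started with -v, so each accepted connection is logged as "tcpserver: pid N from IP" (with or without a tai64n prefix); the log lines, addresses and tcp.smtp contents are constructed sample data, not from the poster's server.

```shell
#!/bin/sh
# Added example, not code from the thread. Two triage helpers:
# (1) which client IPs keep reconnecting to qmail-smtpd,
# (2) which tcp.smtp rules hand out RELAYCLIENT to something other than
#     loopback. Assumes tcpserver runs with -v, so each accepted connection
#     is logged as "tcpserver: pid <n> from <ip>" (optionally tai64n-prefixed).

# Count connections per client IP, busiest first. Log on stdin.
top_smtp_clients() {
    awk '/tcpserver: pid [0-9]+ from / { n[$NF]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print active (uncommented) tcp.smtp rules that set RELAYCLIENT for any
# prefix other than 127. (the loopback network). A bare
# ':allow,RELAYCLIENT=""' line (empty prefix) is an open relay and is
# flagged too. File on stdin; "|| true" keeps an empty result from being
# an error.
relay_rules_outside_loopback() {
    grep -v '^[[:space:]]*#' | grep 'RELAYCLIENT' | grep -v '^127\.' || true
}

# Constructed sample data (documentation addresses, not real clients).
SAMPLE_SMTPD_LOG='@400000004d8c7156 tcpserver: status: 1/20
@400000004d8c7156 tcpserver: pid 8601 from 203.0.113.7
@400000004d8c7157 tcpserver: ok 8601 mail.example.test:192.0.2.1:25 :203.0.113.7::4321
@400000004d8c7158 tcpserver: pid 8602 from 198.51.100.9
@400000004d8c7159 tcpserver: pid 8603 from 203.0.113.7
@400000004d8c7160 tcpserver: end 8601 status 0
@400000004d8c7161 tcpserver: pid 8604 from 203.0.113.7'

# Constructed tcp.smtp: the commented 192.0.2. line is ignored, the 10.
# line is a relay grant to a whole private network and gets flagged.
SAMPLE_TCP_SMTP='127.:allow,RELAYCLIENT=""
# 192.0.2.:allow,RELAYCLIENT=""
10.:allow,RELAYCLIENT=""
:allow'

# Wrappers over the samples so the results can be checked.
busiest_sample_client() {
    printf '%s\n' "$SAMPLE_SMTPD_LOG" | top_smtp_clients | head -n 1
}
sample_relay_holes() {
    printf '%s\n' "$SAMPLE_TCP_SMTP" | relay_rules_outside_loopback
}

echo "busiest client: $(busiest_sample_client)"
echo "relay rules outside loopback:"
sample_relay_holes
```

Against a live server the same functions take the real inputs, e.g. `top_smtp_clients < /var/service/qmail-smtpd/log/main/current` and `relay_rules_outside_loopback < /etc/tcp.smtp` (path assumed; use wherever your tcp.smtp lives). Any rule the second one prints should be a host you can name; an empty-prefix rule means anyone can relay. Remember that a rule only takes effect after the cdb is rebuilt with tcprules.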
Shaumarov Boburhon
2011-03-25 13:17:59 UTC
Now my tcp.smtp file looks like this:

127.:allow,RELAYCLIENT=""
:allow

All other IP addresses are commented out to check; I also cleared the qmail queue,
and in the rcpthosts file only my necessary domains are left.

After this, running

tail -f /var/service/qmail-smtpd/log/main/current, it looks almost
normal: incoming IP addresses are not repeating so fast, they come
2 or 3 times as usual, because I am also running greylisting, which is
why there is some delay.

After deleting the qmail queue, tail -f
/var/service/qmail-send/log/main/current shows this; as I understand it,
it's going to send the deleted queue mails?

@400000004d8c923d2868bbf4 warning: trouble opening remote/74/5996694; will try again later
@400000004d8c923d2868d74c warning: trouble opening remote/168/5996577; will try again later
@400000004d8c923d28690a14 warning: trouble opening remote/125/854464; will try again later
@400000004d8c923d286944ac warning: trouble opening remote/62/854612; will try again later
@400000004d8c923d28697f44 warning: trouble opening remote/9/5996629; will try again later
@400000004d8c923d2869bdc4 warning: trouble opening remote/196/854324; will try again later
@400000004d8c923d2869f85c warning: trouble opening remote/96/854435; will try again later
@400000004d8c923d286a4294 warning: trouble opening remote/39/854800; will try again later
@400000004d8c923d286a8ccc warning: trouble opening remote/181/854309; will try again later
@400000004d8c923d286adaec warning: trouble opening remote/153/5996773; will try again later
@400000004d8c923d286b119c warning: trouble opening remote/174/854513; will try again later
@400000004d8c923d286b678c warning: trouble opening remote/62/854190; will try again later
@400000004d8c923d286bb1c4 warning: trouble opening remote/5/854555; will try again later
@400000004d8c923d286bec5c warning: trouble opening remote/70/854831; will try again later
@400000004d8c923d286c3694 warning: trouble opening remote/192/854109; will try again later
@400000004d8c923d286c6d44 warning: trouble opening remote/177/5996797; will try again later
@400000004d8c923d286cbb64 warning: trouble opening remote/10/854138; will try again later
Gustavo Castro
2011-03-25 14:20:26 UTC
Shaumarov:

You may have something vulnerable on your web service that allows a
remote attacker to send spam through your server. You might search for
a PHP script or a vulnerable service (SquirrelMail perhaps?) that can
be used to send spam. Stop your web service, stop your email service
(qmail-smtpd and qmail-send at least) and AFTER you make sure those
services are down, run this in a bash shell:

# delete every queued message from the compromised sender (qmail-send must be stopped first)
for THEMESS in $( /var/qmail/bin/qmail-qread | grep "david2000-QOiod4cnrWAN+***@public.gmane.org" | awk '{print $6}' | sed 's/#//' ) ; do
    qmHandle -d$THEMESS ; done

That will clean your queue without risking your legitimate messages. Then run

qfixq live

(You can download it from this page:
http://qmail.jms1.net/scripts/qfixq.shtml ). That will fix any
inconsistency in the queue.

And then start your qmail-smtp and qmail-send services again (ONLY
if you need them running). Then check if you have something
compromised. Download chkrootkit and run it:

# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar xzf chkrootkit.tar.gz
# cd chkrootkit-0.49
# make sense
# ./chkrootkit

Read carefully and fix anything you find. You can use rkhunter if you want.
If you can capture traffic, you can check where the attacker is
coming from. You can find it in the logs too, but you will have to
read more files and waste more time, allowing the attacker to react to
your actions.
There are more things I would do in your situation, but I'm not in
front of your server...
Just my 2 cents... hope it helps.

Cheers,
Gustavo
--
Saludos,
     Gustavo Castro Puig.
     E-Mail: gcastrop-***@public.gmane.org

LPI Level-1 Certified (https://www.lpi.org/es/verify.html
LPID:LPI000042304 Verification Code: hp6re8w5qg )
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
D++ G++ e++ h--- r y+++
------END GEEK CODE BLOCK------
Registered Linux User #69342
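A dry-run counterpart to Gustavo's cleanup loop, added here as an example and not code from the thread: it parses qmail-qread output and prints only the queue ids of messages from a given envelope sender, so the list can be reviewed before anything is deleted. Unlike a bare grep over the whole line, it matches the sender field of header lines only, so a recipient line containing the same address cannot match. The qmail-qread output below is constructed, with made-up example.test addresses standing in for the ones in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run version of the
# queue-cleanup loop: list the queue ids (without the leading "#") of every
# message whose envelope sender matches, so they can be reviewed before being
# handed to qmHandle -d. Input is qmail-qread output on stdin; header lines
# look like
#   25 Mar 2011 10:45:00 GMT  #854058  2214  <sender@example.test>
# (optionally followed by " bouncing"), each followed by one indented
# "remote <rcpt>" or "local <rcpt>" line per recipient.
queue_ids_for_sender() {
    awk -v want="<$1>" '
        # header lines start with the day number; recipient lines start
        # with "remote"/"local", so they never pass the first test
        $1 ~ /^[0-9]+$/ && $8 == want { sub(/^#/, "", $6); print $6 }'
}

# How many queued messages a sender has (same input on stdin).
queue_count_for_sender() {
    queue_ids_for_sender "$1" | wc -l | tr -d ' '
}

# Constructed qmail-qread output (real output separates the recipient
# columns with tabs; awk splits on any whitespace, so spaces work here too).
SAMPLE_QREAD='25 Mar 2011 10:45:00 GMT  #854058  2214  <david2000@example.test>
    remote  dela215@example.org
    remote  deevusa@example.net
25 Mar 2011 10:46:12 GMT  #854059  1024  <alice@example.test>
    remote  david2000@example.test
25 Mar 2011 10:47:30 GMT  #854060  2214  <david2000@example.test> bouncing
    remote  deepconnect@example.net'

# Ids of the sample messages sent from the compromised account.
sample_spam_ids() {
    printf '%s\n' "$SAMPLE_QREAD" | queue_ids_for_sender david2000@example.test
}

echo "queue ids to review:"
sample_spam_ids
```

On a real system replace the sample with `/var/qmail/bin/qmail-qread | queue_ids_for_sender <address>`; once the list looks right, and only with qmail-send stopped as Gustavo says, the same ids can be fed to `qmHandle -d` one by one. Note that alice's message above is addressed to the compromised account, not sent from it, so it stays in the queue.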