Spam through our server

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
octet
Forum User
Posts: 64
Joined: Fri Dec 14, 2007 11:35 am

Spam through our server

Post by octet »

Hi,

We recently started to get tons of spam through our server:

[screenshot]


I have changed all email passwords for the domain flamingoblinds.co.uk and ban the IP address trying to connect to IMAP but it looks like it's still able to do it.

What am I doing wrong please?

Code:

[root@zeus ~]# grep 10073 /etc/passwd
qscand:x:10073:156:Qmail-Scanner Account:/var/spool/qscan:/bin/false
[root@zeus ~]# 

[screenshots]

mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Spam through our server

Post by mikeshinn »

If I understand you correctly, the qscand user isn't the one logging in; that's the user the mail server's antivirus system uses. So if you didn't change the passwords for the mail user, then they may still be logging in as that user.

As for blacklisting the IP, that's done via the kernel's firewalling system. What are your firewall rules:

iptables -L -n
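A rule-order check, added here as an example and not part of this thread or of Atomicorp's tools; the `iptables -L -n` listing inside it is constructed, not octet's real rules. The reason a ban can "not work" is that iptables takes the first terminal rule that matches: a `DROP` for the banned address that was appended with `-A INPUT` below an existing `ACCEPT` for `tcp dpt:143` never sees the IMAP connection, and has to go above it (`iptables -I INPUT 1 -s <ip> -j DROP`). The walker below models that ordering for a fresh inbound connection. It only understands the columns a plain `-L -n` listing shows (source, protocol, `dpt:` and `state`), so rules using other match modules are outside what it checks.

```python
import ipaddress
import re

# Constructed `iptables -L -n` listing for this example (not the poster's rules):
# the ban on 198.51.100.7 was appended below an ACCEPT for tcp/143, so IMAP
# logins from that address are still accepted.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
DROP       all  --  203.0.113.0/24       0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_chains(listing):
    """Parse `iptables -L -n` output into {chain: (policy, [rules in order])}.
    Only the columns a plain -L -n listing shows are read: target, protocol,
    source, destination and the trailing match text (dpt:, state ...)."""
    chains = {}
    current = None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])   # policy is None for user chains
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        parts = line.split(None, 5)
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        dpt = re.search(r"dpt:(\d+)", extra)
        chains[current][1].append({
            "target": target,
            "prot": prot,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "dport": int(dpt.group(1)) if dpt else None,
            "extra": extra,
        })
    return chains


def verdict(chains, chain, src_ip, prot="tcp", dport=None):
    """Walk `chain` top to bottom for a NEW inbound connection from src_ip and
    return (verdict, index of the rule that decided it); the index is None when
    the chain policy decided. 'state RELATED,ESTABLISHED' rules are skipped
    because a fresh SYN is NEW, not ESTABLISHED."""
    policy, rules = chains[chain]
    ip = ipaddress.ip_address(src_ip)
    for i, r in enumerate(rules):
        if ip not in r["src"]:
            continue
        if r["prot"] not in ("all", prot):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if "ESTABLISHED" in r["extra"] and "NEW" not in r["extra"]:
            continue
        if r["target"] in TERMINAL:
            return r["target"], i
    return policy, None


def shadowed_drops(chains, chain, prot="tcp", dport=None):
    """Indices of DROP/REJECT rules that never fire for prot/dport because an
    earlier rule already accepts the same source: the 'I banned the IP but it
    still logs in' symptom."""
    _, rules = chains[chain]
    hits = []
    for i, r in enumerate(rules):
        if r["target"] not in ("DROP", "REJECT"):
            continue
        probe = str(r["src"].network_address)
        v, idx = verdict(chains, chain, probe, prot, dport)
        if v == "ACCEPT" and idx is not None and idx < i:
            hits.append(i)
    return hits


if __name__ == "__main__":
    chains = parse_chains(SAMPLE_IPTABLES)
    print(verdict(chains, "INPUT", "198.51.100.7", "tcp", 143))  # ('ACCEPT', 1)
    print(shadowed_drops(chains, "INPUT", "tcp", 143))           # [3, 4]
```

Feed it the real output of `iptables -L -n` and the port the attacker is using (143 for IMAP, 25 or 587 for SMTP AUTH); any index that `shadowed_drops` reports is a ban that has to be moved above the accept rule that shadows it.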
octet
Forum User
Posts: 64
Joined: Fri Dec 14, 2007 11:35 am

Re: Spam through our server

Post by octet »

Hi Michael,

Thanks for your reply.

According to the dumps in qmhandle he is logging in using info@flamingoblinds.co.uk?!?! There is no such mail user; it's just an alias to a different user, and I have changed all the passwords for that domain.

iptables rules here (long list, .cn, .br and .mx blocked):

http://seology.com/iptables.txt

More maillog concerning info@flamingoblinds.co.uk here:

http://seology.com/spamfb.txt
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Spam through our server

Post by faris »

I'm not seeing what I expect to see from your /usr/psa/var/log/maillog.

Assuming this user is sending via smtp, there should be a "connect" entry and/or a "login" entry before any "from" entries. I'm not seeing either in your log extract.

Authenticated smtp logs can also be found in /var/log/secure depending on your config.

Is romani-online your server? If not, then the header might be faked. The whole thing may be generated by a php or perl script. I'm also baffled as to why the bad guy is using a real domain on your server as the "from" address. I've not seen this done before (though I'm not saying it doesn't happen -- just saying I've not seen it done personally). Normally they use any old address.
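The "connect/login before from" test that faris describes, written out as a correlation pass over maillog lines. This is an added example, not code from faris, octet or Atomicorp, and the log excerpt in it is constructed: the `qmail:` lines follow qmail-send's real `info msg N: bytes B from <addr> qp P uid U` record, but the `smtp_auth:` lines are an assumed shape for Plesk's SMTP AUTH logging, and the hostnames and addresses are examples. Two things it makes visible that grepping for the address does not. First, the uid on the qmail `info msg` line is the uid of the process that called qmail-queue, and with qmail-scanner in the path that is qscand for every message, so that number identifies the scanner, not whoever sent the mail. Second, a message with no SMTP AUTH login shortly before it was injected by something other than an SMTP client (a local PHP or Perl script, cron, webmail), which is the case faris raises. Because qmail's record carries no connection id, the attribution is by time window and is a heuristic, not proof; a mismatch between the login user and the envelope sender is what an alias like info@ sent by a different mailbox's login looks like.

```python
import re
from datetime import datetime

# Constructed /usr/psa/var/log/maillog excerpt for this example (not the
# poster's log). qmail lines use qmail-send's real "info msg" record; the
# smtp_auth lines are an assumed format; all names and addresses are examples.
SAMPLE_MAILLOG = """\
Jan 14 03:12:01 zeus smtp_auth: SMTP connect from unknown@unknown [198.51.100.7]
Jan 14 03:12:02 zeus smtp_auth: SMTP user sales@example.com : /var/qmail/mailnames/example.com/sales : 198.51.100.7
Jan 14 03:12:03 zeus qmail: 1200280323.112233 info msg 4711: bytes 2048 from <info@example.com> qp 20101 uid 10073
Jan 14 03:12:03 zeus qmail: 1200280323.120000 starting delivery 1: msg 4711 to remote victim@example.net
Jan 14 03:15:10 zeus qmail: 1200280510.000100 info msg 4712: bytes 3000 from <info@example.com> qp 20140 uid 10073
Jan 14 03:15:11 zeus qmail: 1200280511.000000 starting delivery 2: msg 4712 to remote other@example.org
Jan 14 03:20:00 zeus qmail: 1200280800.000000 info msg 4713: bytes 512 from <cron@zeus.example.com> qp 20200 uid 0
"""

# Assumed Plesk smtp_auth login record: "SMTP user <login> : <maildir> : <ip>"
LOGIN_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smtp_auth: SMTP user (\S+) : \S+ : (\S+)$")
# qmail-send's injection record; uid is the caller of qmail-queue (qscand
# when qmail-scanner is installed), not the authenticated sender.
MSG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ qmail: \S+ info msg (\d+): "
    r"bytes \d+ from <([^>]*)> qp \d+ uid (\d+)$")


def _ts(stamp):
    # syslog stamps carry no year: fine for deltas within one log, wrong across New Year
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def correlate(lines, window=60):
    """Attribute each injected message to the most recent SMTP AUTH login
    within `window` seconds before it. Returns one dict per message."""
    logins = []   # (time, login user, client ip), in log order
    records = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            logins.append((_ts(m.group(1)), m.group(2), m.group(3)))
            continue
        m = MSG_RE.match(line)
        if not m:
            continue
        t = _ts(m.group(1))
        rec = {"msg": int(m.group(2)), "from": m.group(3), "uid": int(m.group(4)),
               "auth_user": None, "ip": None}
        recent = [l for l in logins if 0 <= (t - l[0]).total_seconds() <= window]
        if recent:
            _, user, ip = recent[-1]
            rec.update(auth_user=user, ip=ip)
        records.append(rec)
    return records


def unattributed(records):
    """Messages with no SMTP AUTH login shortly before them: injected locally
    (script, cron, webmail) or logged by a service that is not in this file."""
    return [r["msg"] for r in records if r["auth_user"] is None]


def alias_mismatches(records):
    """Messages whose envelope sender differs from the login that sent them,
    e.g. an alias such as info@ used by the login for a different mailbox."""
    return [(r["msg"], r["auth_user"], r["from"]) for r in records
            if r["auth_user"] and r["auth_user"].lower() != r["from"].lower()]


if __name__ == "__main__":
    recs = correlate(SAMPLE_MAILLOG.splitlines())
    for r in recs:
        print(r)
    print("no auth login before:", unattributed(recs))        # [4712, 4713]
    print("login/sender mismatch:", alias_mismatches(recs))   # [(4711, 'sales@example.com', 'info@example.com')]
```

Run it as `correlate(open("/usr/psa/var/log/maillog").readlines())` after adjusting `LOGIN_RE` to whatever your SMTP AUTH logging actually writes (`/var/log/secure` on some setups, as faris notes). Messages that come back from `unattributed` are the ones to chase through the web server's process list and logs rather than through mailbox passwords.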