yet another spam problem

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
Datcrack
Forum User
Posts: 5
Joined: Sat Jun 03, 2006 2:56 pm

Post by Datcrack »

I have spam originating from my server and I'm unable to stop it, unfortunately. I've checked and logged the web and scripts, and it's not any kind of script.

SMTP is used for the spam. I'm unable to find the user of the authenticated mail account, if it exists. Or maybe qmail is hacked???

Qmail-scanner, clamav and greylisting are installed on the server.

How can I trace the source???

Plesk is 8.0.1.

Here is a log:

Received: (qmail 3849 invoked by uid 10172); 27 Jan 2008 14:49:19 +0200
Received: from 59.35.2.67 by myserver.com (envelope-from <mprt@myserver.com>, uid 2020) with qmail-scanner-2.01st
(clamdscan: 0.88.3/5565. perlscan: 2.01st.
Clear:RC:0(59.35.2.67):.
Processed in 0.065468 secs); 27 Jan 2008 12:49:19 -0000
Received: from 67.2.35.59.broad.st.gd.dynamic.163data.com.cn (HELO yjrq) (59.35.2.67)
by myserver.com with SMTP; 27 Jan 2008 14:49:18 +0200
Message-ID: <001344848114$43158547$32368861@yjrq>
From: =?big5?B?uvS49KbmvlCkQKfiuG4=?= <mprt@myserver.com>
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Post by scott »

Who is uid 10172?

Use this:
grep 10172 /etc/passwd
Datcrack
Forum User
Posts: 5
Joined: Sat Jun 03, 2006 2:56 pm

Post by Datcrack »

[root@moon ~]# grep 10172 /etc/passwd
qscand:x:10172:111:Qmail-Scanner Account:/var/spool/qscan:/bin/false
[root@moon ~]#

I have updated my Plesk from 8.0.1 to 8.3 and the spam just stopped. Greylisting was also uninstalled due to this upgrade.

The problem is I still cannot figure out if this was a hijacked SMTP account or some other bug on the system.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Post by scott »

That's coming through either SMTP_AUTH or, if you have poplocking enabled, a whitelisted IP. Grep for smtp_auth and that IP/hostname in your maillogs.
Datcrack
Forum User
Posts: 5
Joined: Sat Jun 03, 2006 2:56 pm

Post by Datcrack »

Thank you very much, Scott. I've located them through the auth log and have disabled these accounts immediately. Right now they're still trying other accounts the hard way..

Jan 29 01:14:42 moon smtp_auth: SMTP connect from unknown@34.7.35.59.broad.st.gd.dynamic.163data.com.cn [59.35.7.34]
Jan 29 01:14:42 moon smtp_auth: smtp_auth: FAILED: test - no such user from unknown@34.7.35.59.broad.st.gd.dynamic.163data.com.cn [59.35.7.34]

Thanks for the help...
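Scott's advice above is to grep the maillog for smtp_auth and the offending IP; the lines Datcrack pasted show what the FAILED entries look like. The script below is an added example (not code from the thread, Plesk, or Atomicorp) that turns that grep into a small triage pass: it counts failed SMTP AUTH attempts per client IP, lists which usernames were guessed from a given IP, and extracts successful logins so they can be cross-checked against the IPs that also appear in the failure list. The FAILED line format is taken from the thread; the format of the successful-login line, the default log path, and all sample addresses and accounts are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Plesk/qmail itself.
# Assumed Plesk maillog location; override with MAILLOG=/path.
MAILLOG="${MAILLOG:-/usr/local/psa/var/log/maillog}"

# Write a constructed sample log so the functions can be tried offline.
# The FAILED lines mirror the thread; the "logged in" line format is an assumption.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 29 01:14:42 moon smtp_auth: SMTP connect from unknown@34.7.35.59.broad.st.gd.dynamic.163data.com.cn [59.35.7.34]
Jan 29 01:14:42 moon smtp_auth: smtp_auth: FAILED: test - no such user from unknown@34.7.35.59.broad.st.gd.dynamic.163data.com.cn [59.35.7.34]
Jan 29 01:14:43 moon smtp_auth: smtp_auth: FAILED: admin - password incorrect from unknown@34.7.35.59.broad.st.gd.dynamic.163data.com.cn [59.35.7.34]
Jan 29 01:14:45 moon smtp_auth: smtp_auth: FAILED: info - no such user from unknown@34.7.35.59.broad.st.gd.dynamic.163data.com.cn [59.35.7.34]
Jan 29 01:15:01 moon smtp_auth: SMTP user mprt@myserver.com : logged in from unknown@67.2.35.59.broad.st.gd.dynamic.163data.com.cn [59.35.2.67]
Jan 29 01:20:10 moon smtp_auth: smtp_auth: FAILED: test - no such user from unknown@198.51.100.7 [198.51.100.7]
Jan 29 08:00:00 moon smtp_auth: SMTP user alice@myserver.com : logged in from unknown@203.0.113.9 [203.0.113.9]
EOF
}

# Failed SMTP AUTH attempts per client IP, most active first: "<count> <ip>".
failed_auth_by_ip() {
    grep 'smtp_auth: FAILED' "$1" \
      | sed -n 's/.*\[\([0-9.]*\)\]$/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Usernames tried from one IP (arg 2), space-separated and sorted: shows
# whether the client is walking a list of common "joe" account names.
usernames_tried_from() {
    grep 'smtp_auth: FAILED' "$1" | grep -F "[$2]" \
      | sed -n 's/.*FAILED: \([^ ]*\) - .*/\1/p' \
      | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Successful logins as "<user> <ip>". Any user whose login IP also shows up in
# failed_auth_by_ip is the first account to review (and reset).
successful_auth() {
    grep 'logged in from' "$1" \
      | sed -n 's/.*SMTP user \([^ ]*\) : logged in from [^[]*\[\([0-9.]*\)\]$/\1 \2/p'
}

# Run with --demo to exercise the functions on the constructed sample;
# without it, point the functions at "$MAILLOG" on a real host.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "== failed AUTH by IP =="; failed_auth_by_ip "$tmp"
    echo "== usernames tried from 59.35.7.34 =="; usernames_tried_from "$tmp" 59.35.7.34
    echo "== successful logins =="; successful_auth "$tmp"
    rm -f "$tmp"
fi
```

On the sample, 59.35.7.34 tops the failure list with three guesses (admin, info, test), and mprt@myserver.com has a successful login from a host in the same dynamic range, which matches the envelope-from in the first post's headers and is the kind of pairing that points at a compromised password rather than a script on the box.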
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Post by scott »

I'll bet the password on that account was "test" too. I was thinking I should add in a check for joe accounts like that in ASL.