Web Hosting Talk

qmail filtering


Chuggles
02-06-2003, 01:10 PM
How do I configure qmail to stop email from being sent out from specific email address?

Seems I have a spammer. I deleted all formmail scripts and it's still going. It's a shared IP so I can't trace it.

Is there a way to block all email being sent from specific emails addresses?

Thanks

Acronym BOY
02-06-2003, 01:53 PM
Delete the account. He broke your rules, your TOS, your AUP, which he agreed to upon signing up. Get rid of him now, he's a liability and no matter how much he pays you a month, its not enough.

Chuggles
02-06-2003, 02:05 PM
I would if I knew who he was. :)

Because it is being sent via a default IP I can't trace it. It's been sent anonymously through the mail server.

I thought it was an insecure formmail script but it's not. That's why I want to block all emails sent anonymously - I just don't know how to do that.

I apologize if it seemed like my post said I knew who was doing it - because I have no clue...I wish I did.

Acronym BOY
02-06-2003, 02:33 PM
Oh, I'm sorry, I thought that you meant you knew the address being used, you just didn't know the IP of the person who is doing the spamming.

If you do know the IP of the person who is spamming, add it to iptables and drop them. Also check to see if its an IP of a customer of yours so you can cancel their account.

It may be possible you are an open relay, if so, require some authentication. POP-before-SMTP or the like.

Mind posting a bit from your mail logs? It might help clarify things a bit. Here's an example from my mail log:

Feb 6 07:43:02 <<myhostname>> qmail: 1044535382.135770 new msg 112549
Feb 6 07:43:02 <<myhostname>> qmail: 1044535382.135844 info msg 112549: bytes 6384 from <mortgages2frqk@easy.com> qp 666 uid 101
Feb 6 07:43:02 <<myhostname>> qmail: 1044535382.136649 starting delivery 294: msg 112549 to local <<myemailaddy@domain.com>>
Feb 6 07:43:02 <<myhostname>> qmail: 1044535382.136669 status: local 1/10 remote 0/20
Feb 6 07:43:02 <<myhostname>> qmail: 1044535382.140994 delivery 294: success: did_0+0+1/
Feb 6 07:43:02 <<myhostname>> qmail: 1044535382.141049 status: local 0/10 remote 0/20
Feb 6 07:43:02 <<myhostname>> qmail: 1044535382.141063 end msg 112549

I censored out my host name. In short, my mail server received a piece of mail (in this case spam from easy.com), determined it to be destined for a local address, and delivered it.

Now for sending mail it would look something like:

Feb 5 18:28:05 <<myhostname>> imapd: Connection, ip=[::ffff:my.ip.add.res]
Feb 5 18:28:05 <<myhostname>> imapd: LOGIN, user=me@domain.com, ip=[::ffff:my.ip.add.res]
Feb 5 18:28:26 <<myhostname>> qmail: 1044487706.371289 new msg 112548
Feb 5 18:28:26 <<myhostname>> qmail: 1044487706.371371 info msg 112548: bytes 2894 from <me@domain.com> qp 32345 uid 101
Feb 5 18:28:26 <<myhostname>> qmail: 1044487706.372227 starting delivery 282: msg 112548 to remote myfriend@hotmail.com
Feb 5 18:28:26 <<myhostname>> qmail: 1044487706.372256 status: local 0/10 remote 1/20
Feb 5 18:28:27 <<myhostname>> qmail: 1044487707.183993 delivery 282: success: 65.54.166.230_accepted_message./Remote_host_said:_250__<20030205181548.992C.me@domain.com>_Queued_mail_for_delivery/
Feb 5 18:28:27 <<myhostname>> qmail: 1044487707.184043 status: local 0/10 remote 0/20
Feb 5 18:28:27 <<myhostname>> qmail: 1044487707.184055 end msg 112548

Basically, I opened up my mail client (Becky) and that made the IMAP connection. A few seconds later, I sent an email to my friend. I too run multiple domains off of this one IP address. What the logs will show you is where the spammer is coming from (imapd: Connection, ip=[::ffff:my.ip.add.res] will be his IP address in there).

fernandodl
02-06-2003, 02:45 PM
Nice example.

Chuggles
02-06-2003, 02:52 PM
Feb 6 13:30:01 hostname qmail: 1044556201.166086 new msg 160454
Feb 6 13:30:01 hostname qmail: 1044556201.166193 info msg 160454: bytes 458 from <anonymous@mailserver.com> qp 23628 uid 0
Feb 6 13:30:01 hostname qmail: 1044556201.262797 starting delivery 6300: msg 160454 to local root@mailserver.com
Feb 6 13:30:01 hostname qmail: 1044556201.262912 status: local 1/80 remote 1/100
Feb 6 13:30:01 hostname qmail: 1044556201.263174 new msg 160461
Feb 6 13:30:01 hostname qmail: 1044556201.263226 info msg 160461: bytes 1229 from <anonymous@mailserver.com> qp 23634 uid 561
Feb 6 13:30:01 hostname qmail: 1044556201.371547 starting delivery 6301: msg 160461 to local client@mailserver.com
Feb 6 13:30:01 hostname qmail: 1044556201.371656 status: local 2/80 remote 1/100
Feb 6 13:30:01 hostname qmail: 1044556201.371681 delivery 6300: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Feb 6 13:30:01 hostname qmail: 1044556201.372009 status: local 1/80 remote 1/100
Feb 6 13:30:01 hostname qmail: 1044556201.631109 bounce msg 160454 qp 23662
Feb 6 13:30:01 hostname qmail: 1044556201.631224 end msg 160454
Feb 6 13:30:01 hostname qmail: 1044556201.631251 delivery 6301: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Feb 6 13:30:01 hostname qmail: 1044556201.631273 status: local 0/80 remote 1/100
Feb 6 13:30:01 hostname qmail: 1044556201.678016 bounce msg 160461 qp 23664
Feb 6 13:30:01 hostname qmail: 1044556201.678128 end msg 160461
Feb 6 13:30:01 hostname qmail: 1044556201.678149 new msg 160506
Feb 6 13:30:01 hostname qmail: 1044556201.678172 info msg 160506: bytes 1036 from <> qp 23662 uid 108
Feb 6 13:30:01 hostname qmail: 1044556201.680030 starting delivery 6302: msg 160506 to local anonymous@mailserver.com
Feb 6 13:30:01 hostname qmail: 1044556201.680096 status: local 1/80 remote 1/100
Feb 6 13:30:01 hostname qmail: 1044556201.680674 new msg 160454
Feb 6 13:30:01 hostname qmail: 1044556201.681595 info msg 160454: bytes 1811 from <> qp 23664 uid 108
Feb 6 13:30:01 hostname qmail: 1044556201.682041 starting delivery 6303: msg 160454 to local anonymous@mailserver.com
Feb 6 13:30:01 hostname qmail: 1044556201.682608 status: local 2/80 remote 1/100
Feb 6 13:30:01 hostname qmail: 1044556201.695332 delivery 6302: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/


Feb 6 13:32:34 hostname imapd: Connection, ip=[::ffff:00.00.00.00]
Feb 6 13:32:34 hostname imapd: LOGIN, user=client@host.com, ip=[::ffff:00.00.00.00]
Feb 6 13:32:34 hostname imapd: LOGOUT, user=client@host.com, ip=[::ffff:00.00.00.00]
Feb 6 13:32:35 hostname imapd: Connection, ip=[::ffff:00.00.00.00]
Feb 6 13:32:35 hostname imapd: LOGIN, user=client@host.com, ip=[::ffff:00.00.00.00]
Feb 6 13:32:35 hostname imapd: LOGOUT, user=client@host.com, ip=[::ffff:00.00.00.00]
Feb 6 13:32:43 hostname qmail: 1044556363.819694 starting delivery 6361: msg 160400 to local pclient@host.com

How is this?

It's being sent as anonymous@mailserver.com. I thought deleting formmail would do it, but I guess not. :(

Thank you for your help, I appreciate it.

Acronym BOY
02-06-2003, 05:31 PM
That could be a webmail program. I know whenever I use SquirrelMail, it fills my logs with a series of connections.

Why? Each time you load a page, it makes a connection to your mail server, gets the info/mail, and closes the connection, then displays the page. Then whenever you click a link and go to a new page in SquirrelMail, it connects again, gets the info, and closes the connection, displaying the info.

So it could be formmail, or any other program locally. The reason I say local is because of the 00.00.00.00 in your logs. My logs look slightly different though when I use my webmail.

Feb 6 13:22:14 <<myhostname>> imapd: Connection, ip=[::ffff:127.0.0.1]
Feb 6 13:22:14 <<myhostname>> imapd: LOGIN, user=me@domain.com, ip=[::ffff:127.0.0.1]
Feb 6 13:22:14 <<myhostname>> imapd: LOGOUT, user=me@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0
Feb 6 13:22:15 <<myhostname>> imapd: Connection, ip=[::ffff:127.0.0.1]
Feb 6 13:22:15 <<myhostname>> imapd: LOGIN, user=me@domain.com, ip=[::ffff:127.0.0.1]
Feb 6 13:22:15 <<myhostname>> imapd: LOGOUT, user=me@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0
Feb 6 13:22:15 <<myhostname>> imapd: Connection, ip=[::ffff:127.0.0.1]
Feb 6 13:22:15 <<myhostname>> imapd: LOGIN, user=me@domain.com, ip=[::ffff:127.0.0.1]
Feb 6 13:22:16 <<myhostname>> imapd: LOGOUT, user=me@domain.com, ip=[::ffff:127.0.0.1], headers=67334, body=0
Feb 6 13:22:24 <<myhostname>> imapd: Connection, ip=[::ffff:127.0.0.1]
Feb 6 13:22:24 <<myhostname>> imapd: LOGIN, user=me@domain.com, ip=[::ffff:127.0.0.1]
Feb 6 13:22:24 <<myhostname>> imapd: LOGOUT, user=me@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0
Feb 6 13:22:25 <<myhostname>> imapd: Connection, ip=[::ffff:127.0.0.1]
Feb 6 13:22:25 <<myhostname>> imapd: LOGIN, user=me@domain.com, ip=[::ffff:127.0.0.1]
Feb 6 13:22:26 <<myhostname>> imapd: LOGOUT, user=me@domain.com, ip=[::ffff:127.0.0.1], headers=67024, body=0

As you can see, I just checked my mail while at work and over the span of 10 seconds made half a dozen connections. The only difference is that my logs say 127.0.0.1 instead of 00.00.00.00 like yours.

So chances are he is still using something on your system, not necessarily formmail.pl, but something is still on your server that is doing the spamming.

Sorry, I can't help much more than that, maybe someone else here would be able to help.

Acronym BOY
02-06-2003, 05:42 PM
I just thought of one more thing...

Do you have an alias setup for receiving mail for root?

* root. Under qmail, root never receives mail. Your system may generate
mail messages to root every night; if you don't have an alias for root,
those messages will bounce. (They'll end up double-bouncing to the
postmaster.) Set up an alias for root in ~alias/.qmail-root. .qmail
files are similar to .forward files, but beware that they are strictly
line-oriented---see dot-qmail.0 for details.

taken from:
http://www.qmail.org/man/misc/INSTALL.alias.txt

Notice how it says it will double bounce any mail and end up at postmaster. The reason is because it will be sent from anonymous@mail.domain.com to root@mail.domain.com. That's probably cron reporting that it rotated your logs fine or updated your stats or whatever you have in there. (Or maybe an error message)

Now qmail will receive the message for root, but since you don't have an alias set up for it, it will bounce it back. So it sends it back to anonymous@mail.domain.com, not knowing that the mail is from the server and that name doesn't exist. That bounces. If you've been counting the bounces, that's two so far.

So it sends it over to the postmaster. The postmaster gets it, and it's up to him to sort it out. Now if you don't have a postmaster set up, it will bounce yet again. And qmail doesn't like triple bounces. In fact, any mail that is bounced three times in a row is discarded.

I'm going to try to find a log file of what that would look like. Or better yet, try to recreate the scenario tonight for you.

Does this post make sense to you? I have arguably the worst communication skills and it makes it hard for me to explain things to people I work with, let alone on some forum. Any questions, just ask.

Chuggles
02-06-2003, 08:10 PM
I think I get it. I found in the logs the uid of the user. I deleted his account - the email is still sending. This is driving me nuts!

This is what I am getting now:

Feb 6 17:46:54 hostname qmail: 1044571614.717064 status: local 0/80 remote 1/100
Feb 6 17:47:00 hostname qmail: 1044571620.353574 new msg 160522
Feb 6 17:47:00 hostname qmail: 1044571620.353723 info msg 160522: bytes 1227 from <anonymous@mailserver.com> qp 5033 uid 561
Feb 6 17:47:00 hostname qmail: 1044571620.355691 starting delivery 4069: msg 160522 to local deletedclient@mailserver.com
Feb 6 17:47:00 hostname qmail: 1044571620.355783 status: local 1/80 remote 1/100
Feb 6 17:47:00 hostname qmail: 1044571620.363453 delivery 4069: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Feb 6 17:47:00 hostname qmail: 1044571620.363771 status: local 0/80 remote 1/100
Feb 6 17:47:00 hostname qmail: 1044571620.366435 bounce msg 160522 qp 5036
Feb 6 17:47:00 hostname qmail: 1044571620.366473 end msg 160522
Feb 6 17:47:00 hostname qmail: 1044571620.366803 new msg 160874
Feb 6 17:47:00 hostname qmail: 1044571620.366868 info msg 160874: bytes 1808 from <> qp 5036 uid 108
Feb 6 17:47:00 hostname qmail: 1044571620.368557 starting delivery 4070: msg 160874 to local anonymous@mailserver.com
Feb 6 17:47:00 hostname qmail: 1044571620.368697 status: local 1/80 remote 1/100
Feb 6 17:47:00 hostname qmail: 1044571620.374800 delivery 4070: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Feb 6 17:47:00 hostname qmail: 1044571620.375101 status: local 0/80 remote 1/100
Feb 6 17:47:00 hostname qmail: 1044571620.478657 bounce msg 160874 qp 5039
Feb 6 17:47:00 hostname qmail: 1044571620.478752 end msg 160874

So it seems to be bouncing - but when does it end? Why is it sending email on an account which is no longer there? I mean, if email is queued, why doesn't it check to see if the account is even there?

Maybe I have it all wrong. :)

From the text you sent, by the time all the messages triple bounce it will be done? I deleted this account a couple of hours ago.

I do appreciate your help. :)

Acronym BOY
02-07-2003, 09:53 AM
I meant to post this last night, but things were sort of glitchy on the forums.

Give me some time for cron to hit. That's 4AM EST. But since I won't be awake then, I'll try to hammer out another reply at work tomorrow, that way I can better show you what a triple bounce looks like.

As for mails still sending, I don't know what to tell you, they should have stopped once the queue is empty.

As for your logs, what is creating the mail to anonymous@mailserver.com? Is mailserver.com your domain or an external one?

From what I can tell (I can't see all of your logs), something creating mail under the UID of 561 (a person most likely) is sending a message to the email address set up by your client (whom you deleted). But since that address is gone (qmail doesn't know that; all it knows is it has mail for a certain addy, so it just tries to deliver it), it bounces. UID 108 (on my system that's the UID for vpopmail) then tries to bounce it to anonymous. qmail (again not knowing or caring if the address exists or not) tries to deliver. That bounces.

I'll make another post in ~11 hours from now showing you what a triple bounce should look like. I had to delete a few users (namely my root alias and my postmaster) on my experimental box and I want to see how that turns out.

A side note... do you have anything running in cron that might be triggering this? Any programs or anything that would send emails to someone, maybe an uptime monitor, stats that update every 5 minutes, etc.? Something that would generate an email constantly?

The one thing I've noticed is that, for some reason, in each and every log portion you have posted your remote mail is always 1 out of 100. What's up with that? Is qmail consistently trying to deliver that mail? Check out your queue and see what that message is.

I really need sleep, I hope to make a post from work tomorrow showing you what a triple bounce looks like, though this may be something different.

Later today I will try to find the triple bounce.

2host.com
02-07-2003, 10:27 AM
Originally posted by Chuggles
How do I configure qmail to stop email from being sent out from specific email address?

Seems I have a spammer. I deleted all formmail scripts and it's still going. It's a shared IP so I can't trace it.

Is there a way to block all email being sent from specific emails addresses?

Thanks

You could create some wrapper, but you should set up the system to limit the number of emails, and configure it to include the UID of the user's shell, SMTP connection or CGI or PHP script if run via a module or CGI, to better track users next time.
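One way to do what this reply suggests, as an added example that is not part of the thread or of qmail: a drop-in replacement for qmail's sendmail shim that logs the injecting uid (plus the script path and client address Apache exports to CGI/PHP, which matters when every web script runs as the same uid) and refuses further injections once a uid goes over a per-window budget. REAL_SENDMAIL, STATE_DIR, LIMIT and WINDOW are assumed, hypothetical values; the real /var/qmail/bin/sendmail is assumed to have been moved to REAL_SENDMAIL.

```python
#!/usr/bin/env python3
"""Audit-and-limit wrapper for qmail's sendmail shim.

Added example, not code from the thread or from qmail. It implements the post's
suggestion: log which uid injects each message (and, for a CGI or PHP script, the
script path and client address Apache exports) and refuse injection once a uid
exceeds a per-window budget. Assumptions: the real /var/qmail/bin/sendmail has
been moved to REAL_SENDMAIL and this file installed in its place; STATE_DIR, LIMIT
and WINDOW are hypothetical values to tune.
"""
import os
import pwd
import sys
import syslog
import time

REAL_SENDMAIL = "/var/qmail/bin/sendmail.real"  # assumption: where the real shim was moved
STATE_DIR = "/var/lib/sendmail-wrapper"         # assumption: one timestamp file per uid
LIMIT, WINDOW = 200, 3600                       # messages per uid per WINDOW seconds


def build_audit_record(uid, pid, ppid, cwd, argv, env):
    """One syslog line naming the injector; pure so it can be tested offline."""
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = "?"
    # mod_php/CGI inherit these from Apache, so a form mailer is named here even
    # when every web script runs as the same uid
    script = env.get("SCRIPT_FILENAME") or env.get("SCRIPT_NAME") or "-"
    remote = env.get("REMOTE_ADDR", "-")
    return (f"inject uid={uid} user={user} pid={pid} ppid={ppid} cwd={cwd} "
            f"script={script} remote_addr={remote} argv={argv!r}")


def within_budget(timestamps, now, limit=LIMIT, window=WINDOW):
    """Sliding-window check. Returns (allowed, timestamps to persist); a refused
    injection is not recorded, so a flood cannot extend its own lockout."""
    recent = [t for t in timestamps if now - t < window]
    if len(recent) >= limit:
        return False, recent
    return True, recent + [now]


def load_timestamps(path):
    try:
        with open(path) as f:
            return [float(x) for x in f.read().split()]
    except (OSError, ValueError):
        return []


def main():
    uid = os.getuid()
    syslog.openlog("sendmail-wrapper", syslog.LOG_PID, syslog.LOG_MAIL)
    syslog.syslog(syslog.LOG_INFO, build_audit_record(
        uid, os.getpid(), os.getppid(), os.getcwd(), sys.argv[1:], os.environ))
    if uid != 0:  # root and system cron mail are audited but not limited
        os.makedirs(STATE_DIR, exist_ok=True)
        path = os.path.join(STATE_DIR, str(uid))
        allowed, keep = within_budget(load_timestamps(path), time.time())
        if not allowed:
            syslog.syslog(syslog.LOG_WARNING, f"refused uid={uid}: over {LIMIT} in {WINDOW}s")
            sys.stderr.write("sendmail: message rate limit exceeded for this account\n")
            sys.exit(75)  # EX_TEMPFAIL: callers may retry later
        with open(path, "w") as f:
            f.write(" ".join(f"{t:.0f}" for t in keep))
    os.execv(REAL_SENDMAIL, [REAL_SENDMAIL] + sys.argv[1:])


if __name__ == "__main__":
    main()
```

Two caveats before relying on it on a shared box. The per-uid counter file is written by the user's own uid, so a user can edit or delete it and reset his own budget; to make the limit enforceable, have a root-owned helper or a setgid directory own the counters rather than the user. And only mail that goes through the sendmail shim is seen: a script that calls qmail-inject or qmail-queue directly, or that speaks SMTP to localhost, bypasses the wrapper entirely, so the audit line in the mail log is a starting point for attribution, not a complete record.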

Chuggles
02-07-2003, 10:39 PM
I apologize for not posting earlier but WHT is loading extremely slow for me.

I figured it out. The anonymous emails were from a cron job still running on the account I deleted. That's why the emails were still generating. Now it has me wondering if there are other crons lying around that should not be there. That is for another day. :)

Thank you for your help! It was a learning experience.

Acronym BOY
02-08-2003, 12:54 PM
It only took me a few guesses, but I got it (usually mails from anonymous are generated by some part of the server as opposed to a user) sort of. Just for future reference here is what a triple bounce looks like in the logs:

Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.369038 new msg 112550
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.369120 info msg 112550: bytes 552 from <anonymous@mail.domain.com> qp 20587 uid 0
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.370807 starting delivery 6: msg 112550 to local root@mail.domain.com
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.370848 status: local 1/10 remote 0/20
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.372936 delivery 6: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.372989 status: local 0/10 remote 0/20
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.374501 bounce msg 112550 qp 20590
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.374542 end msg 112550
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.374826 new msg 112551
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.374847 info msg 112551: bytes 1150 from <> qp 20590 uid 106
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.375731 starting delivery 7: msg 112551 to local anonymous@mail.domain.com
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.375749 status: local 1/10 remote 0/20
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.378287 delivery 7: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.378341 status: local 0/10 remote 0/20
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.379859 bounce msg 112551 qp 20593
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.379900 end msg 112551
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.380188 new msg 112550
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.380210 info msg 112550: bytes 1650 from <#@[]> qp 20593 uid 106
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.381135 starting delivery 8: msg 112550 to local postmaster@mail.domain.com
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.381265 status: local 1/10 remote 0/20
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.383569 delivery 8: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.383893 status: local 0/10 remote 0/20
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.384027 triple bounce: discarding bounce/112550
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.384123 end msg 112550
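Two things in this thread are worth automating: the earlier post showing how the "info msg ... from <sender> qp P uid U" and "starting delivery ... to local|remote RCPT" lines name who injected a message and where it went, and the triple-bounce log just above. The following is an added example (not code from the thread or from qmail) that parses qmail-send log lines for both purposes: it counts outbound deliveries per (uid, envelope sender), which is how a local spamming account or cron job shows up, and it follows bounce chains by linking a "bounce msg N qp P" line to the "info msg M ... qp P" line for the bounce it produced. SAMPLE_LOG is the triple-bounce log above with the status lines dropped, plus constructed lines for a hypothetical uid 561; the addresses, uids and the <<myhostname>> placeholder are illustrative.

```python
"""Read qmail-send logs: attribute injected mail to a uid and follow bounce chains.

Added example, not code from the thread or from qmail. Message numbers are queue
inode numbers and get reused, so a record opens on "new msg" and closes on "end
msg"; "bounce msg N qp P" is followed by "info msg M ... qp P" for the bounce
itself, so the qp value links a message to the bounce it produced. SAMPLE_LOG is
the post's triple-bounce log (status lines dropped) plus constructed lines for a
hypothetical uid 561; addresses, uids and <<myhostname>> are illustrative.
"""
import re
from collections import Counter

PATTERNS = {
    "new": re.compile(r"qmail: \S+ new msg (?P<msg>\d+)$"),
    "info": re.compile(r"qmail: \S+ info msg (?P<msg>\d+): bytes \d+ from <(?P<sender>[^>]*)> qp (?P<qp>\d+) uid (?P<uid>\d+)"),
    "start": re.compile(r"qmail: \S+ starting delivery \d+: msg (?P<msg>\d+) to (?P<kind>local|remote) (?P<rcpt>\S+)"),
    "bounce": re.compile(r"qmail: \S+ bounce msg (?P<msg>\d+) qp (?P<qp>\d+)"),
    "triple": re.compile(r"qmail: \S+ triple bounce: discarding bounce/(?P<msg>\d+)"),
    "end": re.compile(r"qmail: \S+ end msg (?P<msg>\d+)"),
}

SAMPLE_LOG = """\
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.369038 new msg 112550
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.369120 info msg 112550: bytes 552 from <anonymous@mail.domain.com> qp 20587 uid 0
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.370807 starting delivery 6: msg 112550 to local root@mail.domain.com
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.372936 delivery 6: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.374501 bounce msg 112550 qp 20590
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.374542 end msg 112550
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.374826 new msg 112551
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.374847 info msg 112551: bytes 1150 from <> qp 20590 uid 106
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.375731 starting delivery 7: msg 112551 to local anonymous@mail.domain.com
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.378287 delivery 7: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.379859 bounce msg 112551 qp 20593
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.379900 end msg 112551
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.380188 new msg 112550
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.380210 info msg 112550: bytes 1650 from <#@[]> qp 20593 uid 106
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.381135 starting delivery 8: msg 112550 to local postmaster@mail.domain.com
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.383569 delivery 8: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.384027 triple bounce: discarding bounce/112550
Feb 8 04:02:02 <<myhostname>> qmail: 1044694922.384123 end msg 112550
Feb 8 04:05:00 <<myhostname>> qmail: 1044695100.100000 new msg 112552
Feb 8 04:05:00 <<myhostname>> qmail: 1044695100.100100 info msg 112552: bytes 1229 from <mortgages@example.com> qp 20601 uid 561
Feb 8 04:05:00 <<myhostname>> qmail: 1044695100.100200 starting delivery 9: msg 112552 to remote victim1@example.net
Feb 8 04:05:01 <<myhostname>> qmail: 1044695101.100000 end msg 112552
"""


def parse_qmail_log(text):
    """Finished message records in log order; anything still open at the end is appended."""
    open_msgs, done, bounce_qp = {}, [], {}
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            if m := pat.search(line):
                break
        else:
            continue  # status, failure, imapd and other lines are not needed here
        if kind == "new":
            open_msgs[m["msg"]] = {"msg": m["msg"], "sender": None, "uid": None, "rcpts": [],
                                   "parent": None, "child": None, "discarded": False}
        elif (rec := open_msgs.get(m["msg"])) is None:
            continue  # line for a message whose "new msg" predates this log excerpt
        elif kind == "info":
            rec.update(sender=m["sender"], uid=int(m["uid"]))
            if (parent := bounce_qp.pop(m["qp"], None)) is not None:  # this is some earlier message's bounce
                rec["parent"], parent["child"] = parent, rec
        elif kind == "start":
            rec["rcpts"].append((m["kind"], m["rcpt"]))
        elif kind == "bounce":
            bounce_qp[m["qp"]] = rec
        elif kind == "triple":
            rec["discarded"] = True
        elif kind == "end":
            done.append(open_msgs.pop(m["msg"]))
    done.extend(open_msgs.values())
    return done


def outbound_by_injector(records):
    """Remote (outbound) deliveries per (uid, envelope sender): who is really sending."""
    counts = Counter()
    for rec in records:
        counts[(rec["uid"], rec["sender"])] += sum(k == "remote" for k, _ in rec["rcpts"])
    return +counts  # unary plus drops the zero-count entries


def bounce_chains(records):
    """[original, bounce, double bounce, ...] for each message that produced a bounce."""
    chains = []
    for rec in (r for r in records if r["parent"] is None and r["child"] is not None):
        chain = [rec]
        while chain[-1]["child"] is not None:
            chain.append(chain[-1]["child"])
        chains.append(chain)
    return chains


def describe_chain(chain):
    """One line per chain, e.g. for a nightly report."""
    hops = " -> ".join(f"<{r['sender']}> to {r['rcpts'][0][1] if r['rcpts'] else '?'}" for r in chain)
    end = "discarded as triple bounce" if chain[-1]["discarded"] else "not discarded"
    return f"{len(chain) - 1} bounce(s): {hops}; {end}"


if __name__ == "__main__":
    records = parse_qmail_log(SAMPLE_LOG)
    print(outbound_by_injector(records).most_common())
    print(*map(describe_chain, bounce_chains(records)), sep="\n")
```

Run it over the real file with `parse_qmail_log(open("/var/log/maillog").read())`. The uid in the "info msg" line is the uid of the process that ran qmail-queue, which is exactly what led to the deleted account's leftover cron job in this thread; when that uid is the web server's, every script shares it and the log alone cannot tell a form mailer from webmail. The chain walker shows the thread's point in data: sender goes from the original address to <> (bounce) to <#@[]> (double bounce, qmail's fixed double-bounce sender) and then the "triple bounce: discarding" line ends it, so a missing root or postmaster alias costs three queue entries per cron mail and delivers nothing.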

X-Istence
02-09-2003, 04:26 PM
One thing to note is that qmail with vpopmail installed will not allow you to delete postmaster, and it will create a new alias for postmaster if needed.

That is my experience on a FreeBSD box.