Ahhh, Help needed - Spammers
Alan - Vox 01-25-2002, 08:45 AM It seems like some people are able to freely send e-mail through my servers, even though they are not users.
I don't know how to stop this; it's sending the load on the server very high. I can see the IP number of the person doing it in the exim logs and even added it in the hosts.deny file, but that hasn't stopped it.
Any help would be much appreciated.
hypernatic.net 01-25-2002, 09:55 AM Maybe you have one of those unprotected "formmailers" on your server....
Try this:
locate formmail.
if you get any formmail.pl or formmail.cgi you might be screwed... These use sendmail and they are easy to abuse :)
Alan - Vox 01-25-2002, 10:02 AM Ah, there's about 50 of them. What can I do? It would take me ages to remove all of them and notify everyone. And even then it might not be that.
zupanm 01-25-2002, 10:04 AM Check to see if your mail relays are open; if you need help with that, email me at mike@zcentric.com or IM hijinks7
hypernatic.net 01-25-2002, 10:05 AM Well see the thing is, formmail uses the values in the HTML to send mail, and this ALSO includes the recipient (usually site holder)...
BUT if a spammer abuses your script, it sets the recipient to people that should be spammed... Get what I mean??
What you can do is edit formmail.pl/.cgi and "hardcode" the recipient in there... (and disable the HTML value "recipient")
That is your only solution...
DaveC# 01-25-2002, 10:09 AM I can't relay off your mailserver:
telnet SplashHost.com 25
Trying 216.118.67.66...
Connected to SplashHost.com.
Escape character is '^]'.
220-superfastserver.com ESMTP Exim 3.34 #1 Fri, 25 Jan 2002 09:00:41 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
mail from:<webmaster@SplashHost.com>
250 <webmaster@SplashHost.com> is syntactically correct
rcpt to:<dave@cpfc.org>
550-Host cpfc-online.com [66.33.90.125] is not permitted
550-to relay through superfastserver.com.
550-Perhaps you have not logged into the pop/imap server in the last 30 minutes.
550-You may also have been rejected because your ip address
550-does not have a reverse DNS entry.
550 relaying to <dave@cpfc.org> prohibited by administrator
Alan - Vox 01-25-2002, 10:17 AM Can you try the server extrafastserver.com, that's the one with the problem just now.
DaveC# 01-25-2002, 10:28 AM Nope
telnet extrafastserver.com 25
Trying 64.247.26.182...
Connected to extrafastserver.com.
Escape character is '^]'.
220-server1.extrafastserver.com ESMTP Exim 3.34 #1 Fri, 25 Jan 2002 09:20:35 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
mail from:<webmaster@SplashHost.com>
250 <webmaster@SplashHost.com> is syntactically correct
rcpt to:<dave@cpfc.org>
550-Host cpfc-online.com [66.33.90.125] is not permitted
550-to relay through server1.extrafastserver.com.
550-Perhaps you have not logged into the pop/imap server in the last 30 minutes.
550-You may also have been rejected because your ip address
550-does not have a reverse DNS entry.
550 relaying to <dave@cpfc.org> prohibited by administrator
Alan - Vox 01-25-2002, 10:57 AM I've switched apache off, and the mail keeps on being sent.
it looks like this in the log
2002-01-25 09:49:13 16U7fB-00041B-00 <= freeultimatehgh@yahoo.co.jp H=(inmateseco.com) [210.83.200.146] P=esmtp S=3614 id=200201251502703.SM01820@smtp0136.mail.yahoo.com
hypernatic.net 01-25-2002, 11:12 AM That means nothing...
Sendmail has a mailq...
PM me and I will help you solve this...
magnafix 01-27-2002, 11:59 AM Here's the link you need. Formmail.pl (including current 1.9 version) can be used by spammers offsite to send spam.
http://www.securityfocus.com/archive/1/252232
Options:
- Remove or disable formmail.pl immediately.
- Hard-code the recipient email address in formmail.pl itself, rather than allow it to be passed in from your HTML form.
- Download and configure a "hardened" version of formmail.pl (version "1.9s") released by the software development group that discovered the vulnerability. It is available at
ftp://ftp.monkeys.com/pub/formmail/1.9s/ and contains a number of security improvements. The script author warns, however, that the new version has not been fully tested or subjected to peer review.
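As an added illustration of the fix that hypernatic.net and magnafix both describe (hard-code the recipient in the script and ignore the form's "recipient" value), here is a small Python form-to-mail builder in its vulnerable and hardened forms. This is example code written for this thread, not formmail.pl or its 1.9s release; the address webmaster@example.com, the field names and the extra CR/LF check on header fields (which goes beyond what the thread discusses) are assumptions.

```python
import re
from email.message import EmailMessage

# Assumed values for this hypothetical form-to-mail handler: the one address
# that may ever receive a submission, and the form fields that reach headers.
FIXED_RECIPIENT = "webmaster@example.com"
HEADER_FIELDS = ("realname", "email", "subject")
CRLF = re.compile(r"[\r\n]")

def vulnerable_build(form):
    """The pattern the thread warns about: the To: address comes straight
    from the submitted form, so any HTTP client can choose the recipient."""
    msg = EmailMessage()
    msg["To"] = form["recipient"]
    msg["From"] = form.get("email", "nobody@example.com")
    msg["Subject"] = form.get("subject", "WWW Form Submission")
    msg.set_content(form.get("comments", ""))
    return msg

def hardened_build(form):
    """Recipient is hard-coded, the form's 'recipient' field is ignored, and
    submitter-controlled header values are rejected if they contain CR/LF
    (which would otherwise let a submitter smuggle in extra header lines)."""
    for field in HEADER_FIELDS:
        if CRLF.search(form.get(field, "")):
            raise ValueError(f"newline in form field {field!r}")
    msg = EmailMessage()
    msg["To"] = FIXED_RECIPIENT                 # never form["recipient"]
    msg["From"] = "formmail@example.com"        # fixed local sender (assumed)
    if form.get("email"):
        msg["Reply-To"] = form["email"]         # the visitor goes here instead
    msg["Subject"] = form.get("subject", "WWW Form Submission")
    body = f"Name: {form.get('realname', '')}\n\n{form.get('comments', '')}"
    msg.set_content(body)
    return msg

def redirected_recipient(form):
    """True when a submission tried to steer mail elsewhere: worth logging,
    since a hardened script that silently ignores it hides the abuse attempt."""
    return "recipient" in form and form["recipient"] != FIXED_RECIPIENT

if __name__ == "__main__":
    # Constructed submission: the 'recipient' field points at a third party.
    submission = {"recipient": "victim@example.org", "email": "visitor@example.net",
                  "subject": "hello", "comments": "test"}
    print(hardened_build(submission)["To"], redirected_recipient(submission))
```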
Alan - Vox 01-27-2002, 12:00 PM It's not formmail.pl that's causing it, I checked the logs to make sure.
magnafix 01-27-2002, 12:18 PM Maybe it's not formmail.pl THIS time. You should still notify your customers about this vulnerability. Our system sent out over 10,000 spams before we tracked it down. :angry:
Another spammer scenario that we have encountered recently: Somebody signs up and installs a single PHP page. Then they start POST-ing to it from elsewhere, maybe once every 10 seconds so as to not arouse suspicion, with each POST sending perhaps 100 email addresses to their spam script.
The way we found this spammer was to look at the contents of the spam bounced to postmaster from one of the hundreds of invalid recipients and then check for the domain name spamvertised in our customer email database. Found the email, connected it to the account, checked the logs, and sure enough, a POST every 10 seconds from the same IP (which turned out to be a compromised machine in Switzerland).
As per our TOS, we charged the spammer $100 and closed their account.
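An added detection example, not from the thread, covering the two pieces of evidence mentioned above: Exim "<=" lines of the shape Alan quoted, counted per connecting IP, and the slow, evenly spaced POST cadence magnafix describes, which a plain rate limit would not catch. The log lines are constructed samples; the path /mailer.php and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Exim 3.x "message received" line, the shape Alan quoted:
#   2002-01-25 09:49:13 16U7fB-00041B-00 <= sender H=(helo) [ip] P=esmtp S=... id=...
EXIM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= (?P<sender>\S+) .*?\[(?P<ip>[\d.]+)\]")
# Apache common/combined access-log request line.
APACHE_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def exim_messages_per_ip(lines):
    """Count accepted messages ('<=') per connecting IP; other lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        m = EXIM_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)

def regular_posts(lines, path, min_hits=5, jitter=2.0):
    """IPs that POST to `path` >= min_hits times at a near-constant interval (all
    gaps within `jitter` s of each other): magnafix's drip-feed, which a plain
    rate limit misses. Returns {ip: (count, mean_gap_seconds)}."""
    hits = defaultdict(list)
    for line in lines:
        m = APACHE_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path") == path:
            hits[m.group("ip")].append(
                datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= max(min_hits, 2) and max(gaps) - min(gaps) <= jitter:
            flagged[ip] = (len(times), sum(gaps) / len(gaps))
    return flagged

# Constructed sample logs (documentation IP ranges, not the thread's hosts).
EXIM_SAMPLE = [
    "2002-01-25 09:49:13 16U7fB-00041B-00 <= junk@example.net H=(relay.example) [198.51.100.7] P=esmtp S=3614 id=1@example.net",
    "2002-01-25 09:49:15 16U7fC-00041C-00 <= junk@example.net H=(relay.example) [198.51.100.7] P=esmtp S=3614 id=2@example.net",
    "2002-01-25 09:49:16 16U7fB-00041B-00 => bob@example.org R=localuser T=local_delivery",
    "2002-01-25 09:51:10 16U7fD-00041D-00 <= alice@example.org H=(mail.example.org) [192.0.2.10] P=esmtp S=1200 id=3@example.org",
]
def _ap(ip, sec, method, path):  # one Apache line, all within minute 09:49
    return f'{ip} - - [25/Jan/2002:09:49:{sec:02d} -0500] "{method} {path} HTTP/1.0" 200 17'
APACHE_SAMPLE = [_ap("203.0.113.9", s, "POST", "/mailer.php") for s in (3, 13, 23, 33, 43)] + [
    _ap("192.0.2.10", 5, "GET", "/index.html"), _ap("192.0.2.10", 9, "POST", "/mailer.php")]
```

Run against real logs, the first function points at the connecting host to block or rate-limit in Exim itself (hosts.deny only affects services started through TCP wrappers), and the second identifies the customer script being driven remotely.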
goodness0001 07-25-2002, 11:13 AM The problem with charging spammers is they probably signed up with a stolen credit card.
coight 07-25-2002, 11:33 AM You would think a thread 6 months old would never come back ;)