  1. #1 (Join Date: Oct 2002, Location: Europe/China, Posts: 49)

    Spam possibly sent through our server

    We recently received an email from our datacenter saying that an account on our server was possibly sending spam. Here are the headers of the spam message received from SpamCop:

    Return-Path: <engzos@rc-harrastus.com>
    Delivered-To: x
    Received: (qmail 4073 invoked from network); 8 Apr 2004 19:36:51 -0000
    Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
        by blade6.cesmail.net with SMTP; 8 Apr 2004 19:36:51 -0000
    Received: from mailgate.cesmail.net (216.154.195.36)
        by c60.cesmail.net with SMTP; 08 Apr 2004 15:36:51 -0400
    Received: (qmail 23817 invoked from network); 8 Apr 2004 19:36:50 -0000
    Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
        by mailgate.cesmail.net with SMTP; 8 Apr 2004 19:36:50 -0000
    Received: from sextitan.com [66.230.161.98]
        by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
        for x (single-drop); Thu, 08 Apr 2004 15:36:50 -0400 (EDT)
    Received: from rc-harrastus.com (alpha.verkkomestari.com [66.246.110.187])
        by wicked.internal.realitychecknetwork.com (8.12.8p1/8.12.8) with SMTP id i38J89qp035187
        for <x>; Thu, 8 Apr 2004 15:08:09 -0400 (EDT)
        (envelope-from engzos@rc-harrastus.com)
    Received: from pc36363.lan.rc-harrastus.com (localhost [127.0.0.1]) by pc36363.lan.rc-harrastus.com (8.12.9/8.12.9) with ESMTP id 3238353637 for x; Thu, Apr 8 2004 22:19:47 +0200 (CEST)
    Received: (from root@localhost) by pc36363.lan.rc-harrastus.com (8.12.9/8.12.9/Submit) id 3238353637; Thu, Apr 8 2004 22:19:47 +0200 (CEST)
    Date: Thu, Apr 8 2004 22:19:47 +0200 (CEST)
    Message-Id: <3431____________3035@pc36363.lan.rc-harrastus.com>

    We have now been investigating this, and know that the person who owns rc-harrastus.com is not sending the spam. He is only using PHP-Nuke on his website, and I don't know if there is any vulnerability in PHP-Nuke that would make it possible to send spam via it (he is not using the webmail of PHP-Nuke). We have been looking at the server mail logs etc. but haven't been able to find any information.

    According to WHM on the server there have been 23 393 received and 23 153 sent messages between the 4th and 9th of April. I believe this is typical for our server, as we have about 400 accounts on the server. Also there are only 100-200 messages in the queue (most of them MailScanner messages, as it tries to respond to email addresses sending virus messages).

    Would it be possible that this spam wasn't sent through our server, even though our IP is in the header?

    Any help would be appreciated, so that we could solve this problem.
    Mastodon for Business - Business-friendly Mastodon instance
    China Business Forum - Community for SMEs and start-ups interested on doing business in China

  2. #2 (Join Date: Jun 2003, Posts: 673)
    What's your server's IP address? 66.246.110.187? 66.230.161.98? If a spammer is sending from your server, they could be using a program that sends the mail itself, in which case there won't be anything suspicious in your MTA's logs.
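    An added example, not from any post in this thread, that walks the Received chain quoted in the first post for each of the two candidate IPs named above: it unfolds the headers, finds the first hop whose sender side carries the IP, names the relay that recorded the connection, and lists the hops below it, which were written by the sending host itself rather than by any relay the receiving side can vouch for. The header text is reproduced from the first post as a constructed string with continuation lines re-indented so it parses as folded headers.

```python
import re

# Received chain from the first post (constructed copy, continuation lines re-indented).
RECEIVED = """\
Received: (qmail 4073 invoked from network); 8 Apr 2004 19:36:51 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade6.cesmail.net with SMTP; 8 Apr 2004 19:36:51 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
  by c60.cesmail.net with SMTP; 08 Apr 2004 15:36:51 -0400
Received: (qmail 23817 invoked from network); 8 Apr 2004 19:36:50 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
  by mailgate.cesmail.net with SMTP; 8 Apr 2004 19:36:50 -0000
Received: from sextitan.com [66.230.161.98]
  by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
  for x (single-drop); Thu, 08 Apr 2004 15:36:50 -0400 (EDT)
Received: from rc-harrastus.com (alpha.verkkomestari.com [66.246.110.187])
  by wicked.internal.realitychecknetwork.com (8.12.8p1/8.12.8) with SMTP id i38J89qp035187
  for <x>; Thu, 8 Apr 2004 15:08:09 -0400 (EDT)
  (envelope-from engzos@rc-harrastus.com)
Received: from pc36363.lan.rc-harrastus.com (localhost [127.0.0.1]) by pc36363.lan.rc-harrastus.com (8.12.9/8.12.9) with ESMTP id 3238353637 for x; Thu, Apr 8 2004 22:19:47 +0200 (CEST)
Received: (from root@localhost) by pc36363.lan.rc-harrastus.com (8.12.9/8.12.9/Submit) id 3238353637; Thu, Apr 8 2004 22:19:47 +0200 (CEST)
"""
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their Received header."""
    hops = []
    for line in raw.splitlines():
        if line[:1].isspace() and hops:
            hops[-1] += " " + line.strip()
        elif line.startswith("Received:"):
            hops.append(line[len("Received:"):].strip())
    return hops

def parse_hop(hop):
    """Split one hop into the sender-side clause, the recording host and the IPs seen there."""
    from_part = hop.split(" by ", 1)[0]
    by = re.search(r"\bby\s+(\S+)", hop)
    return {"from": from_part, "by": by.group(1) if by else None,
            "ips": IP_RE.findall(from_part)}

def locate_ip(raw, ip):
    """First (most recent) hop whose sender side carries `ip`: its index, the host that
    recorded the connection, and the 'from' clauses of every hop below it (sender's own claims)."""
    hops = [parse_hop(h) for h in unfold(raw)]
    for i, h in enumerate(hops):
        if ip in h["ips"]:
            return {"index": i, "recorded_by": h["by"],
                    "claimed_below": [x["from"] for x in hops[i + 1:]]}
    return None
```

    For 66.246.110.187 the hop was recorded by wicked.internal.realitychecknetwork.com, a relay outside the sending network, while 66.230.161.98 appears only in the POP3 fetch recorded by mailgate.cesmail.net.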

  3. #3 (Join Date: Oct 2002, Location: Europe/China, Posts: 49)
    Server is alpha.verkkomestari.com [66.246.110.187].

    If they are using some program to do that, how could we stop them?

  4. #4 (Join Date: Jun 2003, Posts: 673)
    I think you can use iptables to restrict outgoing SMTP traffic to the UID which your MTA is using. (wow, acronym city in that last sentence.)

  5. #5 (Join Date: Mar 2004, Location: Venezuela, Posts: 83)
    You can use --uid-owner userid in iptables to do this; however, remember it only works in the OUTPUT chain.
