04-09-2004, 05:33 PM #1 Junior Guru Wannabe
Join Date: Oct 2002 | Location: Europe/China | Posts: 49
Spam possibly sent through our server
We recently received an email from our datacenter saying that an account on our server was possibly sending spam. Here are the headers of the spam message received from SpamCop:
Return-Path: <engzos@rc-harrastus.com>
Delivered-To: x
Received: (qmail 4073 invoked from network); 8 Apr 2004 19:36:51 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
by blade6.cesmail.net with SMTP; 8 Apr 2004 19:36:51 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
by c60.cesmail.net with SMTP; 08 Apr 2004 15:36:51 -0400
Received: (qmail 23817 invoked from network); 8 Apr 2004 19:36:50 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
by mailgate.cesmail.net with SMTP; 8 Apr 2004 19:36:50 -0000
Received: from sextitan.com [66.230.161.98]
by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
for x (single-drop); Thu, 08 Apr 2004 15:36:50 -0400 (EDT)
Received: from rc-harrastus.com (alpha.verkkomestari.com [66.246.110.187])
by wicked.internal.realitychecknetwork.com (8.12.8p1/8.12.8) with SMTP id i38J89qp035187
for <x>; Thu, 8 Apr 2004 15:08:09 -0400 (EDT)
(envelope-from engzos@rc-harrastus.com)
Received: from pc36363.lan.rc-harrastus.com (localhost [127.0.0.1]) by pc36363.lan.rc-harrastus.com (8.12.9/8.12.9) with ESMTP id 3238353637 for x; Thu, Apr 8 2004 22:19:47 +0200 (CEST)
Received: (from root@localhost) by pc36363.lan.rc-harrastus.com (8.12.9/8.12.9/Submit) id 3238353637; Thu, Apr 8 2004 22:19:47 +0200 (CEST)
Date: Thu, Apr 8 2004 22:19:47 +0200 (CEST)
Message-Id: <3431____________3035@pc36363.lan.rc-harrastus.com>
We have now been investigating this, and know that the person who owns rc-harrastus.com is not sending the spam. He is only using PHP-Nuke on his website, and I don't know if there is any vulnerability in PHP-Nuke that would make it possible to send spam via it (he is not using the webmail of PHP-Nuke). We have been looking at the server mail logs etc. but haven't been able to find any information.
According to WHM of the server there have been 23,393 received and 23,153 sent messages between the 4th and 9th of April. I believe this is typical for our server, as we have about 400 accounts on the server. Also there are only 100-200 messages in the queue (most of them MailScanner messages, as it tries to respond to email addresses sending virus messages).
Would it be possible that this spam wasn't sent through our server, even though our IP is in the header?
Any help would be appreciated, so that we could solve this problem.
04-09-2004, 05:57 PM #2 Web Hosting Master
Join Date: Jun 2003 | Posts: 673
What's your server's IP address? 66.246.110.187? 66.230.161.98? If a spammer is sending from your server, they could be using a program that sends the mail itself, in which case there won't be anything suspicious in your MTA's logs.
04-09-2004, 06:04 PM #3 Junior Guru Wannabe
Join Date: Oct 2002 | Location: Europe/China | Posts: 49
Server is alpha.verkkomestari.com [66.246.110.187].
If they are using some program to do that, how could we stop them?
04-09-2004, 06:26 PM #4 Web Hosting Master
Join Date: Jun 2003 | Posts: 673
I think you can use iptables to restrict outgoing SMTP traffic to the UID which your MTA is using. (wow, acronym city in that last sentence.)
04-09-2004, 06:33 PM #5 Junior Guru Wannabe
Join Date: Mar 2004 | Location: Venezuela | Posts: 83
You can use --uid-owner userid in iptables to do this; however, remember it only works in the OUTPUT chain.
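The following is an added example, not code from anyone in this thread. It puts posts #4 and #5 into a concrete rule set: only the MTA's own UID may open outbound TCP/25, every other process that tries is logged with its UID (so the account running the mailer script can be identified) and then rejected. It assumes the MTA runs as user "exim" (typical for a cPanel/WHM server of that era, but not stated in the thread), uses a log prefix of our own choosing, and feeds the UID summary from constructed sample log lines rather than real logs.

```shell
#!/bin/sh
# Added example (not from the thread). Restrict outbound SMTP to the MTA's UID
# using the iptables owner match, which only exists in the OUTPUT chain.
# Assumptions: MTA user is "exim"; "SMTP-DIRECT: " is our own log prefix.

# Print the iptables commands for the given MTA user and port. Order matters:
# the loopback exception and the owner ACCEPT must come before LOG and REJECT.
# Run as root only after reviewing:  smtp_egress_rules exim 25 | sh
smtp_egress_rules() {
    mta_user=${1:-exim}
    port=${2:-25}
    cat <<EOF
iptables -A OUTPUT -o lo -p tcp --dport ${port} -j ACCEPT
iptables -A OUTPUT -p tcp --dport ${port} -m owner --uid-owner ${mta_user} -j ACCEPT
iptables -A OUTPUT -p tcp --dport ${port} -m limit --limit 10/min -j LOG --log-prefix "SMTP-DIRECT: " --log-uid
iptables -A OUTPUT -p tcp --dport ${port} -j REJECT --reject-with tcp-reset
EOF
}

# Read kernel log lines produced by the LOG rule above from stdin and print
# "count uid" per offending UID, most active first. The --log-uid option makes
# the kernel append UID=<n> for locally generated packets; that UID is the
# account whose script is talking SMTP directly instead of using the MTA.
blocked_smtp_uids() {
    sed -n 's/.*SMTP-DIRECT: .*UID=\([0-9][0-9]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample log lines (not real data; TEST-NET addresses) so the
# script runs stand-alone. Two hits from UID 1042, one from UID 1007, plus an
# unrelated sshd line that must be ignored.
SAMPLE_LOG='Apr  9 17:40:02 alpha kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=33981 DPT=25 SYN URGP=0 UID=1042
Apr  9 17:40:02 alpha kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=33982 DPT=25 SYN URGP=0 UID=1042
Apr  9 17:41:10 alpha kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.12 LEN=60 PROTO=TCP SPT=33999 DPT=25 SYN URGP=0 UID=1007
Apr  9 17:41:11 alpha sshd[2211]: Accepted password for someone from 198.51.100.4 port 4022 ssh2'

# Stand-alone run: show the rules, then summarize the sample log.
if [ "${1:-}" = "show" ]; then
    smtp_egress_rules exim 25
    printf '%s\n' "$SAMPLE_LOG" | blocked_smtp_uids
fi
```

The loopback exception keeps web scripts able to submit mail through the local MTA on 127.0.0.1:25, so their traffic stays visible in the MTA logs; only direct connections to remote port 25 are blocked. Any other process that legitimately speaks SMTP on its own (MailScanner, if it does not run as the MTA user) needs its own --uid-owner ACCEPT line. On a live box, confirm the owner match is available (ipt_owner module) before relying on the rules, and check the kernel log for the SMTP-DIRECT prefix to map the logged UID back to a hosting account with getent passwd or /etc/passwd.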