  1. #1

    Am I being used for spam?

    Hi guys,

    I hope someone can help.

    One of my servers is rarely letting any of my hosting clients POP the server to collect their mail. Maybe 1 in 10 tries gets them access. I'm at a loss; this has been going on for a week.

    I have just logged onto the server via SSH and run mailq to see what is in the mail queue. There are at least 100 emails sitting in there, all saying the connection was denied by the recipient. Am I being used for spam?

    If so, what should I do?

    Thanks in advance.

  2. #2
    100 does not seem like a lot. What span of time do they cover?
    Are they all from the same account? It may be a virus on that user's PC doing it. Is the server just overloaded? (Type 'top' to see what resources are in use.)

  3. #3
    Another thought. Last time we saw this on our own RaQ it was a user with anti-spam software that automatically sends a faked 'bounce' message to the spammer. Of course most of these were undeliverable, as the spammers were using faked addresses, so they ended up in the mail queue.

  4. #4
    They seemed to be only over the last week...

    I looked at the mail queue from Midnight Commander, and there were tons in there. So I had a look, and most of them definitely resembled spam. So, whether this was right or not, I deleted them all, and the mail queue just starts to fill up with emails straight away, probably 10 a minute or more.

  5. #5
    Should I maybe turn off SpamAssassin, in case that's what is happening?

  6. #6
    I'm only running about 40 domains, and none should be doing any mail at this hour of the night...

    After leaving the queue for about 5 minutes, I now have about 50 emails in there waiting to send, plus about another 50 which have 0 bytes of data in them...

    Sound like spam?

  7. #7
    Sounds like a user spamming. You need to see what account they come from. You should be able to see that in mailq. (It will be the account name, not the email address.) Suggest you change the password on that account and see what happens. It could be that the user is spamming, or has chosen an easy password that someone has been able to crack.

  8. #8
    OK, cool.

    In the mail headers, it says "full-name: mail delivery subsystem".

    Is that what I'm looking for?

  9. #9
    You should see something like this:

    .......................................
    i4GGUBO16953      253 Sun May 16 19:30 abcd0021
                     (host map: lookup (dotwist.com): deferred)
                                             [email protected]
    i4GG5A515622*     253 Sun May 16 19:05 abcd0021
                     (Deferred: Connection timed out with meri.uwasa.fi.)
                                             [email protected]
    i4G34Pt04418      253 Sun May 16 06:04 abcd0021
                     (host map: lookup (attentiveprice.com): deferred)
                                             [email protected]
    i4FEg0Z26810      253 Sat May 15 17:42 abcd0021
                     (Deferred: Connection refused by amomentlikethisagain.com.)
                                             [email protected]
    ..............................

    abcd0021 is the account doing the sending. You will need to look in each of your domains to see who that is. If there is more than one account, are they in the same domain (which would be suspicious)?

    Ignore any account with only a few bounces. That might be legitimate.

    If the account is your own account, then yes, it may be SpamAssassin sending faked bounce messages that can't be delivered. I don't use it myself, so I can't swear to that.

    Hope this helps.
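
    The tally described in post #9, as an added example that is not part of the original thread: a small shell script that reads a sendmail-style mailq listing and counts queued messages per sending account, so the account behind a flood of bounces stands out without reading every entry. It also counts the zero-byte entries mentioned in post #6. The queue IDs, hosts and account names in the embedded sample are constructed for this example; on the server you would pipe the real listing in with `mailq | tally_mailq_senders`.

```shell
#!/bin/sh
# Added example (not from the thread): tally a sendmail-style `mailq` listing by
# sending account. On the server: mailq | tally_mailq_senders

# Print "<count> <sender>" per sending account, busiest first.
# A queue entry begins at column 1 as: QueueID[*]  Size  Day Mon DD HH:MM  Sender
# Status lines such as "(Deferred: ...)" and recipient lines are indented, so they
# are skipped. Bounces from the null sender show up as "<>".
tally_mailq_senders() {
    awk '
        /^[A-Za-z0-9]+\*?[[:space:]]+[0-9]+[[:space:]]+/ {
            count[$7]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -k1,1nr
}

# Count queue entries whose size column is 0 (the empty messages seen in post #6).
count_empty_queue_entries() {
    awk '/^[A-Za-z0-9]+\*?[[:space:]]+0[[:space:]]+/ { n++ } END { print n + 0 }'
}

# Constructed sample in sendmail mailq layout; queue IDs, hosts and account names
# are made up for this example (assumption: the real listing uses the same columns).
sample_mailq() {
    cat <<'EOF'
/var/spool/mqueue (5 requests)
----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------
i4GGUBO16953      253 Sun May 16 19:30 abcd0021
                 (host map: lookup (example.com): deferred)
                                         someone@example.com
i4GG5A515622*     253 Sun May 16 19:05 abcd0021
                 (Deferred: Connection timed out with mail.example.net.)
                                         other@example.net
i4G34Pt04418      253 Sun May 16 06:04 abcd0021
                 (Deferred: Connection refused by example.org.)
                                         user@example.org
i4FEg0Z26810        0 Sat May 15 17:42 <>
                 (Deferred: Connection refused by example.org.)
                                         <user@example.org>
i4FEg1A26811      612 Sat May 15 17:40 wxyz0007
                 (Deferred: Connection timed out with mx.example.com.)
                                         contact@example.com
EOF
}

# Demo on the constructed sample: abcd0021 has 3 queued messages, one entry is empty.
sample_mailq | tally_mailq_senders
printf 'empty entries: %s\n' "$(sample_mailq | count_empty_queue_entries)"
```

    As post #9 says, one or two bounces per account is normal; an account at the top of this list with dozens of entries, or a `<>` sender with dozens of undeliverable bounces, is the one to look at.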

  10. #10
    Mate, appreciate your help... thanks heaps.

  11. #11
    Every email, and I mean every email, says the account doing the sending is MAILER-DAEMON.

    That sounds like me, doesn't it?

  12. #12
    1. Make sure you are not an open relay.
    http://www.abuse.net/relay.html
    Just punch in your IP.

    2. Examine your mail logs for emails with a high number of recipients per wrapper. This is the number of emails specified in the To: area of an email. Often, if a spammer has found a way to exploit your system via a web form, they will send many (>100) emails per wrapper.
    Run:
    grep "nrcpts=[1-9][0-9]" /var/log/maillog

    This will pull out the lines that have 10 or more addresses specified in the email.

    3. If you find that there are large numbers (>100), look at the relay. If the relay is [email protected], then you may have an insecure form on your server.

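
    Steps 2 and 3 of the post above, as an added example that is not part of the original thread: a shell script that pulls the sendmail "from=" log lines whose nrcpts= is at or above a threshold (the same lines the grep finds) and then totals them per relay, which is what step 3 asks you to look at. The log lines embedded in it are constructed for this example; the assumption that a web-form injection shows up as `relay=apache@localhost` (the web server's UNIX user handing mail to the local sendmail binary) is mine, and the user name will be whatever your web server runs as. On the server: `find_bulk_senders 10 < /var/log/maillog | summarize_relays`.

```shell
#!/bin/sh
# Added example (not from the thread): find high-recipient envelopes in a sendmail
# maillog and total them per relay.
# On the server: find_bulk_senders 10 < /var/log/maillog | summarize_relays

# Print "<nrcpts> <queue-id> <sender> <relay>" for every envelope with at least
# $1 recipients (default 10, the same bar as the grep in the post), largest first.
# Reads maillog lines on stdin; only "from=" lines carry nrcpts=, so delivery
# ("to=") lines are skipped automatically.
find_bulk_senders() {
    min="${1:-10}"
    awk -v min="$min" '
        /nrcpts=/ {
            n = $0; sub(/.*nrcpts=/, "", n); sub(/[^0-9].*/, "", n)
            if (n + 0 < min + 0) next
            qid = $6; sub(/:$/, "", qid)
            from = $0; sub(/.*from=/, "", from); sub(/,.*/, "", from)
            relay = $0; sub(/.*relay=/, "", relay); sub(/,.*/, "", relay)
            printf "%s %s %s %s\n", n, qid, from, relay
        }
    ' | sort -k1,1nr
}

# Summarise find_bulk_senders output as "<messages> <total recipients> <relay>".
# A relay of the form <user>@localhost means a local process running as that UNIX
# user handed the message to sendmail; if that user is the web server account,
# suspect a web form (assumption for this example: the web server runs as apache).
summarize_relays() {
    awk '
        {
            relay = $4
            for (i = 5; i <= NF; i++) relay = relay " " $i
            msgs[relay]++; rcpts[relay] += $1
        }
        END { for (r in msgs) printf "%d %d %s\n", msgs[r], rcpts[r], r }
    ' | sort -k1,1nr -k2,2nr
}

# Constructed sample log lines in sendmail syslog format; hosts, IDs and addresses
# are made up for this example.
sample_maillog() {
    cat <<'EOF'
May 16 19:30:01 www sendmail[16953]: i4GGUBO16953: from=<apache@www.example.com>, size=1840, class=0, nrcpts=150, msgid=<200405161930.i4GGUBO16953@www.example.com>, relay=apache@localhost
May 16 19:31:12 www sendmail[16960]: i4GGVCA16960: from=<apache@www.example.com>, size=1840, class=0, nrcpts=120, msgid=<200405161931.i4GGVCA16960@www.example.com>, relay=apache@localhost
May 16 19:32:44 www sendmail[17002]: i4GGWiB17002: from=<bob@example.com>, size=2210, class=0, nrcpts=1, msgid=<40A7C1BC.5030@example.com>, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
May 16 19:40:03 www sendmail[17110]: i4GGe3C17110: from=<news@example.com>, size=9100, class=0, nrcpts=12, msgid=<40A7C37A.1040@example.com>, proto=ESMTP, daemon=MTA, relay=[192.0.2.11]
May 16 19:40:05 www sendmail[17112]: i4GGe3C17110: to=<a@example.net>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=39100, relay=mx.example.net. [203.0.113.5], dsn=2.0.0, stat=Sent
EOF
}

# Demo on the constructed sample: two 100+ recipient envelopes came in via
# apache@localhost, the legitimate 12-recipient one via an SMTP client.
sample_maillog | find_bulk_senders
echo '---'
sample_maillog | find_bulk_senders | summarize_relays
```

    The grep in the post matches `nrcpts=1` followed by any digit, so it already catches 100+ as well as 10 to 99; the script adds the threshold argument and the per-relay totals so that step 3 is a one-line read rather than a scroll through the matches.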
