-
10-31-2006, 08:45 AM #1 Junior Guru Wannabe (Join Date: Jun 2006; Location: Israel; Posts: 38)
My server being abused for spamming?
I have a feeling that my server might be abused for spamming. I got an email containing a virus, and the address I received it from was a non-existent address under my server's domain. Also, when checking the header, my domain appeared as the hostname, and in the log file it says "localhost". How can I check and secure my mail server?
Thanks
-
10-31-2006, 09:10 PM #2 Web Hosting Master (Join Date: Mar 2003; Location: Canada; Posts: 9,072)
Could you post the complete headers of the suspect email, and are you using a control panel?
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
10-31-2006, 09:16 PM #3 Junior Guru Wannabe (Join Date: Jun 2006; Location: Israel; Posts: 38)
There you go:
Headers:
Code:
Delivery-date: Mon, 30 Oct 2006 23:10:30 -0500
Received: from friends by s4.MYDOMAIN.com with local-bsmtp (Exim 4.52)
	id 1GekxG-0004sL-Rz
	for webmaster@MYDOMAIN2.org; Mon, 30 Oct 2006 23:10:30 -0500
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on s4.MYDOMAIN.com
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_50,FORGED_RCVD_HELO,
	NO_REAL_NAME,TO_CC_NONE autolearn=no version=3.1.7
Received: from [70.84.187.194] (helo=tchw4.MYDOMAIN.com)
	by s4.MYDOMAIN.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.52)
	id 1GekxG-0004sD-NA
	for webmaster@MYDOMAIN2.org; Mon, 30 Oct 2006 23:10:26 -0500
Received: from [60.225.59.141] (helo=<localhost>)
	by tchw4.MYDOMAIN.com with smtp (Exim 4.52)
	id 1Gekx8-0005sB-1I
	for donations@MYDOMAIN.com; Mon, 30 Oct 2006 23:10:19 -0500
From: <Amorita15@MYDOMAIN.com>
Subject: NEWS!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xsgwvilXUEQtpcMwpmg"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tchw4.MYDOMAIN.com
X-AntiAbuse: Original Domain - MYDOMAIN.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - MYDOMAIN.com
X-Source:
X-Source-Args:
X-Source-Dir:
Message-Id: <E1GekxG-0004sL-Rz@s4.MYDOMAIN.com>
Code:
/var/log/exim_mainlog
2006-10-30 23:10:19 1Gekx8-0005sB-1I <= Amorita15@MYDOMAIN2.com H=(<localhost>) [60.225.59.141] P=smtp S=21964
2006-10-30 23:10:24 1Gekx8-0005sB-1I => webmaster@MYDOMAIN2.org <donations@MYDOMAIN2.com> R=lookuphost T=remote_smtp H=mail.MYDOMAIN2.org [72.232.218.37] X=TLSv1:AES256-SHA:256
2006-10-30 23:10:24 1Gekx8-0005sB-1I Completed
Thanks
-
10-31-2006, 09:26 PM #4 Web Hosting Guru (Join Date: Mar 2005; Location: Maine, USA; Posts: 311)
Use the following site to check whether your mail server is configured properly so that it is not an open relay:
http://www.abuse.net/relay.html
After that, if someone is using your server to spam, it is probably a client who has a virus or something. Check the server logs.
-
11-01-2006, 10:19 AM #5 Junior Guru Wannabe (Join Date: Jun 2006; Location: Israel; Posts: 38)
Originally Posted by hawk82
Mail relay testing
Not available at this time.
-
10-31-2006, 09:28 PM #6 Web Hosting Master (Join Date: Mar 2003; Location: Canada; Posts: 9,072)
The email appears to be coming from someone in Australia (60.225.59.141) using your domain name as their email address... I see quite a lot of spam using that method, however I don't "think" it's coming from your server.
Are there a lot of messages in the Mail Queue?
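Walking the Received chain the way Pat H does above (bottom hop = where the message first touched your server, so its "from" IP is the one you can trust) can be scripted. The block below is an added example written for this thread, not code from any poster; it embeds the headers from post #3 refolded the way Exim writes them, and the sets OUR_HOSTS, OUR_IPS and OUR_DOMAINS are assumptions about which names and addresses belong to the original poster, since the thread never lists them.

```python
import re

# Constructed sample: the headers posted in post #3, with the thread's MYDOMAIN placeholders
# kept and folded the way Exim writes them (continuation lines start with whitespace).
RAW_HEADERS = """\
Delivery-date: Mon, 30 Oct 2006 23:10:30 -0500
Received: from friends by s4.MYDOMAIN.com with local-bsmtp (Exim 4.52)
 id 1GekxG-0004sL-Rz
 for webmaster@MYDOMAIN2.org; Mon, 30 Oct 2006 23:10:30 -0500
X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_50,FORGED_RCVD_HELO,
 NO_REAL_NAME,TO_CC_NONE autolearn=no version=3.1.7
Received: from [70.84.187.194] (helo=tchw4.MYDOMAIN.com)
 by s4.MYDOMAIN.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.52)
 id 1GekxG-0004sD-NA
 for webmaster@MYDOMAIN2.org; Mon, 30 Oct 2006 23:10:26 -0500
Received: from [60.225.59.141] (helo=<localhost>)
 by tchw4.MYDOMAIN.com with smtp (Exim 4.52)
 id 1Gekx8-0005sB-1I
 for donations@MYDOMAIN.com; Mon, 30 Oct 2006 23:10:19 -0500
From: <Amorita15@MYDOMAIN.com>
Subject: NEWS!
"""

# Assumed facts about "our" infrastructure; the thread never states these explicitly.
OUR_HOSTS = {"tchw4.MYDOMAIN.com", "s4.MYDOMAIN.com"}
OUR_IPS = {"70.84.187.194"}      # the address s4 saw tchw4 connect from
OUR_DOMAINS = {"MYDOMAIN.com"}


def unfold(raw):
    """Join folded header continuation lines (leading whitespace) onto the previous line."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(raw):
    """Return Received hops in transit order (oldest first). MTAs prepend their header,
    so the one nearest the body is the first hop and the topmost is the final delivery."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line[len("received:"):]
        m_from = re.search(r"\bfrom\s+(\S+)", body, re.I)
        m_by = re.search(r"\bby\s+(\S+)", body, re.I)
        if not (m_from and m_by):
            continue
        m_helo = re.search(r"helo=<?([^>\s)]+)", body, re.I)
        m_for = re.search(r"\bfor\s+<?([^>;\s]+)", body, re.I)
        hops.append({
            "from": m_from.group(1).strip("[]"),
            "by": m_by.group(1),
            "helo": m_helo.group(1) if m_helo else None,
            "for": m_for.group(1) if m_for else None,
        })
    hops.reverse()
    return hops


def entry_hop(hops, our_hosts=OUR_HOSTS):
    """First hop received by one of our own hosts: where the message entered our network.
    Anything below it was written by the remote side and can be forged freely."""
    for hop in hops:
        if hop["by"] in our_hosts:
            return hop
    return None


def helo_looks_forged(hop, our_hosts=OUR_HOSTS, our_ips=OUR_IPS):
    """An outside IP greeting as 'localhost' or as one of our own hostnames is the
    pattern behind SpamAssassin's FORGED_RCVD_HELO hit in the posted headers."""
    if hop["from"] in our_ips:
        return False
    helo = (hop["helo"] or "").lower()
    return helo == "localhost" or helo in {h.lower() for h in our_hosts}


def classify(raw=RAW_HEADERS):
    """Answer the thread's question: relayed for a third party, or inbound mail to us?"""
    entry = entry_hop(parse_received(raw))
    if entry is None:
        return {"origin_ip": None, "helo_forged": False, "inbound_to_our_domain": False}
    rcpt_domain = (entry["for"] or "").rpartition("@")[2].lower()
    return {
        "origin_ip": entry["from"],
        "helo_forged": helo_looks_forged(entry),
        "inbound_to_our_domain": rcpt_domain in {d.lower() for d in OUR_DOMAINS},
    }
```

For the posted headers, classify() reports origin 60.225.59.141, a forged HELO, and a recipient (donations@MYDOMAIN.com) inside the poster's own domain: the server accepted the message as ordinary inbound mail for a local mailbox and then forwarded it, which is a different situation from relaying for strangers.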
-
11-01-2006, 10:33 AM #7 Junior Guru Wannabe (Join Date: Jun 2006; Location: Israel; Posts: 38)
Originally Posted by Pat H
On "view mail relayers" I see nobody sent 358 messages, root sent 13.
-
11-01-2006, 10:32 AM #8 Web Hosting Master (Join Date: Nov 2001; Location: Vancouver; Posts: 2,422)
"Not available at this time"
Then do a Google search for the RFC detailing SMTP; telnet to port 25 of your box from another box outside its network of permitted SMTP senders/destinations (like from home, or whatever), and follow the RFC through to simulate an SMTP session sending mail from an address "off network" to another address "off network".
You should see an error rejecting your attempt at some point, if your server is properly configured.
Yes, I realize this might sound like Greek. But understanding the protocols (not that hard at a basic level) will help you protect yourself in the future.
"Even those who arrange and design shrubberies are under considerable economic stress at this period in history."
-
11-01-2006, 10:47 AM #9 Junior Guru Wannabe (Join Date: Jun 2006; Location: Israel; Posts: 38)
Originally Posted by mwatkins
-
11-01-2006, 11:06 AM #10 Junior Guru Wannabe (Join Date: Jun 2006; Location: Israel; Posts: 38)
Originally Posted by mwatkins
Code:
220-tchw4.MYDOMAIN ESMTP Exim 4.52 #1 Wed, 01 Nov 2006 10:02:52 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
HELO LIOR
250 tchw4.MYDOMAIN Hello LIOR [MYIP]
mail from:webmaster@MYDOMAIN2.org
250 OK
rcpt to:myemail@gmail.com
550-MYMOSTNAME (LIOR) [MYIP]:2805 is currently not
550-permitted to relay through this server. Perhaps you have not logged into
550-the pop/imap server in the last 30 minutes or do not have SMTP
550 Authentication turned on in your email client.
Code:
220-tchw4.mydomain.com ESMTP Exim 4.52 #1 Wed, 01 Nov 2006 10:12:35 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo lior
250 tchw4.rjhnet.com Hello lior [ip]
mail from:webmaster@mydomain.com
250 OK
rcpt to:myemail@gmail.com
550-Verification failed for <webmaster@mydomain.com>
550-no such address here
550 Sender verify failed
-
11-01-2006, 11:20 AM #11 Web Hosting Master (Join Date: Nov 2001; Location: Vancouver; Posts: 2,422)
liorchen - very good - thanks for actually doing the work!
Now, using the headers you posted earlier, emulate that session. Your IP address will be different, but you'll probably learn something about the situation anyway.
If that attempt is rejected, then you likely are seeing someone spoof your email addresses but not actually sending through your server (except when the messages are addressed to valid addresses in your domain).
Not much you can do about that except perhaps try adding SPF records to your DNS, and be sure to report the spam you do receive as spam. Also forward a report/complaint to the spammer's ISP.
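The manual telnet test mwatkins describes in post #8 (off-network sender to off-network recipient must be refused) and the "emulate the session from the headers" follow-up in post #11 can be run as one script. The block below is an added example written for this thread, not code from any poster or from Exim. FakeExim is a constructed stand-in that replies the way the Exim 4.52 transcripts in post #10 did; its LOCAL_USERS set is an assumption (the thread only shows that donations@ exists), and the peer IP is borrowed from the last Received hop in post #3. SocketTransport is the same interface over a real TCP connection, for running the probe against your own server from outside its network.

```python
import socket


class FakeExim:
    """Constructed stand-in for the server side of post #10: accepts RCPT only for
    LOCAL_DOMAINS (anything else is a relay attempt) and rejects MAIL FROM local
    addresses that do not exist, as Exim sender verification does. Not real Exim."""
    LOCAL_DOMAINS = {"mydomain.com"}
    LOCAL_USERS = {"donations@mydomain.com"}      # assumed; only donations@ is known to exist

    def __init__(self, peer_ip="60.225.59.141"):   # constructed: IP from post #3's last hop
        self.peer_ip = peer_ip
        self._out = ["220-tchw4.mydomain.com ESMTP Exim 4.52 #1",
                     "220-We do not authorize the use of this system to transport unsolicited,",
                     "220 and/or bulk e-mail."]

    def readline(self):
        return self._out.pop(0)

    def write(self, line):
        verb, _, arg = line.partition(":")
        verb = verb.strip().lower()
        addr = arg.strip().strip("<>").lower()
        domain = addr.rpartition("@")[2]
        if verb.startswith(("helo", "ehlo")):
            self._out.append("250 tchw4.mydomain.com Hello %s [%s]"
                             % (line.split(None, 1)[1], self.peer_ip))
        elif verb == "mail from":
            if domain in self.LOCAL_DOMAINS and addr not in self.LOCAL_USERS:
                self._out += ["550-Verification failed for <%s>" % addr,
                              "550-no such address here", "550 Sender verify failed"]
            else:
                self._out.append("250 OK")
        elif verb == "rcpt to":
            if domain in self.LOCAL_DOMAINS:
                self._out.append("250 Accepted")
            else:
                self._out += ["550-[%s] is currently not" % self.peer_ip,
                              "550 permitted to relay through this server."]
        elif verb == "quit":
            self._out.append("221 tchw4.mydomain.com closing connection")
        else:
            self._out.append("500 unrecognized command")


class SocketTransport:
    """Same readline()/write() interface over TCP, for probing a real server."""
    def __init__(self, host, port=25, timeout=15):
        self.sock = socket.create_connection((host, port), timeout)
        self.rfile = self.sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")

    def readline(self):
        return self.rfile.readline().rstrip("\r\n")

    def write(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))


def read_reply(conn):
    """Collect one SMTP reply: '250-...' lines continue it, '250 ...' ends it."""
    lines = []
    while True:
        l = conn.readline()
        lines.append(l[4:])
        if l[3:4] != "-":
            return int(l[:3]), "\n".join(lines)


def command(conn, line):
    conn.write(line)
    return read_reply(conn)


def relay_probe(conn, helo, mail_from, rcpt_to):
    """Banner, HELO, MAIL FROM, RCPT TO, then QUIT. DATA is never sent, so even a server
    that would have relayed delivers nothing. Returns (step_reached, code, text)."""
    code, text = read_reply(conn)
    if code != 220:
        return "banner", code, text
    steps = [("helo", "HELO " + helo),
             ("mail", "MAIL FROM:<%s>" % mail_from),
             ("rcpt", "RCPT TO:<%s>" % rcpt_to)]
    for step, line in steps:
        code, text = command(conn, line)
        if code >= 400:
            command(conn, "QUIT")
            return step, code, text
    command(conn, "QUIT")
    return "accepted", code, text


def run_checks(transport=FakeExim):
    r = {}
    # Post #8: off-network sender to off-network recipient; must be refused at RCPT.
    r["open_relay"] = relay_probe(transport(), "LIOR", "webmaster@mydomain2.org", "myemail@gmail.com")
    # Post #11: replay the spam's session: HELO localhost, forged local sender, local recipient.
    # This is inbound mail, so only sender verification can stop it.
    r["spoofed_inbound"] = relay_probe(transport(), "localhost", "Amorita15@mydomain.com", "donations@mydomain.com")
    # Same session with a sender that does exist: a correctly configured server accepts this,
    # which is why spoofed mail addressed to your own users still gets through.
    r["spoofed_inbound_real_sender"] = relay_probe(transport(), "localhost", "donations@mydomain.com", "donations@mydomain.com")
    return r


def is_open_relay(results):
    return results["open_relay"][0] == "accepted"
```

Against a real host, pass `lambda: SocketTransport("your.mail.host")` as the transport and run it from a machine outside the server's permitted networks, as post #8 says; a 250 at the RCPT step of the open_relay check is the open-relay result. One caveat when reading the spoofed_inbound result: FakeExim rejects the nonexistent local sender only because it models the sender verification visible in post #10, while the exim_mainlog in post #3 shows the real server accepting Amorita15@ as envelope sender on 30 Oct, so whether your server behaves like the fake depends on whether its ACL actually verifies senders.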
-
11-01-2006, 11:29 AM #12 Junior Guru Wannabe (Join Date: Jun 2006; Location: Israel; Posts: 38)
Originally Posted by mwatkins
550-Verification failed for <amorita15@mydomain.com>
550-no such address here
550 Sender verify failed
-
11-01-2006, 11:51 AM #13 Web Hosting Master (Join Date: Nov 2001; Location: Vancouver; Posts: 2,422)
My pleasure!