  1. #1

    My server being abused for spamming?

    I have a feeling that my server might be abused for spamming. I got an email containing a virus, and the address I received it from was a non-existent address under my server's domain. Also, when checking the header, my domain appeared as the hostname, and in the log file it says "localhost". How can I check and secure my mail server?
    Thanks

  2. #2
    Could you post the complete headers of the suspect email and are you using a control panel?
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  3. #3
    There you go:
    Headers:
    Code:
    Delivery-date: Mon, 30 Oct 2006 23:10:30 -0500
    Received: from friends by s4.MYDOMAIN.com with local-bsmtp (Exim 4.52)
         id 1GekxG-0004sL-Rz
         for webmaster@MYDOMAIN2.org; Mon, 30 Oct 2006 23:10:30 -0500
    X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on s4.MYDOMAIN.com
    X-Spam-Level: *
    X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_50,FORGED_RCVD_HELO,
         NO_REAL_NAME,TO_CC_NONE autolearn=no version=3.1.7
    Received: from [70.84.187.194] (helo=tchw4.MYDOMAIN.com)
         by s4.MYDOMAIN.com with esmtps (TLSv1:AES256-SHA:256)
         (Exim 4.52)
         id 1GekxG-0004sD-NA
         for webmaster@MYDOMAIN2.org; Mon, 30 Oct 2006 23:10:26 -0500
    Received: from [60.225.59.141] (helo=<localhost>)
         by tchw4.MYDOMAIN.com with smtp (Exim 4.52)
         id 1Gekx8-0005sB-1I
         for donations@MYDOMAIN.com; Mon, 30 Oct 2006 23:10:19 -0500
    From: <Amorita15@MYDOMAIN.com>
    Subject: NEWS!
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
         boundary="xsgwvilXUEQtpcMwpmg"
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - tchw4.MYDOMAIN.com
    X-AntiAbuse: Original Domain - MYDOMAIN.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - MYDOMAIN.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Message-Id: <E1GekxG-0004sL-Rz@s4.MYDOMAIN.com>
    Log:

    Code:
    /var/log/exim_mainlog
    2006-10-30 23:10:19 1Gekx8-0005sB-1I <= Amorita15@MYDOMAIN2.com H=(<localhost>) [60.225.59.141] P=smtp S=21964
    2006-10-30 23:10:24 1Gekx8-0005sB-1I => webmaster@MYDOMAIN2.org <donations@MYDOMAIN2.com> R=lookuphost T=remote_smtp H=mail.MYDOMAIN2.org [72.232.218.37] X=TLSv1:AES256-SHA:256
    2006-10-30 23:10:24 1Gekx8-0005sB-1I Completed
    I'm using the latest cpanel.

    Thanks

  4. #4
    Use the following site to check if your mail server is configured properly to not be an open relay:
    http://www.abuse.net/relay.html

    After that, if someone is using your server to spam, it is probably a client who has a virus or something. Check the server logs.

  5. #5
    Quote Originally Posted by hawk82
    Use the following site to check if your mail server is configured properly to not be an open relay:
    http://www.abuse.net/relay.html

    After that, if someone is using your server to spam, it is probably a client who has a virus or something. Check the server logs.
    Every time I try this test, it says:
    Mail relay testing

    Not available at this time.

  6. #6
    The email appears to be coming from someone in Australia (60.225.59.141) using your domain name as their email address... I see quite a lot of spam using that method, however I don't "think" it's coming from your server.

    Are there a lot of messages in the Mail Queue?
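    Pat H's reading of the Received chain, done programmatically. This is an added example, not code from this thread, cPanel or Exim: it unfolds the headers posted above, walks the hops from the earliest to the latest and reports the first hop that entered from an address that is not one of the server's own. The own_ips set, the own_domain argument and the decision to flag a HELO of "localhost" (or of the server's own domain) arriving from a foreign address are assumptions of the example.

```python
import re

# Constructed sample: the Received chain from the headers posted above,
# in message order (most recent hop first).
SAMPLE_HEADERS = """\
Received: from friends by s4.MYDOMAIN.com with local-bsmtp (Exim 4.52)
     id 1GekxG-0004sL-Rz
     for webmaster@MYDOMAIN2.org; Mon, 30 Oct 2006 23:10:30 -0500
Received: from [70.84.187.194] (helo=tchw4.MYDOMAIN.com)
     by s4.MYDOMAIN.com with esmtps (TLSv1:AES256-SHA:256)
     (Exim 4.52)
     id 1GekxG-0004sD-NA
     for webmaster@MYDOMAIN2.org; Mon, 30 Oct 2006 23:10:26 -0500
Received: from [60.225.59.141] (helo=<localhost>)
     by tchw4.MYDOMAIN.com with smtp (Exim 4.52)
     id 1Gekx8-0005sB-1I
     for donations@MYDOMAIN.com; Mon, 30 Oct 2006 23:10:19 -0500
From: <Amorita15@MYDOMAIN.com>
"""

def received_headers(raw):
    """Unfold RFC 5322 header continuation lines and return the
    Received: values in message order."""
    unfolded = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    return [h[len("Received:"):].strip() for h in unfolded if h.startswith("Received:")]

# Exim's "from [ip] (helo=name) by host" form; local deliveries do not match it.
HOP_RE = re.compile(r"from\s+\[(?P<ip>[\d.]+)\]\s+\(helo=(?P<helo>[^)]+)\)\s+by\s+(?P<by>\S+)")

def injection_point(raw, own_ips, own_domain):
    """Walk the hops from earliest to latest and return the first one whose
    connecting IP is not one of our own servers: that is where the message
    entered. A HELO of 'localhost' or of our own domain from a foreign IP
    is flagged (what SpamAssassin's FORGED_RCVD_HELO hit in the headers above)."""
    for value in reversed(received_headers(raw)):
        m = HOP_RE.search(value)
        if not m or m.group("ip") in own_ips:
            continue
        helo = m.group("helo").strip("<>").lower()
        return {"ip": m.group("ip"), "helo": helo, "by": m.group("by"),
                "forged_helo": helo == "localhost" or helo.endswith(own_domain.lower())}
    return None
```

    With the posted headers and 70.84.187.194 as one of the server's own addresses, the injection point is the smtp hop from 60.225.59.141 with a "localhost" HELO, which is what makes the message look spoofed rather than relayed.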

  7. #7
    Quote Originally Posted by Pat H
    The email appears to be coming from someone in Australia (60.225.59.141) using your domain name as their email address... I see quite a lot of spam using that method, however I don't "think" it's coming from your server.

    Are there a lot of messages in the Mail Queue?
    There are currently 516 messages in the mail queue. Some of them do look suspicious. How can I know more?

    On "View Mail Relayers" I see "nobody" sent 358 messages, root sent 13.

  8. #8
    "Not available at this time"

    Then do a Google search for the RFC detailing SMTP; telnet to port 25 of your box, from another box outside of its network (like from home, or whatever) of permitted SMTP senders/destinations, and follow the RFC through to simulate an SMTP session sending mail from an address "off network" to another address "off network".

    You should see an error rejecting your attempt at some point, if your server is properly configured.

    Yes, I realize this might sound like Greek. But understanding the protocols (not that hard at a basic level) will help you protect yourself in the future.
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  9. #9
    Quote Originally Posted by mwatkins
    "Not available at this time"

    Then do a Google search for the RFC detailing SMTP; telnet to port 25 of your box, from another box outside of its network (like from home, or whatever) of permitted SMTP senders/destinations, and follow the RFC through to simulate an SMTP session sending mail from an address "off network" to another address "off network".

    You should see an error rejecting your attempt at some point, if your server is properly configured.

    Yes, I realize this might sound like Greek. But understanding the protocols (not that hard at a basic level) will help you protect yourself in the future.
    OK, I'll try, thanks.
    Last edited by liorchen; 11-01-2006 at 10:55 AM.

  10. #10
    Quote Originally Posted by mwatkins
    "Not available at this time"

    Then do a Google search for the RFC detailing SMTP; telnet to port 25 of your box, from another box outside of its network (like from home, or whatever) of permitted SMTP senders/destinations, and follow the RFC through to simulate an SMTP session sending mail from an address "off network" to another address "off network".

    You should see an error rejecting your attempt at some point, if your server is properly configured.

    Yes, I realize this might sound like Greek. But understanding the protocols (not that hard at a basic level) will help you protect yourself in the future.
    This is what I get:

    Code:
    220-tchw4.MYDOMAIN ESMTP Exim 4.52 #1 Wed, 01 Nov 2006 10:02:52 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    HELO LIOR
    250 tchw4.MYDOMAIN Hello LIOR [MYIP]
    mail from:webmaster@MYDOMAIN2.org
    250 OK
    rcpt to:myemail@gmail.com
    550-MYMOSTNAME (LIOR) [MYIP]:2805 is currently not
    550-permitted to relay through this server. Perhaps you have not logged into
    550-the pop/imap server in the last 30 minutes or do not have SMTP
    550 Authentication turned on in your email client.
    or when using a local domain:
    Code:
    220-tchw4.mydomain.com ESMTP Exim 4.52 #1 Wed, 01 Nov 2006 10:12:35 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    helo lior
    250 tchw4.rjhnet.com Hello lior [ip]
    mail from:webmaster@mydomain.com
    250 OK
    rcpt to:myemail@gmail.com
    550-Verification failed for <webmaster@mydomain.com>
    550-no such address here
    550 Sender verify failed
    Last edited by liorchen; 11-01-2006 at 11:14 AM.
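    Reading the two sessions above by hand works, but a small parser makes the verdict explicit and handles the multi-line "550-" replies correctly. This is an added example, not code from this thread or from Exim: the REJECTED transcript is adapted from the off-network test posted above (placeholders kept, the banner shortened), and OPEN_RELAY is a constructed session showing what a server that would relay the message answers at the same step.

```python
import re

# Constructed transcripts: REJECTED is adapted from the off-network relay
# test above; OPEN_RELAY is made up to show the answer an open relay gives.
REJECTED = """\
220 tchw4.MYDOMAIN ESMTP Exim 4.52 #1 Wed, 01 Nov 2006 10:02:52 -0500
HELO LIOR
250 tchw4.MYDOMAIN Hello LIOR [MYIP]
mail from:webmaster@MYDOMAIN2.org
250 OK
rcpt to:myemail@gmail.com
550-MYHOSTNAME (LIOR) [MYIP]:2805 is currently not
550-permitted to relay through this server. Perhaps you have not logged into
550-the pop/imap server in the last 30 minutes or do not have SMTP
550 Authentication turned on in your email client.
"""
OPEN_RELAY = """\
220 mx.example.invalid ESMTP
HELO LIOR
250 mx.example.invalid Hello LIOR [MYIP]
mail from:webmaster@MYDOMAIN2.org
250 OK
rcpt to:myemail@gmail.com
250 Accepted
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_session(transcript):
    """Pair each client command with the server reply that followed it.
    Multi-line replies use 'NNN-' continuation lines and end with 'NNN '."""
    steps, command, text = [], None, []
    for line in transcript.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            command = line.strip()  # client command (HELO, MAIL FROM, ...)
            continue
        code, sep, part = m.groups()
        text.append(part)
        if sep == " ":  # final line of this reply
            steps.append((command, int(code), " ".join(text)))
            command, text = None, []
    return steps

def relay_verdict(transcript):
    """Verdict from the reply to RCPT TO: 5xx = the server refused to relay
    (or rejected the sender), 2xx = it would have relayed the message."""
    for command, code, text in parse_session(transcript):
        if command and command.lower().startswith("rcpt to"):
            return ("rejected" if code >= 500 else "accepted" if code < 300 else "tempfail", code, text)
    return "no-rcpt", None, None
```

    Both sessions posted above end in "rejected" at RCPT TO; a result of "accepted" for an off-network sender and recipient pair is the open-relay case the abuse.net test was meant to catch.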

  11. #11
    liorchen - very good - thanks for actually doing the work!

    Now, using the headers you posted earlier, emulate that session. Your IP address will be different, but you'll probably learn something about the situation anyway.

    If that attempt is rejected, then you likely are seeing someone spoof your email addresses but not actually sending through your server (except when the messages are addressed to valid addresses in your domain).

    Not much you can do about that except perhaps try adding SPF records to your DNS, and be sure to report the spam you do receive as spam. Also forward a report/complaint to the spammer's ISP.

  12. #12
    Quote Originally Posted by mwatkins
    liorchen - very good - thanks for actually doing the work!

    Now, using the headers you posted earlier, emulate that session. Your IP address will be different, but you'll probably learn something about the situation anyway.

    If that attempt is rejected, then you likely are seeing someone spoof your email addresses but not actually sending through your server (except when the messages are addressed to valid addresses in your domain).

    Not much you can do about that except perhaps try adding SPF records to your DNS, and be sure to report the spam you do receive as spam. Also forward a report/complaint to the spammer's ISP.
    Looks like it also fails:
    550-Verification failed for <amorita15@mydomain.com>
    550-no such address here
    550 Sender verify failed
    Thanks for all your help!

  13. #13
    My pleasure!