Spammers keep using my server (HELP - SOS)
(OP)
I host sites and email via a root server from 1and1.com that is running Plesk Parallel 9.0.1 on Linux 2.6.23.16-20080211a. Spammers keep hacking my server and sending spam to everyone on my server and the world. My server is now blacklisted and does a poor job of blocking received spam. This has been a recurrent problem and 1and1 offers no support since it's an unmanaged server. Any tips and suggested software to add would be much appreciated.

Plesk Mail Configuration:
authorization is required: SMTP

DomainKeys spam protection: Verify incoming mail

SPF spam protection: Only create Received
SPF local rules: include:spf.trusted-forwarder.org

Names for POP3/IMAP mail accounts: Only use of full POP3/IMAP mail accounts names is allowed

Thanks,
Paul

RE: Spammers keep using my server (HELP - SOS)

I also read your thread in the apache forum and I'm not sure this is really a sendmail or apache problem. First, what makes you think that you've been 'hacked'? In the other thread, you mention that your mail server is not an open relay - please confirm using mxtoolbox: run the lookup, then the diagnostic. http://www.mxtoolbox.com/

What else is running besides apache & the mail server?  Are you running a CMS, bulletin board, or unsecured contact forms?  My gut tells me that it's probably something else.

RE: Spammers keep using my server (HELP - SOS)

(OP)
Thanks smah.  This is probably more of a qmail issue.  Went to the website and smtp diagnostics verified it is not an open relay.

The only scripts I can think of that may be exploited are nms formmail and mail.php.  

All my users get tons and tons of Russian spam.  I also get spam sent to me with spoof addresses from domains on my server that contain viruses.  Also, if I check the mail queue, it's filled with spam messages.  I got lucky by calling 1and1 in the middle of the night one day and got a tech who was a little more open to helping me (I guess he was bored).  He said spammers were definitely using my server and could see them in real time.  He did something (not sure what) to stop them but it didn't last long.   

RE: Spammers keep using my server (HELP - SOS)

If your SMTP server is authenticating then they may be using a vulnerability in a mail script on your server. For example, some CMS programs such as phpnuke and the like have security leaks out the wazoo. Hackers not only look for vulnerabilities in mail scripts but MySQL server as well. Scripts do not use the SMTP port, they access sendmail directly from the command mode. Sendmail is most often set up to relay mail from a localhost or localdomain without authentication. You need to make sure this is not how they are getting in. One way of telling is that in the header information it will say that the mail is from apache@localhost.localdomain. As you can see there are quite a few ways for hackers to get in and do the things you say.

One way of narrowing it down would be to know how they are getting in. First look at your logs. You will be able to see who is doing what on your system. Whether it's apache's access and error logs or your mail log, something is bound to show up. If you see anything that you are not sure about, copy and paste a segment of it here and we will take a look. Another way of checking is to do a web search for "open relay test". You should get a list of sites that will try to send mail through your server using the most common methods used by spammers.

Once we find and correct the problem, you need to try to get your good name back. Here is an address with info on how to go about doing that. There is a box where you can enter the IP of your server and you will get a list of all the blacklists you are on. Mind you, you do not need to be an open relay to be blacklisted. It can be something as stupid as the hostname of the machine your server is running on. Anyway, have a look and you should find everything you need to get back in their good graces. http://www.iinet.com/support/answer.php?id=83

Keep in touch and let us know how things are coming along.     
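The reply above suggests two checks: look at message headers for mail injected locally as the web server user (the "apache@localhost.localdomain" trace), and look at the logs or queue to see who is sending what. The script below is an added example written for this thread, not code from the poster or from Plesk/qmail; it runs over a few constructed header blocks (both sendmail-style "(from apache@localhost)" and qmail-style "(qmail N invoked by uid N)" traces) and reports which messages were injected by a web user and which From: addresses dominate. The web user names and uid 48 are assumptions for the example; set them from your own /etc/passwd.

```python
"""Triage outbound-queue headers for locally injected spam.

Added example for the Tek-Tips thread, not part of the original posts.
Intended to be run over messages found in your own server's outbound
queue, where a local-submission trace from the web user means a web
script (formmail, mail.php, a CMS) generated the message.
"""
import re
from collections import Counter

# Accounts that web-facing scripts typically run as, and the numeric uid
# that qmail records for local injection.  Assumption: apache/www-data/
# nobody, uid 48 (apache on Red Hat style systems); adjust for your box.
WEB_USERS = {"apache", "www-data", "nobody"}
WEB_UIDS = {48}

# sendmail/postfix style local submission: "Received: (from apache@localhost)"
LOCAL_FROM_RE = re.compile(r"^Received:\s*\(from\s+([\w.-]+)@localhost",
                           re.M | re.I)
# qmail style local submission: "Received: (qmail 4321 invoked by uid 48);"
QMAIL_UID_RE = re.compile(
    r"^Received:\s*\(qmail\s+\d+\s+invoked\s+by\s+uid\s+(\d+)\)", re.M | re.I)
# Address part of the From: header, with or without a display name.
FROM_RE = re.compile(r"^From:\s*.*?<?([\w.+-]+@[\w.-]+)>?\s*$", re.M | re.I)

# Constructed sample headers (made up for this example, not real traffic).
SAMPLE_MESSAGES = [
    # 1: injected by a web script running as apache (sendmail-style trace)
    "Received: (from apache@localhost)\n"
    "\tby mail.example.invalid (8.13.8/8.13.8/Submit) id n2BAbc123; "
    "Thu, 12 Mar 2009 03:14:15 +0100\n"
    "From: support@example.invalid\n"
    "To: victim1@example.net\n"
    "Subject: Cheap pills\n",
    # 2: submitted by an authenticated user over SMTP (normal outbound)
    "Received: from [192.0.2.10] (helo=laptop)\n"
    "\tby mail.example.invalid with esmtpa; Thu, 12 Mar 2009 09:00:00 +0100\n"
    "From: Paul <paul@example.invalid>\n"
    "To: client@example.org\n"
    "Subject: Invoice\n",
    # 3: qmail-style local injection by uid 48
    "Received: (qmail 4321 invoked by uid 48); 12 Mar 2009 03:14:16 -0000\n"
    "From: support@example.invalid\n"
    "To: victim2@example.net\n"
    "Subject: Cheap pills\n",
    # 4: qmail message that arrived from the network (normal inbound)
    "Received: (qmail 4400 invoked from network); 12 Mar 2009 10:00:00 -0000\n"
    "From: Friend <friend@example.org>\n"
    "To: paul@example.invalid\n"
    "Subject: Lunch\n",
]


def local_web_injection(headers):
    """Return the web user (or 'uid N') that injected the message locally,
    or None when no local-submission trace from a web user is present."""
    m = LOCAL_FROM_RE.search(headers)
    if m and m.group(1).lower() in WEB_USERS:
        return m.group(1).lower()
    m = QMAIL_UID_RE.search(headers)
    if m and int(m.group(1)) in WEB_UIDS:
        return "uid %s" % m.group(1)
    return None


def from_address(headers):
    """Extract the From: address, lower-cased, or None if absent."""
    m = FROM_RE.search(headers)
    return m.group(1).lower() if m else None


def triage(messages):
    """Summarise a list of raw header blocks: indexes of messages injected
    by the web user, and how many messages each From: address accounts for."""
    injected = [i for i, h in enumerate(messages) if local_web_injection(h)]
    senders = Counter(from_address(h) for h in messages)
    return {"injected": injected, "senders": senders}


if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGES)
    print("messages injected by the web user:", result["injected"])
    for sender, n in result["senders"].most_common():
        print("%4d  %s" % (n, sender))
```

On the sample data this flags messages 1 and 3 (both claiming to be from support@example.invalid) and leaves the authenticated submission and the inbound message alone. A burst of messages from one From: address that all carry a web-user trace points at a script on the web side rather than at an SMTP relay problem, which is the distinction the reply above is drawing.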

RE: Spammers keep using my server (HELP - SOS)

Sorry for stepping on your post smah. We must have answered this about the same time but I went to get a cup of joe in the middle of my reply and got called away. When I came back, I submitted my reply and went to work on other things. When I checked this thread this morning, it looks like I went over the same things you guys already talked about. I didn't go over the issue of receiving spam because receiving all the spam in the world won't get a server blacklisted so I wanted to address that issue first. Once the server is secure, you can use Procmail and SpamAssassin to deal with incoming spam and junk mail. There is also an antivirus program called clamav which can be set up to check your file system and mail for viruses. All these are open source.
RE: Spammers keep using my server (HELP - SOS)

(OP)
Thanks RhythmAce! Will do everything you suggested. I actually have SpamAssassin installed on the server (with the "score" set to 7). To make matters worse, now emails I send to other users are marked as spam even though my email address is on the whitelist AND the user's Outlook has my email addy configured as not spam. Go figure?