Hi Folks,
I have been having a persistent issue the last few days with a bot using
my server as a relay to send spam. The other day I had 24,000 spam
messages stuck in my qmail queue. I used qmail-remove to remove all
these messages, and this spammer is using a consistent (fake) from
address on my server and is using a consistent netblock in China so I
used iptables to just block the whole network. But I would like to
figure out why the messages are being accepted.
Here's an example from the log:
@4000000049b3f675121b5e4c tcpserver: pid 32237 from 121.206.74.211
@4000000049b3f675121b6234 tcpserver: ok 32237 0:65.98.207.151:25 :121.206.74.211::2...
@4000000049b3f67a155cba24 CHKUSER accepted sender: from <ty...@bella2.srihosting.com:anonymous:> remote <F35D3CCB236648E:unknown:121.206.74.211> rcpt <> : sender accep...
@4000000049b3f67a155cc5dc CHKUSER relaying rcpt: from <ty...@bella2.srihosting.com:anonymous:> remote <F35D3CCB236648E:unknown:121.206.74.211> rcpt <yt...@yaho.cn> : client allowed to relay
@4000000049b3f68a372996f4 simscan:[32237]:RELAYCLIENT:16.5675s:-:121.206.74.211:ty...@bella2.srihosting.com:yt...@yaho.cn:
(bella2.srihosting.com is the local system name and was in the RCPT
hosts file until the other day when I removed it, hoping that would
help. We do not receive email on that domain.)
Here's a header from one of the messages:
Received: (qmail 22570 invoked by uid 89); 9 Mar 2009 03:40:25 -0000
Received: by simscan 1.3.1 ppid: 21148, pid: 22563, t: 0.7776s
scanners: attach: 1.3.1 clamav: 0.94.1/m:
Received: from unknown (HELO F35D3CCB236648E) (anonym...@121.206.73.92)
by 0 with ESMTPA; 9 Mar 2009 03:40:24 -0000
From: =?gb2312?B?zuTPwMPUYm80NTgxOTg50rsyMDA5?=
<ty...@bella2.srihosting.com>
Subject: =?gb2312?B?MjAwOb3wxcbTzs+3zfVibzQ1ODE5ODk=?=
To: bo4581...@yahoo.com.cn
Content-Type: text/html;
charset="gb2312"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Date: Mon, 9 Mar 2009 11:40:45 +0800
My rcpthosts file contains only two lines:
bella-solar.com
bellaenergy.com
I am using POP before SMTP, but every time I check that file, I can't
find that IP/netblock in it, so it shouldn't be allowed to relay from
that address.
My tcp.smtp file looks like this:
127.:allow,RELAYCLIENT=""
:allow,QMAILQUEUE="/var/qmail/bin/simscan"
(I'm not sure what the second line does, or if perhaps this is a source
of my problems? Is it allowing all mail to pass through to simscan?)
I've manually attempted to relay through telnet but am always blocked.
Why is CHKUSER allowing this client to relay? How do I go about figuring
this out? I thought I generally understood how qmail worked, but trying
to solve this has shown me I'm not quite there yet.
Any help any of you folks could provide in solving this issue would be
greatly appreciated.
AJ
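As an added illustration (example code written for this page, not part of the original post and not code from qmail, chkuser or simscan), the following Python script shows how to answer the question in the post mechanically. It looks up a client IP in tcp.smtp the way tcpserver does for IP rules (exact address, then shorter dotted prefixes such as `121.206.74.`, `121.206.` and `121.`, then the empty default rule; host-name rules and address ranges are left out), and then reads CHKUSER and Received: lines to tell a RELAYCLIENT grant from tcp.smtp apart from one made by SMTP AUTH. RFC 3848 defines `with ESMTPA` in a Received: header as ESMTP with authentication, which is the fact the classifier relies on. The sample tcp.smtp, the log lines and every address and name in them are constructed; reading the middle field of chkuser's `from <mailfrom:info:>` triple as qmail-smtpd's remoteinfo (the user part of `user@ip` in the Received: header, which the SMTP AUTH patch fills with the authenticated user name) is an assumption drawn from the log in the post.

```python
"""Added example (not the poster's code): find the path that let a qmail-smtpd
session relay, from tcp.smtp rules plus CHKUSER / Received: log lines.

qmail-smtpd relays whenever the RELAYCLIENT environment variable is set.
Two things set it: a matching tcp.smtp rule (tcpserver exports the variables
named in the rule) and, on a server built with the SMTP AUTH patch, a
successful AUTH command. RFC 3848 defines "with ESMTPA" in a Received:
header as "ESMTP with authentication", so that keyword identifies the second
path even when the client's IP is in no relay rule.
"""
import re

# Constructed input shaped like the tcp.smtp in the post (two rules, no ranges).
TCP_SMTP = '''127.:allow,RELAYCLIENT=""
:allow,QMAILQUEUE="/var/qmail/bin/simscan"
'''

# Constructed log lines modelled on the post's CHKUSER and Received: formats.
# Hosts, users and addresses are made-up example values.
SAMPLE_LOG = [
    'CHKUSER relaying rcpt: from <spam@bella2.example.com:anonymous:> '
    'remote <F35D3CCB236648E:unknown:121.206.74.211> rcpt <victim@example.cn> '
    ': client allowed to relay',
    'Received: from unknown (HELO F35D3CCB236648E) (anonymous@121.206.74.211) '
    'by 0 with ESMTPA; 9 Mar 2009 03:40:24 -0000',
    'CHKUSER relaying rcpt: from <cron@localhost::> '
    'remote <localhost:localhost:127.0.0.1> rcpt <admin@example.net> '
    ': client allowed to relay',
    'Received: from localhost (HELO localhost) (@127.0.0.1) '
    'by 0 with SMTP; 9 Mar 2009 03:41:00 -0000',
    'CHKUSER rejected relaying: from <x@example.org::> '
    'remote <mail:unknown:203.0.113.5> rcpt <someone@example.com> '
    ': client not allowed to relay',
]

# chkuser: from <mailfrom:remoteinfo:...> remote <helo:rdns:ip> rcpt <addr>
CHKUSER_RE = re.compile(
    r"CHKUSER (?P<verdict>[\w ]+?): from <(?P<mailfrom>[^:>]*):(?P<info>[^:>]*):[^>]*> "
    r"remote <(?P<helo>[^:>]*):(?P<rdns>[^:>]*):(?P<ip>[^>]*)> rcpt <(?P<rcpt>[^>]*)>")
# qmail-smtpd: Received: from host (HELO x) (remoteinfo@ip) by me with PROTO;
RECEIVED_RE = re.compile(
    r"Received: from \S+ \(HELO [^)]*\) \((?P<info>[^@)]*)@(?P<ip>[^)]+)\) "
    r"by \S+ with (?P<proto>\w+)")


def parse_tcp_smtp(text):
    """Return [(address, action, {ENV: value})] per rule (no commas inside values)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        fields = rest.split(",")
        env = {}
        for kv in fields[1:]:
            key, _, value = kv.partition("=")
            env[key] = value.strip('"')
        rules.append((addr, fields[0], env))
    return rules


def lookup_tcp_smtp(rules, ip):
    """tcprules lookup order for a bare IP (assumption: no host names, no ranges):
    the exact address, then '1.2.3.', '1.2.', '1.', then the empty default rule.
    File order is irrelevant. With no matching rule tcpserver allows the
    connection and sets nothing."""
    by_addr = {addr: (action, env) for addr, action, env in rules}
    octets = ip.split(".")
    keys = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in by_addr:
            return key, by_addr[key]
    return None, ("allow", {})


def classify(ip, info, proto, rules):
    """Explain why a session from `ip` could relay (or that no path was found)."""
    key, (action, env) = lookup_tcp_smtp(rules, ip)
    if action == "deny":
        return "denied by tcp.smtp rule %r" % key
    if "RELAYCLIENT" in env:
        return "RELAYCLIENT from tcp.smtp rule %r" % key
    if proto == "ESMTPA":
        return "SMTP AUTH as %r (tcp.smtp rule %r sets no RELAYCLIENT)" % (info, key)
    if info:
        return "remoteinfo %r set without ESMTPA; check SMTP AUTH and identd" % info
    return "no relay path found for this session"


def analyze(lines, rules):
    """Merge CHKUSER and Received: lines per client IP, then classify each IP."""
    sessions = {}
    for line in lines:
        m = CHKUSER_RE.search(line) or RECEIVED_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["ip"], {"info": "", "proto": ""})
        s["info"] = s["info"] or m["info"]
        if "proto" in m.groupdict():
            s["proto"] = m["proto"]
    return {ip: classify(ip, s["info"], s["proto"], rules) for ip, s in sessions.items()}


if __name__ == "__main__":
    for ip, reason in sorted(analyze(SAMPLE_LOG, parse_tcp_smtp(TCP_SMTP)).items()):
        print("%-16s %s" % (ip, reason))
```

Run as a script it prints one line per client IP. The lookup also shows what the second tcp.smtp line does: the empty address matches every client that no more specific rule covers, so every such session gets QMAILQUEUE pointed at simscan, but that rule sets no RELAYCLIENT; in this model RELAYCLIENT comes only from the `127.` rule or from a successful AUTH.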