• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 775

QMAIL SPAM ISSUE UNIX

QMAIL PROBLEM: SPAMMERS may BE USING MY MAIL SERVER qmail-send program FOR MALICIOUS PURPOSES, I need confirmation and a successful patch.

This is the mail alert I'm receiving every minute or so from some comcast IP addresses:


-------------------------------------------------------------------------------------
Hi. This is the qmail-send program at mail.MYDOMAIN.com.
I tried to deliver a bounce message to this address, but the bounce bounced!

<hackattempt@attackersdomain.com>:
Sorry, I couldn't find any host by that name. (#4.1.2)
I'm not going to try again; this message has been in the queue too long.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 2290 invoked for bounce); 17 Jul 2007 13:37:11 -0000
Date: 17 Jul 2007 13:37:11 -0000
From: MAILER-DAEMON@mail.MYDOMAIN.com
To: MYADMINACCOUNT@MYDOMAIN.com
Subject: failure notice

Hi. This is the qmail-send program at mail.MYDOMAIN.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ypfjv@MYDOMAIN.com>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <hackattempt@domain.com>
Received: (qmail 1538 invoked by uid 108); 17 Jul 2007 13:36:53 -0000
Received: from mxin2.mailhop.org (HELO mhfr-06-bos.dyndns.com) (63.208.196.176)
  by mail.MYDOMAIN.com with SMTP; 17 Jul 2007 13:36:53 -0000
Received: from localhost ([127.0.0.1] helo=mhfr-06-bos.dyndns.com)
by mhfr-06-bos.dyndns.com with esmtp (Exim 4.67)
(envelope-from <hackattempt@domain.com>)
id 1I9DmL-000Psc-So
for ypfjv@MYDOMAIN.com; Fri, 13 Jul 2007 01:33:22 -0400
Received: from c-69-142-215-178.hsd1.nj.comcast.net ([69.142.215.178])
by mhfr-06-bos.dyndns.com with smtp (Exim 4.67)
(envelope-from <ykun@pgnmail.com>)
id 1I9DmG-000Pom-P9
for ypfjv@servak.com; Fri, 13 Jul 2007 01:33:16 -0400
Received: from ypbyc ([43.114.181.40]) by c-69-142-215-178.hsd1.nj.comcast.net with Microsoft SMTPSVC(6.0.3790.1830); Fri, 13 Jul 2007 01:25:36 -0400
Message-ID: <46970CD0.1010703@pgnmail.com>
Date: Fri, 13 Jul 2007 01:25:36 -0400
From: Ferrell <ykun@pgnmail.com>
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To: ypfjv@MYDOMAIN.com
Subject: He is believed to be hiding with al-Qaeda leader Bin Laden on the Afghan-Pakistan border.
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mail-Handler: MailHop by DynDNS
X-Originating-IP: 69.142.215.178
X-Spam-Score: 6.0 (++++++)

SZSN Expands To Become 3rd Largest Agricultural Seed Provider!

Shandong Zhouyuan Seed and Nursery Co., Ltd (SZSN)
$0.24


------------------------------------------------------------------

I receive TONS of these spams with a different (random) user account.
Basically, I feel someone is trying to guess an account that is valid on my server and from that point on the attacker will flood my mailbox.

Has anyone seen this before? How can I fix it?

I'm a beginner with qmail, so step-by-step would be appreciated (I know unix well enough though).

Best Regards,
Cyber
0
Asked:
cyberpassion
1 Solution
 
grbladesCommented:
I don't use qmail myself, but I have an idea what might be going wrong.

What I suspect is happening is that your qmail configuration is accepting all mail for your domain, and only after it is accepted does it check to see if the recipient is valid. If it is not, it then tries to send a non-delivery report.
If the non-delivery mail is rejected, which is highly likely, then qmail will have to abort. Often these failed messages are just logged and discarded, but in your case it must be sending a message to the postmaster instead.

The way around this problem is to reject mail to invalid recipients straight away.
0
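The notice quoted in the question is a qmail double bounce: the server accepted mail for a non-existent local user (#5.1.1), generated a bounce to the forged envelope sender, that bounce could not be delivered (#4.1.2), and qmail then mailed the whole chain to the postmaster. The following script is an added example, not part of the original thread or of qmail, that confirms this pattern from a batch of such notices: it extracts the failed recipient, the unreachable bounce target and the relay that handed the message to the server, then flags the batch as backscatter when every recipient was unknown. The sample messages are constructed from the headers in the question (trimmed, with placeholder addresses); `OUR_HOST`, the second sample's local part and the third sample's relay are assumptions.

```python
import re
from collections import Counter

# Assumption: the host named in the qmail notice ("This is the qmail-send program at ...").
OUR_HOST = "mail.MYDOMAIN.com"


def make_sample(rcpt, sender, relay, ip):
    """Constructed double bounce modelled on the notice in the question (headers trimmed)."""
    return f"""Hi. This is the qmail-send program at {OUR_HOST}.
I tried to deliver a bounce message to this address, but the bounce bounced!

<{sender}>:
Sorry, I couldn't find any host by that name. (#4.1.2)
I'm not going to try again; this message has been in the queue too long.

--- Below this line is the original bounce.

Return-Path: <>
From: MAILER-DAEMON@{OUR_HOST}
Subject: failure notice

<{rcpt}>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <{sender}>
Received: (qmail 1538 invoked by uid 108); 17 Jul 2007 13:36:53 -0000
Received: from {relay} (HELO {relay}) ({ip})
  by {OUR_HOST} with SMTP; 17 Jul 2007 13:36:53 -0000
To: {rcpt}
Subject: SZSN Expands To Become 3rd Largest Agricultural Seed Provider!
"""


# Constructed batch: two notices from the relay seen in the question, one from elsewhere.
SAMPLES = [
    make_sample("ypfjv@MYDOMAIN.com", "hackattempt@attackersdomain.com",
                "mxin2.mailhop.org", "63.208.196.176"),
    make_sample("qzkwt@MYDOMAIN.com", "hackattempt@attackersdomain.com",
                "mxin2.mailhop.org", "63.208.196.176"),
    make_sample("alice@MYDOMAIN.com", "bob@example.org", "mx.example.org", "192.0.2.10"),
]

SEPARATOR = re.compile(r"^--- Below this line .*$", re.M)
# "<address>:" followed on the next line by qmail's explanation and "(#x.y.z)" status.
FAILURE = re.compile(r"^<([^>]+)>:\n.*?\(#(\d\.\d\.\d)\)", re.M)
RETURN_PATH = re.compile(r"^Return-Path: <([^>]*)>", re.M)


def received_regex(our_host):
    # The Received line written by our own qmail-smtpd: "from <name> ... (<ip>) by <our host>".
    return re.compile(r"^Received: from (\S+)[^\n]*?\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by "
                      + re.escape(our_host), re.M)


def parse_double_bounce(text, our_host=OUR_HOST):
    """Split a qmail 'bounce bounced' notice into its three parts and pull out the evidence."""
    notice, bounce, original = SEPARATOR.split(text, maxsplit=2)
    notice_m = FAILURE.search(notice)      # where the bounce was sent and why it failed
    bounce_m = FAILURE.search(bounce)      # which local recipient did not exist
    rp = RETURN_PATH.search(original)      # envelope sender of the original spam
    recv = received_regex(our_host).search(original)
    return {
        "bounce_to": notice_m.group(1), "bounce_status": notice_m.group(2),
        "failed_rcpt": bounce_m.group(1), "failed_status": bounce_m.group(2),
        "envelope_from": rp.group(1) if rp else "",
        "relay": recv.group(1) if recv else "",
        "relay_ip": recv.group(2) if recv else "",
    }


def summarize(messages, our_host=OUR_HOST):
    """Aggregate a batch of notices: relays, local parts tried, and a backscatter verdict."""
    parsed = [parse_double_bounce(m, our_host) for m in messages]
    local_parts = [p["failed_rcpt"].split("@")[0] for p in parsed]
    unknown_user = sum(p["failed_status"] == "5.1.1" for p in parsed)
    # Every message was accepted for a non-existent mailbox and every bounce was
    # undeliverable: the server is generating backscatter, not being "hacked".
    backscatter = unknown_user == len(parsed) and len(parsed) > 0
    return {
        "count": len(parsed),
        "relays": Counter(p["relay_ip"] for p in parsed),
        "unknown_user": unknown_user,
        "local_parts": local_parts,
        "looks_like_backscatter": backscatter,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLES).items():
        print(f"{k}: {v}")
```

Run it over the real notices (one file per message) by replacing `SAMPLES` with the file contents. The relay counter and the list of local parts give the evidence the question asks for: distinct random local parts, all rejected with #5.1.1 only after acceptance, mostly from one relay. Note that in stock qmail the address that receives double bounces is the one in `control/doublebounceto` (default `postmaster`, per qmail-control(5)), so the notices can be redirected, but only rejecting unknown recipients at RCPT TO time, as the answer above recommends, stops the bounces from being generated in the first place.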
 
grbladesCommented:
Here is an example patch for qmail.
http://qmail.jms1.net/patches/validrcptto.cdb.shtml
0
 
cyberpassionAuthor Commented:
Thanks!
I will try that very soon, and let you know if it worked. It does make a lot of sense... I just wonder if I really need to apply an unknown (be it genuine) system of patches (since my system isn't broken per se). I might prefer just knowing what file to change so the receipts are discarded instead of being sent to postmaster... if you figure out how to do only this part, please let me know.

In the meantime, I'll get back to you on the result (and I will gladly give you the points!)
0
 
grbladesCommented:
I am not sure what form the patches take, but in most cases you use the Linux 'patch' command to modify the source code with the patch supplied and then recompile it. The patch file is a text file which just contains a list of line numbers and the lines to be removed or added (basically the output of the diff command, in case you are familiar with it). You can therefore have a look at the patch file and see for yourself exactly what changes are being made.
0
 
Computer101Commented:
Forced accept.

Computer101
EE Admin
0
