Mailenable Possibly Sending Out Spam But Nothing In Logs

Feb 22, 2007

My server running MailEnable is possibly sending out spam, because I've had a returned mail saying my IP is on a blacklist at CBL.

IP Address 64.X.X.10 was found in the CBL.

It was detected at 2007-02-17 13:00 GMT (+/- 30 minutes), approximately 5 days, 5 hours, 30 minutes ago.

However, when I checked my SMTP and POP logs, I only saw small amounts of mail that had been delivered.

When I run the netstat command I have the following connections. The ones to the .nl domain look strange.

C:\Documents and Settings\Administrator>netstat

Active Connections

  Proto  Local Address   Foreign Address                    State
  TCP    server:telnet   server.indis.nl:3409               CLOSE_WAIT
  TCP    server:telnet   server.indis.nl:3410               CLOSE_WAIT
  TCP    server:epmap    dsl10-037.express.oricom.ca:2253   ESTABLISHED
  TCP    server:1121     ipchicken.com:http                 CLOSE_WAIT
  TCP    server:1122     ipchicken.com:http                 CLOSE_WAIT
  TCP    server:1136     ipchicken.com:http                 CLOSE_WAIT
  TCP    server:1138     ipchicken.com:http                 CLOSE_WAIT
  TCP    server:1199     ecostumeshop.com:domain            ESTABLISHED
  TCP    server:telnet   server.indis.nl:3326               CLOSE_WAIT


Sending Spam

Feb 13, 2007

Someone is sending spam using my SMTP on qmail. I have authentication on sending messages, but my host company is complaining about spam messages that are being sent to numerous emails. Is there any solution? Or how to fix that...


Sending Spam

Sep 17, 2007

I have been able to get my server to notify me fast enough so I can delete the account and all the messages sent by that user fast enough. Taking too long might result in getting blacklisted, etc.

So, my question is, how can I prevent something like this? Isn't there a way to completely disable mail for an account (cPanel server) so they can't send mail in the first place? Or, is there a way to somehow silently discard all the eMail sent by a user in a specific group?


Email Sending To Spam Box

Jun 5, 2009

One of our dedicated servers hosts only one website and uses vBulletin.
We are unhappy about sending mail, as it goes to the spam box.

But we see that some websites send a lot of mail. For example, they have 1,000,000 users and send email to them every day, but their email goes to the inbox.

What can we do about it?


Server Sending Spam

Jan 11, 2009

I currently have a dedicated server, Linux, with 1 website on it that is sending spam.

At first I thought it was someone spoofing my email address, however when I check my server's email queue I can see the spam emails in there being sent.

My problem is that I have contacted my server provider and support for the scripts I'm running, and everyone is saying it's the other person's fault. My server provider is saying everything is up to date and it must be a software exploit on one of my scripts, and the support team from my software is saying it's not them, that it's the server.


Somebody Is Sending Spam To My Email

Dec 3, 2008

I have been receiving a lot of spam emails with the from and to address being the same email of my domain, with the content being "click here to see web page" or an image link of a viagra shop. Sometimes it is sent with the title "delivery status failure".

I checked the mail headers and it seems that they do not originate with the contact form, since I used a captcha to protect it.


Apache Sending Spam

Aug 29, 2007

Yesterday my mail logs started showing many a spam email being sent from my server. There isn't anything mission critical running on it, so I took down qmail until I could find the vulnerability and fix it. But try as I might, I haven't found any conclusive vulnerability, so I thought to ask here where someone with more experience might spot something obvious that I've missed (I'm still somewhat new to this).

Anyway, the qmail logs show that the messages came from uid 48, apache. Log excerpt (sending of first spam mail):

Quote:

Aug 28 11:10:51 host qmail-queue[8056]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Aug 28 11:10:51 host qmail-queue[8056]: scan: the message(drweb.tmp.TNDOi2) sent by anonymous@HOSTNAME to SPAMADDRESS should be passed without checks, because contains uncheckable addresses
Aug 28 11:10:51 host qmail: 1188295851.742521 new msg 51970054
Aug 28 11:10:51 host qmail: 1188295851.742679 info msg 51970054: bytes 445 from <anonymous@HOSTNAME> qp 8057 uid 48
Aug 28 11:10:51 host qmail: 1188295851.752799 starting delivery 460: msg 51970054 to remote SPAMADDRESS
Aug 28 11:10:51 host qmail: 1188295851.752933 status: local 0/10 remote 1/20

Unfortunately, my Apache logs have no entries around the time when these messages were sent. There are some suspect "CONNECT" requests scattered throughout the logs, but all are denied with 405's, and none correspond exactly with the time of the spam. Example (from about 3 hours after the spam):

Quote:

210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "CONNECT 205.158.62.146:25 HTTP/1.0" 405 235 "-" "-"
210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "PUT [url] HTTP/1.0" 405 231 "-" "-"
210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "POST [url] HTTP/1.0" 200 2 "-" "-"

(The fact that the final query wasn't denied worries me slightly though. Does anyone have any insight?)

I'm not sure where to go from here. I'm concerned about the lack of logs by Apache. There's a nine hour period without any entries; not unusual for my server given that it's not very active, but the time when the spam was sent falls in this time period. I've checked for common security issues, but qmail is configured only to relay from localhost, and Apache isn't configured as an open proxy. Are there any other common issues I should check for? Is there any other information I should post here to help identify the problem?

I'm running Apache version 2.0.52, and qmail 1.03.

I'd be very grateful for any help or links to relevant HOWTOs.


Abusing Box By Sending Out Spam

Dec 24, 2007

My server is being used for sending out spam email using SMTP auth on the server. I have failed to recognize it using phpnobody spam.

The email headers are as below:

[root@serverl ~]# /root/qmHandle -m38168420

--------------
MESSAGE NUMBER 38168420
--------------
Received: (qmail 19615 invoked from network); 21 Dec 2007 11:14:02 -0500
Received: from 124-8-103-212.dynamic.tfn.net.tw (HELO lzbldm) (124.8.103.212)
by ip-xx-xx-xxx-229.static.priatdns.com with SMTP; 21 Dec 2007 11:14:02 -0500
Message-ID: <003761451621$48031823$28802762@lzbldm>
From: =?big5?B?uPKmaL5sqs6m17uh2VTZVA==?= <twzcgj@ip-72-55-159-229.static.pedns.com>
To: <ahyu327@yahoo.com.tw>,
<r820309@yahoo.com.tw>,
<janejanexxx@yahoo.com.tw>,
<mirror8210@yahoo.com.tw>,
<angr34@yahoo.com.tw>,
<sungerhuang@yahoo.com.tw>,
<andy422927@yahoo.com.tw>,
<a155882@yahoo.com.tw>,
<tsai1926@yahoo.com.tw>,
<87878787@yahoo.com.tw>,
<joe-5409@yahoo.com.tw>
Subject: =?big5?B?s2+xTqxPp0GzzKvhpECmuLTuqs4=?=
Date: Sat, 22 Dec 2007 00:14:39 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0748_01590CDE.19AA17B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3198
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

This is a multi-part message in MIME format.

The qmail logs are as below

Dec 23 04:22:02 serverl qmail: 1198401722.886024 end msg 38163426
Dec 23 04:22:02 serverl qmail: 1198401722.886435 new msg 38163440
Dec 23 04:22:02 serverl qmail: 1198401722.886630 info msg 38163440: bytes 5274 from <> qp 21043 uid 2522
Dec 23 04:22:02 serverl qmail: 1198401722.897484 starting delivery 247946: msg 38163440 to remote jr1979@freenet.de
Dec 23 04:22:02 serverl qmail: 1198401722.897706 status: local 0/10 remote 9/20
Dec 23 04:22:03 serverl qmail: 1198401723.035092 delivery 247944: failure: 195.4.92.17_does_not_like_recipient./Remote$
Dec 23 04:22:03 serverl qmail: 1198401723.035296 status: local 0/10 remote 8/20
Dec 23 04:22:03 serverl qmail-queue[21076]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Dec 23 04:22:03 serverl qmail-queue[21076]: scan: the message(drweb.tmp.fkOXLe) sent by #@[] to postmaster@cl-t061-160$
Dec 23 04:22:03 serverl qmail: 1198401723.192176 bounce msg 38163423 qp 21076
Dec 23 04:22:03 serverl qmail: 1198401723.192241 end msg 38163423
Dec 23 04:22:03 serverl qmail: 1198401723.193683 new msg 38163429
Dec 23 04:22:03 serverl qmail: 1198401723.193930 info msg 38163429: bytes 5878 from <#@[]> qp 21092 uid 2522
Dec 23 04:22:03 serverl qmail: 1198401723.220191 starting delivery 247947: msg 38163429 to local 9-postmaster@cl-t061-$
Dec 23 04:22:03 serverl qmail: 1198401723.220247 status: local 1/10 remote 8/20
Dec 23 04:22:03 serverl qmail-local-handlers[21111]: starter: submitter[21118] with error code 100
Dec 23 04:22:03 serverl qmail-local-handlers[21111]: mailsend: wait for submitter failed
Dec 23 04:22:03 serverl qmail-local-handlers[21111]: cannot reinject message to mail system
Dec 23 04:22:03 serverl qmail: 1198401723.270544 delivery 247947: failure: This_address_no_longer_accepts_mail./
Dec 23 04:22:03 serverl qmail: 1198401723.270720 status: local 0/10 remote 8/20
Dec 23 04:22:03 serverl qmail: 1198401723.270863 triple bounce: discarding bounce/38163429
Dec 23 04:22:03 serverl qmail: 1198401723.270906 end msg 38163429
Dec 23 04:22:03 serverl pop3d:
Dec 23 04:22:03 serverl qmail: 1198401723.821852 delivery 247946: failure: 195.4.92.17_does_not_like_recipient./Remote$
Dec 23 04:22:03 serverl qmail: 1198401723.821918 status: local 0/10 remote 7/20
Dec 23 04:22:03 serverl pop3d: IMAP connect from @ [71.107.192.162]INFO: LOGIN, user=support, ip=[71.107.192.162]
Dec 23 04:22:03 serverl qmail-queue[21226]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Dec 23 04:22:03 serverl qmail-queue[21226]: scan: the message(drweb.tmp.Ge7OVb) sent by #@[] to postmaster@cl-t061-160$
Dec 23 04:22:04 serverl qmail: 1198401724.007097 bounce msg 38163440 qp 21226
Dec 23 04:22:04 serverl qmail: 1198401724.007177 end msg 38163440
Dec 23 04:22:04 serverl qmail: 1198401724.008599 new msg 38163295
Dec 23 04:22:04 serverl qmail: 1198401724.008829 info msg 38163295: bytes 5837 from <#@[]> qp 21240 uid 2522
Dec 23 04:22:04 serverl qmail: 1198401724.042842 starting delivery 247948: msg 38163295 to local 9-postmaster@cl-t061-$
Dec 23 04:22:04 serverl qmail: 1198401724.042898 status: local 1/10 remote 7/20
Dec 23 04:22:04 serverl qmail-local-handlers[21255]: starter: submitter[21262] with error code 100
Dec 23 04:22:04 serverl qmail-local-handlers[21255]: mailsend: wait for submitter failed
Dec 23 04:22:04 serverl qmail-local-handlers[21255]: cannot reinject message to mail system
Dec 23 04:22:04 serverl qmail: 1198401724.089046 delivery 247948: failure: This_address_no_longer_accepts_mail./
Dec 23 04:22:04 serverl qmail: 1198401724.089108 status: local 0/10 remote 7/20

I tried to grep some more information against the UID but failed:
[root@serverl ~]# grep 2020 /etc/passwd
alias:x:2021:2020:Qmail User:/var/qmail/alias:/bin/false
qmaild:x:2020:2020:Qmail User:/var/qmail/:/bin/false
qmaill:x:2022:2020:Qmail User:/var/qmail/:/bin/false
qmailp:x:2023:2020:Qmail User:/var/qmail/:/bin/false
[root@serverl ~]# grep 2522/etc/passwd

[root@serverl ~]# grep 2522 /etc/passwd
qmails:x:2522:2520:Qmail User:/var/qmail/:/bin/false
psaftp:x:2524:2522:anonftp psa user:/:/bin/false

How can I catch this spammer's domain name hosted on my server? It's a CentOS Plesk 8 server.


Help! My Server Is Sending Out Spam

Apr 2, 2007

I got a 2nd notice from my ISP complaining that spam is being sent from my dedicated box. Since the first notice, I had stopped all the mail-related services (sendmail, mailman, courier-imap), which means no emails will be sent out from this box. However, I still received the 2nd notice for spamming.

I have my own dedicated box running CentOS 4.2 with Plesk 8.1, with 1 site hosted on it.

My concerns are:

1. Is my box hacked in and hijacked to send out spam? If yes, how can I check for system integrity?

2. Based on the service status dump, is there something else I need to do in the meantime to stop the box from sending out spam?

3. If there's someone who is willing to help out, I'm willing to pay a small amount (~$50, sorry I'm broke!) to fix the server and just kinda help me through the process.


QMail Sending All Requests As Spam

Mar 28, 2008

I have a qmail server that is using relays.ordb.org.

As you probably know, this shut down two years ago. But it is now sending all requests as spam. No one is receiving their emails.

This is a standard qmail, with a hacked qmail-send which integrates with mysqld.

It is not installed with qmailrocks or supervise. I can't find the config text file.

How can we remove traces of or references to relays.ordb.org?


Exim :: Catch The User Sending Spam With Mailnull?

May 28, 2009

I have a VPS, but there are too many processes called mailnull.
After that, the data centre closed my server for sending spam.

So how can I catch the user sending spam with mailnull?


Plesk 12.x / Linux :: Sending Lots Of Spam From Server

Nov 8, 2014

I have a Plesk v12.0.18_build1200140606.15 os_CentOS 6 server, using postfix.

Lots of spam is being sent from my server.

I tried: [URL] .... but with no results.

At the moment the /var/log/maillog file is over 5,5GB,

and the /var/log/maillog.processed is over 7,2GB and split into multiple .gz files.

What can I do to find the source of the problem and stop it?


Plesk 11.x / Linux :: Postfix Server Sending Spam

Jul 24, 2014

Somebody is sending spam from my postfix server.

How can I locate the domain causing the problem?


Plesk 12.x / Linux :: Postfix Sending Spam Even If Relay Is Closed

Mar 13, 2015

My postfix is sending such huge amounts of e-mail that I was forced to stop postfix.

Even if I set relaying to closed, disable message submission and disable sendmail, spam is still being sent.

Outgoing mail control reports nothing at all, and if I check my server with online tools to be sure it is not relaying everything is reported fine.


How To Fix: 451 4.1.8 Possibly Forged Hostname

Jun 17, 2009

One of my clients told me he tried to send an email to somebody and he received this error:

The addresses to which the message has not yet been delivered are:

a.......u@a.......t.ro
Delay reason: SMTP error from remote mail server after MAIL FROM:<a.......r@i.....s.ro>:
host mail.a.....t.ro [82.77.203.xx]: 451 4.1.8 Possibly forged hostname for 67.222.136.xx

No action is required on your part. Delivery attempts will continue for some time, and this warning may be repeated at intervals if the message remains undelivered. Eventually the mail delivery software will give up, and when that happens, the message will be returned to you.
Last message received on 17.06.2009 at 16:10

Any idea what it might be? He's having this problem only when he tries to send an email to that email address, and I'm not sure if it's a problem on our server or on their server.


Undefined ORACLE_HOME In Ubuntu Possibly Due To Locales

Apr 27, 2007

I installed Oracle via aptitude on Ubuntu.

Every time I try to access a PHP script with Oracle on it, I get this message:

Quote:

Warning: oci_connect() [function.oci-connect]: OCIEnvNlsCreate() failed. There is something wrong with your system - please check that ORACLE_HOME is set and points to the right directory in /path/to/file.php on line 215

This was on PHP 5.

In my attempts to resolve this problem, here is what I did.

I tried the following with oracle-xe running and while it had been stopped:

Code:
$ . /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle_env.sh

and I saw this message:

Quote:

/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/nls_lang.sh: 114: [[: not found
/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/nls_lang.sh: 114: [[: not found

and here is /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/nls_lang.sh:

Code:
103 # Detertmine the LANGUAGE_TERRITORY part of NLS_LANG
104 # we derive it from the current locale by inspecting the LC_ALL and
105 # the LANG environment variable. Other LC_* environment variables
106 # are not inspected.
107 #
108 if [[ -n "$LC_ALL" ]]; then
109 locale=$LC_ALL
110 elif [[ -n "$LANG" ]]; then
111 locale=$LANG
112 else
113 locale=
114 fi

I then opened /etc/bash.bashrc and tried adding this to the bottom:

Code:
LC_ALL='en_GB'
export LC_ALL

and sourced it but that did not work so I replaced it with this:

Code:
LC_ALL='C'
export LC_ALL

and sourced it but still no luck.

Does anyone know how I could sort this out?


Weird 404 Requests From Hundreds Of Unique IPs : Possibly DDOS

Nov 13, 2008

I went through my error_log and access_log and found out something really peculiar.

I kept getting multiple requests/second for a document that is non-existent, from different IPs.

From the way I see it, it is a mild DDOS.

access_log

221.208.181.38 - - [13/Nov/2008:03:11:00 -0500] "GET /testtxt.txt HTTP/1.1" 404 2088
218.26.203.79 - - [13/Nov/2008:03:11:00 -0500] "GET /testtxt.txt HTTP/1.1" 404 2088
76.172.156.49 - - [13/Nov/2008:03:11:00 -0500] "GET /testtxt.txt HTTP/1.1" 404 2088 ....


Move A Site From One Host To Another Possibly Copy/ghost A VPS Over The Internet

Jan 31, 2009

I am trying to figure out a way to move a site from 1 host to another... The problem is that I don't just have a bunch of HTML files to move... I rented a VPS server for the last year, I believe it was CentOS 5 (OS). I setup several things on the server, MYSQL, FFMPEG, ETC...

I am now wanting to move to a dedicated server HOWEVER I DO NOT WANT TO START ALL OVER AGAIN. The site is rather busy and it is important to do the transition as fast as possible.

SO -- I have used Symantec Ghost before to "clone" a computer before. It basically takes an IMAGE of the entire HD and then you can paste/burn that image on a new HD and it makes a PERFECT copy of the original machine.

BUT - I have NO CLUE how to do this over the internet?


Issues Sending Mail To Yahoo, And Mail Getting Marked As Spam, Whats A Good Solution?

Nov 4, 2008

Issues sending mail to Yahoo, and mail getting marked as spam. What's a good solution? ...


Access Logs And Errors Logs

Jul 25, 2007

Is it possible to delete these files in the server: access_logs and errors_logs?


Helm - MailEnable

Dec 5, 2008

When I click the "Email Accounts" section in Helm, I see "Failed to get Email Accounts". I also can't add any new Email Account.
Helm Log:

Cannot create ActiveX component. at Microsoft.VisualBasic.Interaction.CreateObject(String ProgId, String ServerName) at MailEnable.Administration.Mailbox.GetAutoResponderStatus() at WHA.Helm.Providers.MailEnableProvider.MailEnableEngine.GetAccount(String name) at WHA.Helm.Providers.MailEnableProvider.MailEnableEngine.GetAccountList() at MailEnableProvider.ListEmailAccounts(ProviderData CommandData) ......
