This is a discussion on Re: Spamming throug my mta (Even with rcpthosts in place) within the alt.comp.mail.qmail forums, part of the Mail Servers and Related category.
I'm replying to a 4 month old thread because the problem has started
again. Everything ran great for 4 months but now I'm being used to
send out spam and I don't understand how. All my control files look
good and I'm quite sure I'm not an open relay. As far as I can tell
none of the websites have formmail going of any kind.

I have been getting odd qmail exiting on signal 11 stuff (I posted
elsewhere about this and Dave Sill suggested possibly problems with a
patch, but I haven't applied any. It's an install straight out of Life
with qmail instructions), so possibly there's a connection there.

The real problem is I'm not sure how to continue figuring out what's
wrong. I'd really appreciate any ideas anybody has.

Here's the output of qmail-showctl:

---------
qmail home directory: /var/qmail.
user-ext delimiter: -.
paternalism (in decimal): 2.
silent concurrency limit: 120.
subdirectory split: 23.
user ids: 1002, 1003, 1004, 0, 1005, 1006, 1007, 1008.
group ids: 1002, 1003.

badmailfrom: (Default.) Any MAIL FROM is allowed.
bouncefrom: (Default.) Bounce user name is MAILER-DAEMON.
bouncehost: (Default.) Bounce host name is rackmount.breinerlogistics.com.
concurrencylocal: (Default.) Local concurrency is 10.
concurrencyremote: (Default.) Remote concurrency is 20.
databytes: (Default.) SMTP DATA limit is 0 bytes.
defaultdomain: Default domain name is breinerlogistics.com.
defaulthost: (Default.) Default host name is rackmount.breinerlogistics.com.
doublebouncehost: (Default.) 2B recipient host: rackmount.breinerlogistics.com.
doublebounceto: (Default.) 2B recipient user: postmaster.
envnoathost: (Default.) Presumed domain name is rackmount.breinerlogistics.com.
helohost: (Default.) SMTP client HELO host name is rackmount.breinerlogistics.com.
idhost: (Default.) Message-ID host name is rackmount.breinerlogistics.com.
localiphost: (Default.) Local IP address becomes rackmount.breinerlogistics.com.
locals:
me: My name is rackmount.breinerlogistics.com.
percenthack: (Default.) The percent hack is not allowed.
plusdomain: Plus domain name is breinerlogistics.com.
qmqpservers: (Default.) No QMQP servers.
queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

rcpthosts:
SMTP clients may send messages to recipients at dancingdogdiscs.com.
SMTP clients may send messages to recipients at ncannuityinfo.com.
SMTP clients may send messages to recipients at bonehunter.com.
SMTP clients may send messages to recipients at athensark.org.
SMTP clients may send messages to recipients at athensdiscgolf.com.
SMTP clients may send messages to recipients at atlantadiscgolf.com.
SMTP clients may send messages to recipients at beginnerdiscgolf.com.
SMTP clients may send messages to recipients at breinerlogistics.com.
SMTP clients may send messages to recipients at chickswithdiscs.com.
SMTP clients may send messages to recipients at discgolfed.com.
SMTP clients may send messages to recipients at discgolfoholic.com.
SMTP clients may send messages to recipients at discgolfs.com.
SMTP clients may send messages to recipients at discgolfshop.com.
SMTP clients may send messages to recipients at discgolfsuperstore.com.
SMTP clients may send messages to recipients at discgolftourist.com.
SMTP clients may send messages to recipients at discgopher.com.
SMTP clients may send messages to recipients at donsbachlaw.com.
SMTP clients may send messages to recipients at extremediscgolf-store.com.
SMTP clients may send messages to recipients at frivolist.com.
SMTP clients may send messages to recipients at genterine.com.
SMTP clients may send messages to recipients at hyzerhurths.com.
SMTP clients may send messages to recipients at jugglist.com.
SMTP clients may send messages to recipients at lynxdgs.com.
SMTP clients may send messages to recipients at newitemproducts.com.
SMTP clients may send messages to recipients at ocudiscgolf.com.
SMTP clients may send messages to recipients at premierdiscgolf.com.
SMTP clients may send messages to recipients at sandbaggers-store.com.
SMTP clients may send messages to recipients at snapplastic.com.
SMTP clients may send messages to recipients at speckledcat.com.
SMTP clients may send messages to recipients at sunkingdiscs.com.
SMTP clients may send messages to recipients at tamudiscgolf.com.
SMTP clients may send messages to recipients at ugarugby.com.
SMTP clients may send messages to recipients at ultimatefrisbees.com.
SMTP clients may send messages to recipients at universitydiscgolf.com.
SMTP clients may send messages to recipients at evolutionbizsolutions.com.
SMTP clients may send messages to recipients at rackmount.breinerlogistics.com.
SMTP clients may send messages to recipients at discgolfwholesale.com.
SMTP clients may send messages to recipients at pdgastore.com.

morercpthosts: (Default.) No effect.
morercpthosts.cdb: (Default.) No effect.
smtpgreeting: (Default.) SMTP greeting: 220 rackmount.breinerlogistics.com.
smtproutes: (Default.) No artificial SMTP routes.
timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.
timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.
timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

virtualdomains:
Virtual domain: athensdiscgolf.com:athensdiscgolf-com
Virtual domain: atlantadiscgolf.com:atlantadiscgolf-com
Virtual domain: beginnerdiscgolf.com:beginnerdiscgolf-com
Virtual domain: bonehunter.com:bonehunter-com
Virtual domain: breinerlogistics.com:breinerlogistics-com
Virtual domain: chickswithdiscs.com:chickswithdiscs-com
Virtual domain: dancingdogdiscs.com:dancingdogdiscs-com
Virtual domain: discgolfed.com:discgolfed-com
Virtual domain: discgolfoholic.com:discgolfoholic-com
Virtual domain: discgolfs.com:discgolfs-com
Virtual domain: discgolfshop.com:discgolfshop-com
Virtual domain: discgolfsuperstore.com:discgolfsuperstore-com
Virtual domain: discgolftourist.com:discgolftourist-com
Virtual domain: discgopher.com:discgopher-com
Virtual domain: donsbachlaw.com:donsbachlaw-com
Virtual domain: extremediscgolf-store.com:extremediscgolf-store-com
Virtual domain: frivolist.com:frivolist-com
Virtual domain: genterine.com:genterine-com
Virtual domain: hyzerhurths.com:hyzerhurths-com
Virtual domain: jugglist.com:jugglist-com
Virtual domain: lynxdgs.com:lynxdgs-com
Virtual domain: ncannuityinfo.com:ncannuityinfo-com
Virtual domain: newitemproducts.com:newitemproducts-com
Virtual domain: ocudiscgolf.com:ocudiscgolf-com
Virtual domain: premierdiscgolf.com:premierdiscgolf-com
Virtual domain: rackmount.breinerlogistics.com:breinerlogistics-com
Virtual domain: sandbaggers-store.com:sandbaggers-store-com
Virtual domain: snapplastic.com:snapplastic-com
Virtual domain: speckledcat.com:speckledcat-com
Virtual domain: sunkingdiscs.com:sunkingdiscs-com
Virtual domain: tamudiscgolf.com:tamudiscgolf-com
Virtual domain: ugarugby.com:ugarugby-com
Virtual domain: ultimatefrisbees.com:ultimatefrisbees-com
Virtual domain: universitydiscgolf.com:universitydiscgolf-com
Virtual domain: bonehunter.com:bonehunter.com
Virtual domain: athensark.org:athensark.org
Virtual domain: athensdiscgolf.com:athensdiscgolf.com
Virtual domain: atlantadiscgolf.com:atlantadiscgolf.com
Virtual domain: beginnerdiscgolf.com:beginnerdiscgolf.com
Virtual domain: breinerlogistics.com:breinerlogistics.com
Virtual domain: chickswithdiscs.com:chickswithdiscs.com
Virtual domain: discgolfed.com:discgolfed.com
Virtual domain: discgolfoholic.com:discgolfoholic.com
Virtual domain: discgolfs.com:discgolfs.com
Virtual domain: discgolfshop.com:discgolfshop.com
Virtual domain: discgolfsuperstore.com:discgolfsuperstore.com
Virtual domain: discgolftourist.com:discgolftourist.com
Virtual domain: discgopher.com:discgopher.com
Virtual domain: donsbachlaw.com:donsbachlaw.com
Virtual domain: extremediscgolf-store.com:extremediscgolf-store.com
Virtual domain: frivolist.com:frivolist.com
Virtual domain: genterine.com:genterine.com
Virtual domain: hyzerhurths.com:hyzerhurths.com
Virtual domain: jugglist.com:jugglist.com
Virtual domain: lynxdgs.com:lynxdgs.com
Virtual domain: newitemproducts.com:newitemproducts.com
Virtual domain: ocudiscgolf.com:ocudiscgolf.com
Virtual domain: premierdiscgolf.com:premierdiscgolf.com
Virtual domain: sandbaggers-store.com:sandbaggers-store.com
Virtual domain: snapplastic.com:snapplastic.com
Virtual domain: speckledcat.com:speckledcat.com
Virtual domain: sunkingdiscs.com:sunkingdiscs.com
Virtual domain: tamudiscgolf.com:tamudiscgolf.com
Virtual domain: ugarugby.com:ugarugby.com
Virtual domain: ultimatefrisbees.com:ultimatefrisbees.com
Virtual domain: universitydiscgolf.com:universitydiscgolf.com
Virtual domain: evolutionbizsolutions.com:evolutionbizsolutions.com
Virtual domain: rackmount.breinerlogistics.com:rackmount.breinerlogistics.com
Virtual domain: discgolfwholesale.com:discgolfwholesale.com
Virtual domain: pdgastore.com:pdgastore.com

virtualdomains~: I have no idea what this file does.
locals~: I have no idea what this file does.
rcpthosts~: I have no idea what this file does.
defaultdelivery.old: I have no idea what this file does.
locals.lock: I have no idea what this file does.
morercpthosts.cdb.old: I have no idea what this file does.
concurrencyincoming: I have no idea what this file does.
rcpthosts.lock: I have no idea what this file does.
virtualdomains.lock: I have no idea what this file does.
---------

thanks,
Doug

On 05 Mar 2003 13:14:36 -0500, Dave Sill <MaxFreedom@sws5.ctd.ornl.gov> wrote:

>Charter <news.charter.net> writes:
>
>> Anyway, the machine's been up a little over a year and last summer
>> we enjoyed a bit of time as an open relay... but that was fixed and
>> had no problems until last week, but I don't understand why qmail
>> allows the messages in. None of the addresses are for domains in
>> rcpthosts.
>
>Are you sure they're coming in via SMTP? Are you doing selective
>relaying? If so, are they coming through an approved relay? Do you
>have a webserver on the system? Is there a formmail CGI?
>
>> Does anyone have any ideas as to why it's happening or what I can
>> do about it?
>
>I've got lots of ideas, but I need some answers. Post qmail-showctl
>output, too.
On Thu, 17 Jul 2003 13:05:20 -0400, Lindsay MacArthur wrote:

> I'm replying to a 4 month old thread because the problem has started
> again. Everything ran great for 4 months but now I'm being used to
> send out spam and I don't understand how. All my control files look
> good and I'm quite sure I'm not an open relay. As far as I can tell
> none of the websites have formmail going of any kind.

Whenever you allow someone other than yourself to send messages through
your server you have the potential for people to send spam through your
mail system.

Since you mention formmail, but are still not sure about 'where' the spam
is coming from, you should post the headers of one of the 'spam' messages
sent through your system. You gotta figure out where the problem is coming
from before you can fix it.

What measures are you using to limit who has the ability to relay through
your system?

--
Sean
On Fri, 18 Jul 2003 00:04:28 GMT, Sean Plaice <nobody@127.0.0.1> wrote:

>On Thu, 17 Jul 2003 13:05:20 -0400, Lindsay MacArthur wrote:
>
>> I'm replying to a 4 month old thread because the problem has started
>> again. Everything ran great for 4 months but now I'm being used to
>> send out spam and I don't understand how. All my control files look
>> good and I'm quite sure I'm not an open relay. As far as I can tell
>> none of the websites have formmail going of any kind.
>
>Whenever you allow someone other than yourself to send messages through
>your server you have the potential for people to send spam through your
>mail system.
>
>Since you mention formmail, but are still not sure about 'where' the spam
>is coming from, you should post the headers of one of the 'spam' messages
>sent through your system. You gotta figure out where the problem is coming
>from before you can fix it.
>
>What measures are you using to limit who has the ability to relay through
>your system?

I'm using rcpthosts and /etc/tcp.smtp... the site shouldn't be letting
anybody relay through it. The only emails I want going out from that
machine are for people who have set up forwarding addresses to remote
machines.

My /etc/tcp.smtp is:

127.:allow,RELAYCLIENT=""

I haven't seen any of the emails that go out, I just can see a bunch of
qmail-remote when I look at the processes, and I've had complaints from
upstream about the spam. I can also look at the mail logs and see oodles
of messages flying around.

Thanks for your help!

doug
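Dave Sill's questions (SMTP or not, approved relay, CGI?) can be answered from the qmail-send log rather than from the process list Doug is watching: every queued message gets an "info msg" line carrying the uid that invoked qmail-queue, followed by one "starting delivery" line per recipient. The script below is an added example, not code from this thread; it correlates those two line types so each remote delivery is attributed to the envelope sender and the injecting uid. The uid-to-role map and the sample log lines are constructed for illustration, not taken from Doug's system.

```python
import re
from collections import Counter

# qmail-send logs one "info msg" line per queued message (with the uid that
# invoked qmail-queue) and one "starting delivery" line per recipient.
INFO_RE = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
DELIV_RE = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) \S+")

# Assumed uid-to-role map; take the real numbers from /etc/passwd on the box.
UID_ROLE = {1002: "SMTP via qmail-smtpd (uid qmaild)",
            99: "local program running as the web server uid (e.g. formmail)"}

def role_for(uid):
    """Label an injecting uid; any other uid is a local user, i.e. a .qmail forward."""
    return UID_ROLE.get(uid, "local injection by uid %d (e.g. .qmail forward)" % uid)

def remote_deliveries_by_origin(log_lines):
    """Map (uid, envelope sender) -> number of remote deliveries it caused."""
    origin = {}            # msg id -> (uid, sender), filled from the info line
    counts = Counter()
    for line in log_lines:
        m = INFO_RE.search(line)
        if m:
            origin[m.group(1)] = (int(m.group(3)), m.group(2))
            continue
        m = DELIV_RE.search(line)
        if m and m.group(2) == "remote" and m.group(1) in origin:
            counts[origin[m.group(1)]] += 1
    return counts

def origin_report(log_lines):
    """Return [(role, sender, count)] with the heaviest remote sender first."""
    counts = remote_deliveries_by_origin(log_lines)
    rows = [(role_for(uid), sender, n) for (uid, sender), n in counts.items()]
    return sorted(rows, key=lambda r: -r[2])

# Constructed sample of /var/log/qmail/current, not real log data.
SAMPLE_LOG = """\
@400000003f16a3d012345678 info msg 1001: bytes 2048 from <bulk@example.invalid> qp 4321 uid 1002
@400000003f16a3d012345678 starting delivery 1: msg 1001 to remote victim1@example.invalid
@400000003f16a3d012345678 starting delivery 2: msg 1001 to remote victim2@example.invalid
@400000003f16a3d112345678 info msg 1002: bytes 512 from <friend@example.invalid> qp 4322 uid 1005
@400000003f16a3d112345678 starting delivery 3: msg 1002 to remote doug@example.invalid
@400000003f16a3d212345678 info msg 1003: bytes 4096 from <www@example.invalid> qp 4323 uid 99
@400000003f16a3d212345678 starting delivery 4: msg 1003 to remote victim3@example.invalid
@400000003f16a3d212345678 starting delivery 5: msg 1003 to local doug@example.invalid
"""

for role, sender, n in origin_report(SAMPLE_LOG.splitlines()):
    print("%3d remote deliveries from <%s> via %s" % (n, sender, role))
```

A run over the real log with `origin_report(open("/var/log/qmail/current").read().splitlines())` separates a tcp.smtp/rcpthosts relay problem (qmaild uid) from a web-server CGI (web uid) or from .qmail forwarding of inbound spam (a local user's uid), which is the distinction the replies above are asking Doug to make.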