Linux Help
How To Tell Who Is Spamming Me, need info on tracking spammers
ajbird
post Oct 18 2004, 09:16 AM
Post #1


Group: Members

Hi people,

The inbox of my mailmanager account is getting hammered by thousands (20,000 in the last couple of days) of undelivered items. Now my worst fear is that someone is using my server to spam others, and when I do a ps aux on my server there appears to be a lot of activity like

qmail-remote belitungisland.com masahiro@belitungisland.com

So I guess I have 2 questions.
1) How can I check to see if anyone is using my server to spam other users?
and
2) How can I track down and report spammers trying to hit my users? I.e. they seem to be randomly spamming something@dx3webs.com (one of my domains).

Here is an example of a non-delivery report. Can someone break this down to show who sent it and where from?

QUOTE
Hi. This is the qmail-send program at p15151010.pureserver.info.
I tried to deliver a bounce message to this address, but the bounce bounced!

<wghiuwyikcy@attglobal.net>:
32.97.166.40 does not like recipient.
Remote host said: 551 not our customer
Giving up on 32.97.166.40.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 19228 invoked for bounce); 18 Oct 2004 12:48:11 -0000
Date: 18 Oct 2004 12:48:11 -0000
From: MAILER-DAEMON@p15151010.pureserver.info
To: wghiuwyikcy@attglobal.net
Subject: failure notice

Hi. This is the qmail-send program at p15151010.pureserver.info.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<pjestes@dx3webs.com>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <wghiuwyikcy@attglobal.net>
Received: (qmail 19225 invoked from network); 18 Oct 2004 12:48:11 -0000
Received: from moutng.kundenserver.de (212.227.126.171)
  by xdcuk.net with SMTP; 18 Oct 2004 12:48:11 -0000
Received: from [212.227.126.159] (helo=mxng09.kundenserver.de)
  by moutng.kundenserver.de with esmtp (Exim 3.35 #1)
  id 1CJWvr-0004MF-00
  for pjestes@dx3webs.com; Mon, 18 Oct 2004 14:48:11 +0200
Received: from [138.130.6.24] (helo=CPE-138-130-6-24.nsw.bigpond.net.au)
  by mxng09.kundenserver.de with smtp (Exim 3.35 #1)
  id 1CJWvT-000848-00; Mon, 18 Oct 2004 14:47:49 +0200
X-Message-Info: T21enBQbeoJYbc3s214+Pkfb4kjaEO
Received: from mail6240.mljzs.cox.net (110.216.64.205) by qd651-wrg041.cox.net with Microsoft SMTPSVC(5.0.2195.6824);
  Mon, 18 Oct 2004 06:37:11 -0700
Received: from QHNNB1 (m26.188.224.83.unyhx071.c.cox.net 160.88.220.215)
  by mail61.w.cox.net (969.8.0plf7/1.91.134) with SMTP id bao66KK29ZJFq5648;
  Mon, 18 Oct 2004 09:43:11 -0400
Message-ID: <762q995cef61uzd304vzo$xsk4cyw37i6$ygo60m42@LXG697>
From: "The Stock Radar" <wghiuwyikcy@attglobal.net>
To: "Pjestes" <pjestes@dx3webs.com>
References: <boycott5-X413TlcGELrAD14GAR086a5@cox.net>
Subject: Informed Investors are winners
Date: Mon, 18 Oct 2004 09:41:11 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--987928866321632"
X-RBL-Warning: (dialup.bl.kundenserver.de) This mail has been received from a dialup host.
X-Provags-Forward: pjestes@dx3webs.com -> pjestes@dx3webs.com

----987928866321632
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

HouseRaising Inc. OTCBB: HRAI

Net Assets of over 7,000,000

1,100,000 in Homebuilding and Renovation Sales Under Construction.

(Source: News Announcement 9/14/04)

Current Price. 0.48


A massive PR  campaign  is  being  launched  this Weekend and Monday
could be a huge day in the Stock.

blah blah blah blah blah
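Reading the Received: chain of the bounce quoted in the post above, as an added example that is not part of the original post. The headers are the ones ajbird pasted (re-folded so Python's email parser accepts them); the chain-walking logic is this example's own, not qmail's or anyone's published tool. It starts at the Received: line written by the recipient's own server (xdcuk.net) and trusts each following line only if the line above it names the host that claims to have written it; the first line that cannot be chained back that way, and everything below it, was already inside the message when it arrived and is the spammer's forgery.

```python
import re
from email import message_from_string

# Headers quoted in the post above, re-folded so the parser accepts them.
RAW = """\
Return-Path: <wghiuwyikcy@attglobal.net>
Received: (qmail 19225 invoked from network); 18 Oct 2004 12:48:11 -0000
Received: from moutng.kundenserver.de (212.227.126.171)
  by xdcuk.net with SMTP; 18 Oct 2004 12:48:11 -0000
Received: from [212.227.126.159] (helo=mxng09.kundenserver.de)
  by moutng.kundenserver.de with esmtp (Exim 3.35 #1)
  id 1CJWvr-0004MF-00
  for pjestes@dx3webs.com; Mon, 18 Oct 2004 14:48:11 +0200
Received: from [138.130.6.24] (helo=CPE-138-130-6-24.nsw.bigpond.net.au)
  by mxng09.kundenserver.de with smtp (Exim 3.35 #1)
  id 1CJWvT-000848-00; Mon, 18 Oct 2004 14:47:49 +0200
X-Message-Info: T21enBQbeoJYbc3s214+Pkfb4kjaEO
Received: from mail6240.mljzs.cox.net (110.216.64.205) by qd651-wrg041.cox.net
  with Microsoft SMTPSVC(5.0.2195.6824); Mon, 18 Oct 2004 06:37:11 -0700
Received: from QHNNB1 (m26.188.224.83.unyhx071.c.cox.net 160.88.220.215)
  by mail61.w.cox.net (969.8.0plf7/1.91.134) with SMTP id bao66KK29ZJFq5648;
  Mon, 18 Oct 2004 09:43:11 -0400
From: "The Stock Radar" <wghiuwyikcy@attglobal.net>
To: "Pjestes" <pjestes@dx3webs.com>
Subject: Informed Investors are winners
X-RBL-Warning: (dialup.bl.kundenserver.de) This mail has been received from a dialup host.

(body omitted)
"""

# "from X (extra) ... by Y", the shape written by qmail-smtpd, Exim and IIS SMTPSVC alike
HOP_RE = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_received(raw):
    """Return the from/by hops newest first, i.e. in the order they appear."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:  # "(qmail 19225 invoked from network)" has no from/by pair
            continue
        paren = m.group("paren") or ""
        helo = re.search(r"helo=(\S+)", paren)
        hops.append({
            "from": m.group("frm").strip("[]"),
            "helo": helo.group(1) if helo else "",
            "ips": IP_RE.findall(m.group("frm") + " " + paren),
            "by": m.group("by").rstrip(";,"),
        })
    return hops


def links_to(newer, older):
    """Did the newer hop name the host that claims to have written the older one?"""
    names = {newer["from"].lower(), newer["helo"].lower()} | set(newer["ips"])
    return older["by"].lower() in names


def first_untrusted(hops):
    """Index of the first Received: line that cannot be chained back to our own MX.
    hops[0] was written by the recipient's server and is trusted by definition."""
    for i in range(len(hops) - 1):
        if not links_to(hops[i], hops[i + 1]):
            return i + 1
    return len(hops)


def origin_ip(hops):
    """The IP that connected to the last trustworthy relay: the real injection point."""
    if not hops:
        return None
    last = hops[first_untrusted(hops) - 1]
    return last["ips"][0] if last["ips"] else None


def report(raw):
    """Summarise what the headers show, for an abuse report or your own triage."""
    msg = message_from_string(raw)
    hops = parse_received(raw)
    cut = first_untrusted(hops)
    return {
        "origin_ip": origin_ip(hops),
        "trusted_hops": cut,
        "forged_hops": len(hops) - cut,
        "return_path": msg["Return-Path"],  # where qmail sent the bounce: a forged address
        "dialup_flag": "dialup" in (msg["X-RBL-Warning"] or ""),
    }


if __name__ == "__main__":
    hops = parse_received(RAW)
    cut = first_untrusted(hops)
    for i, h in enumerate(hops):
        tag = "trusted" if i < cut else "FORGED "
        print(f"{tag} from {h['from']:<32} helo={h['helo'] or '-':<44} by {h['by']}")
    print(report(RAW))
```

The two kundenserver hops chain cleanly (each names the next writer by hostname or HELO), but the cox.net lines do not: kundenserver says the connecting host was 138.130.6.24, a bigpond dialup address that it also flagged in X-RBL-Warning, yet the next line claims to have been written by a cox.net server. So the cox.net Received: lines, the X-Message-Info header and the attglobal.net From/Return-Path were all put there by the sender; the abuse report belongs to the owner of 138.130.6.24, not to cox or attglobal. The flood in the mailbox is the flip side of the same forgery: qmail-send generated a failure notice to the forged attglobal.net return path, attglobal rejected it ("551 not our customer"), and the double bounce landed on the server's postmaster. That pattern, your own server bouncing spam to forged senders, is backscatter and is answered by refusing the spam at SMTP time rather than accepting and bouncing it.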
Jim
post Oct 18 2004, 10:12 AM
Post #2


Group: Support Specialist
From: University of Minnesota- TC

It's pretty obvious that something is going on, either internally or externally. I think the first thing you want to do is lock down your iptables and tighten your firewall. Then you probably want to change the passwords on the server, though that will only slow them down.

Your main concern should be locking down your server; I wouldn't worry so much about trying to track down the guys who are doing this. The odds of you actually getting somewhere are slim to none. They are mirrored out so many times, and even if you get back to a source, odds are it's starting out in a country that doesn't have the kind of laws we wish they did.

Start by locking down your firewall, and maybe running some anti-virus scans, but really, somebody else around here probably has a better answer.


--------------------
--Jim Lester
jim@linuxhelp.net

Distro: Gentoo
System: AMD Athlon 3000+ XP 2.166 GHz
NVIDIA nForce2 IGP Chipset
1GB 333 MHz DDR SDRAM
NVIDIA nForce2 Dual Head 64 MB Graphics

Server Distro: CentOS
hughesjr
post Oct 18 2004, 07:22 PM
Post #3

Group: Admin
From: Corpus Christi, TX, USA

One thing you can do is to use something like MailScanner in combination with SpamAssassin ...

I have a very good guide on how to securely set up a CentOS/WBEL server with Postfix / MailScanner / ClamAV / SpamAssassin and webmail via Squirrelmail here ... and here is a good guide for doing a qmail / SpamAssassin / ClamAV setup.

SpamAssassin will block both outgoing and incoming spam ... at least if it is going out via SMTP.

You also want to make sure your e-mail server is not set up as an open relay.
----------------
And Jim is very right ... you want to lock down your server's iptables to allow only the incoming connections that you want.

The place where you can see who is sending and receiving e-mail from your server is at:

/var/log/maillog


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
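A first pass over the mail log to answer ajbird's question 1 (is my server being used to send spam?), as an added example that is not part of hughesjr's post. The log lines are constructed for this example in qmail-send's own format (the multilog/splogger timestamp prefix stripped); the uid-to-name map and the list of hosted domains are assumptions for the sake of the example, and on a real box you would read them from /etc/passwd and /var/qmail/control/rcpthosts. It separates three things that all look like "lots of qmail-remote processes" in ps aux: bounces the server generates itself (null sender <>, i.e. backscatter), mail injected over SMTP by qmaild whose sender is not one of your domains and which goes back out (the open-relay signature), and mail injected locally by the web server's uid (a compromised script rather than a relay).

```python
import re
from collections import Counter, defaultdict

OUR_DOMAINS = {"dx3webs.com", "p15151010.pureserver.info"}          # domains named in the post
UID_NAMES = {7791: "qmaild", 7796: "qmails", 48: "apache", 1001: "ajbird"}  # assumed map

# Constructed sample in qmail-send's log format (timestamp prefix stripped).
SAMPLE_LOG = """\
new msg 33207
info msg 33207: bytes 2310 from <> qp 19228 uid 7796
starting delivery 41: msg 33207 to remote wghiuwyikcy@attglobal.net
delivery 41: failure: 32.97.166.40_does_not_like_recipient./Remote_host_said:_551_not_our_customer/
end msg 33207
new msg 33208
info msg 33208: bytes 2290 from <> qp 19233 uid 7796
starting delivery 42: msg 33208 to remote kxqvtz@attglobal.net
new msg 33209
info msg 33209: bytes 2305 from <> qp 19236 uid 7796
starting delivery 43: msg 33209 to remote rqz4a@example.net
new msg 33210
info msg 33210: bytes 2288 from <> qp 19238 uid 7796
starting delivery 44: msg 33210 to remote boycott5@example.com
new msg 33211
info msg 33211: bytes 912 from <bob@dx3webs.com> qp 19240 uid 7791
starting delivery 45: msg 33211 to remote friend@example.org
delivery 45: success: 192.0.2.25_accepted_message./Remote_host_said:_250_ok/
end msg 33211
new msg 33212
info msg 33212: bytes 4400 from <promo@stockradar.example> qp 19251 uid 7791
starting delivery 46: msg 33212 to remote victim1@example.net
starting delivery 47: msg 33212 to remote victim2@example.com
new msg 33213
info msg 33213: bytes 3100 from <www@p15151010.pureserver.info> qp 19260 uid 48
starting delivery 48: msg 33213 to remote mark1@example.org
starting delivery 49: msg 33213 to remote mark2@example.org
new msg 33214
info msg 33214: bytes 5200 from <wghiuwyikcy@attglobal.net> qp 19271 uid 7791
starting delivery 50: msg 33214 to local pjestes@dx3webs.com
"""

INFO_RE = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
DELIVERY_RE = re.compile(r"starting delivery \d+: msg (\d+) to (remote|local) (\S+)")


def analyze(lines):
    """Group qmail-send log lines per message and classify where each came from."""
    sender, uid, rcpts = {}, {}, defaultdict(list)
    for line in lines:
        if m := INFO_RE.search(line):
            sender[m.group(1)], uid[m.group(1)] = m.group(2), int(m.group(3))
        elif m := DELIVERY_RE.search(line):
            rcpts[m.group(1)].append((m.group(2), m.group(3)))

    bounces, bounce_targets, relayed = 0, [], []
    outbound_by_uid = Counter()
    for msg, env_from in sender.items():
        remote = [addr for kind, addr in rcpts[msg] if kind == "remote"]
        if env_from == "":  # null sender: a bounce qmail-send generated itself
            bounces += 1
            bounce_targets += remote
            continue
        who = UID_NAMES.get(uid[msg], str(uid[msg]))
        outbound_by_uid[who] += len(remote)
        # Arrived over SMTP, claims a sender we do not host, and leaves again: relay.
        if who == "qmaild" and remote and env_from.rpartition("@")[2] not in OUR_DOMAINS:
            relayed.append((env_from, remote))
    return {
        "messages": len(sender),
        "bounces": bounces,
        "bounce_targets": bounce_targets,
        "outbound_by_uid": dict(outbound_by_uid),
        "relayed": relayed,
    }


def verdicts(summary):
    """Plain-language findings for the three abuse patterns."""
    out = []
    if summary["bounces"] * 2 >= summary["messages"]:  # half or more of the queue is bounces
        out.append(f"backscatter: {summary['bounces']} of {summary['messages']} queued "
                   f"messages are bounces to addresses we never received mail from")
    if summary["relayed"]:
        out.append(f"open relay: {len(summary['relayed'])} SMTP-injected message(s) with "
                   f"foreign senders were delivered back out")
    for who, n in summary["outbound_by_uid"].items():
        if who not in ("qmaild", "qmails") and n:
            out.append(f"local injection by {who}: {n} remote deliveries (check web scripts)")
    return out


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG.splitlines())
    print(summary)
    print("\n".join(verdicts(summary)))
```

The inbound message 33214 (foreign sender, local recipient) is correctly left alone: receiving spam is not relaying it. What distinguishes a relay from normal outbound mail here is only the envelope sender's domain, so on a server where users send through SMTP AUTH you would also want the qmail-smtpd log (the connecting IP and whether RELAYCLIENT was set) before accusing anyone; this pass is for finding the pattern, not for proving it.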