Full Version: How To Tell Who Is Spamming Me
ajbird
hi people,

The inbox of my mailmanager account is getting hammered by thousands (20000 in the last couple of days) of undelivered items. Now my worst fear is that someone is using my server to spam others, and when I do a ps aux on my server there appears to be a lot of activity like

qmail-remote belitungisland.com masahiro@belitungisland.com

So I guess I have 2 questions.
1) How can I check to see if anyone is using my server to spam other users?
and
2) How can I track down and report spammers trying to hit my users - i.e. they seem to be randomly spamming something@dx3webs.com (one of my domains).

Here is an example of an undelivery report - can someone break this down to show who sent it and where from?

QUOTE
Hi. This is the qmail-send program at p15151010.pureserver.info.
I tried to deliver a bounce message to this address, but the bounce bounced!

<wghiuwyikcy@attglobal.net>:
32.97.166.40 does not like recipient.
Remote host said: 551 not our customer
Giving up on 32.97.166.40.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 19228 invoked for bounce); 18 Oct 2004 12:48:11 -0000
Date: 18 Oct 2004 12:48:11 -0000
From: MAILER-DAEMON@p15151010.pureserver.info
To: wghiuwyikcy@attglobal.net
Subject: failure notice

Hi. This is the qmail-send program at p15151010.pureserver.info.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<pjestes@dx3webs.com>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <wghiuwyikcy@attglobal.net>
Received: (qmail 19225 invoked from network); 18 Oct 2004 12:48:11 -0000
Received: from moutng.kundenserver.de (212.227.126.171)
  by xdcuk.net with SMTP; 18 Oct 2004 12:48:11 -0000
Received: from [212.227.126.159] (helo=mxng09.kundenserver.de)
by moutng.kundenserver.de with esmtp (Exim 3.35 #1)
id 1CJWvr-0004MF-00
for pjestes@dx3webs.com; Mon, 18 Oct 2004 14:48:11 +0200
Received: from [138.130.6.24] (helo=CPE-138-130-6-24.nsw.bigpond.net.au)
by mxng09.kundenserver.de with smtp (Exim 3.35 #1)
id 1CJWvT-000848-00; Mon, 18 Oct 2004 14:47:49 +0200
X-Message-Info: T21enBQbeoJYbc3s214+Pkfb4kjaEO
Received: from mail6240.mljzs.cox.net (110.216.64.205) by qd651-wrg041.cox.net with Microsoft SMTPSVC(5.0.2195.6824);
Mon, 18 Oct 2004 06:37:11 -0700
Received: from QHNNB1 (m26.188.224.83.unyhx071.c.cox.net 160.88.220.215)
by mail61.w.cox.net (969.8.0plf7/1.91.134) with SMTP id bao66KK29ZJFq5648;
Mon, 18 Oct 2004 09:43:11 -0400
Message-ID: <762q995cef61uzd304vzo$xsk4cyw37i6$ygo60m42@LXG697>
From: "The Stock Radar" <wghiuwyikcy@attglobal.net>
To: "Pjestes" <pjestes@dx3webs.com>
References: <boycott5-X413TlcGELrAD14GAR086a5@cox.net>
Subject: Informed Investors are winners
Date: Mon, 18 Oct 2004 09:41:11 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--987928866321632"
X-RBL-Warning: (dialup.bl.kundenserver.de) This mail has been received from a dialup host.
X-Provags-Forward: pjestes@dx3webs.com -> pjestes@dx3webs.com

----987928866321632
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

HouseRaising Inc. OTCBB: HRAI

Net Assets of over 7,000,000

1,100,000 in Homebuilding and Renovation Sales Under Construction.

(Source: News Announcement 9/14/04)

Current Price. 0.48


A massive PR  campaign  is  being  launched  this Weekend and Monday
could be a huge day in the Stock.

blah blah blah blah blah
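One way to break down the bounce quoted above, as an added example that is not part of the thread: Received: headers are stamped newest-first, so each hop is trusted only while the receiving host is one you control or know, and the first hop handed in by an outside host is where the message actually entered. The TRUSTED set (the server itself plus the kundenserver.de forwarders) is an assumption read off the headers, not something the page states.

```python
import re
# Received: headers copied verbatim from the bounce quoted above (newest hop first).
RECEIVED_HEADERS = """\
Received: (qmail 19225 invoked from network); 18 Oct 2004 12:48:11 -0000
Received: from moutng.kundenserver.de (212.227.126.171)
  by xdcuk.net with SMTP; 18 Oct 2004 12:48:11 -0000
Received: from [212.227.126.159] (helo=mxng09.kundenserver.de)
by moutng.kundenserver.de with esmtp (Exim 3.35 #1)
id 1CJWvr-0004MF-00
for pjestes@dx3webs.com; Mon, 18 Oct 2004 14:48:11 +0200
Received: from [138.130.6.24] (helo=CPE-138-130-6-24.nsw.bigpond.net.au)
by mxng09.kundenserver.de with smtp (Exim 3.35 #1)
id 1CJWvT-000848-00; Mon, 18 Oct 2004 14:47:49 +0200
Received: from mail6240.mljzs.cox.net (110.216.64.205) by qd651-wrg041.cox.net with Microsoft SMTPSVC(5.0.2195.6824);
Mon, 18 Oct 2004 06:37:11 -0700
Received: from QHNNB1 (m26.188.224.83.unyhx071.c.cox.net 160.88.220.215)
by mail61.w.cox.net (969.8.0plf7/1.91.134) with SMTP id bao66KK29ZJFq5648;
Mon, 18 Oct 2004 09:43:11 -0400
"""
# Assumption: only this server and the kundenserver.de forwarders seen above legitimately hand it mail.
TRUSTED = {"xdcuk.net", "moutng.kundenserver.de", "212.227.126.171",
           "mxng09.kundenserver.de", "212.227.126.159"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)")
def unfold(text):
    """Rejoin folded continuation lines so each Received: hop is one string."""
    hops = []
    for line in text.splitlines():
        if line.startswith("Received:"):
            hops.append(line)
        elif hops:
            hops[-1] += " " + line.strip()
    return hops
def parse_hop(hop):
    # Claimed sender name, the IP the receiver logged, and the receiving host (all None for a local stamp).
    m = HOP.search(hop)
    ip = IPV4.search(m.group(1) + m.group(2)) if m else None
    return {"from": m.group(1).strip("[]") if m else None,
            "ip": ip.group(1) if ip else None, "by": m.group(3) if m else None}
def entry_point(text):
    """Walk newest->oldest while the receiver is trusted; the first hop from an untrusted host is the entry."""
    hops = [parse_hop(h) for h in unfold(text)]
    for i, h in enumerate(hops):
        if h["by"] is None:
            continue                                   # local qmail stamp, nothing to check
        if h["by"] not in TRUSTED:                     # chain broke before an entry was found
            return {"entry_ip": None, "entry_from": None, "unverifiable": len(hops) - i}
        if h["from"] not in TRUSTED and h["ip"] not in TRUSTED:
            return {"entry_ip": h["ip"], "entry_from": h["from"], "unverifiable": len(hops) - i - 1}
    return {"entry_ip": None, "entry_from": None, "unverifiable": 0}
```

On the quoted bounce this reports 138.130.6.24 (the bigpond dialup the X-RBL-Warning also refers to) as the entry point and leaves the two cox.net hops below it as unverifiable, since they were written by hosts the trusted relays never spoke to.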
Jim
It's pretty obvious that something is going on, either internally or externally. I think the first thing you want to do is lock down your iptables and tighten your firewall. Then you probably want to change the passwords on the server, though that will only slow them down.

Your main concern should be locking down your server; I wouldn't worry so much about trying to track down the guys who are doing this. The odds of you actually getting somewhere are slim to none. They are mirrored out so many times, and even if you get back to a source, odds are it's starting out in a country that doesn't have the kind of laws we wish they did.

Start by locking down your firewall, and maybe running some anti-virus scans, but really, somebody else around here probably has a better answer.
hughesjr
One thing you can do is to use something like MailScanner in combination with SpamAssassin ...

I have a very good guide on how to securely set up a CentOS/WBEL server with Postfix / MailScanner / ClamAV / SpamAssassin and webmail via Squirrelmail here ... and here is a good guide for doing a qmail / SpamAssassin / ClamAV setup.

SpamAssassin will block both outgoing and incoming spam ... at least if it is going out via SMTP.

You also want to make sure your e-mail server is not set up as an open relay.
----------------
And Jim is very right ... you want to lock down your server's iptables to allow only the incoming connections that you want.

The place where you can see who is sending and receiving e-mail from your server is at:

/var/log/maillog
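To turn /var/log/maillog into an answer to the first question, here is an added example (not from the thread or any of the guides mentioned) that reads qmail-send's log lines, attributes every remote delivery to the envelope sender and the local uid that queued it, and separates bounces the server itself generated (null sender) from mail with a foreign sender leaving through it. The log lines are constructed samples in qmail's splogger format, not the poster's real log, and dx3webs.com as the only local domain is an assumption.

```python
import re
from collections import Counter
# Constructed sample in the format qmail-send logs to /var/log/maillog via splogger;
# these are NOT real lines from the poster's server.
MAILLOG = """\
Oct 18 12:48:11 p15151010 qmail: 1098103691.1 new msg 19225
Oct 18 12:48:11 p15151010 qmail: 1098103691.2 info msg 19225: bytes 3412 from <wghiuwyikcy@attglobal.net> qp 19226 uid 7791
Oct 18 12:48:11 p15151010 qmail: 1098103691.3 starting delivery 1: msg 19225 to local pjestes@dx3webs.com
Oct 18 12:48:11 p15151010 qmail: 1098103691.4 delivery 1: failure: This_address_no_longer_accepts_mail./
Oct 18 12:48:11 p15151010 qmail: 1098103691.5 bounce msg 19225 qp 19228
Oct 18 12:48:11 p15151010 qmail: 1098103691.6 info msg 19228: bytes 3900 from <> qp 19229 uid 7791
Oct 18 12:48:11 p15151010 qmail: 1098103691.7 starting delivery 2: msg 19228 to remote wghiuwyikcy@attglobal.net
Oct 18 12:48:12 p15151010 qmail: 1098103692.1 info msg 19230: bytes 2210 from <promo@example.invalid> qp 19231 uid 48
Oct 18 12:48:12 p15151010 qmail: 1098103692.2 starting delivery 3: msg 19230 to remote masahiro@belitungisland.com
Oct 18 12:48:12 p15151010 qmail: 1098103692.3 starting delivery 4: msg 19230 to remote someone@example.net
Oct 18 12:48:13 p15151010 qmail: 1098103693.1 info msg 19240: bytes 800 from <ajbird@dx3webs.com> qp 19241 uid 1001
Oct 18 12:48:13 p15151010 qmail: 1098103693.2 starting delivery 5: msg 19240 to remote friend@example.org
"""
OUR_DOMAINS = {"dx3webs.com"}   # assumption: the domains this server legitimately sends mail for
INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
DELIV = re.compile(r"starting delivery \d+: msg (\d+) to (remote|local) (\S+)")

def summarize(log):
    """Attribute every remote delivery to its envelope sender and the local uid that queued it."""
    sender, uid = {}, {}          # qmail msg id -> envelope sender / uid, learned from 'info msg' lines
    out = {"remote_by_uid": Counter(), "relayed": [], "backscatter": 0, "remote_total": 0}
    for line in log.splitlines():
        if m := INFO.search(line):
            sender[m.group(1)], uid[m.group(1)] = m.group(2), m.group(3)
        elif (m := DELIV.search(line)) and m.group(2) == "remote":
            msg, rcpt = m.group(1), m.group(3)
            out["remote_total"] += 1
            out["remote_by_uid"][uid.get(msg, "?")] += 1
            env = sender.get(msg, "?")
            if env == "":                                      # null sender: a bounce we generated
                out["backscatter"] += 1
            elif env.rpartition("@")[2] not in OUR_DOMAINS:    # foreign sender leaving via this box
                out["relayed"].append((msg, env, rcpt))
    out["remote_by_uid"] = dict(out["remote_by_uid"])
    return out
```

A pile of remote deliveries under one uid such as 48 (apache on Red Hat-style systems) with senders outside your own domains points at a script on the box injecting mail, while a large backscatter count means spam to nonexistent local addresses is being bounced to forged senders, which is exactly what fills a postmaster inbox with "bounce bounced" reports.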