Full Version: How To Tell Who Is Spamming Me
hi people,

the inbox of my mailmanager account is getting hammered by thousands (20000 in the last couple of days) of undelivered items. now my worst fear is that someone is using my server to spam others and when i do a ps aux on my server there appears to be a lot of activity like


so i guess i have 2 questions.
1) how can i check to see if anyone is using my server to spam other users
2) how can i track down and report spammers trying to hit my users - ie they seem to be randomly spamming (one of my domains)

here is an example of an undelivery report - can someone break this down to show who sent it and where from

Hi. This is the qmail-send program at
I tried to deliver a bounce message to this address, but the bounce bounced!

<>: does not like recipient.
Remote host said: 551 not our customer
Giving up on

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 19228 invoked for bounce); 18 Oct 2004 12:48:11 -0000
Date: 18 Oct 2004 12:48:11 -0000
Subject: failure notice

Hi. This is the qmail-send program at
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <>
Received: (qmail 19225 invoked from network); 18 Oct 2004 12:48:11 -0000
Received: from (
  by with SMTP; 18 Oct 2004 12:48:11 -0000
Received: from [] (
by with esmtp (Exim 3.35 #1)
id 1CJWvr-0004MF-00
for; Mon, 18 Oct 2004 14:48:11 +0200
Received: from [] (
by with smtp (Exim 3.35 #1)
id 1CJWvT-000848-00; Mon, 18 Oct 2004 14:47:49 +0200
X-Message-Info: T21enBQbeoJYbc3s214+Pkfb4kjaEO
Received: from ( by with Microsoft SMTPSVC(5.0.2195.6824);
Mon, 18 Oct 2004 06:37:11 -0700
Received: from QHNNB1 (
by (969.8.0plf7/1.91.134) with SMTP id bao66KK29ZJFq5648;
Mon, 18 Oct 2004 09:43:11 -0400
Message-ID: <762q995cef61uzd304vzo$xsk4cyw37i6$ygo60m42@LXG697>
From: "The Stock Radar" <>
To: "Pjestes" <>
References: <>
Subject: Informed Investors are winners
Date: Mon, 18 Oct 2004 09:41:11 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-RBL-Warning: ( This mail has been received from a dialup host.
X-Provags-Forward: ->

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

HouseRaising Inc. OTCBB: HRAI

Net Assets of over 7,000,000

1,100,000 in Homebuilding and Renovation Sales Under Construction.

(Source: News Announcement 9/14/04)

Current Price. 0.48

A massive PR  campaign  is  being  launched  this Weekend and Monday
could be a huge day in the Stock.

blah blah blah blah blah
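
Added example, not part of the original thread: a short Python script that walks the Received: chain of a message like the one quoted above, oldest hop first, and marks which line was written by your own server. The host names and addresses in the sample are constructed placeholders (the real ones were stripped from the post), and `trace_hops`, `handoff` and `my_hosts` are names chosen for this example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: same hop layout as the bounce above, placeholder hosts/IPs.
SAMPLE = """\
Return-Path: <>
Received: (qmail 19225 invoked from network); 18 Oct 2004 12:48:11 -0000
Received: from mx.forwarder.example (198.51.100.7)
  by mail.mydomain.example with SMTP; 18 Oct 2004 12:48:11 -0000
Received: from [203.0.113.9] (helo=relay.isp.example)
  by mx.forwarder.example with esmtp (Exim 3.35 #1)
  id 1CJWvr-0004MF-00; Mon, 18 Oct 2004 14:48:11 +0200
Received: from QHNNB1 (dialup-42.pool.example [192.0.2.42])
  by relay.isp.example with SMTP id bao66KK29ZJFq5648;
  Mon, 18 Oct 2004 09:43:11 -0400
Subject: Informed Investors are winners

body
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*by\s+(?P<by>\S+)")
IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def trace_hops(raw, my_hosts):
    """Return hops oldest-first; 'trusted' is True only for lines my own MTA wrote."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:  # e.g. qmail's local "(qmail N invoked ...)" line has no peer
            continue
        ip = IP.search(m.group("helo") + " " + (m.group("info") or ""))
        hops.append({
            "helo": m.group("helo"),                  # name the peer claimed
            "ip": ip.group(0) if ip else None,        # address written in that line
            "by": m.group("by"),                      # host that wrote the line
            "when": parsedate_to_datetime(value.rsplit(";", 1)[1].strip()),
            "trusted": m.group("by").lower() in my_hosts,
        })
    return hops[::-1]  # each MTA prepends its line, so reverse for time order

def handoff(hops):
    """Oldest hop recorded by my own server: the host that handed the mail to me."""
    return next((h for h in hops if h["trusted"]), None)

if __name__ == "__main__":
    for h in trace_hops(SAMPLE, {"mail.mydomain.example"}):
        print(h["when"], h["ip"], h["helo"], "->", h["by"],
              "trusted" if h["trusted"] else "unverified")
```

Only the connecting address in the line your own server wrote is reliable; every Received: line below it was supplied by an earlier hop or by the sender and can be forged.
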
It's pretty obvious that something is going on, either internally or externally. I think the first thing you want to do is lock down your IP tables and tighten your firewall. Then, you probably want to change the passwords on the server, though that will only slow them down.

Your main concern should be locking down your server, I wouldn't worry so much about trying to track down the guys who are doing this. The odds of you actually getting somewhere are slim to none. They are mirrored out so many times and even if you get back to a source, odds are it's starting out in a country that doesn't have the kind of laws we wish they did.

Start by locking down your firewall, and maybe running some anti-virus scans, but really, somebody else around here probably has a better answer.
One thing you can do is to use something like MailScanner in combination with SpamAssassin ...

I have a very good guide on how to securely set up a CentOS/WBEL server with Postfix / MailScanner / ClamAV / SpamAssassin and webmail via Squirrelmail here ... and here is a good guide for doing a qmail / SpamAssassin / ClamAV setup.

SpamAssassin will block both outgoing and incoming, at least if it is going out via SMTP.

You also want to make sure your e-mail server is not set up as an open relay.
And Jim is very right ... you want to lock down your server's iptables to allow only the incoming connections that you want.

The place where you can see who is sending and receiving e-mail from your server is at:
