How do I defend my mail server from being used by spammers to send email to Yahoo Mail, Gmail, etc.?

My mail server is now blocked by Gmail. I have already set it up to block all of that, but it is still being abused by spammers.

Below is the mail log:

Jun 24 03:29:26 abcd sendmail[13373]: q5NHV7Jm001938: to=<cornchopsunshady@yahoo.com>, ctladdr=<xxx@abcd.com> (525/528), delay=02:58:10, xdelay=00:00:02, mailer=esmtp, pri=3212216, relay=mta7.am0.yahoodns.net. [67.195.168.230], dsn=431, stat=Deferred: 452 Too many recipients

I really appreciate any advice and assistance.

Edit, more of the mail log:

Jun 24 03:29:06 abcd sendmail[13371]: q5NKT6s1013371: from='<www-data@crazyhorse.abcd.com>', size=2340, class=0, nrcpts=0,proto=ESMTP, daemon=MTA, relay=myISP.com
jun 24 03:29:06 abcd sendmail[13372]:q5NKT6wz013372: <www-data@abcd.com>.. User unknown
Jun 24 03:29:06 abcd sendmail[13372]:q5NKT6wZ013372: from=<>, size=3324, class=0,nrcpts, proto=ESMTP, daemon=MTA, relay=myISP.com
jun 24 03:29:10 abcd sendmail[13373]: grew WorkList for /var/spool/mqueue to 2000
jun 24 03:29:12 abcd sendmail[13373]: grew Worklist for /var/spool/mqueue to 3000
jun 24 03:29:17 abcd sendmail[13375]:q5NKTFYr013375:<hrdqvqza@abcd.com>... user unknown
jun 24 03:29:18 abcd sendmail[13375]: q5NKTFYr013375: from=<escribikr@docomo.ne.jp>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=00l-4b7f8b4a.static.optonline.net [75.127.139.74]
jun 24 03:29:19 abcd sendmail[13373]: q5NHU5sL001777: to=<cha_010@yahoo.com>,<cha_cha3023@yahoo.com>,<cha_she69@yahoo.com>,<chaaldridge@yahoo.com>,<chaasper@yahoo.com>,ctladdr=<baak@abcd.com> (525/528), delay=02:59:06, xdelay=0 0:00:07, mailer=esmtp, pri=3212216,relay=mta7.am0.yahoodbs.net. [67.195.168.230], dsn=2.0.0, stat=sent (ok dirdel 4/1)

... and so on ...

fike
  • 31

4 Answers

5

There are 3 options. I'll list them in order of seriousness.

  • Your server is configured reasonably securely, but you're allowing known authenticated users to relay mail through this server from external addresses, and one or more user accounts have had their passwords compromised. You need to gain control of these accounts in the short term, and review if and how you allow authenticated users to use your service in the longer term.

  • Your server is configured in an insecure manner that allows anonymous email relaying. This is really bad, but trivial to fix.

  • Your server is hacked. This is the worst option. See Lucas' answer.

The answer to which one of these is your problem is contained in your logs.

Rob Moir
  • 32,154
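As an added example (not from the question or from any of the answers), a small Python triage script in the spirit of this advice: it parses sendmail log lines of the kind quoted above and attributes delivered recipients to the identity that submitted the mail. In sendmail logs a `ctladdr=<user> (uid/gid)` field on a `to=` record means the message was submitted by a local Unix account or process (such as a web server running as www-data), whereas mail accepted over SMTP is attributed to the connecting host recorded in `relay=` on its `from=` record, which is where open-relay or stolen-credential abuse would show up. The log lines, hostnames and addresses below are constructed, modelled on the format in the question.

```python
import re
from collections import Counter

# Constructed sample in sendmail's log format (not the asker's real log).
SAMPLE_LOG = """\
Jun 24 03:29:06 abcd sendmail[13371]: q5NKT6s1013371: from=<www-data@crazyhorse.example.com>, size=2340, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 24 03:29:10 abcd sendmail[13373]: grew WorkList for /var/spool/mqueue to 2000
Jun 24 03:29:18 abcd sendmail[13375]: q5NKTFYr013375: from=<escribikr@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example.org [203.0.113.74]
Jun 24 03:29:19 abcd sendmail[13373]: q5NHU5sL001777: to=<a@example.com>,<b@example.com>,<c@example.com>, ctladdr=<baak@abcd.com> (525/528), delay=02:59:06, xdelay=00:00:07, mailer=esmtp, pri=3212216, relay=mta.example.com. [198.51.100.230], dsn=2.0.0, stat=Sent
Jun 24 03:29:20 abcd sendmail[13375]: q5NKTFYr013375: to=<e@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mta.example.com. [198.51.100.230], dsn=2.0.0, stat=Sent
Jun 24 03:29:26 abcd sendmail[13373]: q5NHV7Jm001938: to=<d@example.com>, ctladdr=<baak@abcd.com> (525/528), delay=02:58:10, xdelay=00:00:02, mailer=esmtp, pri=3212216, relay=mta.example.com. [198.51.100.230], dsn=4.3.1, stat=Deferred: 452 Too many recipients
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")
# key=<addr>,<addr>... for address lists, otherwise key=anything-up-to-comma
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>(?:,<[^>]*>)*|[^,]*)")


def parse_line(line):
    """Return the key=value fields of one queue-id record, or None."""
    m = LINE_RE.search(line)
    if not m:          # e.g. "grew WorkList ..." lines carry no queue id
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    fields["qid"] = m.group("qid")
    return fields


def triage(log_text):
    """Count recipients per submitter: local ctladdr vs. remote SMTP host."""
    source = {}            # qid -> connecting host from the from= record
    local, remote, failed = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if "from" in f:
            source[f["qid"]] = f.get("relay", "unknown")
        elif "to" in f:
            n = f["to"].count("<")           # recipients on this delivery
            if "ctladdr" in f:               # local account/process submitted it
                who, bucket = f["ctladdr"], local
            else:                            # arrived over SMTP: blame the relay
                who, bucket = source.get(f["qid"], "unknown relay"), remote
            bucket[who] += n
            if not f.get("stat", "").lower().startswith("sent"):
                failed[who] += n             # deferred/bounced = reputation damage
    return {"local": local, "remote": remote, "not_delivered": failed}


if __name__ == "__main__":
    for label, bucket in triage(SAMPLE_LOG).items():
        for who, n in bucket.most_common(5):
            print(f"{label:14s} {n:5d} rcpts  {who}")
```

A large `local` count for one ctladdr points at a compromised local account or web application; a large `remote` count from hosts that are not yours points at relaying.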
3

If your server is being used to send spam, then it probably got hacked or is set up insecurely.

You will need to format the system and reinstall from scratch (if the former is true) AND secure it! So find out how they got in. If you are not able to do this on your own, I suggest getting a professional involved.

Refer to: How do I deal with a compromised server?

1

It seems as though this kind of spam that your server is sending is relayed through the web server that you run on the machine. Do you by any chance run a webmail interface like SquirrelMail? If so, it is quite probable that at least one account is compromised and is used to send spam. In the case of SquirrelMail I would look at all the *.conf files in the data/ directory where it keeps user-specific configuration. I would:

grep -l escribikr@docomo.ne.jp *.pref

and then locate compromised accounts. For other webmail systems I would do similar searches. Also I would study qtool.pl in order to start erasing spams from the queue.

adamo
  • 7,045
1

I found that the problem stemmed from my e-mail server's vulnerabilities. So I moved to Zimbra and activated all the features imaginable. And now I can sleep soundly.

fike
  • 31