HowtoForge Forums > ISPConfig 3 > Installation/Configuration

  #1  
Old 19th August 2010, 16:07
pawan
Senior Member
Join Date: Jul 2010
Posts: 210
Thanks: 42
Thanked 5 Times in 5 Posts
My server is suddenly being used for unauthorised SPAM

Dear all,
What steps should I take to stop this? There are a number of mails like this that I received today all of a sudden. I do not have any such user like ebihoegac2233 on my server, but the returned mail shows X-Postfix-Sender: rfc822; ----@mywebsolutions.co.in.

How can I stop this? What measures should I take?


Code:
Reporting-MTA: dns; dns1s24dcb.secure-24.net
X-Postfix-Queue-ID: 91A658C9C70
X-Postfix-Sender: rfc822; ebihoegac2233@mywebsolutions.co.in
Arrival-Date: Thu, 19 Aug 2010 10:19:07 -0400 (EDT)

Final-Recipient: rfc822; larue@unitedroad.com
Original-Recipient: rfc822;larue@unitedroad.com
Action: failed
Status: 5.1.1
Remote-MTA: dns; a.mx.secure-24.net
Diagnostic-Code: smtp; 550 5.1.1 <larue@unitedroad.com>: Recipient address
    rejected: User unknown in relay recipient table
  #2  
Old 19th August 2010, 16:17
HyperAtom
Member
Join Date: Jan 2010
Posts: 79
Thanks: 7
Thanked 3 Times in 3 Posts

I think it's just spammers spoofing a mailbox which doesn't exist on your domain. I'm not entirely sure, but have you tried setting up an SPF record in your DNS?
  #3  
Old 19th August 2010, 16:22
pawan
Senior Member
Join Date: Jul 2010
Posts: 210
Thanks: 42
Thanked 5 Times in 5 Posts
My server is suddenly being used for unauthorised SPAM

Yes, I am using SPF.

Like: v=spf1 mx ~all

Can I make it more stringent?

Here are the contents of another returned mail, which even mentions my IP address, i.e. 59.90.144.48:

Hi. This is the qmail-send program at mail.bsa-romania.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<geeageneral@bsa-romania.com>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <emisyu4996@mywebsolutions.co.in>
Received: (qmail 27607 invoked by uid 507); 19 Aug 2010 16:23:00 +0300
Received: from mywebsolutions.co.in (59.90.144.48)
by mail.bsa-romania.com with SMTP; 19 Aug 2010 16:23:00 +0300
From: <emisyu4996@mywebsolutions.co.in>
To: geeageneral@bsa-romania.com
Date: Thu, 19 Aug 2010 18:53:02 +0530
Subject: Don't be a killjoy when the lights go off
Reply-To: <emisyu4996@mywebsolutions.co.in>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit

Check out our latest packages on traditional medical cures
http://www.hammerlabs.ru/

Last edited by pawan; 19th August 2010 at 16:50.
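The header analysis in the post above, as an added example that is not code from the thread: a small Python script that pulls the connecting IP out of the quoted bounce's Received lines, compares it with the addresses the server owns (assumed here to be only 59.90.144.48, the one address the thread gives), and evaluates the quoted SPF record offline. The SPF evaluator is a deliberately minimal one written for this example, with the MX lookup replaced by a list; it stands in for a real DNS-backed checker. Both message samples are constructed from the bounces quoted in the thread.

```python
"""Added example (not from the thread): is a bounce backscatter from a spoofed
sender, or did the message really leave our IP? And what does the SPF record
'v=spf1 mx ~all' say about either case?"""
import ipaddress
import re

# Constructed sample: headers of the second bounce quoted in the thread
BOUNCE_HEADERS = """\
Return-Path: <emisyu4996@mywebsolutions.co.in>
Received: (qmail 27607 invoked by uid 507); 19 Aug 2010 16:23:00 +0300
Received: from mywebsolutions.co.in (59.90.144.48)
  by mail.bsa-romania.com with SMTP; 19 Aug 2010 16:23:00 +0300
From: <emisyu4996@mywebsolutions.co.in>
To: geeageneral@bsa-romania.com
"""

# Constructed sample: a DSN like the first bounce in the thread; it has no
# Received line, so the origin cannot be read from it at all
DSN_FIELDS = """\
Reporting-MTA: dns; dns1s24dcb.secure-24.net
X-Postfix-Sender: rfc822; ebihoegac2233@mywebsolutions.co.in
Action: failed
Status: 5.1.1
"""

# Assumption: the addresses of the domain's MX hosts (the thread names only this one)
OUR_MX_IPS = ["59.90.144.48"]

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RECEIVED_FROM_RE = re.compile(r"^Received:\s+from\s+\S+\s+\(([^)]*)\)", re.M | re.I)


def unfold(headers):
    """Join RFC 5322 continuation lines (lines that start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def first_hop_ip(headers):
    """IP the receiving MTA recorded for the host that connected to it.
    Received headers are prepended, so the bottom-most 'from' line is the
    earliest hop that recorded a connecting address. None if there is none."""
    for comment in reversed(RECEIVED_FROM_RE.findall(unfold(headers))):
        found = IPV4_RE.search(comment)
        if found:
            try:
                return str(ipaddress.ip_address(found.group(0)))
            except ValueError:
                continue
    return None


def classify_bounce(headers, our_ips):
    """'origin-is-ours' if the first hop is one of our addresses, otherwise
    'spoofed-elsewhere'; 'unknown' when the bounce carries no Received line."""
    ip = first_hop_ip(headers)
    if ip is None:
        return "unknown"
    return "origin-is-ours" if ip in our_ips else "spoofed-elsewhere"


def spf_check(record, client_ip, mx_ips):
    """Minimal offline SPF evaluator: handles mx, ip4: and all with the four
    qualifiers. mx_ips stands in for the DNS lookup a real checker performs;
    mechanisms that need DNS (a, include, ...) are skipped here."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "mx":
            matched = any(ip == ipaddress.ip_address(m) for m in mx_ips)
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "all":
            matched = True
        else:
            continue
        if matched:
            return results[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matched


if __name__ == "__main__":
    print("second bounce:", classify_bounce(BOUNCE_HEADERS, OUR_MX_IPS))
    print("first bounce (DSN):", classify_bounce(DSN_FIELDS, OUR_MX_IPS))
    for rec in ("v=spf1 mx ~all", "v=spf1 mx -all"):
        print(rec, "| from our MX:", spf_check(rec, "59.90.144.48", OUR_MX_IPS),
              "| from 203.0.113.5:", spf_check(rec, "203.0.113.5", OUR_MX_IPS))
```

Run on the second bounce, the first hop is 59.90.144.48, that is, the message was handed to mail.bsa-romania.com by the poster's own server; the DSN from the first post has no Received line and says nothing about the origin. The SPF result is the practical answer to "can I make it more stringent": changing `~all` to `-all` turns a softfail into a fail for mail forged from other IPs, but mail that really leaves the listed MX passes either way, so SPF cannot stop a bot sending from the server itself.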
  #4  
Old 19th August 2010, 22:13
HyperAtom
Member
Join Date: Jan 2010
Posts: 79
Thanks: 7
Thanked 3 Times in 3 Posts

I'm pretty sure it's nothing to worry about; the fact your IP is listed in the header is just the recipient's mailserver resolving your domain, which has been spoofed anyway.

I take it you're receiving these failed delivery reports from the admin account of your mailserver?
  #5  
Old 20th August 2010, 00:41
pawan
Senior Member
Join Date: Jul 2010
Posts: 210
Thanks: 42
Thanked 5 Times in 5 Posts

Quote:
Originally Posted by HyperAtom
I'm pretty sure it's nothing to worry about; the fact your IP is listed in the header is just the recipient's mailserver resolving your domain, which has been spoofed anyway.

I take it you're receiving these failed delivery reports from the admin account of your mailserver?

I am very worried and need a solution ASAP, as after these mails my IP has also shown up in the PBL & CBL databases as blacklisted, and there it is mentioned that:

Code:
This IP is infected (or NATting for a computer that is infected) with the rustock spambot.

So, dear HyperAtom and all senior members, please help me take some measures to resolve it.
  #6  
Old 20th August 2010, 01:06
HyperAtom
Member
Join Date: Jan 2010
Posts: 79
Thanks: 7
Thanked 3 Times in 3 Posts

This may be more serious than I thought; it seems the mail is really coming from your server. The best thing I can think of temporarily is to use OpenDNS servers, which block botnets, until some of the other members come up with something.

Check your ClamAV logs and rkhunter for any warnings.
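Two checks that answer the "is the mail really coming from your server" question raised above, as an added example that is not from the thread or from ISPConfig. The first looks for connections to remote port 25 owned by anything other than the MTA, which is how a bot that speaks SMTP itself shows up even though nothing passes through Postfix or its logs; the second counts SMTP AUTH submissions per account in the Postfix log, which is how a stolen mailbox password used for relaying shows up. Both inputs are constructed samples in the layout of Linux `ss -ntp` output and Postfix `smtpd` log lines; the list of allowed MTA process names is an assumption to adjust per host, and all addresses are from the documentation ranges.

```python
"""Added example (not from the thread): two triage checks for outbound spam.
1. Which processes hold connections to remote port 25, and are they the MTA?
2. Which authenticated accounts are submitting mail, how much, and from where?"""
import re
from collections import defaultdict

# Constructed sample in the layout of `ss -ntp`
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB 0      0      59.90.144.48:45210  198.51.100.7:25     users:(("smtp",pid=2271,fd=9))
ESTAB 0      0      59.90.144.48:45211  198.51.100.9:25     users:(("perl",pid=4412,fd=5))
ESTAB 0      0      59.90.144.48:22     203.0.113.20:51434  users:(("sshd",pid=1301,fd=3))
ESTAB 0      0      59.90.144.48:45212  198.51.100.11:25    users:(("smtp",pid=2280,fd=9))
ESTAB 0      0      59.90.144.48:45213  198.51.100.12:25    users:(("httpd",pid=4410,fd=14))
"""

# Constructed sample in the layout of Postfix smtpd log lines
SAMPLE_MAILLOG = """\
Aug 20 00:12:01 srv postfix/smtpd[4521]: 1A2B3C4D5E: client=unknown[203.0.113.44], sasl_method=PLAIN, sasl_username=info@mywebsolutions.co.in
Aug 20 00:12:02 srv postfix/smtpd[4521]: 1A2B3C4D5F: client=unknown[203.0.113.44], sasl_method=PLAIN, sasl_username=info@mywebsolutions.co.in
Aug 20 00:12:03 srv postfix/smtpd[4522]: 1A2B3C4D60: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=info@mywebsolutions.co.in
Aug 20 00:14:10 srv postfix/smtpd[4523]: 1A2B3C4D61: client=mail.example.net[198.51.100.30]
Aug 20 00:15:00 srv postfix/smtpd[4524]: 1A2B3C4D62: client=unknown[203.0.113.46], sasl_method=PLAIN, sasl_username=sales@mywebsolutions.co.in
"""

# Assumption: process names that may legitimately open outbound SMTP on this
# host ("smtp" is Postfix's delivery client; extend for other MTAs)
MTA_PROCESSES = {"smtp", "sendmail", "qmail-remote", "exim4"}

SS_LINE_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+\S+\s+(?P<peer>\S+):(?P<port>\d+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')
SASL_RE = re.compile(r"client=\S+\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)")


def suspicious_smtp_connections(ss_text, allowed=MTA_PROCESSES):
    """(process, pid, peer) for every connection to remote port 25 that is
    owned by a process not in `allowed`. The header line does not match the
    pattern and is skipped; non-SMTP ports are ignored."""
    hits = []
    for line in ss_text.splitlines():
        m = SS_LINE_RE.match(line)
        if m and int(m["port"]) == 25 and m["proc"] not in allowed:
            hits.append((m["proc"], int(m["pid"]), m["peer"]))
    return hits


def sasl_submission_stats(maillog_text):
    """Per authenticated user: messages accepted and the set of client IPs
    they came from. One account submitting from many unrelated addresses is
    the usual sign of a stolen password; unauthenticated clients are ignored."""
    stats = defaultdict(lambda: {"messages": 0, "clients": set()})
    for line in maillog_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            entry = stats[m["user"]]
            entry["messages"] += 1
            entry["clients"].add(m["ip"])
    return dict(stats)


if __name__ == "__main__":
    for proc, pid, peer in suspicious_smtp_connections(SAMPLE_SS):
        print(f"non-MTA process {proc} (pid {pid}) talking SMTP to {peer}")
    for user, entry in sasl_submission_stats(SAMPLE_MAILLOG).items():
        print(f"{user}: {entry['messages']} messages from {sorted(entry['clients'])}")
```

On a live host the same functions can be fed the real output (`ss -ntp` needs root to see other users' process names; the log is usually /var/log/mail.log or /var/log/maillog). A hit in the first check means the host itself, not a mail account, is compromised and the MTA logs will not show the traffic; a hit in the second points at a password to reset and a queue to flush.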