  #1  
26th February 2010, 18:46
aleksey
Spam sent from my server - please help

Hello

I have a big problem: I have a virus in my network that is sending spam.
I know this because the spam is sent only from Monday to Friday, nothing on weekends.
I'm using ISPConfig 2 with SUSE 10.
I have blocked port 25 from the network to the server, so now users have to use SquirrelMail, but it is still sending spam.
The spam is sent from users that don't exist on the server, and in /var/log/mail they don't show up. The spam is sent from users like ebyheoh6011@xxx.xx
In SquirrelMail the email address and the name cannot be changed.
And I do not have any PHP scripts on my website; everything is simple HTML.
And I checked my computer with rkhunter: nothing.

If you have any ideas, please help.

Last edited by aleksey; 26th February 2010 at 19:37.
  #2  
26th February 2010, 18:52
carlosinfl

Sounds like your server is being used as an open relay. Can you run an open relay test?

http://www.checkor.com/
  #3  
26th February 2010, 18:53
aleksey

This is a returned email from Yahoo.
81.xx.xx.xx is my IP address and xxx.xx my domain.

Message from yahoo.com.
Unable to deliver message to the following address(es).

<lshen@jauntee.com>:
Database problem FAIL for lshen@jauntee.com
/I'm not going to try again; this message has been in the queue too long.

--- Original message follows.

Return-Path: <wivuky2555@xxx.xx>
Return-Path: <wivuky2555@xxx.xx>
X-RocketTIP: 81.xx.xx.xx: NO_TIP_HEADER_ALLOWED
X-RocketSRV:
s_ip=81.xx.xx.xx;d_t=1267104075;url=centerpure.ru,http://b9ea5a13.centerpure.ru/,radik...etro=Y;SgrnP=N
X-Rocket-Spam: 81.xx.xx.xx
X-YahooFilteredBulk: 81.xx.xx.xx
X-Rocket-Track: cat=BK;
info=rule:BK<id=300>;dmcu:UK<token=NO_MATCH>;ip:BK<ip=81.xx.xx.xx,policy=g-w0,n0,g100>;ipsh:UK<ip=81.xx.xx.xx,policy=P=-1,X=-1,S=-1>;cmsgbk:UK<s=11,m=8>;url2db:NN<url=radikal.ru>
X-YMailISG:
Rr8uyv4WLDulZ8BK8BuDbUdc4gaGC48UrOdqNe7VIoMARtJSk4 NG964HyzyhkxTeiz1LqQi0FlIeeyRWUcUt8ny_PXmiaXpXf4zu 5oY7t6HGJWwRgnkT.anblPAQnU1JHOjJMGep9d7iT6wXi6wPCe RbHkXuJehMxh0Y8uftKVhdIaBJHPGCzkdx2D8nwJeLjLIEQZV1 nxGGLbMTkuKX1Nmd4zdBmBp6w2yz5mbnPPp93CtrdC1ug6FTNA YGQGK1eiYKw18h2r20.Q1fSIUicx3QFeQ0iQUKZanBmGeF6Dmr
X-RocketHELO: xxx.xx
X-RocketMAILFROM: wivuky2555@xxx.xx
X-RocketRCPTTO: 0-lshen@jauntee.com
X-RocketMSGID:1267104073.595142.14003@mta109.biz.mail.re3.yahoo.com#0
X-Originating-IP: [81.xx.xx.xx]
Authentication-Results: mta109.biz.mail.re3.yahoo.com from=xxx.xx;
domainkeys=neutral (no sig); from=xxx.xx; dkim=neutral (no sig)
Received: from 81.xx.xx.xx (EHLO xxx.xx) (xx.xx.xx.xx)
by mta109.biz.mail.re3.yahoo.com with SMTP; Thu, 25 Feb 2010 05:21:15 -0800
From: "Customer Service" <wivuky2555@xxx.xx>
To: lshen@jauntee.com
Subject: Dear Mr. lshen, buy on 75% off
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
  #4  
26th February 2010, 18:55
aleksey

http://www.checkor.com/ says

Checking www.xxx.xx:

220 server1.xxx.xx ESMTP Postfix
HELO ortest.checkor.com
250 server1.xxx.xx
RSET
250 2.0.0 Ok
MAIL FROM: test@checkor.com
250 2.1.0 Ok
RCPT TO: test1@checkor.com
554 5.7.1 : Recipient address rejected: Relay access denied

RSET
250 2.0.0 Ok
MAIL FROM:
501 5.5.4 Syntax: MAIL FROM:

RCPT TO: test1@checkor.com
503 5.5.1 Error: need MAIL command

RSET
250 2.0.0 Ok
MAIL FROM: spam@www.xxx.xx
250 2.1.0 Ok
RCPT TO: test1@checkor.com
554 5.7.1 : Recipient address rejected: Relay access denied

RSET
250 2.0.0 Ok
MAIL FROM: spam@www.xxx.xx
250 2.1.0 Ok
RCPT TO: test1@checkor.com
554 5.7.1 : Recipient address rejected: Relay access denied

RSET
250 2.0.0 Ok
MAIL FROM: spam@www.xxx.xx
250 2.1.0 Ok
RCPT TO: test1@www.xxx.xx
Test Failed, 250 2.1.5 Ok

RSET
250 2.0.0 Ok
MAIL FROM: spam@www.xxx.xx
250 2.1.0 Ok
RCPT TO: "test1@test.com"@www.xxx.xx
554 5.7.1 : Recipient address rejected: Relay access denied

RSET
250 2.0.0 Ok
MAIL FROM: spam@www.xxx.xx
250 2.1.0 Ok
RCPT TO: @www.xxx.xx:spamtest@checkor.com
554 5.7.1 : Recipient address rejected: Relay access denied
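One way to read the relay test output posted above, as an added example that is not part of the original thread and is not checkor's own code. Each RSET-delimited test from the post is written on one line with its steps joined by `|`; the names `TESTED_HOST`, `reply_code`, `classify` and `summarize` are chosen for this example, and treating a 250 for a recipient in the tested host's own domain as local delivery rather than third-party relaying is an assumption about what the "Test Failed" line reports.

```python
import re

# Transcript from the relay test posted in this thread: one RSET-delimited
# test per line, commands and replies joined by " | " (layout is this example's).
TESTED_HOST = "www.xxx.xx"
RELAY_DENIED = "554 5.7.1 : Recipient address rejected: Relay access denied"
TRANSCRIPT = [
    "MAIL FROM: test@checkor.com | 250 2.1.0 Ok | RCPT TO: test1@checkor.com | " + RELAY_DENIED,
    "MAIL FROM: | 501 5.5.4 Syntax: MAIL FROM: | RCPT TO: test1@checkor.com | 503 5.5.1 Error: need MAIL command",
    "MAIL FROM: spam@www.xxx.xx | 250 2.1.0 Ok | RCPT TO: test1@checkor.com | " + RELAY_DENIED,
    "MAIL FROM: spam@www.xxx.xx | 250 2.1.0 Ok | RCPT TO: test1@checkor.com | " + RELAY_DENIED,
    "MAIL FROM: spam@www.xxx.xx | 250 2.1.0 Ok | RCPT TO: test1@www.xxx.xx | Test Failed, 250 2.1.5 Ok",
    'MAIL FROM: spam@www.xxx.xx | 250 2.1.0 Ok | RCPT TO: "test1@test.com"@www.xxx.xx | ' + RELAY_DENIED,
    "MAIL FROM: spam@www.xxx.xx | 250 2.1.0 Ok | RCPT TO: @www.xxx.xx:spamtest@checkor.com | " + RELAY_DENIED,
]

def reply_code(line):
    """Return the first three-digit SMTP reply code found in a reply line."""
    m = re.search(r"\b(\d{3})\b", line)
    return int(m.group(1)) if m else None

def classify(test_line, host=TESTED_HOST):
    """Classify one test by what the server did with the recipient."""
    steps = [s.strip() for s in test_line.split("|")]
    cmds = {}
    for cmd, reply in zip(steps[0::2], steps[1::2]):
        verb, _, arg = cmd.partition(":")  # split at the first colon only
        cmds[verb.strip().upper()] = (arg.strip(), reply_code(reply))
    if cmds.get("MAIL FROM", ("", 0))[1] != 250:
        # Sender was not accepted, so the following RCPT gets 503: nothing relayed.
        return "sender-rejected"
    rcpt, code = cmds.get("RCPT TO", ("", None))
    if code is None or code >= 400:
        return "refused"
    # Domain after the last "@" is where the server would deliver the mail.
    domain = rcpt.rsplit("@", 1)[-1].strip("<>").lower()
    return "local-delivery" if domain == host.lower() else "OPEN-RELAY"

def summarize(transcript=TRANSCRIPT):
    """Verdict for every test, in transcript order."""
    return [classify(t) for t in transcript]

if __name__ == "__main__":
    for n, verdict in enumerate(summarize(), 1):
        print(f"test {n}: {verdict}")
```

On this transcript no test ends with the server accepting a recipient outside `www.xxx.xx`.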
  #5  
27th February 2010, 14:05
aleksey

Test Failed, 250 2.1.5 Ok
and
503 5.5.1 Error: need MAIL command

Is this OK, or do I have a problem?
  #6  
27th February 2010, 17:17
aleksey

Do you know how I can disable PHP on my server?