Spam sent from my server - please help

Discussion in 'Server Operation' started by aleksey, Feb 26, 2010.

  1. aleksey

    aleksey New Member

    Hello

    I have a big problem, i have a virus in my network that is sending spam.
    I know this because the spam is sent only from monday to friday , nothing on weekends.
    I'm using ispconfig 2 with suse 10.
    I have blocked port 25 from the network to the server, so now users have to use the SquirrelMail, but is still sending spam.
    The spam is sent from users that don't exist on the server, and in /var/log/mail they don't show up. the spam is sent from users like [email protected]
    in SquirrelMail the email address and the name can not be changed.
    And i do not have any php-scripts on my website everything is simple Html.
    And i checked my computer with rkhunter- nothing

    If you have any ideas please help,:confused:
     
    Last edited: Feb 26, 2010
  2. carlosinfl

    carlosinfl New Member

    Sounds like your server is being used as an open relay. Can you run an open relay test?

    http://www.checkor.com/
     
  3. aleksey

    aleksey New Member

    This is a returned email from yahoo....
    81.xx.xx.xx is my ip address and xxx.xx my domain

    Message from yahoo.com.
    Unable to deliver message to the following address(es).

    <[email protected]>:
    Database problem FAIL for [email protected]
    /I'm not going to try again; this message has been in the queue too long.

    --- Original message follows.

    Return-Path: <[email protected]>
    Return-Path: <[email protected]>
    X-RocketTIP: 81.xx.xx.xx: NO_TIP_HEADER_ALLOWED
    X-RocketSRV:
    s_ip=81.xx.xx.xx;d_t=1267104075;url=centerpure.ru,http://b9ea5a13.centerpure.ru/,radi...i117/1002/6b/3ae95af50399.jpg;Retro=Y;SgrnP=N
    X-Rocket-Spam: 81.xx.xx.xx
    X-YahooFilteredBulk: 81.xx.xx.xx
    X-Rocket-Track: cat=BK;
    info=rule:BK<id=300>;dmcu:UK<token=NO_MATCH>;ip:BK<ip=81.xx.xx.xx,policy=g-w0,n0,g100>;ipsh:UK<ip=81.xx.xx.xx,policy=P=-1,X=-1,S=-1>;cmsgbk:UK<s=11,m=8>;url2db:NN<url=radikal.ru>
    X-YMailISG:
    Rr8uyv4WLDulZ8BK8BuDbUdc4gaGC48UrOdqNe7VIoMARtJSk4NG964HyzyhkxTeiz1LqQi0FlIeeyRWUcUt8ny_PXmiaXpXf4zu5oY7t6HGJWwRgnkT.anblPAQnU1JHOjJMGep9d7iT6wXi6wPCeRbHkXuJehMxh0Y8uftKVhdIaBJHPGCzkdx2D8nwJeLjLIEQZV1nxGGLbMTkuKX1Nmd4zdBmBp6w2yz5mbnPPp93CtrdC1ug6FTNAYGQGK1eiYKw18h2r20.Q1fSIUicx3QFeQ0iQUKZanBmGeF6Dmr
    X-RocketHELO: xxx.xx
    X-RocketMAILFROM: [email protected]
    X-RocketRCPTTO: [email protected]
    X-RocketMSGID:[email protected]#0
    X-Originating-IP: [81.xx.xx.xx]
    Authentication-Results: mta109.biz.mail.re3.yahoo.com from=xxx.xx;
    domainkeys=neutral (no sig); from=xxx.xx; dkim=neutral (no sig)
    Received: from 81.xx.xx.xx (EHLO xxx.xx) (xx.xx.xx.xx)
    by mta109.biz.mail.re3.yahoo.com with SMTP; Thu, 25 Feb 2010 05:21:15 -0800
    From: "Customer Service" <[email protected]>
    To: [email protected]
    Subject: Dear Mr. lshen, buy on 75% off
    MIME-Version: 1.0
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit
     
  4. aleksey

    aleksey New Member

    http://www.checkor.com/ says

    Checking www.xxx.xx:

    220 server1.xxx.xx ESMTP Postfix
    HELO ortest.checkor.com
    250 server1.xxx.xx
    RSET
    250 2.0.0 Ok
    MAIL FROM: [email protected]
    250 2.1.0 Ok
    RCPT TO: [email protected]
    554 5.7.1 : Recipient address rejected: Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM:
    501 5.5.4 Syntax: MAIL FROM:

    RCPT TO: [email protected]
    503 5.5.1 Error: need MAIL command

    RSET
    250 2.0.0 Ok
    MAIL FROM: [email protected]
    250 2.1.0 Ok
    RCPT TO: [email protected]
    554 5.7.1 : Recipient address rejected: Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM: s[email protected]
    250 2.1.0 Ok
    RCPT TO: [email protected]
    554 5.7.1 : Recipient address rejected: Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM: [email protected]
    250 2.1.0 Ok
    RCPT TO: [email protected]
    Test Failed, 250 2.1.5 Ok

    RSET
    250 2.0.0 Ok
    MAIL FROM: [email protected]
    250 2.1.0 Ok
    RCPT TO: "[email protected]"@www.xxx.xx
    554 5.7.1 : Recipient address rejected: Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM: [email protected]
    250 2.1.0 Ok
    RCPT TO: @www.xxx.xx:[email protected]
    554 5.7.1 : Recipient address rejected: Relay access denied
     
  5. aleksey

    aleksey New Member

    Test Failed, 250 2.1.5 Ok
    and
    503 5.5.1 Error: need MAIL command

    is this ok, or do I have a problem ?
     
  6. aleksey

    aleksey New Member

    do you know how can i disable php on my server ?
     

Share This Page