Spam sent from my server - please help

Discussion in 'Server Operation' started by aleksey, Feb 26, 2010.

  1. aleksey

    aleksey New Member

    Hello

    I have a big problem: I have a virus in my network that is sending spam.
    I know this because the spam is sent only from Monday to Friday, nothing on weekends.
    I'm using ISPConfig 2 with SUSE 10.
    I have blocked port 25 from the network to the server, so now users have to use SquirrelMail, but it is still sending spam.
    The spam is sent from users that don't exist on the server, and in /var/log/mail they don't show up. The spam is sent from users like ebyheoh6011@xxx.xx.
    In SquirrelMail the email address and the name cannot be changed.
    And I do not have any PHP scripts on my website; everything is simple HTML.
    And I checked my computer with rkhunter: nothing.

    If you have any ideas, please help.
     
    Last edited: Feb 26, 2010
  2. carlosinfl

    carlosinfl New Member

    Sounds like your server is being used as an open relay. Can you run an open relay test?

    http://www.checkor.com/
     
  3. aleksey

    aleksey New Member

    This is a returned email from Yahoo...
    81.xx.xx.xx is my IP address and xxx.xx my domain.

    Message from yahoo.com.
    Unable to deliver message to the following address(es).

    <lshen@jauntee.com>:
    Database problem FAIL for lshen@jauntee.com
    /I'm not going to try again; this message has been in the queue too long.

    --- Original message follows.

    Return-Path: <wivuky2555@xxx.xx>
    Return-Path: <wivuky2555@xxx.xx>
    X-RocketTIP: 81.xx.xx.xx: NO_TIP_HEADER_ALLOWED
    X-RocketSRV:
    s_ip=81.xx.xx.xx;d_t=1267104075;url=centerpure.ru,http://b9ea5a13.centerpure.ru/,radi...i117/1002/6b/3ae95af50399.jpg;Retro=Y;SgrnP=N
    X-Rocket-Spam: 81.xx.xx.xx
    X-YahooFilteredBulk: 81.xx.xx.xx
    X-Rocket-Track: cat=BK;
    info=rule:BK<id=300>;dmcu:UK<token=NO_MATCH>;ip:BK<ip=81.xx.xx.xx,policy=g-w0,n0,g100>;ipsh:UK<ip=81.xx.xx.xx,policy=P=-1,X=-1,S=-1>;cmsgbk:UK<s=11,m=8>;url2db:NN<url=radikal.ru>
    X-YMailISG:
    Rr8uyv4WLDulZ8BK8BuDbUdc4gaGC48UrOdqNe7VIoMARtJSk4NG964HyzyhkxTeiz1LqQi0FlIeeyRWUcUt8ny_PXmiaXpXf4zu5oY7t6HGJWwRgnkT.anblPAQnU1JHOjJMGep9d7iT6wXi6wPCeRbHkXuJehMxh0Y8uftKVhdIaBJHPGCzkdx2D8nwJeLjLIEQZV1nxGGLbMTkuKX1Nmd4zdBmBp6w2yz5mbnPPp93CtrdC1ug6FTNAYGQGK1eiYKw18h2r20.Q1fSIUicx3QFeQ0iQUKZanBmGeF6Dmr
    X-RocketHELO: xxx.xx
    X-RocketMAILFROM: wivuky2555@xxx.xx
    X-RocketRCPTTO: 0-lshen@jauntee.com
    X-RocketMSGID:1267104073.595142.14003@mta109.biz.mail.re3.yahoo.com#0
    X-Originating-IP: [81.xx.xx.xx]
    Authentication-Results: mta109.biz.mail.re3.yahoo.com from=xxx.xx;
    domainkeys=neutral (no sig); from=xxx.xx; dkim=neutral (no sig)
    Received: from 81.xx.xx.xx (EHLO xxx.xx) (xx.xx.xx.xx)
    by mta109.biz.mail.re3.yahoo.com with SMTP; Thu, 25 Feb 2010 05:21:15 -0800
    From: "Customer Service" <wivuky2555@xxx.xx>
    To: lshen@jauntee.com
    Subject: Dear Mr. lshen, buy on 75% off
    MIME-Version: 1.0
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit
     
  4. aleksey

    aleksey New Member

    http://www.checkor.com/ says

    Checking www.xxx.xx:

    220 server1.xxx.xx ESMTP Postfix
    HELO ortest.checkor.com
    250 server1.xxx.xx
    RSET
    250 2.0.0 Ok
    MAIL FROM: test@checkor.com
    250 2.1.0 Ok
    RCPT TO: test1@checkor.com
    554 5.7.1 : Recipient address rejected: Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM:
    501 5.5.4 Syntax: MAIL FROM:

    RCPT TO: test1@checkor.com
    503 5.5.1 Error: need MAIL command

    RSET
    250 2.0.0 Ok
    MAIL FROM: spam@www.xxx.xx
    250 2.1.0 Ok
    RCPT TO: test1@checkor.com
    554 5.7.1 : Recipient address rejected: Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM: spam@www.xxx.xx
    250 2.1.0 Ok
    RCPT TO: test1@checkor.com
    554 5.7.1 : Recipient address rejected: Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM: spam@www.xxx.xx
    250 2.1.0 Ok
    RCPT TO: test1@www.xxx.xx
    Test Failed, 250 2.1.5 Ok

    RSET
    250 2.0.0 Ok
    MAIL FROM: spam@www.xxx.xx
    250 2.1.0 Ok
    RCPT TO: "test1@test.com"@www.xxx.xx
    554 5.7.1 : Recipient address rejected: Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM: spam@www.xxx.xx
    250 2.1.0 Ok
    RCPT TO: @www.xxx.xx:spamtest@checkor.com
    554 5.7.1 : Recipient address rejected: Relay access denied
     
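    The relay test above pairs each RCPT TO with the server's reply; reading it correctly means separating "accepted a recipient at the server's own domain" (ordinary local delivery) from "accepted a recipient at some other domain" (actual relaying). The script below is an added example, not code from the thread, ISPConfig or checkor.com: it parses a transcript in the shape shown above, treats the thread's placeholder domains (xxx.xx, www.xxx.xx, server1.xxx.xx) as the server's local domains by assumption, and flags only accepted recipients that would have left the server. Source-routed (@host:user@other) and quoted-local-part (user@other"@host) forms are counted as relay attempts even though their final domain looks local. The transcript embedded in the block is the one quoted in the post.

```python
"""Classify each RCPT TO reply in an SMTP open-relay test transcript.

Added example for reading relay-test output; helper and constant names are
hypothetical and not part of ISPConfig, Postfix or checkor.com.
"""
import re

# Assumption: the placeholder domains used in the thread are the domains
# this server legitimately accepts mail for.
LOCAL_DOMAINS = {"xxx.xx", "www.xxx.xx", "server1.xxx.xx"}

# Constructed sample input: the checkor.com transcript quoted in the post.
TRANSCRIPT = """\
220 server1.xxx.xx ESMTP Postfix
HELO ortest.checkor.com
250 server1.xxx.xx
RSET
250 2.0.0 Ok
MAIL FROM: test@checkor.com
250 2.1.0 Ok
RCPT TO: test1@checkor.com
554 5.7.1 : Recipient address rejected: Relay access denied
RSET
250 2.0.0 Ok
MAIL FROM:
501 5.5.4 Syntax: MAIL FROM:
RCPT TO: test1@checkor.com
503 5.5.1 Error: need MAIL command
RSET
250 2.0.0 Ok
MAIL FROM: spam@www.xxx.xx
250 2.1.0 Ok
RCPT TO: test1@www.xxx.xx
Test Failed, 250 2.1.5 Ok
RSET
250 2.0.0 Ok
MAIL FROM: spam@www.xxx.xx
250 2.1.0 Ok
RCPT TO: "test1@test.com"@www.xxx.xx
554 5.7.1 : Recipient address rejected: Relay access denied
RSET
250 2.0.0 Ok
MAIL FROM: spam@www.xxx.xx
250 2.1.0 Ok
RCPT TO: @www.xxx.xx:spamtest@checkor.com
554 5.7.1 : Recipient address rejected: Relay access denied
"""

RCPT_RE = re.compile(r"^RCPT TO:\s*(.+?)\s*$", re.IGNORECASE)
# First three-digit SMTP status code on the reply line; tolerates the
# tester's "Test Failed, " prefix in front of the real server reply.
CODE_RE = re.compile(r"\b([2-5]\d\d)\b")


def recipient_domain(addr):
    """Final destination domain: the part after the last '@'."""
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_relay_attempt(addr, local_domains):
    """True if delivery of this recipient would leave the server."""
    addr = addr.strip().strip("<>")
    if addr.startswith("@"):           # source route: @host:user@elsewhere
        return True
    local_part = addr.rsplit("@", 1)[0]
    if any(c in local_part for c in "@%!"):  # routing hidden in the local part
        return True
    return recipient_domain(addr) not in local_domains


def analyze(transcript, local_domains):
    """Return one record per RCPT TO: recipient, reply code and verdict."""
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    results = []
    for i, line in enumerate(lines):
        m = RCPT_RE.match(line)
        if not m or i + 1 >= len(lines):
            continue
        reply = lines[i + 1]               # the server's answer follows the command
        code_m = CODE_RE.search(reply)
        code = int(code_m.group(1)) if code_m else 0
        attempt = is_relay_attempt(m.group(1), local_domains)
        if 200 <= code < 300:
            verdict = "open relay" if attempt else "local delivery"
        else:
            verdict = "rejected"           # 5xx, including 503 sequence errors
        results.append({"rcpt": m.group(1), "code": code,
                        "relay_attempt": attempt, "verdict": verdict})
    return results


def open_relay_findings(results):
    """Only the records that prove relaying: external recipient accepted."""
    return [r for r in results if r["verdict"] == "open relay"]


if __name__ == "__main__":
    findings = analyze(TRANSCRIPT, LOCAL_DOMAINS)
    for r in findings:
        print(f"{r['code']}  {r['verdict']:<15} {r['rcpt']}")
    print("open relay:", "YES" if open_relay_findings(findings) else "no")
```

On the quoted transcript the only 2xx reply is for test1@www.xxx.xx, a recipient at the server's own domain, so the script reports no relay acceptance; every recipient at a foreign domain, including the source-routed and quoted-local-part variants, was answered with 554 Relay access denied. The 503 reply is a sequencing error because the preceding MAIL FROM was rejected, not a relay result.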
  5. aleksey

    aleksey New Member

    Test Failed, 250 2.1.5 Ok
    and
    503 5.5.1 Error: need MAIL command

    Is this OK, or do I have a problem?
     
  6. aleksey

    aleksey New Member

    Do you know how I can disable PHP on my server?
     