Koozali.org: home of the SME Server

how to stop email spam

savolkis
how to stop email spam
« on: March 26, 2014, 10:13:34 AM »
Hello,
My server was added to the blacklist because of email spam. I think there is a virus hiding on my server; I tried to scan with the SME antivirus system and it didn't help me at all. Well, I need advice on how to remove or block this email virus and take my server off the blacklist.

OS: Linux
SME Server 8.0

Stefano
Re: how to stop email spam
« Reply #1 on: March 26, 2014, 10:31:56 AM »
I think you likely have a pc client with a virus..

or, alternatively, a broken/hacked web app on your server

since we don't know anything about your server and your lan configuration, it's up to you to investigate..

first of all, disconnect SME/your lan from WAN

savolkis
Re: how to stop email spam
« Reply #2 on: March 26, 2014, 10:39:37 AM »
Well, I can tell you that I can see email logs using SME Server, and the main sender there is 'anonymous'. If the virus is not on the server, can you give me advice on how to find the virus location?

Stefano
Re: how to stop email spam
« Reply #3 on: March 26, 2014, 10:53:10 AM »
Quote
Well, I can tell you that I can see email logs using SME Server, and the main sender there is 'anonymous'. If the virus is not on the server, can you give me advice on how to find the virus location?

you forgot to tell us what's running on your server.. do you have any web app (joomla, wordpress, whatever) running on your server and exposed to wan?

is your server in server only or server and gateway mode?

is there any pc on your lan?

we don't know anything about your setup, you are our eyes.. it's up to you to give us as many details as you can..

in other words, help us to help you, thank you

savolkis
Re: how to stop email spam
« Reply #4 on: March 26, 2014, 11:59:16 AM »
Ok.
1. I have 8 websites which are designed using Joomla 2.5

2. server and gateway mode

3. yes, there are 5 PCs on the same LAN

Stefano
Re: how to stop email spam
« Reply #5 on: March 26, 2014, 12:04:54 PM »
ok, then

- disconnect your server from WAN
- do a full AV scan on your pc.. use an anti malware and anti rootkit too
- ensure your joomlas are up to date and there are no known issues with your setup/modules/plugin
- post here some email logs with "anonymous" sender

janet
Re: how to stop email spam
« Reply #6 on: March 26, 2014, 12:17:56 PM »
savolkis

Look in the qpsmtpd or sqpsmtpd log files in server manager to see where the bad emails are coming from.

If it looks to be a workstation or workstation user, then disconnect that workstation from the network.
Update your workstation virus scanners & start doing full virus scans on them, one at a time with each workstation disconnected from the network.

If the source appears to be a web app, then disable the app or disable access to the ibay or otherwise disable access to that site & see if the errant email flow stops.
You may have to experiment & stop each website one after each other to see the response (ie no more bad email flow).

Check & see if the exact version of Joomla being used on each site is up to date and/or has any known security issues.
Keep all web apps regularly updated, & update the version of Joomla you are now using.

You really have to provide much more detailed information than what you are providing ie get info from log files etc.

If you do not know how to do this & do not know how to troubleshoot this issue, then you really need to engage a consultant.

As mentioned you really need to disconnect the server from the Internet until you start to disable some sites or infected workstations etc. When you find the source of the problem, then you can reconnect the server. The longer you leave your server sending spam etc, then the more entrenched your server becomes on blacklists & the harder it becomes to get your server off blacklists, so act immediately.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Frank VB
Re: how to stop email spam
« Reply #7 on: March 26, 2014, 12:25:24 PM »
About a year ago another forum user also had a spam run, he posted his analysis in this post:

http://forums.contribs.org/index.php?topic=49785.0

He summarized his actions in reply #13.

Although in that case a Wordpress installation was compromised, it contains some good pointers to help you finding the cause of your spamming problem.

Good luck!

savolkis
Re: how to stop email spam
« Reply #8 on: March 27, 2014, 01:50:54 PM »
Hey again, I'll try to give you more info. First of all I want to start with the one guy who had a similar issue, but the problem isn't the same, and my opt folder is clear. Someone said to update Joomla, well I can't update because some of them are running on version 1.6, others on version 2.5.17; if I update, the template will be fucked up.

I go to my SME Server control panel -> mail log files analysis -> sender statistics -> where I can see anonymous as sender 4-5 times; I picked one.
----------------------
mess     bytes    sbytes    rbytes  recips  tries       xdelay  sender
 480   2249084   1705276   2249084     480    548  4963.588321  102/<anonymous@kompiuteriai.eu>
  21     28561     23710     28561      21     21     1.114462  400/<anonymous@kompiuteriai.eu>
  20     21240     21240     21240      20     20     1.588546  407/<anonymous@kompiuteriai.eu>
----------------------
I want to ask janet where I can find the qpsmtpd or sqpsmtpd log files.

P.S. I activated spam control, and for a few days it looks like silence. Btw, is there any program to see mail traffic? Then I can spot at what time that happened, and at least know the issue; maybe it's not a server problem, and the spam goes from an infected PC.
« Last Edit: March 27, 2014, 02:12:43 PM by savolkis »
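One way to get at the two questions in the post above (which account submits the mail, and at what time), added here as an example and not part of the original thread: group the `info msg` lines of the qmail-send log by submitting uid and envelope sender, and bucket them by hour. It assumes the number before the slash in the table's sender column is the submitting uid; the log lines are constructed, with uid 102 and the anonymous@ address mirroring the table, and uid 453, user@kompiuteriai.eu and the message numbers made up.

```python
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# multilog TAI64N label ('@' + 16 hex seconds + 8 hex ns), then qmail-send info.
INFO = re.compile(r"^@([0-9a-f]{16})[0-9a-f]{8} info msg \d+: bytes (\d+) "
                  r"from <([^>]*)> qp \d+ uid (\d+)")

def tai64n_to_utc(label_hex):
    # Drop the fixed 10 s TAI-UTC offset; later leap seconds are ignored, so
    # times can be a few tens of seconds off, which hourly buckets tolerate.
    secs = int(label_hex, 16) - 2**62 - 10
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=secs)

def summarize(lines):
    """Group queued messages by (submitting uid, envelope sender)."""
    stats = defaultdict(lambda: {"msgs": 0, "bytes": 0, "hours": Counter()})
    for line in lines:
        m = INFO.match(line)
        if not m:
            continue  # deliveries, status lines, etc.
        label, size, sender, uid = m.groups()
        entry = stats[(int(uid), sender)]
        entry["msgs"] += 1
        entry["bytes"] += int(size)
        entry["hours"][tai64n_to_utc(label).strftime("%Y-%m-%d %H:00")] += 1
    return dict(stats)

def report(lines):
    rows = sorted(summarize(lines).items(), key=lambda kv: -kv[1]["msgs"])
    out = []
    for (uid, sender), s in rows:
        hour, n = s["hours"].most_common(1)[0]
        out.append(f"uid {uid} <{sender}> msgs={s['msgs']} "
                   f"bytes={s['bytes']} peak={hour} ({n} msgs)")
    return out

# Constructed sample lines (not taken from the poster's server).
SAMPLE = """\
@40000000533242ba00000000 info msg 98001: bytes 4685 from <anonymous@kompiuteriai.eu> qp 21001 uid 102
@40000000533242ba10000000 starting delivery 1: msg 98001 to remote a@example.com
@40000000533242f600000000 info msg 98002: bytes 4685 from <anonymous@kompiuteriai.eu> qp 21004 uid 102
@400000005332433200000000 info msg 98003: bytes 4690 from <anonymous@kompiuteriai.eu> qp 21009 uid 102
@400000005332a52a00000000 info msg 98010: bytes 1320 from <user@kompiuteriai.eu> qp 23050 uid 453
""".splitlines()

if __name__ == "__main__":
    print("\n".join(report(open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE)))
```

Run with the log file as the first argument; `getent passwd <uid>` on the server shows which account a reported uid belongs to.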

Charles2008
Re: how to stop email spam
« Reply #9 on: March 27, 2014, 02:24:40 PM »
Quote
where I can find the qpsmtpd or sqpsmtpd log files

From the thread that Frank VB refers to, Holck says:

"But first, of course, you need to make sure that none of your clients are infected. Scan through /var/log/qpsmtpd/current and /var/log/sqpsmtpd/current    ... "

Code:
nano /var/log/qpsmtpd/current
I presume that this is what you are looking for.

Frank VB
Re: how to stop email spam
« Reply #10 on: March 27, 2014, 02:36:37 PM »
Quote
Someone said to update Joomla, well I can't update because some of them are running on version 1.6, others on version 2.5.17; if I update, the template will be fucked up.

You're running Joomla 2.5.17. Latest version of the 2.5 branch is 2.5.19. So you should at least upgrade your 2.5.17 installation to version 2.5.19. This is a minor upgrade, it won't ruin your templates. BTW, you have a test server for testing Joomla upgrades, don't you?

About Joomla 1.6: latest version is 1.6.6 but this version isn't supported anymore by Joomla IIRC. You should at least upgrade to 1.6.6. Upgrade to 2.5 or 3.2 better still.

Also check additional components and modules you've installed on your Joomla site for upgrades.


savolkis
Re: how to stop email spam
« Reply #11 on: March 27, 2014, 02:41:11 PM »
Quote
From the thread that Frank VB refers to, Holck says:

"But first, of course, you need to make sure that none of your clients are infected. Scan through /var/log/qpsmtpd/current and /var/log/sqpsmtpd/current ... "

Code:
nano /var/log/qpsmtpd/current
I presume that this is what you are looking for.

For my eyes it looks fine, I can make a screenshot if it's necessary

Quote
You're running Joomla 2.5.17. Latest version of the 2.5 branch is 2.5.19. So you should at least upgrade your 2.5.17 installation to version 2.5.19. This is a minor upgrade, it won't ruin your templates. BTW, you have a test server for testing Joomla upgrades, don't you?

About Joomla 1.6: latest version is 1.6.6 but this version isn't supported anymore by Joomla IIRC. You should at least upgrade to 1.6.6. Upgrade to 2.5 or 3.2 better still.

Also check additional components and modules you've installed on your Joomla site for upgrades.

I don't think that would solve my problem, because the old webpages haven't been updated for a long time, and the email issue came to me a few months ago; the most recently updated page was my main page, which is located in the primary dir. I need something to follow my email traffic.
« Last Edit: March 27, 2014, 02:48:24 PM by savolkis »

janet
Re: how to stop email spam
« Reply #12 on: March 27, 2014, 08:56:34 PM »
savolkis

Quote
For my eyes it looks fine.....

You can more easily read the log files in the GUI Server manager, View log files panel.

You are not looking to see if qpsmtpd or sqpsmtpd looks fine, you are looking to see the source of emails, so you need to examine each message carefully, to try & determine what machine or source or user the email was sent from.

There have been previous examples of this shown in the forums, refer to other thread mentioned & search forums on header.

savolkis
Re: how to stop email spam
« Reply #13 on: March 28, 2014, 08:17:29 AM »
Quote
savolkis

You can more easily read the log files in the GUI Server manager, View log files panel.

You are not looking to see if qpsmtpd or sqpsmtpd looks fine, you are looking to see the source of emails, so you need to examine each message carefully, to try & determine what machine or source or user the email was sent from.

There have been previous examples of this shown in the forums, refer to other thread mentioned & search forums on header.

yes, there are only my internet provider's emails, and I can't see any others.

janet
Re: how to stop email spam
« Reply #14 on: March 28, 2014, 12:14:25 PM »
savolkis

Have you run full virus scans on your 5 LAN PCs?

Are your PC email clients configured to send mail via the SME server's SMTP server or are they sending directly to your ISP's SMTP server?
Check what the outgoing server setting is (in each of your PCs' email clients) to determine this.
If mail is bypassing the SME server then the problem is more than likely with your PCs.

Also are you using secure connections to the server using ports 993 & 465 (for IMAP), different ports for POP etc. Again check your PC email clients for these settings.
You should use secure SSL connections to the sme mail server to prevent unauthorised users or robots or viruses from injecting mail into sme server.

You need to send a test message from each PC one by one, noting the time it was sent, & then identify that message in the qpsmtpd/current or sqpsmtpd/current log file. Then you will see details of each PC & user that has logged in to the mail system on your sme server.
When you know what you are looking for, you can then start scouring/searching the mentioned log files for evidence of spam or virus laden messages being sent through your server.

Is anonymous@kompiuteriai.eu associated with your sme server ?
Is that a valid user, is that your domain name ?

The log files I advised you to look at are where you will see all email messages being sent & received via your server, you need to look harder & more carefully.

Also you said you enabled spam control, exactly what did you enable & where ?
Why do you say that there was "silence", how do you know that.
Your original issue is that you were blacklisted by other mail servers/RBL lists, so therefore that causes your outgoing mail not to be delivered.
What makes you believe that enabling spam control caused that blacklisting situation to change.

Also what blacklist was your server on, how do you know that ?

Please slowly answer all questions & provide all answers.
« Last Edit: March 28, 2014, 12:20:59 PM by janet »