Topic: qmail queue build up due to SPAM

[edb]

Hello All,

I have an SME Server 8 server which has been working fine until today.
All of a sudden this morning users started complaining that they can receive email but not send.
Upon further investigation it appeared that the qmail queue was bogged down with about 27000 messages in the remote queue.
I stopped the qmail service and used qmHandle to delete all the messages to cleanup the queues and then restarted qmail again.
The problem is that the messages just keep on coming so I stopped the HTTP service to see if it was due to a hacked service but it made no difference.
SAMPLE MESSAGE:
 
15832024 (20, 20/15832024)
  Return-path: wo@mydomain.ca
  From: "qopote" 'wo@mydomain.ca'
  To: 'arist@kopitime.com', 'zudomon951@aol.com', 'dewaynebr25@yahoo.com'
  Subject: 
  Date: Wed, 14 Aug 2013 21:59:15 -0700
  Size: 655 bytes

15830774 (12, 12/15830774)
  Return-path: duk@mydomain.ca
  From: "Lqyvas Tzuzi" 'duk@mydomain.ca'
  To: 'maststar@yahoo.com', 'btisdale@axionet.com', 'bbaa1234@hotmail.com', 'guslage@aol.com', 'mgottlieb50@msn.com', 'blydgate@firstclass.wellesley.edu', 'awiebking@yahoo.com'
  Subject: 
  Date: Wed, 14 Aug 2013 21:34:20 -0700
  Size: 748 bytes

The messages are using a from: fictitious names like xyz@mydomain.ca (mydomain is actually our real Domain name) and I cannot seem to stop them from piling-up even with qmail stopped they go to the preprocess queue.
The mail server is using authentication even on the local LAN so would this indicate an internal PC with a virus perhaps?
We have a lot of external branch offices as well so I assume if it is a virus it could be coming from either an internal PC or a PC in a branch office.

Would anyone have any input as to how I could determine where the messages are originating from so I can get this resolved?
Appreciate any assistance offered.
Thank you!

[janet]

edb

Look at the Header of one or a few of those messages, & see what the originating server IP is, or perhaps it is a local workstation IP.
If you find the source, then you should get a good idea of how the mail is getting into your system.
Then take appropriate action
eg
lock that user, change the password, disconnect the workstation, block the external IP (refer firewall FAQ) etc.

[edb]

Thank you for your assistance but can you tell me how I would go about viewing the Header info of the messages?
Thanks again!

[edb]

I believe I found the Header info you are referring to however the messages do not seem to be coming from an internal IP but rather from a different country than that of where I am located.
Some Examples:
Received: from 176-8-233-114-broadband.kyivstar.net (HELO peslpwfxiro) (176.8.233.114)
Received: from Unknown (HELO swipzxpmwuhn) (188.124.66.50)
Received: from unallocated.sta.lan.ua (HELO oeqhvhzslc) (92.249.90.178)
Received: from Unknown (HELO swipzxpmwuhn) (188.124.66.50)
Received: from 2.133.211.230.megaline.telecom.kz (HELO wkiavourcywf) (2.133.211.230)

Here is a sample of a complete message:

Received: (qmail 30320 invoked by uid 453); 14 Aug 2013 17:48:21 -0000
X-Virus-Checked: Checked by ClamAV on mydomain.ca
Received: from Unknown (HELO xsovcx) (83.167.25.32)
  (smtp-auth username robing, mechanism login)
  by mydomain.ca (qpsmtpd/0.84) with (AES128-SHA encrypted) ESMTPSA; Wed, 14 Aug 2013 12:48:21 -0500
Date: Wed, 14 Aug 2013 18:39:32 -0700
To: <krazie42069@hotmail.com>, <mindaym@aol.com>, <eangli14@gmail.com>, <mstutz19@aol.com>, <chris_polar1@hotmail.com>, <tonya0429@aol.com>, <strictly_buisness22@hotmail.com>, <stevenharnagel@yahoo.com>, <ha0345@qmul.ac.uk>
Subject: 
From: "Hh" <xa@mydomain.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-2"

http://www.bikesandmore.ch/movie.htm pyn bywu muvu
xoniso s nihupo

This is really weird and hard to stop.

[edb]

If I start qmail again and do 

Code: [Select]

/var/qmail/bin/qmail-qread here is a sample of the output of the command:

14 Aug 2013 23:01:32 GMT  #15828091  788  <wo@mydomain.ca>  bouncing
  done  remote  jjj_stephen@lycos.com
  done  remote  b.j@wlv.ac.uk
  done  remote  neil3nidad@gmail.com
        remote  bearnbxrs@aol.com
  done  remote  d_17_a@hotmail.com
  done  remote  withu@705aol.com
  done  remote  mjoacimhot@hotmail.com
  done  remote  johnlee8343@yahoo.com
        remote  like_0831@yeah.net
  done  remote  xavier0927@yahoo.com
14 Aug 2013 23:01:24 GMT  #15828045  692  <toja@mydomain.ca>  bouncing
  done  remote  ronmsu2003@yahoo.com
  done  remote  emmachiaha@yahoo.co.uk
  done  remote  waheedbangsh@yahoo.com
        remote  godziller2001@aol.com
        remote  ttracibob@aol.com
14 Aug 2013 23:02:24 GMT  #15828344  641  <lu@mydomain.ca>
        remote  marley728@hotmail.com
        remote  egd12@yahoo.com
        remote  amquintini81@gmail.com
14 Aug 2013 23:02:21 GMT  #15828321  616  <qaveg@mydomain.ca>
        remote  ps.steveanthony@gmail.com
        remote  deonte00@gmail.com
        remote  jschleicher@gci.net

[_alex]

edb,

Code: [Select]

Received: (qmail 30320 invoked by uid 453); 14 Aug 2013 17:48:21 -0000
X-Virus-Checked: Checked by ClamAV on mydomain.ca
Received: from Unknown (HELO xsovcx) (83.167.25.32)
  (smtp-auth username robing, mechanism login)

these IP addresses are from russia, ukraine and bulgaria.

Anyway, in this particular exemple, they have used a user called "robing"

You may start by changing the password for that user.

[edb]

Thank you for pointing that out to me!
I missed that somehow so I will attempt to lock that account and see what happens.
I will check that users PC tomorrow for any malware or viruses too.
They must have got his password somehow so I will change it and that should make it stop I hope.

Thanks again for your observation!

-edb

[janet]

edb

...how I would go about viewing the Header info of the messages?

You found them already, but remember Forum search (& Charlie) is your friend, see
http://forums.contribs.org/index.php/topic,40959.msg190441.html#msg190441

[_alex]

The msg headers You have provided clearly show that the spammer/zombie pc connected directly to your server from the internet using authenticaded SMTP. (i.e. not from one of your internal machines).

First make sure that all your users are using strong passwords.

than you need to clean your mail queue and remove your server IP from blacklist(s):
http://multirbl.valli.org/lookup/

[edb]

Thanks for the quick assistance from both of you!
Sometimes I guess if you let someone else have a look they can see the obvious that you can't.
Disabling the account and rebooting the server has stopped the SPAM bombardment TG.
PS I will also make sure he has a new secure password but not sure how the Spammers would have obtained it.

-edb

[_alex]

disabling the account may be a bit drastic: the user will not receive any email; temporarily changing his password is good enough.
a reboot is no needed.