Koozali.org: home of the SME Server

SME email server has been spam blacklisted, and member of the botnet?

Offline stavi

  • 11
  • +0/-0
Hello colleagues,

My sme email server has been spam blacklisted.
The network has 250 pc and 330 users (xp, w7, w10, outlook 2007, 2010, 2016 etc).
How do I find a spammer (spammers)?
Is it also possible that the spam is not coming out of the internal network, but through the domain?

I checked the mail log analyzer. Sender Statistic.
Total 12k line ...
my sender statistic log file here:
http://s1.toldacuccot.hu/dl.php?sid=940b04a7c1073a28ddc210d187ca22db&file=senderstatistic.rar
rar pwd: koozali.org
What period is this? one day, one week, or all the time?
I don't see a user who has sent thousands of emails to this. How is this possible?

I need to ask for help to get started.
many thanks

Offline Curtis

  • 12
  • +0/-0
Re: SME email server has been spam blacklisted, and member of the botnet?
« Reply #1 on: September 18, 2020, 07:29:02 PM »
Hello,

I believe the Sender Statistics Report is cumulative, unless you've manually deleted mail log files.

You may want to review the logs at /var/log/qmail and /var/log/qpsmtpd to track down the source of your outbound messages.  Perhaps the source of the problem is not the SME server, but a compromised client workstation. 

I wish you luck for a quick resolution.

Hello colleagues,

My sme email server has been spam blacklisted.
The network has 250 pc and 330 users (xp, w7, w10, outlook 2007, 2010, 2016 etc).
How do I find a spammer (spammers)?
Is it also possible that the spam is not coming out of the internal network, but through the domain?

I checked the mail log analyzer. Sender Statistic.
Total 12k line ...
my sender statistic log file here:
http://s1.toldacuccot.hu/dl.php?sid=940b04a7c1073a28ddc210d187ca22db&file=senderstatistic.rar
rar pwd: koozali.org
What period is this? one day, one week, or all the time?
I don't see a user who has sent thousands of emails to this. How is this possible?

I need to ask for help to get started.
many thanks

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: SME email server has been spam blacklisted, and member of the botnet?
« Reply #2 on: September 18, 2020, 10:16:20 PM »
1st please read my signature.

Quote
3. Don't ask for support on Unsupported versions of software

That includes Windows.....

These are unsupported: XP, W7

Using them means it may be harder to find an issue or get a fix. They may well be compromised. Please upgrade immediately and save yourself a lot of issues (I do not use Windows at all - but the principle remains). I should imagine that XP is unlikely to have up to date antivirus etc....

Next, please spend some time reading the wiki thoroughly - there is a lot of information in there on how to look for errors, logs etc etc.

https://wiki.contribs.org/Email_Statistics
https://wiki.contribs.org/Mail_log_file_analysis
https://wiki.contribs.org/Log_Files
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04
https://wiki.contribs.org/Email

Next, has your server been compromised? It could have been hacked and an attacker could use the mail server directly or run something list a list server (I have seen that happen)?

Or has a local user been compromised?

General logs:

/var/log/messages*

Look for logins in:

/var/log/secure
/var/log/sshd/current

Outgoing mail

Look in:

/var/log/sqpsmtpd/*
/var/log/qmail/*

The length of time the logs are kept for varies. See 'KeepLogFiles'

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation