Hello, I have a big problem: I have a virus in my network that is sending spam. I know this because the spam is sent only from Monday to Friday, nothing on weekends. I'm using ISPConfig 2 with SUSE 10. I have blocked port 25 from the network to the server, so now users have to use SquirrelMail, but it is still sending spam. The spam is sent from users that don't exist on the server, and in /var/log/mail they don't show up. The spam is sent from users like [email protected]; in SquirrelMail the email address and the name cannot be changed. And I do not have any PHP scripts on my website, everything is simple HTML. And I checked my computer with rkhunter: nothing. If you have any ideas, please help.
Sounds like your server is being used as an open relay. Can you run an open relay test? http://www.checkor.com/
This is a returned email from Yahoo. 81.xx.xx.xx is my IP address and xxx.xx my domain.

Message from yahoo.com.
Unable to deliver message to the following address(es).

<[email protected]>:
Database problem FAIL for [email protected]
I'm not going to try again; this message has been in the queue too long.

--- Original message follows.

Return-Path: <[email protected]>
Return-Path: <[email protected]>
X-RocketTIP: 81.xx.xx.xx: NO_TIP_HEADER_ALLOWED
X-RocketSRV: s_ip=81.xx.xx.xx;d_t=1267104075;url=centerpure.ru,http://b9ea5a13.centerpure.ru/,radi...i117/1002/6b/3ae95af50399.jpg;Retro=Y;SgrnP=N
X-Rocket-Spam: 81.xx.xx.xx
X-YahooFilteredBulk: 81.xx.xx.xx
X-Rocket-Track: cat=BK; info=rule:BK<id=300>;dmcu:UK<token=NO_MATCH>;ip:BK<ip=81.xx.xx.xx,policy=g-w0,n0,g100>;ipsh:UK<ip=81.xx.xx.xx,policy=P=-1,X=-1,S=-1>;cmsgbk:UK<s=11,m=8>;url2db:NN<url=radikal.ru>
X-YMailISG: Rr8uyv4WLDulZ8BK8BuDbUdc4gaGC48UrOdqNe7VIoMARtJSk4NG964HyzyhkxTeiz1LqQi0FlIeeyRWUcUt8ny_PXmiaXpXf4zu5oY7t6HGJWwRgnkT.anblPAQnU1JHOjJMGep9d7iT6wXi6wPCeRbHkXuJehMxh0Y8uftKVhdIaBJHPGCzkdx2D8nwJeLjLIEQZV1nxGGLbMTkuKX1Nmd4zdBmBp6w2yz5mbnPPp93CtrdC1ug6FTNAYGQGK1eiYKw18h2r20.Q1fSIUicx3QFeQ0iQUKZanBmGeF6Dmr
X-RocketHELO: xxx.xx
X-RocketMAILFROM: [email protected]
X-RocketRCPTTO: [email protected]
X-RocketMSGID: [email protected]#0
X-Originating-IP: [81.xx.xx.xx]
Authentication-Results: mta109.biz.mail.re3.yahoo.com from=xxx.xx; domainkeys=neutral (no sig); from=xxx.xx; dkim=neutral (no sig)
Received: from 81.xx.xx.xx (EHLO xxx.xx) (xx.xx.xx.xx) by mta109.biz.mail.re3.yahoo.com with SMTP; Thu, 25 Feb 2010 05:21:15 -0800
From: "Customer Service" <[email protected]>
To: [email protected]
Subject: Dear Mr. lshen, buy on 75% off
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
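The headers in a bounce like the one above answer two questions the server owner needs settled: which host actually connected to the recipient's MX (the bottom-most Received line, plus Yahoo's X-Originating-IP), and whether the envelope sender is a mailbox that exists on that server. The script below is an added example for this thread, not code from the original posts or from ISPConfig. SAMPLE_BOUNCE is constructed to mirror the shape of the Yahoo bounce quoted above with documentation IPs and placeholder domains; MY_IPS, MY_DOMAIN and LOCAL_USERS are assumed stand-ins for 81.xx.xx.xx, xxx.xx and the real accounts on the box.

```python
"""Extract the entry hop and sender identity from a bounced message.

Added example for this thread (not from the original posts or ISPConfig).
SAMPLE_BOUNCE is constructed: it mirrors the shape of the Yahoo bounce quoted
in the thread but uses documentation IPs and placeholder domains.
"""
import email
import re
from email.utils import parseaddr

# Assumed facts about our own server (stand-ins for 81.xx.xx.xx / xxx.xx).
MY_IPS = {"203.0.113.10"}
MY_DOMAIN = "example.test"
LOCAL_USERS = {"web1_admin", "web1_info"}   # accounts that really exist on the box

# Constructed sample bounce; headers are folded the way a real MX writes them.
SAMPLE_BOUNCE = """\
Return-Path: <customer.service@example.test>
X-Originating-IP: [203.0.113.10]
Authentication-Results: mx.yahoo.example from=example.test; domainkeys=neutral (no sig);
  from=example.test; dkim=neutral (no sig)
Received: from 203.0.113.10 (EHLO example.test) (203.0.113.10)
  by mx.yahoo.example with SMTP; Thu, 25 Feb 2010 05:21:15 -0800
From: "Customer Service" <customer.service@example.test>
To: lshen@yahoo.example
Subject: Dear Mr. lshen, buy on 75% off
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"

<html>advert body</html>
"""

# Matches the Received header in the form the Yahoo MXs wrote it:
#   from <claimed> (EHLO <helo>) (<ip>) by <mta> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\(EHLO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<mta>\S+)"
)


def entry_hop(raw):
    """Return the hop at which the message entered the receiving provider.

    MTAs prepend Received headers, so the bottom-most one is the earliest hop
    the receiver recorded, i.e. the host that connected to the recipient's MX.
    """
    msg = email.message_from_string(raw)
    # Unfold continuation lines before matching.
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    if not received:
        return None
    m = RECEIVED_RE.search(received[-1])
    return m.groupdict() if m else None


def classify(raw, my_ips=MY_IPS, my_domain=MY_DOMAIN, local_users=LOCAL_USERS):
    """Answer the questions a bounce like this raises for the server owner."""
    msg = email.message_from_string(raw)
    hop = entry_hop(raw) or {}
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    _, header_from = parseaddr(msg.get("From", ""))
    user, _, domain = envelope.rpartition("@")
    return {
        "connecting_ip": hop.get("ip"),
        "helo_name": hop.get("helo"),
        # Our own IP opened the connection: the mail really left our server and
        # was not merely forged elsewhere with our domain in the From line.
        "sent_from_our_server": hop.get("ip") in my_ips,
        "envelope_sender": envelope,
        # A sender in our domain that matches no real mailbox was injected with
        # an arbitrary address rather than sent from an existing account.
        "sender_is_real_account": domain == my_domain and user in local_users,
        "header_from_matches_envelope": header_from.lower() == envelope.lower(),
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_BOUNCE).items():
        print(f"{key:28} {value}")
```

Run it against a real bounce by reading the file and passing its text to classify(); the combination of sent_from_our_server being true and sender_is_real_account being false is what tells you the mail is being injected on the server itself rather than forged from outside.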
http://www.checkor.com/ says:

Checking www.xxx.xx:
220 server1.xxx.xx ESMTP Postfix
HELO ortest.checkor.com
250 server1.xxx.xx
RSET
250 2.0.0 Ok
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
554 5.7.1 : Recipient address rejected: Relay access denied
RSET
250 2.0.0 Ok
MAIL FROM:
501 5.5.4 Syntax: MAIL FROM:
RCPT TO: [email protected]
503 5.5.1 Error: need MAIL command
RSET
250 2.0.0 Ok
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
554 5.7.1 : Recipient address rejected: Relay access denied
RSET
250 2.0.0 Ok
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
554 5.7.1 : Recipient address rejected: Relay access denied
RSET
250 2.0.0 Ok
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
Test Failed, 250 2.1.5 Ok
RSET
250 2.0.0 Ok
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: "[email protected]"@www.xxx.xx
554 5.7.1 : Recipient address rejected: Relay access denied
RSET
250 2.0.0 Ok
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: @www.xxx.xx:[email protected]
554 5.7.1 : Recipient address rejected: Relay access denied
"Test Failed, 250 2.1.5 Ok" and "503 5.5.1 Error: need MAIL command": is this OK, or do I have a problem?
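To read a relay-test transcript like the one above, pair each RCPT TO with the reply that follows it and apply the SMTP rules: only a 2xx reply to a recipient outside the domains the server hosts proves relaying; a 2xx for a recipient in the server's own domain is ordinary local delivery; and a 503 "need MAIL command" after a MAIL FROM that was itself rejected (501) means that particular probe never reached the relay check at all, so it is inconclusive rather than a pass or fail. The script below is an added example for this thread, not code from the original posts, ISPConfig or checkor.com. SAMPLE_TRANSCRIPT is constructed in the same shape as the posted output, with placeholder hostnames and addresses, and LOCAL_DOMAINS is an assumed list of the domains the server accepts mail for. It also covers the two disguised-relay recipients the tool tried (a source route and a remote address quoted into the local part), which the page shows but does not explain.

```python
"""Interpret an open-relay test transcript (SMTP commands and replies).

Added example for this thread; not code from the original posts, ISPConfig or
checkor.com. SAMPLE_TRANSCRIPT is constructed and uses placeholder hosts and
addresses; LOCAL_DOMAINS is an assumed list of domains the server hosts.
"""
import re

SERVER_REPLY = re.compile(r"^(\d{3})[ -]")
MAIL_CMD = re.compile(r"^MAIL FROM:\s*(.*)$", re.IGNORECASE)
RCPT_CMD = re.compile(r"^RCPT TO:\s*(.*)$", re.IGNORECASE)

LOCAL_DOMAINS = {"example.test", "server1.example.test"}   # assumed

# Constructed transcript: client command, then the server's reply, one per line.
SAMPLE_TRANSCRIPT = """\
220 server1.example.test ESMTP Postfix
HELO ortest.example.org
250 server1.example.test
MAIL FROM: <spamtest@example.org>
250 2.1.0 Ok
RCPT TO: <relaytest@example.org>
554 5.7.1 <relaytest@example.org>: Recipient address rejected: Relay access denied
RSET
250 2.0.0 Ok
MAIL FROM:
501 5.5.4 Syntax: MAIL FROM:<address>
RCPT TO: <relaytest@example.org>
503 5.5.1 Error: need MAIL command
RSET
250 2.0.0 Ok
MAIL FROM: <spamtest@example.org>
250 2.1.0 Ok
RCPT TO: <postmaster@example.test>
250 2.1.5 Ok
RSET
250 2.0.0 Ok
MAIL FROM: <spamtest@example.org>
250 2.1.0 Ok
RCPT TO: <"relaytest@example.org"@server1.example.test>
554 5.7.1 <"relaytest@example.org"@server1.example.test>: Recipient address rejected: Relay access denied
RSET
250 2.0.0 Ok
MAIL FROM: <spamtest@example.org>
250 2.1.0 Ok
RCPT TO: <@server1.example.test:relaytest@example.org>
554 5.7.1 <@server1.example.test:relaytest@example.org>: Recipient address rejected: Relay access denied
"""


def would_relay(rcpt, local_domains):
    """True if accepting this recipient means handing the mail to another site.

    Besides a plainly foreign domain, the classic disguises are checked: a
    source route (@local:user@remote) and a remote address smuggled into the
    local part by quoting, the percent hack or a bang path.
    """
    addr = rcpt.strip().strip("<>")
    if addr.startswith("@"):
        return True
    local_part, _, domain = addr.rpartition("@")
    if domain.lower() not in local_domains:
        return True
    return any(ch in local_part for ch in "@%!")


def _reply_code(lines):
    """Consume the next line and return its 3-digit reply code, or None."""
    m = SERVER_REPLY.match(next(lines, ""))
    return m.group(1) if m else None


def analyze(transcript, local_domains):
    """Pair every RCPT TO with its reply and classify the outcome."""
    lines = iter(l.rstrip() for l in transcript.splitlines() if l.strip())
    results = []
    mail_from, mail_ok = None, False
    for line in lines:
        if (m := MAIL_CMD.match(line)):
            mail_from = m.group(1) or "<empty>"
            code = _reply_code(lines)
            mail_ok = bool(code) and code.startswith("2")
        elif (m := RCPT_CMD.match(line)):
            rcpt = m.group(1)
            code = _reply_code(lines)
            if code is None:
                verdict = "no-reply"
            elif code.startswith("2"):
                verdict = "RELAYED" if would_relay(rcpt, local_domains) else "local-delivery"
            elif code == "503" and not mail_ok:
                # The server never saw a valid MAIL FROM, so the relay check
                # was not exercised by this probe.
                verdict = "inconclusive"
            elif code.startswith("4"):
                verdict = "deferred"
            else:
                verdict = "rejected"
            results.append({"mail_from": mail_from, "rcpt": rcpt,
                            "code": code, "verdict": verdict})
        elif SERVER_REPLY.match(line):
            continue            # banner, or a reply already consumed above
        else:
            _reply_code(lines)  # HELO/RSET/QUIT: skip the command and its reply
    return results


def is_open_relay(results):
    """The server is an open relay only if some off-site recipient got a 2xx."""
    return any(r["verdict"] == "RELAYED" for r in results)


if __name__ == "__main__":
    found = analyze(SAMPLE_TRANSCRIPT, LOCAL_DOMAINS)
    for r in found:
        print(f"{r['code']}  {r['verdict']:15} {r['rcpt']}")
    print("open relay:", is_open_relay(found))
```

Paste a real transcript in place of SAMPLE_TRANSCRIPT and put your own hosted domains in LOCAL_DOMAINS; any "RELAYED" line is the one that needs fixing in Postfix, while "local-delivery" and "inconclusive" lines do not indicate relaying. Note that a server that refuses to relay can still emit spam if the messages are injected locally (through the sendmail binary, a web script or a stolen webmail login), so a clean relay test narrows the search but does not end it.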