I think I am being used as a relay for spam
I have relay enabled because I have a php form or two that need to send emails when filled out. Since php.ini has no SMTP authentication fields, I have to enable relay.
I have enabled relay for 127.0.0.1 only, so it seems this would stop any spammers from sending bulk through my server.
BUT, I keep getting tons of returned email to one of my addresses that I never sent.
I can provide screen shots or whatever it takes to get this resolved, please help.
Eric
Returned mail only means someone used your email address as the sender or reply-to address.
You can sign up with these and test your server to see if it is an open relay:
http://www.abuse.net/relay.html
Note that usually it fails on the last test if you have a catch-all defined; that doesn't mean it's an open relay, but the other tests should be blocked.
DO NOT use ordb.org since you will be instantly black listed before you have chance to fix any problems.
I have the same problem. It looks like a PHP script that is sending the mail out, as it uses the sender address that is used in PHP ini.
I searched all hosted websites, but can't find the source.
I also need the localhost 127.0.0.1 to be able to send mail for some websites.
Even if I disable this localhost in the "allow relay from" list, the mails keep going out, sometimes several times a day.
This is what I posted in the forum for MailEnable Professional & Webmail; I think this problem is not limited to any version.
http://forum.mailenable.com/viewtopic.p ... 92&start=0
So, why do you think this is a configuration issue in MailEnable when you obviously have a PHP script on your server sending out spam?
Anything located on your servers can be malicious; this is a basic thing to understand. If you cannot or do not want to prevent malicious scripts on your server, you have no chance of getting to the bottom of this.
I would suggest you disable the possibility to send emails until you can figure it out, or limit the number of outgoing emails, the number of recipients and so on.
Well, the problem is that it is sent from local, and I can't find what is starting this. It must be a PHP script. This is just a little piece of the logfile.
See log below.
06/04/06 14:05:27 SMTP-IN A12B220BA1D845BFA45DE136DCDD6EE6.MAI 452 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
06/04/06 14:05:28 SMTP-IN 92CDAA1425EB41C5AA61469D7A646123.MAI 452 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
06/04/06 14:05:28 SMTP-IN 8C987112A0B648BABCBEB5F3E8DB3062.MAI 468 127.0.0.1 220 servername.address from PHP.ini ESMTP MailEnable Service, Version: 1.95-- ready at 06/04/06 14:05:28 0 0
06/04/06 14:05:28 SMTP-IN 8C987112A0B648BABCBEB5F3E8DB3062.MAI 468 127.0.0.1 HELO HELO servername 250 Requested mail action okay, completed 43 10
06/04/06 14:05:28 SMTP-IN 8C987112A0B648BABCBEB5F3E8DB3062.MAI 468 127.0.0.1 MAIL MAIL FROM:<address from PHP.ini > 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN 8C987112A0B648BABCBEB5F3E8DB3062.MAI 468 127.0.0.1 RCPT RCPT TO:<abranohana@msn.com> 250 Requested mail action okay, completed 43 30
06/04/06 14:05:28 SMTP-IN 8C987112A0B648BABCBEB5F3E8DB3062.MAI 468 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
06/04/06 14:05:28 SMTP-IN 12E2DF1C793F4F84A7AF6085B28CBAC7.MAI 468 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
06/04/06 14:05:28 SMTP-IN 5A47E03DF71144F2BCC82DD765CE174F.MAI 576 127.0.0.1 220 servername.address from PHP.ini ESMTP MailEnable Service, Version: 1.95-- ready at 06/04/06 14:05:28 0 0
06/04/06 14:05:28 SMTP-IN 5A47E03DF71144F2BCC82DD765CE174F.MAI 576 127.0.0.1 HELO HELO servername 250 Requested mail action okay, completed 43 10
06/04/06 14:05:28 SMTP-IN 5A47E03DF71144F2BCC82DD765CE174F.MAI 576 127.0.0.1 MAIL MAIL FROM:<address from PHP.ini > 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN 5A47E03DF71144F2BCC82DD765CE174F.MAI 576 127.0.0.1 RCPT RCPT TO:<pologrlva@yahoo.com> 250 Requested mail action okay, completed 43 31
06/04/06 14:05:28 SMTP-IN 5A47E03DF71144F2BCC82DD765CE174F.MAI 576 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
06/04/06 14:05:28 SMTP-IN 47C25A86BED44889A27CC9FFA7E78600.MAI 576 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
06/04/06 14:05:28 SMTP-IN 439A254EE22946B3925F22BFE0D23A64.MAI 388 127.0.0.1 220 servername.address from PHP.ini ESMTP MailEnable Service, Version: 1.95-- ready at 06/04/06 14:05:28 0 0
06/04/06 14:05:28 SMTP-IN 439A254EE22946B3925F22BFE0D23A64.MAI 388 127.0.0.1 HELO HELO servername 250 Requested mail action okay, completed 43 10
06/04/06 14:05:28 SMTP-IN 439A254EE22946B3925F22BFE0D23A64.MAI 388 127.0.0.1 MAIL MAIL FROM:<address from PHP.ini > 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN 439A254EE22946B3925F22BFE0D23A64.MAI 388 127.0.0.1 RCPT RCPT TO:<larroyo03@yahoo.com> 250 Requested mail action okay, completed 43 31
06/04/06 14:05:28 SMTP-IN 2997344A6F5F4286841B862761ABF486.MAI 576 82.133.136.237 220 servername.address from PHP.ini ESMTP MailEnable Service, Version: 1.95-- ready at 06/04/06 14:05:28 0 0
06/04/06 14:05:28 SMTP-IN 439A254EE22946B3925F22BFE0D23A64.MAI 388 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
06/04/06 14:05:28 SMTP-IN 4A3DD270487846D2A606FF02F0BE3756.MAI 388 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
06/04/06 14:05:28 SMTP-IN DA040E34F5DB4EA7BFF3C39FFE7FCA2E.MAI 404 127.0.0.1 220 servername.address from PHP.ini ESMTP MailEnable Service, Version: 1.95-- ready at 06/04/06 14:05:28 0 0
06/04/06 14:05:28 SMTP-IN DA040E34F5DB4EA7BFF3C39FFE7FCA2E.MAI 404 127.0.0.1 HELO HELO servername 250 Requested mail action okay, completed 43 10
06/04/06 14:05:28 SMTP-IN DA040E34F5DB4EA7BFF3C39FFE7FCA2E.MAI 404 127.0.0.1 MAIL MAIL FROM:<address from PHP.ini > 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN DA040E34F5DB4EA7BFF3C39FFE7FCA2E.MAI 404 127.0.0.1 RCPT RCPT TO:<rmins@txcyber.com> 250 Requested mail action okay, completed 43 29
06/04/06 14:05:28 SMTP-IN DA040E34F5DB4EA7BFF3C39FFE7FCA2E.MAI 404 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
06/04/06 14:05:28 SMTP-IN A61571650CB94D2482C969EC89C577D3.MAI 404 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
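One way an admin could turn SMTP-IN lines like the ones above into a detection, as an added example that is not from the forum or from MailEnable: parse the log, count accepted RCPT TO commands per client IP per minute, and flag minutes in which 127.0.0.1 handed the server more recipients than a contact form plausibly would. The sample lines, addresses and threshold are constructed; only the line layout follows the posted log, and the timestamp is kept as a string so nothing depends on whether the date is dd/mm/yy or mm/dd/yy.

```python
import re
from collections import defaultdict

# Constructed sample in the MailEnable SMTP-IN layout of the log above (not the original log).
SAMPLE_LOG = """\
06/04/06 14:05:28 SMTP-IN 1.MAI 468 127.0.0.1 MAIL MAIL FROM:<www@example.test> 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN 1.MAI 468 127.0.0.1 RCPT RCPT TO:<one@mail-a.example> 250 Requested mail action okay, completed 43 30
06/04/06 14:05:28 SMTP-IN 2.MAI 576 127.0.0.1 MAIL MAIL FROM:<www@example.test> 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN 2.MAI 576 127.0.0.1 RCPT RCPT TO:<two@mail-b.example> 250 Requested mail action okay, completed 43 31
06/04/06 14:05:29 SMTP-IN 3.MAI 388 127.0.0.1 MAIL MAIL FROM:<www@example.test> 250 Requested mail action okay, completed 43 44
06/04/06 14:05:29 SMTP-IN 3.MAI 388 127.0.0.1 RCPT RCPT TO:<three@mail-c.example> 250 Requested mail action okay, completed 43 31
06/04/06 14:05:29 SMTP-IN 4.MAI 404 127.0.0.1 MAIL MAIL FROM:<www@example.test> 250 Requested mail action okay, completed 43 44
06/04/06 14:05:29 SMTP-IN 4.MAI 404 127.0.0.1 RCPT RCPT TO:<four@mail-a.example> 250 Requested mail action okay, completed 43 31
06/04/06 14:05:30 SMTP-IN 5.MAI 412 203.0.113.5 RCPT RCPT TO:<user@example.test> 250 Requested mail action okay, completed 43 31
06/04/06 14:05:30 SMTP-IN 6.MAI 420 127.0.0.1 RCPT RCPT TO:<five@mail-d.example> 550 Requested action not taken: mailbox unavailable 60 40
"""

# date time SMTP-IN file session-id client-ip command rest-of-line
LINE_RE = re.compile(r'^(\S+ \S+) SMTP-IN \S+ \d+ (\S+) (\S+) (.*)$')
# recipient of an RCPT the server accepted (250); rejected recipients do not count
ACCEPTED_RCPT_RE = re.compile(r'TO:<([^>]*)>\s+250\b')

def parse(log_text):
    """Yield (timestamp, client_ip, command, rest) for every SMTP-IN line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def find_local_bursts(log_text, max_rcpt_per_minute=3, local_ip='127.0.0.1'):
    """Count accepted RCPT TO commands per (client IP, minute) and report minutes in
    which the loopback address exceeded the threshold (a runaway local script)."""
    rcpts = defaultdict(list)
    for ts, ip, cmd, rest in parse(log_text):
        if cmd != 'RCPT':
            continue
        m = ACCEPTED_RCPT_RE.search(rest)
        if m:
            rcpts[(ip, ts[:-3])].append(m.group(1))   # key on the minute, not the second
    findings = []
    for (ip, minute), addrs in sorted(rcpts.items()):
        if ip == local_ip and len(addrs) > max_rcpt_per_minute:
            domains = sorted({a.rsplit('@', 1)[-1].lower() for a in addrs})
            findings.append({'minute': minute, 'count': len(addrs), 'domains': domains})
    return findings

if __name__ == '__main__':
    for f in find_local_bursts(SAMPLE_LOG):
        print(f"{f['minute']}: {f['count']} recipients from loopback -> {f['domains']}")
```

A hit points at a specific minute and the recipient domains involved, which narrows the search to whatever web script was running at that moment rather than to the relay settings.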
- A full virus scan is done and found 2 trojans (that was already 2 weeks ago).
After removing them, the mail sending remains.
- I installed Trojanhunter, no results.
- The problem is finding the script(s) that is/are the reason. I already asked customers to delete their websites and upload them again.
Formatting the server and restoring the domains doesn't make sense, as it would also restore the bad script.
GOT IT !
A customer had installed an old version of a PHP script (VWAR) that is used by online gamers. That website was hacked and unfortunately the customer didn't inform us.
That site was used to send out all the mail.
More info about VWAR: http://secunia.com/advisories/19524/