Server crashing - possible spam relay???

Discuss the Scalix Server software


nokesc
Posts: 49
Joined: Thu Jul 05, 2007 1:12 pm

Server crashing - possible spam relay???

Postby nokesc » Wed Mar 19, 2008 6:14 pm

I may not be posting this in the right place but I didn't find anything else that seemed appropriate ...

My problem is this: I have a Scalix 11.2 server that has been running great for the last 3 or 4 months. Then, in the last week or so, it started crashing; well, users complained of not getting emails. At first I would just reboot and everything started working again, so I thought nothing of it. However, it has progressed to a few-hour thing. In looking at the messages log I see the following ...

Mar 19 11:15:48 mail omslapd[16255]: conn=5055 op=0 RESULT err=0 tag=101 nentries=0
Mar 19 11:15:49 mail omslapd[16255]: conn=5055 op=1 UNBIND
Mar 19 11:15:49 mail omslapd[16255]: conn=5055 op=1 fd=9 closed errno=0
Mar 19 11:15:52 mail nss_wins[27177]: m2HMCNM2013519: to=<plebiscite@yahoo.com>, delay=1+19:03:29, xdelay=00:00:03, mailer=esmtp, pri=5882723, relay=d.mx.mail.yahoo.com. [66.196.82.7], dsn=4.0.0, stat=Deferred: 421 4.7.0 [TS01] Messages from 64.122.176.57 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Mar 19 11:15:54 mail omslapd[16255]: conn=5056 fd=9 connection from unknown (192.168.0.250)
Mar 19 11:15:54 mail omslapd[16255]: conn=5056 op=0 SRCH base="o=scalix" scope=2 filter="(&(|(&(objectclass=scalixPerson)(omulcaps=*))(objectclass=scalixDistributionList)(sn=+bb))(mail=scratching@yahoo.com))"
Mar 19 11:15:54 mail omslapd[16255]: conn=5056 op=0 RESULT err=0 tag=101 nentries=0
Mar 19 11:15:55 mail omslapd[16255]: conn=5056 op=1 UNBIND
Mar 19 11:15:55 mail omslapd[16255]: conn=5056 op=1 fd=9 closed errno=0
Mar 19 11:15:56 mail nss_wins[27177]: m2HMO8Jm016182: to=<scratching@yahoo.com>, delay=1+18:51:48, xdelay=00:00:01, mailer=esmtp, pri=5972723, relay=c.mx.mail.yahoo.com. [216.39.53.3], dsn=2.0.0, stat=Sent (ok dirdel)
Mar 19 11:15:56 mail omslapd[16255]: conn=5057 fd=9 connection from unknown (192.168.0.250)
Mar 19 11:15:56 mail omslapd[16255]: conn=5057 op=0 SRCH base="o=scalix" scope=2 filter="(&(|(&(objectclass=scalixPerson)(omulcaps=*))(objectclass=scalixDistributionList)(sn=+bb))(mail=sarcastic@yahoo.com))"


These messages just keep growing. Also in my 'root' mail I am seeing stuff like this ...

Return-Path: <excavations@yahoo.com>
Received: from mail.statewideslc.com (localhost [127.0.0.1])
by mail.statewideslc.com (8.13.6/8.13.6/SuSE Linux 0.8) with ESMTP id m2DI8SOb018771
for <snq@telekbird.com.cn>; Thu, 13 Mar 2008 12:10:02 -0600
Received: from pockets ( [82.119.92.103])
by mail.statewideslc.com (Scalix SMTP Relay 11.0.4.10790)
via ESMTP; Thu, 13 Mar 2008 12:06:51 -0600 (MDT)
Date: Thu, 13 Mar 2008 17:12:33 +0000
From: "Meg Garcia"<excavations@yahoo.com>
To: snq@telekbird.com.cn
Message-ID: <6850.20131205431612.mail.statewideslc.com@MHS>
Subject: re:re:first
x-scalix-Hops: 1
Mime-Version: 1.0
Content-Type: text/html
Content-Disposition: inline
X-Spam-Flag: YES
X-Spam-Status: Yes, score=13.1 required=5.0 tests=BAYES_99,FORGED_YAHOO_RCVD,
HTML_COMMENT_SAVED_URL,HTML_IMAGE_ONLY_08,HTML_MESSAGE,
HTML_SHORT_LINK_IMG_1,MIME_HTML_ONLY autolearn=no version=3.1.3
X-Spam-Level: *************
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
mail.statewideslc.com

What stands out to me is Received: from pockets ( [82.119.92.103]), but I have the following in my smtpd.cfg, which should prevent me from being used as a 'relay':

RELAY accept 127.0.0.1
RELAY accept .statewideslc.com
RELAY accept 192.168.0.
RELAY Log_Reject ALL

So I don't know what to make of this Received: from pockets ( [82.119.92.103]); at least to me it looks like it's originating there.
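The two pieces of evidence in this post (the sendmail-style delivery records in /var/log/messages and the Received chain in the bounced message) can be triaged mechanically. The script below is an added example, not code from the thread or from Scalix: it parses both, lists queue ids that a remote MX deferred because of complaints, and reports which client first injected a message and whether that client is covered by the RELAY accept list from the poster's smtpd.cfg. The matching semantics for the RELAY rules (leading dot = host suffix, trailing dot = IP prefix) and the set of local domains are assumptions.

```python
import re
# Constructed samples: copies of the thread's /var/log/messages excerpt and header dump.
MAILLOG = """\
Mar 19 11:15:52 mail nss_wins[27177]: m2HMCNM2013519: to=<plebiscite@yahoo.com>, delay=1+19:03:29, xdelay=00:00:03, mailer=esmtp, pri=5882723, relay=d.mx.mail.yahoo.com. [66.196.82.7], dsn=4.0.0, stat=Deferred: 421 4.7.0 [TS01] Messages from 64.122.176.57 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Mar 19 11:15:56 mail nss_wins[27177]: m2HMO8Jm016182: to=<scratching@yahoo.com>, delay=1+18:51:48, xdelay=00:00:01, mailer=esmtp, pri=5972723, relay=c.mx.mail.yahoo.com. [216.39.53.3], dsn=2.0.0, stat=Sent (ok dirdel)
"""
HEADERS = """\
Received: from mail.statewideslc.com (localhost [127.0.0.1])
Received: from pockets ( [82.119.92.103])
To: snq@telekbird.com.cn
"""
# Poster's smtpd.cfg RELAY accept list. Match semantics are assumed here: a leading dot is a
# host-name suffix, a trailing dot an IP prefix, anything else an exact IP.
RELAY_ACCEPT = ["127.0.0.1", ".statewideslc.com", "192.168.0."]
LOCAL_DOMAINS = {"statewideslc.com"}  # assumed: the only domain this server hosts
DELIVERY = re.compile(r" (\w+): to=<([^>]+)>, (.*?), stat=(.*)$")
RECEIVED = re.compile(r"^Received: from (\S+) \([^\[]*\[([\d.]+)\]\)")

def parse_deliveries(log):
    """Sendmail-style delivery records -> dicts of queue id, recipient, dsn and stat."""
    out = []
    for line in log.splitlines():
        m = DELIVERY.search(line)
        if m:
            kv = dict(f.split("=", 1) for f in m.group(3).split(", "))
            out.append({"qid": m.group(1), "to": m.group(2), "dsn": kv["dsn"], "stat": m.group(4)})
    return out

def complaint_deferrals(log):
    """Queue ids of outbound mail a remote MX deferred because of user complaints."""
    return [d["qid"] for d in parse_deliveries(log)
            if d["dsn"].startswith("4.") and "complaints" in d["stat"]]

def relay_allowed(ip, host):
    for rule in RELAY_ACCEPT:
        if rule.startswith(".") and host.endswith(rule):
            return True
        if rule.endswith(".") and ip.startswith(rule):
            return True
        if ip == rule:
            return True
    return False

def triage_headers(headers):
    """The last Received hop is the client that first handed the message to this server."""
    hops = [RECEIVED.match(l).groups() for l in headers.splitlines() if RECEIVED.match(l)]
    host, ip = hops[-1]
    rcpt = re.search(r"^To: (\S+)$", headers, re.M).group(1)
    return {"client_host": host, "client_ip": ip, "client_trusted": relay_allowed(ip, host),
            "external_recipient": rcpt.rsplit("@", 1)[1] not in LOCAL_DOMAINS}
```

A message whose injecting client is not trusted and whose recipient is not local is the case worth looking at first; the deferral list shows which queued mail is already damaging the server's reputation with the remote MX.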

nokesc
Posts: 49
Joined: Thu Jul 05, 2007 1:12 pm

Postby nokesc » Thu Mar 20, 2008 1:38 am

HELP!

nokesc
Posts: 49
Joined: Thu Jul 05, 2007 1:12 pm

AHHHH!

Postby nokesc » Fri Mar 21, 2008 1:20 pm

Isn't there anyone here who has an idea what could be going on .... OK, maybe someone can answer this: I see the following in my /var/log/messages and I don't know what to make of it ...

Mar 21 12:05:35 mail nss_wins[24005]: m2JGuvPx032236: to=<exorbitant@yahoo.com>, delay=1+21:09:45, xdelay=00:00:00, mailer=esmtp, pri=5072623, relay=f.mx.mail.yahoo.com., dsn=4.0.0, stat=Deferred
Mar 21 12:05:35 mail omslapd[20306]: conn=10413 fd=9 connection from unknown (192.168.0.250)
Mar 21 12:05:35 mail omslapd[20306]: conn=10413 op=0 SRCH base="o=scalix" scope=2 filter="(&(|(&(objectclass=scalixPerson)(omulcaps=*))(objectclass=scalixDistributionList)(sn=+bb))(mail=correlative@yahoo.com))"

Doesn't this mean that an email on my server is going to=<exorbitant@yahoo.com> from mail=correlative@yahoo.com? How can this be happening? It is not my domain and my smtpd.cfg is set up correctly. I plead ignorance; someone out there in Scalix land has to have an idea ....

jaime.pinto
Scalix Star
Posts: 709
Joined: Fri Feb 23, 2007 6:50 pm
Location: Toronto - Canada

Postby jaime.pinto » Fri Mar 21, 2008 7:28 pm

You *DO NOT* have an open relay.
You may just be the target of a spam attack.

To start, edit /etc/mail/access and add all the suspicious senders as you see them in the /var/log/maillog, as follows:

# /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:statewideslc.com DISCARD
Connect:82.119.92.103 DISCARD
Connect:192.168.0.250 DISCARD

Note: don't even bother with the REJECT flag, because that will put an even bigger onus on your server. Remember to type make inside /etc/mail and restart sendmail.
The above should produce immediate relief, but it's not the ideal solution.

You'll need to install an anti-virus/anti-spam cocktail on your server.
X-Spam-Flag: YES
X-Spam-Status: Yes, score=13.1 required=5.0

That should have been a good hint for you. Search the forum and the wiki on how to set it up.

Good luck
Jaime

nokesc
Posts: 49
Joined: Thu Jul 05, 2007 1:12 pm

Postby nokesc » Wed Mar 26, 2008 1:54 pm

Thanks for the help. BTW, I have spamassassin installed and it's doing a great job of filtering. The thing I don't get is that this problem just started. I have another client with an identical setup, and I watch the /var/log/messages and I don't see this kind of thing. I may be missing something here, but it really looks from the logs as if I have an open relay ... also, can't I just add the offending IPs to /etc/hosts.deny rather than /etc/mail/access? The only reason I'd rather not touch /etc/mail/access is that I went with a SuSE install and I always have problems running SuSEconfig.

jaime.pinto
Scalix Star
Posts: 709
Joined: Fri Feb 23, 2007 6:50 pm
Location: Toronto - Canada

Postby jaime.pinto » Wed Mar 26, 2008 2:45 pm

To start, you don't have an open relay, or your server would've been put out of its misery some 3-5 minutes after it had been detected as such. Do a Google search on "open relay check" and you can see several websites that will confirm that for you.

/etc/hosts.deny is for a different purpose, such as who can or cannot ssh or rsh to your system.

For sendmail you need /etc/mail/access.
For Scalix there is an smtp.config file as well, somewhere.

Since you say you have spamassassin, I suspect you need an upgrade of the rpm as well as the antivirus definitions and subscriptions to spamassassin.
Jaime

