Cannot figure out SMTP. Please help

Posted: Sun Jul 01, 2007 9:09 pm
by audiotron2002
I am at my wits' end trying to figure out where the SPAM is coming from.

I have been receiving 1000s of messages and it is killing my /var/log/messages file and netstat.

Even if I turn off smtp (omoff -d0 smtp) messages are still pouring in. This is the part that makes no sense. If the smtpd process is off, how can the message connect to it? Take a look at the header. I rm * my mqueue file but within a split second 1000 messages are back. Here are a few file dumps. I will send paypal $$$ for anyone that can help me solve this. It's driving me nuts. This is a personal scalix setup.

from /var/log/mqueue
_____________________
l6211PQh006794 4945 Sun Jul 1 21:01 <servizi@bancoposte.it>
8BITMIME (Deferred: Connection refused by chifis.unipv.it.) <echasegc@chifis.unipv.it>

l620wSU2002588 4945 Sun Jul 1 20:58 <servizi@bancoposte.it>
8BITMIME (Deferred: Connection timed out with cespedsutes.it.)
<dpipan@cespedsutes.it>

Total requests: 752
___________________________________________

FROM /var/log/maillog
_______________________________
Jul 1 21:05:18 mail sendmail[15039]: l6214HVn015030: to=<enripey@yahoo.it>, delay=00:01:01, xdelay=00:01:01, mailer=esmtp, pri=125645, relay=h.mx.mail.yahoo.com. [68.142.237.182], dsn=4.0.0, stat=Deferred: 421 Message from (XXXXXXXXXXX) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html

Jul 1 21:05:43 mail sendmail[12865]: l6213gg4012859: to=<emartino@gol.grosseto.it>, delay=00:02:01, xdelay=00:02:01, mailer=esmtp, pri=125645, relay=smtp.gol.grosseto.it. [89.202.247.224], dsn=4.2.0, stat=Deferred: 450 <emartino@gol.grosseto.it>: Recipient address rejected: Riprova piu' tardi per favore, greylist in azione

_______________________________
FROM OMSHOWLOG
[OM 4884] omshowlog : No logged records match the specified criteria
______________________________________________

A SAMPLE MESSAGE
_____________________________________________________

[root@mail mqueue]# cat qfl620qhAW024450
V8
T1183337563
K1183337563
N1
P121863
I253/1/1918274
MDeferred: 421 Message from ()))))))))))))))) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
Fds
$_localhost.localdomain [127.0.0.1]
$rESMTP
$smail.XXX.net
${daemon_flags}
${if_addr}127.0.0.1
S<service@moneybookers.com>
Z3606.22551183322921.mail.XXX.net
MDeferred: 421 Message from (XXX.XXX.XXX.XXX) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
rRFC822; wrl_xa25@yahoo.com.cn
RPNFD:<wrl_xa25@yahoo.com.cn>
H?P?Return-Path: <g>
H??Received: from mail.XXX.net (localhost.localdomain [127.0.0.1])
by mail.XXX.net (8.13.1/8.13.1) with ESMTP id l620qhAW024450
for <wrl_xa25@yahoo.com.cn>; Sun, 1 Jul 2007 20:52:43 -0400
H??Received: from User (static-66-16-20-178.dsl.cavtel.net [66.16.20.178])
by mail.XXX.net (Scalix SMTP Relay 11.0.4.10790)
via ESMTP; Sun, 01 Jul 2007 16:48:41 -0400 (EDT)
H??Date: Sun, 1 Jul 2007 16:49:45 -0400
H??From: "service@moneybookers.com"<service@moneybookers.com>
H??Reply-To: <service@moneybookers.com>
H??Message-ID: <3606.22551183322921.mail.XXX.net@MHS>
H??Subject: Important Notification of Moneybookers Account
H??X-MSMail-Priority: Normal
H??X-Priority: 3
H??x-scalix-Hops: 1
H??X-Mailer: Microsoft Outlook Express 6.00.2600.0000
H??X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
H??MIME-Version: 1.0
H??Content-Type: text/html;
charset="Windows-1251"
H??Content-Disposition: inline

Posted: Mon Jul 02, 2007 1:02 am
by jaime.pinto
Classic case of spam attack.
A tail -f /var/log/maillog tells you exactly where it is coming from:
H??Received: from User (static-66-16-20-178.dsl.cavtel.net [66.16.20.178])

Just cd to /etc/mail and edit access.
Add:
66.16.20.178 DISCARD

Save it and type make on that directory
then /etc/init.d/sendmail restart

Keep the entry on the access file for a few days and then comment it out.
Keep one eye on the /var/log/maillog. If the spam continues, they flip to another IP, then DISCARD the whole class range, as in:
66.16.20 DISCARD

If it continues, you just escalate, and discard the whole domain:
cavtel.net DISCARD

In 5 minutes you'll have solved the problem.
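The step jaime.pinto describes, reading the Received: line that the server's own SMTP relay added to find the injecting client, is easy to do by hand for one message but tedious for a queue of 100,000. The following Python script is an added example for this thread; it is not Scalix's, sendmail's, or either poster's code. It assumes the sendmail qf queue-file layout shown in the sample above (header lines begin with `H?flags?`, continuation lines begin with whitespace, each Received: header names the client as `[a.b.c.d]`), walks the headers newest-first so that anything a spammer forged below the server's own hop is ignored, tallies the injecting IPs across several constructed queue files (RFC 5737 documentation addresses, not real hosts), and prints /etc/mail/access lines following the host-then-prefix escalation in the post. The list of "internal" hops is an assumption standing in for the server's own loopback/RFC 1918 handoff addresses.

```python
"""Find where queued spam entered the server, from sendmail qf queue files.

Added example for this forum thread; not Scalix's or sendmail's own code.
Assumes the qf layout shown in the thread: header lines start with
'H?flags?Name:', continuation lines start with whitespace, and each
'Received:' header names the connecting client as '... [a.b.c.d]'.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample queue files (headers only), modelled on the one posted
# in the thread but using RFC 5737 documentation addresses.
QF_A = """V8
T1183337563
S<service@example.invalid>
rRFC822; victim@example.net
H?P?Return-Path: <g>
H??Received: from mail.example.net (localhost.localdomain [127.0.0.1])
\tby mail.example.net (8.13.1/8.13.1) with ESMTP id l620qhAW024450
\tfor <victim@example.net>; Sun, 1 Jul 2007 20:52:43 -0400
H??Received: from User (host7.example.isp [198.51.100.7])
\tby mail.example.net (Scalix SMTP Relay 11.0.4.10790)
\tvia ESMTP; Sun, 01 Jul 2007 16:48:41 -0400 (EDT)
H??Subject: Important Notification
"""
QF_B = QF_A.replace("host7.example.isp [198.51.100.7]", "host9.example.isp [198.51.100.9]")
QF_C = QF_A.replace("host7.example.isp [198.51.100.7]", "other.example.org [203.0.113.44]")

# Hops between the server's own components (Scalix relay -> sendmail on
# loopback, or anything on RFC 1918 space). Assumed for this example; a real
# deployment would list its own addresses here.
INTERNAL_NETS = [ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RECEIVED_RE = re.compile(r"^H\?[^?]*\?Received:\s*(.*)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_headers(qf_text):
    """Return the unfolded Received: header values in file order (newest first)."""
    headers, current = [], None
    for line in qf_text.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            current.append(line.strip())      # continuation of a Received: line
            continue
        if current is not None:
            headers.append(" ".join(current))
            current = None
        m = RECEIVED_RE.match(line)
        if m:
            current = [m.group(1).strip()]
    if current is not None:
        headers.append(" ".join(current))
    return headers


def client_ip(received):
    """Connecting client's address from one Received: header, or None."""
    # Only the 'from ...' clause (before ' by ') names the client; the 'by'
    # part may carry the receiving host's own address.
    m = IP_RE.search(received.split(" by ", 1)[0])
    return m.group(1) if m else None


def injection_point(qf_text):
    """IP of the outermost external host that handed this message to the server.

    Received: headers are prepended, so reading newest-first and skipping the
    server's internal handoffs yields the first hop our own server recorded.
    Anything below that hop could have been forged by the sender.
    """
    for received in received_headers(qf_text):
        ip = client_ip(received)
        if ip is None:
            continue
        addr = ip_address(ip)
        if any(addr in net for net in INTERNAL_NETS):
            continue
        return ip
    return None


def tally_sources(qf_texts):
    """Count queued messages per injecting IP."""
    return Counter(ip for ip in map(injection_point, qf_texts) if ip)


def access_entries(counts, min_hosts_for_prefix=2):
    """/etc/mail/access lines following the escalation in the thread: one
    DISCARD per host, plus a /24 prefix DISCARD once several hosts in the
    same class-C range appear (sendmail matches a bare 'a.b.c' as a prefix)."""
    lines = [f"{ip}\tDISCARD" for ip in sorted(counts)]
    prefixes = Counter(ip.rsplit(".", 1)[0] for ip in counts)
    for prefix, n in sorted(prefixes.items()):
        if n >= min_hosts_for_prefix:
            lines.append(f"{prefix}\tDISCARD")
    return lines


if __name__ == "__main__":
    counts = tally_sources([QF_A, QF_B, QF_C])
    for ip, n in counts.most_common():
        print(f"{n:6d}  {ip}")
    print("\n".join(access_entries(counts)))
```

On a live system you would feed it the real qf files (`glob("/var/spool/mqueue/qf*")`) and review the generated lines before appending them to access and running `make`; the per-host count also tells you whether the flood comes from one client or, as the post warns, is hopping across a range.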

Posted: Mon Jul 02, 2007 7:50 am
by audiotron2002
That is good information. Thank you. I also realized why I saw no connections from this host and why even after I shut down smtpd (omoff -d0 smtpd) messages were still filling up the mailq. When I checked omstat -s, I saw that the Internet Delivery queue had over 100,000 messages. So I think smtpd already accepted all of the messages and it was sitting in the queue and interfacing with sendmail. Does that make sense?

I used that diag program to delete all messages in the Internet queue and the problem went away (and I added the discard line like you suggested).

THANKS!

Posted: Wed Jul 04, 2007 9:27 am
by audiotron2002
I understand what to do for /etc/mail, but what about smtpd.conf? Isn't that the program listening for SMTP inbound requests? I thought sendmail only listens to outbound requests from smtpd.conf? Am I getting this right?