Re: [qmailtoaster] spamming on server
thanks all

figured this out. i had recently updated qmail and it reinstalled sendmail binary. i have removed this and also taken necessary precautions for tracking the culprits

rajesh

----- Original Message -----
From: Jaime Lerner [mailto:jaimeler...@geekgoddess.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Wed, 16 Aug 2017 09:25:09 -0400
Subject:

> My guess is the spammer is using php's mail() function and you have your server set up so the mail function goes into qmail rather than something else. As long as you have your localhost allowed (as you do), any script using the local mail() function will have full access.
Re: [qmailtoaster] spamming on server
Also check your /var/log/qmail/submission/current for bad activity

Pedro Estevão wrote:
> Are you talking about an illegit web hosting issue (script under wordpress site) or an illegit access to your webmail (squirrelmail)? Or if I misunderstood what are web hosting and webmail related?
Re: [qmailtoaster] spamming on server
Check your /var/log/maillog for lots of different IPs sending through one account via smtp, or create a phpmail log file to detect where the bad script is, like this:

https://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/

Pedro Estevão wrote:
> Are you talking about an illegit web hosting issue (script under wordpress site) or an illegit access to your webmail (squirrelmail)? Or if I misunderstood what are web hosting and webmail related?
RE: [qmailtoaster] spamming on server
Are you talking about an illegit web hosting issue (script under wordpress site) or an illegit access to your webmail (squirrelmail)? Or if I misunderstood what are web hosting and webmail related?

-----Original Message-----
From: Rajesh M [mailto:24x7ser...@24x7server.net]
Sent: 16 August 2017 14:22
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] spamming on server
Re: [qmailtoaster] spamming on server
My guess is the spammer is using php's mail() function and you have your server set up so the mail function goes into qmail rather than something else. As long as you have your localhost allowed (as you do), any script using the local mail() function will have full access.

From: Rajesh M <24x7ser...@24x7server.net>
Reply-To:
Date: Wednesday, August 16, 2017 at 9:22 AM
To:
Subject: [qmailtoaster] spamming on server
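Added example, not part of the original thread: mail handed to qmail locally (the mail() path described above) never reaches the smtp log, but qmail-send records the uid that queued each message on its "info msg" line, so remote deliveries can be attributed to that uid. The log lines are constructed; uid 48 (web server) and uid 89 (the account the SMTP service runs as) are assumptions, check yours with `id`.

```python
import re
from collections import Counter

# Constructed qmail-send log sample. Message numbers are queue inode numbers
# and get reused after "end msg", as 1001 is here.
SAMPLE_LOG = """\
@4000000059944a1b00000001 new msg 1001
@4000000059944a1b00000002 info msg 1001: bytes 2310 from <info@site.example> qp 4242 uid 48
@4000000059944a1b00000003 starting delivery 1: msg 1001 to remote a@dest.example
@4000000059944a1b00000004 starting delivery 2: msg 1001 to remote b@dest.example
@4000000059944a1b00000005 delivery 1: success: 192.0.2.10_accepted_message./
@4000000059944a1b00000006 end msg 1001
@4000000059944a1b00000007 new msg 1001
@4000000059944a1b00000008 info msg 1001: bytes 812 from <user@site.example> qp 4250 uid 89
@4000000059944a1b00000009 starting delivery 3: msg 1001 to local site.example-user@site.example
@4000000059944a1b0000000a end msg 1001
@4000000059944a1b0000000b new msg 1002
@4000000059944a1b0000000c info msg 1002: bytes 2295 from <info@site.example> qp 4251 uid 48
@4000000059944a1b0000000d starting delivery 4: msg 1002 to remote c@dest.example
"""

INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
START = re.compile(r"starting delivery \d+: msg (\d+) to (remote|local) ")

def remote_deliveries_by_uid(log_text):
    """Count remote deliveries per injecting uid; collect envelope senders."""
    owner = {}            # msg number -> (uid, sender) of the current queue entry
    counts = Counter()
    senders = {}
    for line in log_text.splitlines():
        m = INFO.search(line)
        if m:             # a later "info msg" overwrites a reused msg number
            owner[m.group(1)] = (int(m.group(3)), m.group(2))
            continue
        m = START.search(line)
        if m and m.group(2) == "remote" and m.group(1) in owner:
            uid, sender = owner[m.group(1)]
            counts[uid] += 1
            senders.setdefault(uid, set()).add(sender)
    return counts, senders

def suspicious_uids(counts, smtp_uids, threshold):
    """Uids other than the SMTP service that started >= threshold remote deliveries."""
    return sorted(u for u, n in counts.items() if u not in smtp_uids and n >= threshold)

if __name__ == "__main__":
    counts, senders = remote_deliveries_by_uid(SAMPLE_LOG)
    for uid in suspicious_uids(counts, smtp_uids={89}, threshold=2):
        print(uid, counts[uid], sorted(senders[uid]))
```

On a live system the input would be the send log (and its rotated files) instead of SAMPLE_LOG; a web server uid with a large remote delivery count points at a script on one of the hosted sites.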
[qmailtoaster] spamming on server
hi

i have a few websites along with qmailtoaster

i noted that one of the websites with wordpress was hacked and using a php script the spammer was injecting emails into the qmail queue ie there is nothing in the smtp logs, but the send logs contained 1000s of remote delivery entries.

i use squirrelmail but with smtp authentication only, ie email sent to external domains from my server has to smtp authenticate first.

my tcp.smtp is as follows

127.0.0.1:allow
:allow,BADMIMETYPE="",QMAILQUEUE="/var/qmail/bin/simscan",BADLOADERTYPE="M",CHKUSER_START="ALWAYS",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

how could the spammer directly inject email to the qmail queue ?

what am i missing here ?

thanks
rajesh