Re: [qmailtoaster] spamming on server

2017-08-16 Thread Rajesh M 
thanks all

figured this out.

i had recently updated qmail and it reinstalled sendmail binary.

i have removed this and also taken necessary precautions for tracking the 
culprits

rajesh


- Original Message -
From: Jaime Lerner [mailto:jaimeler...@geekgoddess.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Wed, 16 Aug 2017 09:25:09 -0400
Subject:

My guess is the spammer is using php's mail() function and you have your
server set up so the mail function goes into qmail rather than something
else. As long as you have your localhost allowed (as you do), any script
using the local mail() function will have full access.

From:  Rajesh M <24x7ser...@24x7server.net>
Reply-To:  
Date:  Wednesday, August 16, 2017 at 9:22 AM
To:  
Subject:  [qmailtoaster] spamming on server

hi

i have a few websites along with qmailtoaster

i noted that one of the websites with wordpress was hacked and using a php
script the spammer was injecting emails into the qmail queue ie there is
nothing in the smtp logs, but the send logs contained 1000s of remote
delivery entries.

i use squirrelmail but with smtp authentication only, ie email sent to
external domains from my server has to smtp authenticate first.

my tcp.smtp is as follows

127.0.0.1:allow
:allow,BADMIMETYPE="",QMAILQUEUE="/var/qmail/bin/simscan",BADLOADERTYPE="M",
CHKUSER_START="ALWAYS",
CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",
DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/q
mail/control/domainkeys/%/private"

how could the spammer directly inject email to the qmail queue ?

what am i missing here ?

thanks
rajesh


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] spamming on server

2017-08-16 Thread South Computers 

Also check your /var/log/qmail/submission/current for bad activity


Pedro Estevão wrote:

Are you talking on a ilegit web hosting issue (script under wordpress site) or 
a ilegit access to your webmail (squirrelmail)?
Or if I miss understood what are web hosting and webmail related?

-Original Message-
From: Rajesh M [mailto:24x7ser...@24x7server.net]
Sent: 16 August 2017 14:22
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] spamming on server

hi

i have a few websites along with qmailtoaster

i noted that one of the websites with wordpress was hacked and using a php 
script the spammer was injecting emails into the qmail queue ie there is 
nothing in the smtp logs, but the send logs contained 1000s of remote delivery 
entries.

i use squirrelmail but with smtp authentication only, ie email sent to external 
domains from my server has to smtp authenticate first.

my tcp.smtp is as follows

127.0.0.1:allow
:allow,BADMIMETYPE="",QMAILQUEUE="/var/qmail/bin/simscan",BADLOADERTYPE="M",CHKUSER_START="ALWAYS",
CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",
DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

how could the spammer directly inject email to the qmail queue ?

what am i missing here ?

thanks
rajesh




-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com






-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] spamming on server

2017-08-16 Thread South Computers 
Check your /var/log/maillog for lots of different IPs sending through 
one account via smtp, or create a phpmail log file to detect where the 
bad script is, like this:

https://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/




Pedro Estevão wrote:

Are you talking on a ilegit web hosting issue (script under wordpress site) or 
a ilegit access to your webmail (squirrelmail)?
Or if I miss understood what are web hosting and webmail related?

-Original Message-
From: Rajesh M [mailto:24x7ser...@24x7server.net]
Sent: 16 August 2017 14:22
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] spamming on server

hi

i have a few websites along with qmailtoaster

i noted that one of the websites with wordpress was hacked and using a php 
script the spammer was injecting emails into the qmail queue ie there is 
nothing in the smtp logs, but the send logs contained 1000s of remote delivery 
entries.

i use squirrelmail but with smtp authentication only, ie email sent to external 
domains from my server has to smtp authenticate first.

my tcp.smtp is as follows

127.0.0.1:allow
:allow,BADMIMETYPE="",QMAILQUEUE="/var/qmail/bin/simscan",BADLOADERTYPE="M",CHKUSER_START="ALWAYS",
CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",
DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

how could the spammer directly inject email to the qmail queue ?

what am i missing here ?

thanks
rajesh




-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com






-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

RE: [qmailtoaster] spamming on server

2017-08-16 Thread Pedro Estevão 
Are you talking on a ilegit web hosting issue (script under wordpress site) or 
a ilegit access to your webmail (squirrelmail)?
Or if I miss understood what are web hosting and webmail related?

-Original Message-
From: Rajesh M [mailto:24x7ser...@24x7server.net] 
Sent: 16 August 2017 14:22
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] spamming on server

hi

i have a few websites along with qmailtoaster

i noted that one of the websites with wordpress was hacked and using a php 
script the spammer was injecting emails into the qmail queue ie there is 
nothing in the smtp logs, but the send logs contained 1000s of remote delivery 
entries.

i use squirrelmail but with smtp authentication only, ie email sent to external 
domains from my server has to smtp authenticate first.

my tcp.smtp is as follows

127.0.0.1:allow
:allow,BADMIMETYPE="",QMAILQUEUE="/var/qmail/bin/simscan",BADLOADERTYPE="M",CHKUSER_START="ALWAYS",
CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",
DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

how could the spammer directly inject email to the qmail queue ?

what am i missing here ?

thanks
rajesh




-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] spamming on server

2017-08-16 Thread Jaime Lerner 
My guess is the spammer is using php's mail() function and you have your
server set up so the mail function goes into qmail rather than something
else. As long as you have your localhost allowed (as you do), any script
using the local mail() function will have full access.

From:  Rajesh M <24x7ser...@24x7server.net>
Reply-To:  
Date:  Wednesday, August 16, 2017 at 9:22 AM
To:  
Subject:  [qmailtoaster] spamming on server

hi

i have a few websites along with qmailtoaster

i noted that one of the websites with wordpress was hacked and using a php
script the spammer was injecting emails into the qmail queue ie there is
nothing in the smtp logs, but the send logs contained 1000s of remote
delivery entries.

i use squirrelmail but with smtp authentication only, ie email sent to
external domains from my server has to smtp authenticate first.

my tcp.smtp is as follows

127.0.0.1:allow
:allow,BADMIMETYPE="",QMAILQUEUE="/var/qmail/bin/simscan",BADLOADERTYPE="M",
CHKUSER_START="ALWAYS",
CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",
DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/q
mail/control/domainkeys/%/private"

how could the spammer directly inject email to the qmail queue ?

what am i missing here ?

thanks
rajesh


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

[qmailtoaster] spamming on server

2017-08-16 Thread Rajesh M 
hi

i have a few websites along with qmailtoaster

i noted that one of the websites with wordpress was hacked and using a php 
script the spammer was injecting emails into the qmail queue ie there is 
nothing in the smtp logs, but the send logs contained 1000s of remote delivery 
entries.

i use squirrelmail but with smtp authentication only, ie email sent to external 
domains from my server has to smtp authenticate first.

my tcp.smtp is as follows

127.0.0.1:allow
:allow,BADMIMETYPE="",QMAILQUEUE="/var/qmail/bin/simscan",BADLOADERTYPE="M",CHKUSER_START="ALWAYS",
CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",
DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

how could the spammer directly inject email to the qmail queue ?

what am i missing here ?

thanks
rajesh


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com