# Sendmail relay? Complaints about spam



## BernardoCR (Apr 13, 2011)

Hello,

I am receiving several e-mails telling me that an e-mail I use with a FreeBSD server is sending spam messages, containing virus and spyware codes.

In fact, I have seen one of these messages, and it shows on the sender my e-mail address.

People even sent complaints to the police, and I am starting to be afraid of getting in trouble without having nothing to do with it.

I have searched in /var/log/maillog and didn't find any of the addresses people complaint about.

On the sendmail daily run output, I am receiving the following messages (don't know if this has something to do with it):


```
Checking for rejected mail hosts:
 429 550 check_rcpt [email]services@virtualife.com.br[/email] denied
 10 550 check_rcpt [email]k8899@kiss99.com[/email] denied
  3 550 check_rcpt [email]bxuydd07944@yahoo.com.tw[/email] [123.64.86.219]
  3 550 check_rcpt [email]btbb43931@yahoo.com.tw[/email] [123.64.86.219]
  2 550 check_rcpt [email]zciozsa19159@yahoo.com.tw[/email] [123.64.86.219]
  2 550 check_rcpt [email]mtnyly8445@yahoo.com.tw[/email] [123.64.86.219]
  2 550 check_rcpt [email]lnsfysme4732@yahoo.com.tw[/email] [123.64.86.219]
  2 550 check_rcpt [email]ilotom6293@yahoo.com.tw[/email] [123.64.86.219]
  1 553 check_mail rzgqpkgsgvqk.com exist
  1 553 check_mail ms09.hinet.net exist
  1 550 check_rcpt [email]xbernardo@irc.virtualife.com.br[/email] denied
  1 550 check_rcpt [email]mvdnfqx6754@yahoo.com.tw[/email] [123.64.86.219]
  1 550 check_rcpt [email]jfwhxta63740@yahoo.com.tw[/email] [123.64.86.219]
  1 550 check_rcpt [email]ivolk6254@yahoo.com.tw[/email] [123.64.86.219]
```

I am afraid someone is using my sendmail and my e-mail to send spam, and I'm going to get in trouble..

Can somebody help me?

Thank you.


----------



## SirDice (Apr 13, 2011)

Is your mail server accessible from the internet? Most importantly port 25.

If it is accessible from the internet, why? Does your mail server accept mail from other hosts? If not, block access from the internet to port 25.

If you do accept mail make absolutely sure you are not an open relay. If you are an open relay it's quite possible your mailserver is being abused.

Also note that the "From:" address in an email is incredibly easy to fake. The only way to know for sure you are the one that's sending it is by looking at the "Received:" headers.


----------



## gordon@ (Apr 13, 2011)

If you have your email address somewhere on the internet, spammers will use it as a From address. As SirDice points out, what is important is the Received headers, if your server is listed in the Received header, then check your configuration. You can also use a tool like http://www.checkor.com/ which will probe your mailserver to see if it is running as an open relay.


----------



## DutchDaemon (Apr 13, 2011)

As old as the (Internet) hills: http://en.wikipedia.org/wiki/Joe_job


----------



## BernardoCR (Apr 14, 2011)

Thank you for the replies. I have checked and my mail server is not open relay. I am concerned about some malicious php script doing the job.

So, I have 2 questions. All mail sent by sendmail would be stored in the /var/log/maillog, right? And all files accessed by php, if I have the lines,


```
ErrorLog "/var/log/httpd-error.log"
CustomLog "/var/log/httpd-access.log" common
```

would be stored in the mentioned files, right?

Thank you.


----------



## SirDice (Apr 14, 2011)

Yep, that should at least give you an idea where to look.

As for the PHP scripts, you need to make sure ALL user input is filtered before using it. Input validation is the key.


----------

