# sendmail getting 'strange' messages in Mail Queue



## scubafly (Oct 19, 2012)

I'm an average *nix user but I'm having trouble with my sendmail server.

First I noticed my gmail box was filling up with a lot of mail ( since my gmail account is the postmaster )
I looked on the server trough webmin and noticed My mail Queue is filling with messages for my postmaster with "Returned mail: see transcript for details"
I'm thinking my server is being used to send spam.

Yes port 25 is open, but I use authentication. I've tested for open relay on http://www.mailradar.com/openrelay/ no errors there. Not sure if this is a good open relay checker?

For now I've set sendmail to queue-only since it's there are only like 10 valid mails a day that go trough this server for now.

But how and or what do I need to check to prevent the spammers from using my mail server?
I've looked through the FAQ, on serverfault and searched trough some tutorials but I need a little help setting this up since it is my first mail server.

Also i know only basic authentication on the smtp isn't good enough, could that be the cause of it ?
my mail client says I'm using MD5 Challenge-response for Authentication.

Thanks!


----------



## SirDice (Oct 19, 2012)

scubafly said:
			
		

> Also I know only basic authentication on the smtp isn't good enough, could that be the cause of it?



It's quite possible it's been bruteforced. Simply setting up a service on the internet is enough and they will find you. They'll then try hundreds of username/password combinations until something works. When you have users with easily guessed passwords this might be the reason. 

As for the open relay check, it's probably not able to test properly because of the authentication. But as soon as somebody is authenticated it might still be possible.


----------



## scubafly (Oct 19, 2012)

actually I made all the passwords and there are all random generated string ascii characters so it's not easily guessed.
Nevertheless I will change all passwords then how to i permanently fix this? setting up ssl on the smtp? any good tutorials how to do this? Everything I have found didn't work or was outdated 

I'm using Sendmail version 8.14.5, config V10/Berkeley and FreeBSD 8.2


----------



## kpa (Oct 19, 2012)

Can you post some examples of the messages that you're getting on the postmaster account. It's possible that someone is sending spam using your email address as the faked sender address and when the spam gets rejected it's returned to you.


----------



## SirDice (Oct 19, 2012)

scubafly said:
			
		

> setting up ssl on the smtp?


SSL will only protect the data from eavesdroppers, it'll do nothing to protect your accounts. Have a look at security/sshguard or security/py-fail2ban. Both should be able to protect your SMTP against bruteforce attacks.



> any good tutorials how to do this? Everything I have found didn't work or was outdated


Outdated shouldn't really matter. The techniques used by hackers hasn't changed much.



> I'm using Sendmail version 8.14.5, config V10/Berkeley and FreeBSD 8.2


Plan some time to upgrade to 8.3. FreeBSD 8.2 is End-of-Life.


----------



## scubafly (Oct 19, 2012)

This is an example of one of the messages I get back.
I'm thinking they are using my vps to send spam and some addresses are just wrong.


```
Mail Delivery Subsystem <MAILER-DAEMON@vps-***.nl>
To: contact@centraltelecom.fr, postmaster@vps-***.nl
Returned mail: see transcript for details

The original message was received at Fri, 19 Oct 2012 15:08:42 +0200 (CEST)
from [78.129.201.6]

  ----- The following addresses had permanent fatal errors -----
<vera68@hotmil.fr>
   (reason: 553 5.3.5 system config error)
<vera.lucia01@live.fr>
   (reason: 550 Requested action not taken: mailbox unavailable)

  ----- Transcript of session follows -----
553 5.3.5 hotmil.fr. config error: mail loops back to me (MX problem?)
554 5.3.5 Local configuration error
... while talking to mx2.hotmail.com.:
DATA
<<< 550 Requested action not taken: mailbox unavailable
550 5.1.1 <vera.lucia01@live.fr>... User unknown
Reporting-MTA: dns; vps-***.nl
Received-From-MTA: DNS; [78.129.201.6]
Arrival-Date: Fri, 19 Oct 2012 15:08:42 +0200 (CEST)

Final-Recipient: RFC822; vera68@hotmil.fr
Action: failed
Status: 5.3.5
Diagnostic-Code: SMTP; 553 5.3.5 system config error
Last-Attempt-Date: Fri, 19 Oct 2012 15:08:44 +0200 (CEST)

Final-Recipient: RFC822; vera.lucia01@live.fr
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx2.hotmail.com
Diagnostic-Code: SMTP; 550 Requested action not taken: mailbox unavailable
Last-Attempt-Date: Fri, 19 Oct 2012 15:08:45 +0200 (CEST)

From: "Central Telecom"<contact@centraltelecom.fr>
Subject: Votre Paiement Central Telecom
Date: 19 oktober 2012 15:08:44 CEST
To: undisclosed-recipients:;
Reply-To: <noreplys@centraltelecom.fr>

Bonjour ,
ReÃ§u pour votre paiement d'un montant de â‚¬ 100,00 EUR 
----------------------------------
NumÃ©ro de Transaction : 0935820502 
Commande NumÃ©ro : 956487 
----------------------------------
Description : TonÃ©o 100 â‚¬
----------------------------------
zour annuler cet ordre s'il vous plaÃ®t aller Ã  : http://www.centraltelecom.fr/transaction/numero/0935820502
Central TÃ©lÃ©com vous remercie pour votre confiance.

Acceder au site de Central Telecom
```

SirDice thanks for the tips!


----------



## SirDice (Oct 19, 2012)

I think kpa is correct. That does look like an NDR. 

I get them from time to time too. It happens when some moron spammer uses my email address as the sender. Any NDR will get sent to me. Nothing you can do about it unfortunately  (except tracking down the spammer and taking him out of the gene pool)


----------



## scubafly (Oct 22, 2012)

so to round things up there using postmaster@vps-***.nl to send mail as from address? Then I could easily fix it by changing the postmaster mail address?


----------



## scubafly (Oct 24, 2012)

Oke so now I've got a new mail queue and got messages like this in the queue:

```
Return-Path:	<Âg>
Received:	from User (85.13.210.42.reverse.coreix.net [85.13.210.42] (may be forged))(authenticated bits=0)by vps-***.nl (8.14.5/8.14.5) with ESMTP id q9N4at1P015601;Tue, 23 Oct 2012 06:36:56 +0200 (CEST)(envelope-from bank@danskebank.dk)
Message-Id:	<201210230436.q9N4at1P015601@vps-***.nl>
Reply-To:	<bank@danskebank.dk>
From:	"DanskeBank"<bank@danskebank.dk>
Subject:	Verified by Visa er nu suspenderet og dit kreditkort er spÃ¦rret
Date:	Mon, 22 Oct 2012 21:37:38 -0700
MIME-Version:	1.0
Content-Type:	text/html;charset="us-ascii"
Content-Transfer-Encoding:	7bit
X-Priority:	3
X-MSMail-Priority:	Normal
X-Mailer:	Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:	Produced By Microsoft MimeOLE V6.00.2600.0000
To:	undisclosed-recipients:;
```

Looking at multiple messages they all seam to be coming from 85.13.210.42


----------



## SirDice (Oct 24, 2012)

That looks like regular spam. Do a whois on that address.


```
inetnum:      85.13.192.0 - 85.13.255.255
netname:      UK-COREIX-20050405
descr:        Coreix Ltd
country:      GB
org:          ORG-CL32-RIPE
admin-c:      CLA13-RIPE
tech-c:       CLA13-RIPE
status:       ALLOCATED PA
remarks:      -------------------------------------------------------
remarks:      Network abuse reports:   abuse@coreix.net
remarks:      NOC and contact details: http://www.coreix.net/contact/
remarks:      -------------------------------------------------------
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    COREIX-MNT
mnt-routes:   COREIX-MNT
source:       RIPE # Filtered
```

You can send an abuse email to abuse@coreix.net. Use plain text and no attachments. Copy/paste the entire message (including the headers). Don't add any analysis, simply state it's a spammer.


----------



## wblock@ (Oct 24, 2012)

http://cbl.abuseat.org/lookup.cgi?ip=85.13.210.42


----------



## scubafly (Nov 21, 2012)

while having no issues for some time it now is starting again...


```
Mail headers	View basic headers
Return-Path:	<Âg>
Received:	from User ([198.144.153.137])(authenticated bits=0)by vps-***.nl (8.14.5/8.14.5) with ESMTP id qAJH7jSn047935;Mon, 19 Nov 2012 18:07:46 +0100 (CET)(envelope-from [email]Admin@ppmanager.com[/email])
Message-Id:	<201211191707.qAJH7jSn047935@vps-***.nl>
Reply-To:	<NoReply@ppmanager.com>
From:	"Admin@ppmanager.com"<Admin@ppmanager.com>
Subject:	Important Notification - Please Review
Date:	Mon, 19 Nov 2012 09:07:48 -0800
MIME-Version:	1.0
Content-Type:	multipart/mixed;boundary="----=_NextPart_000_00CF_01C2A9A6.44CDCB96"
X-Priority:	3
X-MSMail-Priority:	Normal
X-Mailer:	Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:	Produced By Microsoft MimeOLE V6.00.2600.0000
To:	undisclosed-recipients:;
```

does this mean someone is able to use my sendmail server?


----------



## wblock@ (Nov 21, 2012)

There is so little actual information about your system that it's hard to say.  And those headers may not be the real headers.  The "Mail headers  View basic headers" makes me think it's from an MUA that may or may not helpfully hide the real headers and could be easily fooled by fake headers.

My guess is that 198.144.153.137 is not your IP address.  What makes you think it came from your system?

http://cbl.abuseat.org/lookup.cgi?ip=198.144.153.137


----------



## scubafly (Nov 22, 2012)

After I noticed those emails I logged in on my server and found messages like these in the queue of my sendmail.

that's why I think those headers are real.

later when I just wanted to delete the whole mail queue ( since there where 10k messages in it an it not really used by anyone else then a few websites I'm running that are still in development )
when I logged into the ssh I also tailed the /var/log/maillog and noticed that same ip trying to send trough my server with a username that I had created for testing my mail.

So I did a couple of things:
first I set up a rule discarding all incoming mail. letting the spammer think the mail was accepted while I changed passwords.
changed all the passwords of my mail users to different random generated good passwords ( since they were all using the same pass which I think was compromised and needed to change anyway )
Then I added a ruleset to the check_relay rejecting all from that IP
around 10 minutes later it started to get quiet in the mail log after seeing 550 messages 

The only question I have left at the moment is if this is a good way to block a spammer ?

Yeah and as a site note I'm giving away that I blocked the spammer IP if the spammer reads this but I'll just keep on blocking any other IP he/she comes up with if that's what it takes :h But at least I hope this helps anyone else that's having trouble with this and finds this post.


----------

