Firstly we should look at the server’s queue:

# /var/qmail/bin/qmail-qstat
messages in queue: 758
messages in queue but not yet preprocessed: 0
We have 758 mails in the queue. Let's examine the queue with qmail-qread. A bunch of strange email addresses in the recipient list usually means spam.

# /var/qmail/bin/qmail-qread
You can examine the content of the emails in the queue using the Plesk interface or just the less command. First find the message's id using qmail-qread, then find the file holding the email under /var/qmail/queue with the find command.

# /var/qmail/bin/qmail-qread
18 Jul 2008 02:01:11 GMT #22094026 1552 <>
remote user@yahoo.com

# find /var/qmail/queue/ -name 22094026
/var/qmail/queue/mess/19/22094026
/var/qmail/queue/remote/19/22094026
/var/qmail/queue/info/19/22094026

# less /var/qmail/queue/mess/19/22094026
Received: (qmail 10728 invoked from network); 22 Jul 2008 19:40:46 +0300
Received: from unknown (HELO User) (86.107.221.138)
by domain.com with SMTP; 22 Jul 2008 19:40:46 +0300
Reply-To: <support@PayPal.Inc.com>
From: "PayPal"<support@PayPal.Inc.com>
Subject: Dispute Transaction
Date: Tue, 22 Jul 2008 19:40:52 +0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
[...]


Oops, we do have spam in the queue that was received from the network (IP: 86.107.221.138). We should remove the spam from the queue or the server's IP address will end up listed in RBLs; qmail-remove is the right tool for this job.

Check the number of spam messages matching the spam pattern ("PayPal.Inc.com" in this case):

# qmail-remove -p 'PayPal.Inc.com'

Now remove the spam (notice the '-r' switch); the messages will all end up in the /var/qmail/queue/yanked directory. Don't forget to stop the qmail daemon first (/etc/init.d/qmail stop):

# qmail-remove -r -p 'PayPal.Inc.com'

Within a few minutes we have more emails with the same pattern from the same IP address. That is actually useful: we have the opportunity to examine SMTP traffic from the spammer's IP address. Run tcpdump and wait a few minutes.

# tcpdump -i eth0 -n 'src 86.107.221.138 or dst 86.107.221.138' -w smtp.tcpdump -s 2048

Examining the capture file with less or vi, we find that the spammer is sending spam using LOGIN authentication:
220 ulise.domain.com ESMTP
ehlo User
250-ulise.domain.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
MTIzNDU=
235 go ahead

Interesting, let’s decode the user/pass to see which account is used:

# perl -MMIME::Base64 -e 'print decode_base64("dGVzdA==")'
test

# perl -MMIME::Base64 -e 'print decode_base64("MTIzNDU=")'
12345

So someone created a test account with a weak password, and someone else guessed it and is sending spam through the server.
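The decode step above, generalised: an added example (not from the original post) that walks a plain-text SMTP transcript, as dumped from the tcpdump capture, and extracts every AUTH LOGIN or AUTH PLAIN attempt together with the account it used, so the abused mailbox can be located. The transcript is constructed to mirror the exchange shown above.

```python
import base64
import re

# Constructed SMTP transcript, modelled on the AUTH LOGIN exchange captured above.
TRANSCRIPT = """220 ulise.domain.com ESMTP
ehlo User
250-ulise.domain.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
MTIzNDU=
235 go ahead
"""


def _b64(token):
    """Decode one base64 token from the transcript into text."""
    return base64.b64decode(token, validate=True).decode("utf-8", "replace")


def extract_auth(transcript):
    """One record per AUTH LOGIN / AUTH PLAIN attempt in a plain-text SMTP
    transcript: mechanism, username, password and whether the server answered
    235 (accepted). CRAM-MD5 carries no decodable password and is skipped."""
    lines = [ln.strip() for ln in transcript.splitlines() if ln.strip()]
    found, i = [], 0
    while i < len(lines):
        m = re.match(r"AUTH\s+(LOGIN|PLAIN)(?:\s+(\S+))?$", lines[i], re.I)
        if m is None:
            i += 1
            continue
        mech, initial = m.group(1).upper(), m.group(2)
        try:
            if mech == "PLAIN":
                # one blob "\0user\0pass", sent either on the AUTH line (initial
                # response) or after the server's bare "334" prompt
                blob = initial if initial else lines[i + 2]
                _authzid, user, password = _b64(blob).split("\0", 2)
                i += 1 if initial else 3
            elif initial:
                # AUTH LOGIN with initial response: only the password is prompted for
                user, password = _b64(initial), _b64(lines[i + 2])
                i += 3
            else:
                # server prompts 334 VXNlcm5hbWU6 ("Username:") then
                # 334 UGFzc3dvcmQ6 ("Password:"); the client answers each in base64
                user, password = _b64(lines[i + 2]), _b64(lines[i + 4])
                i += 5
        except (IndexError, ValueError):
            i += 1          # truncated or malformed exchange; keep scanning
            continue
        outcome = lines[i] if i < len(lines) else ""
        found.append({"mechanism": mech, "user": user, "password": password,
                      "accepted": outcome.startswith("235")})
    return found


if __name__ == "__main__":
    for rec in extract_auth(TRANSCRIPT):
        print(rec)   # which mailbox the spammer authenticated as
```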

Let's find the domain that owns the mailbox:

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa

mysql> SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='test' AND a.password='12345';

+-----------+-------------+----------+
| mail_name | name        | password |
+-----------+-------------+----------+
| test      | example.com | 12345    |
+-----------+-------------+----------+
1 row in set (0.01 sec)

Next step is to delete test mailbox and send a warning to client.

To improve your server's security, enable:

Server -> Mail -> Check the passwords for mailboxes in the dictionary

Find and Stop the Spamming in Qmail


Check how many messages are in the queue with Qmail:

# /var/qmail/bin/qmail-qstat
messages in queue: 27645
messages in queue but not yet preprocessed: 82

If the queue has too many messages, try to discover the source of the spam.

If mail is being sent by an authorized user rather than from a PHP script, you can run the command below to find the user that has sent the most messages (available since Plesk 8.x). Note that you must have 'SMTP authorization' activated on the server for these records to exist:

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk '{print $11}' |sort |uniq -c |sort -n

The path to 'maillog' may differ depending on the OS you are using. The next step is to use "qmail-qread," which can be used to read the message headers:

# /var/qmail/bin/qmail-qread
18 Jul 2005 15:03:07 GMT #2996948 9073 bouncing
done remote user1@domain1.com
done remote user2@domain2.com
done remote user3@domain3.com
....

This shows the senders and recipients of messages. If a message has too many recipients, it is probably spam. Now try to find this message in the queue by its ID (#2996948 in our example):

# find /var/qmail/queue/mess/ -name 2996948

Examine the message and find the "Received" line to find out from where it was sent for the first time. For example, if you find:

Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700

it means that this message was sent via CGI by the user with UID 10003. Using this UID, it is possible to find the domain:

# grep 10003 /etc/passwd

If the 'Received' line contains the UID of the user 'apache' (for example "invoked by uid 48"), it means that the spam was sent through a PHP script. In this case, you can try to find the spammer using information from the spam email (the from/to addresses or any other information).

It is usually very difficult to discover the source of spam. If you are absolutely sure that this time there is a script which sends spam (the queue grows rapidly for no apparent reason), you can use the following command to determine which PHP scripts are running at this moment:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php

You can also apply the procedure below, which describes how to discover which domains are sending mail through PHP scripts. Lines in the Received section like

Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)

mean that the message has been accepted and delivered via SMTP, and that the sender is an authorized mail user.

Many email messages are sent from PHP scripts on the server. How can we find the domains on which these scripts are running? There is a way to determine from what folder the PHP script that sends mail was run. Note: Depending on your OS and Plesk version, the paths can slightly differ from those listed below.

1) Create a /var/qmail/bin/sendmail-wrapper script with the following content:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

Note, it should be two lines including '#!/bin/sh'.

2) Create a log file /var/tmp/mail.send and grant it "a+rw" rights; make the wrapper executable; rename the old sendmail; and link it to the new wrapper:

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

3) Wait for an hour and change back sendmail:

# rm -f /var/qmail/bin/sendmail
# ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Examine the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header:" pointing to domain folders where the scripts which sent the mail are located. You can see all the folders from where mail PHP scripts were run with the following command:

# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.
SPAM CHECK
Easy way to remove your Qmail Mail Queues.

Before attempting this, don't forget to stop the qmail service.

  #qmailctl stop

find /var/qmail/queue/mess -type f -exec rm {} \;
find /var/qmail/queue/info -type f -exec rm {} \;
find /var/qmail/queue/local -type f -exec rm {} \;
find /var/qmail/queue/intd -type f -exec rm {} \;
find /var/qmail/queue/todo -type f -exec rm {} \;
find /var/qmail/queue/remote -type f -exec rm {} \;

#qmailctl start



'Virtual' means that it is not real. Basically, it is still a shared hosting account, but unlike a normal shared hosting account, each VPS has its own dedicated slice of the CPU, RAM and disk space. So what you do will not affect the other VPSes on the machine. You can reboot your VPS any time you want and you have root access.

Think of it this way. A Dedicated Server is like owning and living in your own mansion: you can share it or use it completely yourself, it is up to you.

A Virtual Private Server is like living in an apartment or a hotel room. You have your own doors, walls and private bathroom. You have the privacy of your own room and you can more or less do anything you want. Of course, you share the infrastructure with the other residents in the apartment building.

A Virtual Hosting/Shared Account is like having a bed in a dormitory. You basically share a bathroom, common area and so on.

Of course, in a virtual hosting account, if you are the only customer on the machine, you can more or less use all the resources there are. If you share, as long as all the customers do not use more than what the server can handle, it does not matter.

A VPS on the other hand has a strictly defined slice of the CPU/RAM and disk space and, unless permitted, you usually cannot go beyond that allocation. The good news is that no matter how crowded the server is, you still have your minimum allocation. The bad news is that if your site requires more than what the VPS slice can handle, you will have to bear with it even if there are unused resources on the server. Some VPS platforms allow bursting up to a reasonable limit, but some don't.

*) What happens while sending a mail, as seen from the mail header.

Return-path: <georgek@admin-ahead.com>
Envelope-to: shijuc@admin-ahead.com
Delivery-date: Fri, 07 Jun 2013 16:49:32 +0530
Received: from t1.admin-ahead.com ([14.140.176.234]:13182 helo=w10.office.admin-ahead.com)
	by cpanel.admin-ahead.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.80.1)
	(envelope-from <georgek@admin-ahead.com>)
	id 1Ukuhb-00062Y-Eu; Fri, 07 Jun 2013 16:49:28 +0530
Message-ID: <51B1C1B5.2060807@admin-ahead.com>
Date: Fri, 07 Jun 2013 16:49:17 +0530
From: George Koshy <georgek@admin-ahead.com>
Organization: Admin-Ahead Server Technologies
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130330 Thunderbird/17.0.5
MIME-Version: 1.0
To: shijuc@admin-ahead.com, nijina@admin-ahead.com,
	rintus@admin-ahead.com, ashleyj@admin-ahead.com, giving@admin-ahead.com,
	tensinj@admin-ahead.com, nikhiln@admin-ahead.com,
	rahuln@admin-ahead.com
CC: trainers@admin-ahead.com
Subject: MailEnable assignment
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms030101050807050906030809"


Every mail header carries all the necessary information about what happened during the transfer of the mail from one user to another, or more precisely from one server to another. It shows the destination address, where the message was processed and the message ID. The message ID is unique for every mail, so it becomes very handy when troubleshooting. It also shows from which organization the mail was sent, and which mail client and operating system were used.
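To apply the Received: rules described on this page (qmail's "invoked by uid N" meaning a local script, "invoked from network" followed by the peer address meaning SMTP, and Exim's esmtpsa protocol name meaning an authenticated session, as in the header above) to a queued message, here is an added example that is not part of the original page; the header samples and the /etc/passwd excerpt are constructed, with documentation addresses in place of the page's real ones.

```python
import re

# Constructed samples modelled on the Received: lines quoted on this page (documentation values).
QMAIL_LOCAL = """Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700
Subject: hello
"""
QMAIL_NETWORK = """Received: (qmail 10728 invoked from network); 22 Jul 2008 19:40:46 +0300
Received: from unknown (HELO User) (192.0.2.10)
  by mail.example.com with SMTP; 22 Jul 2008 19:40:46 +0300
Subject: Dispute Transaction
"""
EXIM_AUTH = """Received: from t1.example.com ([192.0.2.20]:13182 helo=w10.office.example.com)
\tby mx.example.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
\t(Exim 4.80.1)
\tid 1Ukuhb-00062Y-Eu; Fri, 07 Jun 2013 16:49:28 +0530
Subject: assignment
"""
PASSWD = """apache:x:48:48:Apache:/var/www:/sbin/nologin
shop:x:10003:10003::/var/www/vhosts/shop.example.com/httpdocs:/bin/false
"""


def unfold_headers(raw):
    """[(name, value)] for the header block, re-joining folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def uid_map(passwd_text):
    """uid -> login name from /etc/passwd content (what 'grep 10003 /etc/passwd' does)."""
    fields = (ln.split(":") for ln in passwd_text.splitlines())
    return {int(f[2]): f[0] for f in fields if len(f) >= 3 and f[2].isdigit()}


def classify_origin(raw, passwd_text=""):
    """Work out how a queued message entered this server from its Received: chain."""
    info = {"origin": "unknown", "uid": None, "user": None,
            "ip": None, "helo": None, "authenticated": False}
    for _, v in (h for h in unfold_headers(raw) if h[0] == "received"):
        uid = re.search(r"invoked by uid (\d+)", v)
        if uid:                                     # qmail: injected by a local process
            info.update(origin="local-script", uid=int(uid.group(1)))
            info["user"] = uid_map(passwd_text).get(info["uid"])
            break
        if "invoked from network" in v:             # qmail: peer is in the next Received:
            info["origin"] = "network"
            continue
        ip = re.search(r"[(\[](\d{1,3}(?:\.\d{1,3}){3})", v)   # qmail "(ip)" / Exim "[ip]"
        if ip:
            helo = re.search(r"(?:HELO |helo=)(\S+?)\)", v)
            info.update(origin="network", ip=ip.group(1),
                        helo=helo.group(1) if helo else None)
            # Exim names the protocol esmtpa/esmtpsa when SMTP AUTH was used; qmail's
            # Received: lines never record it, so there cross-check maillog smtp_auth.
            info["authenticated"] = bool(re.search(r"with esmtps?a\b", v))
            break
    return info
```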


Mail Forwarders, Mail Group, Aliasing


*) How to create mail forwarders, mail groups and aliases in Sendmail?
    Mail forwarding in Sendmail can be done in 2 ways, locally and remotely. If you want to redirect mail within the local domain you can make use of /etc/aliases; for remote domains set an entry in the virtusertable.

    Mail group and aliasing
    ftp-group:root,user1,user2
    The above is an entry in the /etc/aliases file, where ftp-group is your mail group and root, user1, user2 are the aliases you set. This means mail sent to ftp-group will be received by all three.


*) What is spamming? Type of spamming and spamming prevention methods?

    Spamming involves sending unwanted electronic communication and is often considered junk e-mail. Spammers lure individuals to read e-mails through enticing words in the subject line. The majority of spam is related to commercial advertising promoting questionable products or services. Often, sending spam is an attempt to commit identity theft or other types of fraud over the Internet.

    Types of Spamming

    However, when averaged out over the course of the year, 50% of spam falls into the following categories:
    When you get spammed by others it consumes your mail space; apart from that it creates traffic and can bring your server down at times due to low bandwidth.

    Prevention Methods
  • Spam Assassin
  • SPF record
  • DNS Blacklist
  • Disable open relay
  • Anti-Spamware

SendMail Configuration Files  - Different Types

*) Explain the functions of each configuration files in Sendmail.
  • /etc/mail/access: The access database file is used to accept or reject mail from particular/selected domains. For example, you may choose to reject all mail coming from known spammers, or to accept relaying of all mail from your local network, since relaying is denied by default with the newer versions of sendmail. So this file is more like an anti-spam feature in sendmail.
    localhost.localdomain RELAY
    localhost RELAY
    192.168.1. OK
    spammer@aol.com                 REJECT
    cyberspammer.com                REJECT
    doctor.com           550        Doctor, whenever I eat Hormel products, I feel a strong urge to throw up violently.  What can I do about this?
    Note: The default action is OK, which means mail from that domain is accepted.
  • /etc/mail/aliases: An alias allows sendmail to redirect mail sent to a given address. The mail can be redirected to another email address, a file, or piped through a program. Aliases can only be set for the local network. Any changes in this file take effect after running make in /etc/mail to update the database.
    Eg:
    admin:root ---> all mail sent to admin will be redirected to root.
    team1:shiju,rahul,ashley ---> team1 is the mailbox which contains a set of aliases.
    So team1@example.com will redirect the mail to rahul, ashley and shiju.
  • /etc/mail/local-host-names:It has a list of domain and hostnames sendmail is to be receiving mail for.[all local-host-names and domains]
    Eg:shiju.com
    mail.shiju.com
    *.shiju.com

  • /etc/mail/mailer.conf:It specifies which MTA is used in the mail server.
    Eg:
    Exim,Postix

  • /etc/mail/mailertable: This file is used to route a domain to a different host, or simply for mail forwarding. For example, all mail coming from network 192.168. is routed to mail.shiju.com, and all email for mydomain.com will be automatically forwarded to the mail server joe@mail.com
    Eg:
    192.168. smtp:mail.shiju.com
    mydomain.com smtp:joe@mail.com
  • /etc/mail/sendmail.cf: Main configuration file for sendmail. Keep your hands off unless you know what you are doing. Do all editing in sendmail.mc. Use "m4 sendmail.mc > sendmail.cf" to apply the changes.
  • /etc/mail/virtusertable:The virtusertable maps mail addresses for virtual domains and mailboxes to real mailboxes. These mailboxes can be local, remote, aliases defined in /etc/mail/aliases or files.
    Eg:
    root@example.com root
    shiju@example.com joe@www.domain.net
    @example.com joe




What's the difference between POP and IMAP?

POP: Post Office Protocol
IMAP: Internet Messaging Access Protocol

POP: Best if you use only one computer to check email.
IMAP: Best if you use many different computers to check your email.

POP: Downloads your email to the particular computer you are checking it on.
IMAP: Your mail is always on the server.

POP: Allows you to keep a large backlog of email messages, limited only by the size of your computer.
IMAP: You are limited by your mailbox size quota for how many messages you keep, although you can archive old messages and save them onto your computer manually.

POP: Does not have a web interface (some webmail companies, such as Yahoo, will let you check POP mail).
IMAP: Has a web interface. If you are using NCF Webmail, you are using IMAP.

POP: New messages are downloaded in their entirety; you have to wait for the message to download.
IMAP: New message headers are downloaded so you see all your mail faster; the message you want to read is not downloaded to your computer until you click on it.

Changing the interface IP address for the Exim mail server.

You can change the interface IP address for the Exim mail server in the Exim configuration file (/etc/exim.conf).

Open the configuration file of exim.
#vi /etc/exim.conf

Check for the following parameters.

remote_smtp:
driver = smtp
interface=

Change to like this:

remote_smtp:
driver = smtp
interface=x.x.x.x

Note: Replace x.x.x.x with your IP address.

Restart the mail service.



Exim Commands

Basic information

Print a count of the messages in the queue:
root@localhost# exim -bpc 

Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient):
root@localhost# exim -bp

Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals):
root@localhost# exim -bp | exiqsumm

Print what Exim is doing right now:
root@localhost# exiwhat

Test how exim will route a given address:
root@localhost# exim -bt alias@localdomain.com
user@thishost.com
    <-- alias@localdomain.com
  router = localuser, transport = local_delivery

root@localhost# exim -bt user@thishost.com
user@thishost.com
  router = localuser, transport = local_delivery

root@localhost# exim -bt user@remotehost.com
  router = lookuphost, transport = remote_smtp
  host mail.remotehost.com [1.2.3.4] MX=0

Run a pretend SMTP transaction from the command line, as if it were coming from the given IP address. This will display Exim's checks, ACLs, and filters as they are applied. The message will NOT actually be delivered.
root@localhost# exim -bh 192.168.11.22

Display all of Exim's configuration settings:
root@localhost# exim -bP 

Managing the queue

The main exim binary (/usr/sbin/exim) is used with various flags to make things happen to messages in the queue.

Start a queue run:
root@localhost# exim -q -v

Start a queue run for just local deliveries:
root@localhost# exim -ql -v

Remove a message from the queue:
root@localhost# exim -Mrm <message-id> [ <message-id> ... ]


View message log of a specific message by ID:
root@localhost# exim -Mvl messageID

View message body of a specific message by ID:


root@localhost# exim -Mvb messageID

View message header of a specific message by ID:

root@localhost# exim -Mvh messageID






EXIM   

Install Exim from source

Install requirements
#yum install gcc -y
#yum install db4-devel -y 

Create user 

[root@vps exim-4.69]# vim /etc/passwd
Add the entry
exim:x:93:93::/var/spool/exim:/sbin/nologin 

[root@vps exim-4.69]# cat /etc/passwd|grep exim
exim:x:93:93::/var/spool/exim:/sbin/nologin
(you see the added entry)
  
Then in /etc/group, add :
 exim:x:93:

[root@vps exim-4.69]# id exim
uid=93(exim) gid=93(exim) groups=93(exim),10(mail)

Then execute the following commands to create your mail log and mail storage directories:

#mkdir -p /var/spool/mail 
#mkdir -p /var/log/exim 
#chown exim:exim /var/spool/mail 
#chown exim:adm /var/log/exim 
#chmod 1777 /var/spool/mail
#chmod 2750 /var/log/exim


Download and install Exim

#cd /usr/local/src
wget ftp://idcnetwork.org/pub/exim/exim/exim4/exim-4.69.tar.gz
tar -zxvf exim-4.69.tar.gz
cd /usr/local/src/exim-4.69
sed -e 's,^BIN_DIR.*$,BIN_DIRECTORY=/usr/sbin,' \
    -e 's,^CONF.*$,CONFIGURE_FILE=/etc/exim.conf,' \
    -e 's,^EXIM_USER.*$,EXIM_USER=exim,' \
    -e 's,^EXIM_MONITOR,#EXIM_MONITOR,' src/EDITME > Local/Makefile
make
make install 

Note: Though Exim has its own binary to handle mail, I recommend running the following to provide the sendmail-compatible paths.

#ln -s /usr/sbin/exim /usr/lib/sendmail 
#ln -s /usr/sbin/exim /usr/sbin/sendmail 
 
Creating a secure runtime configuration

All the functionality of Exim is controlled from /etc/exim.conf

Edit the new /etc/exim.conf and find the following entries:
 
primary_hostname = mail.example.com (mail domain) or hostname(localhost)
never_users = exim
host_lookup = * (reverse DNS lookup on all incoming IP calls, in order to get the true host name.)
# Set this to the name that appears after the @ in your email address
local_domains =
# Set this to localhost and the name that appears after the @
# in your email address separated by a colon.
# for example localhost:enterprise-hr.com for Patrick.
host_accept_relay = 127.0.0.1:
# Add in the range used by machines on your LAN. If you #do not have a
# LAN or are unsure, don't edit this. Example: #for a LAN with IP
# Address range 192.168.0.0/24, you put #that in here:
# host_accept_relay = 127.0.0.1:192.168.0.0/24

Everything else in /etc/exim.conf should just work nicely.
Starting Exim

# killall sendmail
# /usr/sbin/exim -bd -q15m

Note: Use telnet to check whether exim runs on port 25:

# telnet localhost 25

Exim is now listening on port 25 for mail from the machine itself or from the address range you specified in /etc/exim.conf.

To send mail:

# exim -v user1@localhost
Heloooo
.

Note: If you have configured it properly you will see a log message showing the mail transfer completed. Check

# tail /var/log/exim/[exim_maillog,exim_rejectlog,exim_paniclog]

for log details.

# cat /var/spool/mail/user1   [To read the mail]

Thank You.