[Tfug] Qmail and Open Relay

Andrew Ayre andy at britishideas.com
Fri Jun 8 10:45:37 MST 2007


I'm hoping someone can give me a couple of pointers on this.

We have a server running Debian Sarge and Qmail. The server uses rcpthosts
to restrict incoming mail to only those domains that exist on the server.

We have noticed in the log files that people appear to be sending spam
through our server. The headers indicate the spam is coming from outside the
server via SMTP. However when we try to duplicate the method ourselves we
always get the rcpthosts rejection message. It seems to us that our server
is not running as an open relay. It also passed all the tests at
http://www.abuse.net/relay.html.

If we reboot the server and empty the qmail send queue the spamming stops
for an unknown period of time then starts again. We don't know how long this
period is but it's longer than half an hour. This seems strange to us.

Here is an example set of headers. We've changed the identifying
name/location of our server so the details aren't archived on the TFUG
website for everyone to see. We've also changed the email address of the
spam victim (but not the domain).

---------------------
Received: (qmail 3081 invoked by uid 64020); 7 Jun 2007 21:13:13 +0200
Received: from 202.99.204.66 by h0000000 (envelope-from <>, uid 64011) with
qmail-scanner-1.25st
 (spamassassin: 3.0.3. perlscan: 1.25st.
 Clear:RC:0(202.99.204.66):.
 Processed in 1.466053 secs); 07 Jun 2007 19:13:13 -0000
Received: from unknown (HELO WANGDONGVPS) (info at 202.99.204.66)
  by mydomain.com with SMTP; 7 Jun 2007 21:13:11 +0200
From: "Ionspb" <>
To: "someuser" <someuser at sohu.com>
Subject: =?GB2312?B?h/jrSLHctpDFY7/nh/i2kMrVu0mEnTgzMjc1?=
Date: Fri, 8 Jun 2007 03:12:42 +0800
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Qmail-Scanner-Message-ID: <11812435929223074 at h1105258>
---------------------

In this example there is no from address, but other spam emails do have one.
Any ideas?

Andy
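As an added example, not part of the post above and not qmail's own code: a small Python script that walks a Received chain like the one quoted in the post (a constructed copy of those headers, with the list archive's " at " obfuscation restored to "@") and pulls out the facts a practitioner checks first on a suspected relay: the client IP and HELO at the qmail-smtpd hop, the envelope sender that qmail-scanner recorded, and whether the domain in the To: header is one of the entries in an assumed rcpthosts list (the RCPTHOSTS set below is a placeholder, not the server's real file). The caveat the script makes explicit: qmail-smtpd applies rcpthosts to the SMTP envelope recipient (RCPT TO), and these headers do not record that envelope recipient, so the To: header on its own cannot show whether the message was relayed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed contents of /var/qmail/control/rcpthosts on the server (hypothetical).
RCPTHOSTS = {"mydomain.com"}

# Constructed copy of the headers quoted in the post.  The archive's " at "
# obfuscation is restored to "@" and the wrapped qmail-scanner line is folded
# with leading whitespace so it parses as one header.
SAMPLE_HEADERS = """\
Received: (qmail 3081 invoked by uid 64020); 7 Jun 2007 21:13:13 +0200
Received: from 202.99.204.66 by h0000000 (envelope-from <>, uid 64011) with
 qmail-scanner-1.25st
 (spamassassin: 3.0.3. perlscan: 1.25st.
 Clear:RC:0(202.99.204.66):.
 Processed in 1.466053 secs); 07 Jun 2007 19:13:13 -0000
Received: from unknown (HELO WANGDONGVPS) (info@202.99.204.66)
  by mydomain.com with SMTP; 7 Jun 2007 21:13:11 +0200
From: "Ionspb" <>
To: "someuser" <someuser@sohu.com>
Subject: =?GB2312?B?h/jrSLHctpDFY7/nh/i2kMrVu0mEnTgzMjc1?=
Date: Fri, 8 Jun 2007 03:12:42 +0800

"""

# qmail-smtpd's Received line: "from <rdns> (HELO <helo>) (<ident>@<ip>) by <host> with SMTP"
SMTPD_HOP = re.compile(
    r"from (\S+) \(HELO ([^)]*)\) \((?:[^@)]*@)?([\d.]+)\) by (\S+) with SMTP"
)
ENVELOPE_FROM = re.compile(r"envelope-from <([^>]*)>")


def received_hops(raw):
    """Return the Received headers, newest first, each unfolded onto one line."""
    msg = message_from_string(raw)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def smtpd_hop(hops):
    """Find the hop where qmail-smtpd accepted the message over SMTP."""
    for hop in hops:
        m = SMTPD_HOP.search(hop)
        if m:
            return {"rdns": m.group(1), "helo": m.group(2),
                    "client_ip": m.group(3), "by": m.group(4)}
    return None


def envelope_from(hops):
    """Envelope sender as recorded by qmail-scanner; "" means the null sender (MAIL FROM:<>)."""
    for hop in hops:
        m = ENVELOPE_FROM.search(hop)
        if m:
            return m.group(1)
    return None


def header_to_domain(raw):
    """Domain of the To: header address (this is NOT the SMTP envelope recipient)."""
    _, addr = parseaddr(message_from_string(raw).get("To", ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw, rcpthosts=RCPTHOSTS):
    """Summarise the relay-relevant facts visible in the header chain."""
    hops = received_hops(raw)
    hop = smtpd_hop(hops) or {}
    sender = envelope_from(hops)
    to_domain = header_to_domain(raw)
    return {
        "client_ip": hop.get("client_ip"),
        "helo": hop.get("helo"),
        "accepted_by": hop.get("by"),
        "envelope_from": sender,
        "null_sender": sender == "",
        "to_header_domain": to_domain,
        "to_header_domain_in_rcpthosts": to_domain in rcpthosts,
        # rcpthosts is enforced on RCPT TO, which these headers do not record,
        # so the envelope recipient cannot be recovered from them.
        "envelope_rcpt_known": False,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

To see what RCPT TO a given client actually sent, the place to look is the qmail-smtpd log for the connection from that client IP at the timestamp of the SMTP hop, not the message headers.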