[Tfug] Qmail and Open Relay

Brian Murphy murphy+tfug at email.arizona.edu
Fri Jun 8 17:39:38 MST 2007


Quoting Andrew Ayre <andy at britishideas.com>:
> I'm hoping someone can give me a couple of pointers on this.
>
> We have a server running Debian Sarge and Qmail. The server uses rcpthosts
> to restrict incoming mail to only those domains that exist on the server.
>
> We have noticed in the log files that people appear to be sending spam
> through our server. The headers indicate the spam is coming from outside the
> server via SMTP. However when we try to duplicate the method ourselves we
> always get the rcpthosts rejection message. It seems to us that our server
> is not running as an open relay. It also passed all the tests at
> http://www.abuse.net/relay.html.
>
> If we reboot the server and empty the qmail send queue the spamming stops
> for an unknown period of time then starts again. We don't know how long this
> period is but it's longer than half an hour. This seems strange to us.
>
> Here is an example set of headers. We've changed the identifying
> name/location of our server so the details aren't archived on the TFUG
> website for everyone to see. We've also changed the email address of the
> spam victim (but not the domain).
>
> ---------------------
> Received: (qmail 3081 invoked by uid 64020); 7 Jun 2007 21:13:13 +0200
> Received: from 202.99.204.66 by h0000000 (envelope-from <>, uid 64011) with
> qmail-scanner-1.25st
>  (spamassassin: 3.0.3. perlscan: 1.25st.
>  Clear:RC:0(202.99.204.66):.
>  Processed in 1.466053 secs); 07 Jun 2007 19:13:13 -0000
> Received: from unknown (HELO WANGDONGVPS) (info at 202.99.204.66)
>   by mydomain.com with SMTP; 7 Jun 2007 21:13:11 +0200
> From: "Ionspb" <>
> To: "someuser" <someuser at sohu.com>
> Subject: =?GB2312?B?h/jrSLHctpDFY7/nh/i2kMrVu0mEnTgzMjc1?=
> Date: Fri, 8 Jun 2007 03:12:42 +0800
> MIME-Version: 1.0
> Content-Type: text/plain
> Content-Transfer-Encoding: base64
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> X-Qmail-Scanner-Message-ID: <11812435929223074 at h1105258>
> ---------------------
>
> In this example there is no from address, but other spam emails do have one.
> Any ideas?
This looks like a local delivery, not a relay.

Brian

The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.
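The header set quoted above can be triaged mechanically before deciding between "open relay" and "local delivery". The following is an added example, not code from the thread: it unfolds the Received: lines, picks out the hop where the SMTP session entered the server, flags the null envelope sender (envelope-from <>), and checks the header To: domain against an rcpthosts list. The sample headers are a constructed, abridged copy of those quoted above, the rcpthosts list is assumed, and the archive's " at " in place of "@" is accommodated by the parser.

```python
import re
# Constructed sample: an abridged copy of the headers quoted in the thread above.
SAMPLE = """Received: (qmail 3081 invoked by uid 64020); 7 Jun 2007 21:13:13 +0200
Received: from 202.99.204.66 by h0000000 (envelope-from <>, uid 64011) with
qmail-scanner-1.25st
 (spamassassin: 3.0.3. perlscan: 1.25st. Clear:RC:0(202.99.204.66):.
 Processed in 1.466053 secs); 07 Jun 2007 19:13:13 -0000
Received: from unknown (HELO WANGDONGVPS) (info at 202.99.204.66)
  by mydomain.com with SMTP; 7 Jun 2007 21:13:11 +0200
To: "someuser" <someuser at sohu.com>
"""
def unfold(raw):
    """[name, value] pairs; a line that is not 'Name: value' continues the previous one."""
    headers = []
    for line in raw.splitlines():
        m = re.match(r"([A-Za-z][A-Za-z0-9-]*):\s*(.*)$", line)
        if m:
            headers.append([m.group(1), m.group(2)])
        elif headers and line.strip():  # folded line, or one the archive re-wrapped
            headers[-1][1] += " " + line.strip()
    return headers

def parse_received(value):
    """Fields a triage needs from one qmail-style Received value."""
    def grab(pat):
        m = re.search(pat, value)
        return m.group(1) if m else None
    return {
        "kind": "local" if "invoked by uid" in value else "smtp",  # qmail local injection
        "by": grab(r"\bby\s+(?!uid\b)(\S+)"),
        "ip": grab(r"(\d{1,3}(?:\.\d{1,3}){3})"),
        "envelope_from": grab(r"envelope-from\s+<([^>]*)>"),  # "" means MAIL FROM:<>
    }

def triage(raw, rcpthosts):
    """Entry hop, null-sender flag, and whether the header To: domain is in
    rcpthosts (header To: is not the envelope recipient: confirm in the SMTP log)."""
    headers = unfold(raw)
    hops = [parse_received(v) for n, v in headers if n.lower() == "received"]
    smtp = [h for h in hops if h["kind"] == "smtp"]
    entry = smtp[-1] if smtp else None  # Received: is prepended, so last = entry hop
    m = re.search(r"[\w.+-]+(?:@| at )([\w.-]+)",
                  next((v for n, v in headers if n.lower() == "to"), ""))
    to_domain = m.group(1).lower() if m else None
    return {
        "origin_ip": entry["ip"] if entry else None,
        "null_sender": any(h["envelope_from"] == "" for h in hops),
        "header_to_domain": to_domain,
        "header_to_in_rcpthosts": to_domain in {d.lower() for d in rcpthosts},
    }
```

Run against the sample with `triage(SAMPLE, ["mydomain.com"])`: the session entered from 202.99.204.66 with a null envelope sender, and the header To: domain is not one the server accepts, which is the mismatch to look up in the qmail-smtpd log for the real RCPT TO.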