  1. #1
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    mail server troubles because of spammer

    Someone is using my server to send spam around. Now I have found out that this is not my internal user. Someone is using my different user accounts and sending spam around. At present there are over 19000 mails queued up on the server.

    I know that cpanel-exim runs as an authenticated SMTP server, but recently I ran an experiment at one of my clients' place with a software called Pegasus Mail. It's a mail server for Windows (and it's free). Now after setting up this mail server I was able to relay mails through my server from Pegasus without using authenticated SMTP.

    Any help would be appreciated.

    regards,

    Anand
    :: Anand ::

    ssh root@
    who the hell is root ???

    Cpanelappz Support Forums are up now. Register Today
    http://forums.cpanelappz.com

    WHM/cPanel API : http://whmapi.cpanelappz.com
    Cpanel Login Script : www.cpanelappz.com/cpanel-login-script.htm
    Exiscan+Clam+Exim Auto Installer : www.cpanelappz.com

  2. #2
    Member
    Join Date
    May 2002
    Posts
    292

    Yep and I have seen this also, and even though antirelayd is running it still allows you to relay. This just started recently; I submitted a trouble ticket, but there does not seem to be a resolve to it, or not enough people have noticed it yet. But if word hits the street that cPanel is an open relay we are going to get hammered.

  3. #3
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Originally posted by techark:

    > Yep and I have seen this also, and even though antirelayd is running it still allows you to relay. This just started recently; I submitted a trouble ticket, but there does not seem to be a resolve to it, or not enough people have noticed it yet. But if word hits the street that cPanel is an open relay we are going to get hammered.

    Nick, can we please get a solution to this prob ASAP?

    I have been facing an overloaded mail server for the past 4-5 days. If something is not done very soon, I don't know what would happen. Because of this the other users' mails are being delayed for hours together.

    regards,

    Anand

  4. #4
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509

    It would seem some very specific methods are being used, namely, any old Email program. I've just finished having my Server checked for open relays, by ORDB.org, and it passed with flying colours -- Relaying is blocked -- using WHM E90. The service is free, but takes a couple of days. Might be something to check into. Sort of defeats the purpose though, when anyone can use any Email program, slap in a SMTP address and away they go, **at our expense!**

    Some quick testing has shown that Exim does not require authentication for "outbound" Email??? **That's just not right.** If there was something missed in the Server or Control Panel setup, I would sure like to know about it.

    This also is another reason for making -- at least part of this Forum -- accessible by permission only. Although postings like this one are necessary, it leaves open a Security breach for all WHM/cPanel users, which can be read about and used by anyone visiting this Forum.

    What would it take to make some/all of this Forum a Members-only accessible area?
    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  5. #5
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Originally posted by Website Rob:

    > It would seem some very specific methods are being used, namely, any old Email program. I've just finished having my Server checked for open relays, by ORDB.org, and it passed with flying colours -- Relaying is blocked -- using WHM E90. The service is free, but takes a couple of days. Might be something to check into. Sort of defeats the purpose though, when anyone can use any Email program, slap in a SMTP address and away they go, **at our expense!**
    >
    > Some quick testing has shown that Exim does not require authentication for "outbound" Email??? **That's just not right.** If there was something missed in the Server or Control Panel setup, I would sure like to know about it.
    >
    > This also is another reason for making -- at least part of this Forum -- accessible by permission only. Although postings like this one are necessary, it leaves open a Security breach for all WHM/cPanel users, which can be read about and used by anyone visiting this Forum.
    >
    > What would it take to make some/all of this Forum a Members-only accessible area?

    Not just at our expense; mail servers around the world would ban our servers thinking we are the spam culprits. AOL has already banned my server, and SPAMCOP already has my server IP address inside its blocked list.

    More like this is to follow unless we get some solution fast.

    regards,

    Anand

  6. #6
    Member
    Join Date
    Aug 2001
    Posts
    707

    Guys, have you tried this?

    /etc/rc.d/init.d/antirelayd restart

    Do this at the command prompt and then see if the open relay is still there.

    Regards,

    Norman

  7. #7
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Originally posted by moronhead:

    > Guys, have you tried this?
    >
    > /etc/rc.d/init.d/antirelayd restart
    >
    > Do this at the command prompt and then see if the open relay is still there.
    >
    > Regards,
    >
    > Norman

    already tried.

    regards,

    Anand

  8. #8
    Member
    Join Date
    Aug 2001
    Posts
    707

    "already tried..."

    And then what, you still had open relay? Then you must have a problem somewhere else. I would suggest you submit a ticket to support@cpanel.net.

  9. #9
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Originally posted by moronhead:

    > "already tried..."
    >
    > And then what, you still had open relay? Then you must have a problem somewhere else. I would suggest you submit a ticket to support@cpanel.net.

    I just upgraded with upcp and now the problem seems to no longer exist. With the help of burst.net support people (thx dave) the prob was sorted and the excess mails on the server deleted. Btw, just for info, there were over 9000 stuck on the mailserver.

    regards,

    Anand

  10. #10
    Member
    Join Date
    Aug 2002
    Posts
    19

    Originally posted by anand:

    >> Originally posted by moronhead:
    >>
    >> "already tried..."
    >>
    >> And then what, you still had open relay? Then you must have a problem somewhere else. I would suggest you submit a ticket to support@cpanel.net.
    >
    > I just upgraded with upcp and now the problem seems to no longer exist. With the help of burst.net support people (thx dave) the prob was sorted and the excess mails on the server deleted. Btw, just for info, there were over 9000 stuck on the mailserver.
    >
    > regards,
    >
    > Anand

    Sorry, I'm kind of new to this. What do you mean by "upgraded upcp"?

    Thanks,

    Shawn

  11. #11
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Originally posted by euroxsw:

    > Sorry, I'm kind of new to this. What do you mean by "upgraded upcp"?
    >
    > Thanks,
    >
    > Shawn

    Ran /scripts/upcp on the shell, which upgrades the cPanel build to the latest.

    regards,

    Anand

  12. #12
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509

    Further testing has shown me that POPAUTH has a default timeout of 60 min. IMO this is not good.

    Once someone has checked their eMail, no Authorization is required (for the next 60 min.) and anyone can use an eMail program to relay through the eMail account. There is a bit of supposition on my part as I do not have the facilities to test thoroughly. It's not hard to imagine a Spammer with patience, or some particular software, testing every "X" number of minutes to see if eMail can be relayed. As most people check the eMail every 15 minutes or less, I feel a 60 minute timeout is way too long.

    What I would like to do is decrease that timeout and would ask if someone can point me to the correct file where the timeout can be changed.

  13. #13
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Originally posted by Website Rob:

    > Further testing has shown me that POPAUTH has a default timeout of 60 min. IMO this is not good.
    >
    > Once someone has checked their eMail, no Authorization is required (for the next 60 min.) and anyone can use an eMail program to relay through the eMail account. There is a bit of supposition on my part as I do not have the facilities to test thoroughly. It's not hard to imagine a Spammer with patience, or some particular software, testing every "X" number of minutes to see if eMail can be relayed. As most people check the eMail every 15 minutes or less, I feel a 60 minute timeout is way too long.
    >
    > What I would like to do is decrease that timeout and would ask if someone can point me to the correct file where the timeout can be changed.

    I can confirm that. I have tested this several times: once the email is checked there is no need for POPAUTH for the next 60 min. Now since the topic has been raised I would also like to know where to control it from.

    regards,

    Anand

  14. #14
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509

    Is there no one that knows how to change this?

    I even did a FIND for any files in the "usr" dir/sub-dir with the word "POPAUTH" in it, but got nothing back. I know the people over at VDI are familiar with it, they have theirs set to 15 minutes, but not sure if anyone from there visits these forums.

    Any help would be appreciated as I would dearly like to change it.

  15. #15
    Member
    Join Date
    Sep 2001
    Location
    Spain
    Posts
    779

    antirelayd I would say.
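
The relay window discussed in posts #12 to #15, as an added example that is not part of the thread and not antirelayd's own code. It assumes the usual POP-before-SMTP design, in which a successful POP login allows relaying from that client's IP address for a fixed time, and replays constructed events to show which relay attempts are accepted without SMTP AUTH under a 60-minute and a 15-minute window. The event format, addresses and function names are made up for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real cPanel or Exim log lines).
EVENTS = """\
2003-01-10T09:00:00 POP_LOGIN ip=203.0.113.7 user=alice
2003-01-10T09:05:00 SMTP_RCPT ip=203.0.113.7 auth=no rcpt=bob@remote.example
2003-01-10T09:40:00 SMTP_RCPT ip=203.0.113.7 auth=no rcpt=list1@remote.example
2003-01-10T09:41:00 SMTP_RCPT ip=198.51.100.9 auth=no rcpt=list2@remote.example
2003-01-10T09:42:00 SMTP_RCPT ip=198.51.100.9 auth=yes rcpt=carol@remote.example
2003-01-10T10:10:00 SMTP_RCPT ip=203.0.113.7 auth=no rcpt=info@hosted.example
"""
LOCAL_DOMAINS = {"hosted.example"}  # assumption: domains hosted on this server

def parse(line):
    ts, kind, *pairs = line.split()
    return datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in pairs)

def evaluate(text, window_minutes):
    """Return [(timestamp, ip, rcpt, verdict)] for every SMTP recipient."""
    window = timedelta(minutes=window_minutes)
    last_pop = {}  # client IP -> time of most recent successful POP login
    results = []
    for line in text.splitlines():
        ts, kind, f = parse(line)
        if kind == "POP_LOGIN":
            last_pop[f["ip"]] = ts
            continue
        domain = f["rcpt"].rsplit("@", 1)[1].lower()
        seen = last_pop.get(f["ip"])
        if domain in LOCAL_DOMAINS:
            verdict = "local-delivery"    # inbound mail, not a relay
        elif f["auth"] == "yes":
            verdict = "relay-smtp-auth"   # sender presented credentials
        elif seen is not None and ts - seen <= window:
            verdict = "relay-pop-window"  # accepted on IP alone, no credentials
        else:
            verdict = "relay-denied"
        results.append((ts.isoformat(), f["ip"], f["rcpt"], verdict))
    return results

def unauthenticated_relays(text, window_minutes):
    """Relay attempts accepted only because the IP was inside the window."""
    return [r for r in evaluate(text, window_minutes) if r[3] == "relay-pop-window"]

if __name__ == "__main__":
    for minutes in (60, 15):
        print(minutes, unauthenticated_relays(EVENTS, minutes))
```

With the 60-minute window both unauthenticated messages from 203.0.113.7 are relayed; with 15 minutes only the one sent five minutes after the POP login is.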
