Is Our Server Being Used as a Relay?

Jeff_Mash

Hey Guys,

More and more lately, we are getting the following bounced emails sent to us:

-----------------------------------------


From: Mail Delivery Subsystem < MAILER[email protected]>
To: [email protected]
Subject: Returned mail: see transcript for details
Date: Sat, 30 Sep 2006 07:01:06 +0400 (MSD)

The original message was received at Sat, 30 Sep 2006 07:01:06 +0400
(MSD)
from mx.peterstar.ru [217.195.65.15]

----- The following addresses had permanent fatal errors -----
/d/mail/vodopad
(reason: Service unavailable)
(expanded from: < [email protected]> )

----- Transcript of session follows -----
550 /d/mail/vodopad... User mailbox quota exceeded, please send this
message later
554 5.0.0 Service unavailable

Date: Sat, 30 Sep 2006 12:00:54 +0900
From: Jerome Oliver < [email protected]>
To: [email protected]
Subject: prejudge

-----------------------------------------

It appears that this email was sent FROM a user named "Jerome Oliver < [email protected]>", but that user doesn't exist on our server!

Being a newbie when it comes to cPanel, are there any settings you can walk me through to tweak in the root Control Panel that may prevent these from being sent out from non-existent users?

Here is a screenshot of my current Mail settings under cPanel: http://www.mjmmagic.com/images/cPanelMailSettings.jpg
 

jayh38

Go to WHM > Service Configuration > Service Manager and
enable the "antirelayd" service, which will require POP authentication
prior to using SMTP.
 

Jeff_Mash

jayh38 said:
> Go to WHM > Service Configuration > Service Manager and
> enable the "antirelayd" service, which will require POP authentication
> prior to using SMTP.

Sorry for the long delay in responding. I DO have the antirelayd enabled in my configuration. For some reason though, someone seems to still be sending SPAM out from our domain using fictional users.

For example, our domain is mjmmagic.com

We are getting bounced messages back to us, showing that some fictional user like [email protected] is sending mail out to people.

I don't know how to stop this, or determine the script that might be the culprit. Any ideas?
 

Spiral

In all probability, you just have a spammer out there forging the return
address on the emails as being from your server when it really isn't.
That's fairly common and not something to overly worry about.

The one thing you do want to rule out, though, and confirm, is that your server
is not being used for spam. That is mainly a matter of digging into your
email and site logs, reviewing the mail queues, and auditing the relayers
to find out who has been sending mail and where they have been sending
those messages; that should give you a pretty good idea.

In the worst case, where someone is using your server for spam, there are things
that can be done fairly easily to put a stop to that permanently.

Your first step though is finding out what is really going on and finding out
if you even have a real cause to be alarmed.
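
The log audit described in the last post, as an added example that is not part of the original thread. It assumes the server's MTA is Exim (what cPanel ships) writing its usual main-log arrival (`<=`) and delivery (`=>`) lines; the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Exim main-log format (not taken from the thread).
SAMPLE_LOG = """\
2006-09-30 03:00:51 1GTV0x-0001aB-2k <= info@example.com H=(pc) [192.0.2.10] P=esmtpa A=fixed_login:info@example.com S=2104
2006-09-30 03:00:53 1GTV0x-0001aB-2k => a@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.9]
2006-09-30 03:00:54 1GTV10-0001aC-7q <= nobody@host.example.com U=nobody P=local S=1530
2006-09-30 03:00:55 1GTV10-0001aC-7q => b@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.9]
2006-09-30 03:00:56 1GTV11-0001aD-9x <= nobody@host.example.com U=nobody P=local S=1533
2006-09-30 03:00:57 1GTV11-0001aD-9x => c@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.9]
2006-09-30 03:01:09 1GTV1f-0001aF-Qz <= friend@example.net H=mail.example.net [203.0.113.5] P=esmtp S=4410
2006-09-30 03:01:09 1GTV1f-0001aF-Qz => info <info@example.com> R=localuser T=local_delivery
"""

ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) [=-]> .*\bT=(?P<transport>\S+)")

def origin(rest):
    """Classify how a message entered Exim from its arrival-line fields."""
    fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
    if "A" in fields:                      # SMTP AUTH was used
        return "auth:" + fields["A"].split(":", 1)[-1]
    if fields.get("P") == "local":         # injected on the box (script, cron)
        return "local:" + fields.get("U", "?")
    ip = re.search(r"\[([^\]]+)\]", rest)  # unauthenticated remote client
    return "remote:" + (ip.group(1) if ip else "?")

def outbound_by_origin(log_text):
    """Count messages that left via remote_smtp, keyed by (sender, origin)."""
    arrivals, sent = {}, set()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            arrivals[m["id"]] = (m["sender"], origin(m["rest"]))
            continue
        m = DELIVERY.match(line)
        if m and m["transport"] == "remote_smtp":
            sent.add(m["id"])
    return Counter(arrivals[i] for i in sent if i in arrivals)

def accepted_from(log_text, address):
    """True if this server ever accepted a message with that envelope sender."""
    return any(m and m["sender"].lower() == address.lower()
               for m in map(ARRIVAL.match, log_text.splitlines()))
```

If `accepted_from` is false for the address named in a bounce, the message never passed through this server and the bounce is backscatter from a forged sender. A large `local:nobody` count in `outbound_by_origin` points at a web script, while `remote:` entries are unauthenticated clients that were allowed to relay.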