mail server troubles because of spammer

anand (Well-Known Member, Nov 11, 2002, India, cPanel Access Level: DataCenter Provider)

Someone is using my server to send spam around. Now I have found out that this is not my internal user. Someone is using my different user accounts and sending spam around. At present there are over 19000 mails queued up on the server.

I know that cpanel-exim runs as an authenticated SMTP server, but recently I ran an experiment at one of my clients' places with a software called Pegasus Mail. It's a mail server for Windows (and it's free). Now after setting up this mail server I was able to relay mail through my server from Pegasus without using authenticated SMTP.

Any help would be appreciated.

regards,

Anand
 

techark (Well-Known Member, May 22, 2002)

Yep, and I have seen this also, and even though antirelayd is running it still allows you to relay. This just started recently. I submitted a trouble ticket but there does not seem to be a resolution to it, or not enough people have noticed it yet. But if word hits the street that cpanel is an open relay we are going to get hammered.
 

anand (Well-Known Member, Nov 11, 2002, India, cPanel Access Level: DataCenter Provider)

[quote][i]Originally posted by techark[/i]

Yep, and I have seen this also, and even though antirelayd is running it still allows you to relay. This just started recently. I submitted a trouble ticket but there does not seem to be a resolution to it, or not enough people have noticed it yet. But if word hits the street that cpanel is an open relay we are going to get hammered.

[/quote]

Nick, can we please get a solution to this problem ASAP?

I have been facing an overloaded mail server for the past 4-5 days. If something is not done very soon, I don't know what would happen. Because of this, the other users' mail is being delayed for hours at a time.

regards,

Anand
 

Website Rob (Well-Known Member, Mar 23, 2002, Alberta, Canada, cPanel Access Level: Root Administrator)

It would seem some very specific methods are being used, namely, any old Email program. I've just finished having my Server checked for open relays, by ORDB.org, and it passed with flying colours -- Relaying is blocked -- using WHM E90. The service is free, but takes a couple of days. Might be something to check into. Sort of defeats the purpose though, when anyone can use any Email program, slap in an SMTP address and away they go, [b]at our expense![/b]

Some quick testing has shown that Exim does not require authentication for "outbound" Email??? [b]That's just not right.[/b] If there was something missed in the Server or Control Panel setup, I would sure like to know about it.

This also is another reason for making -- at least part of this Forum -- accessible by permission only. Although postings like this one are necessary, it leaves open a Security breach for all WHM/Cpanel users, which can be read about and used by anyone visiting this Forum.

What would it take to make some/all of this Forum a Members-only accessible area?
 

anand (Well-Known Member, Nov 11, 2002, India, cPanel Access Level: DataCenter Provider)

[quote][i]Originally posted by Website Rob[/i]

It would seem some very specific methods are being used, namely, any old Email program. I've just finished having my Server checked for open relays, by ORDB.org, and it passed with flying colours -- Relaying is blocked -- using WHM E90. The service is free, but takes a couple of days. Might be something to check into. Sort of defeats the purpose though, when anyone can use any Email program, slap in an SMTP address and away they go, [b]at our expense![/b]

Some quick testing has shown that Exim does not require authentication for "outbound" Email??? [b]That's just not right.[/b] If there was something missed in the Server or Control Panel setup, I would sure like to know about it.

This also is another reason for making -- at least part of this Forum -- accessible by permission only. Although postings like this one are necessary, it leaves open a Security breach for all WHM/Cpanel users, which can be read about and used by anyone visiting this Forum.

What would it take to make some/all of this Forum a Members-only accessible area?[/quote]

Not just at our expense, mail servers around the world would ban our servers thinking we are the spam culprits. AOL has already banned my server, SPAMCOP already has my server ip address inside its blocked list. :(

More like this is to follow unless we get some solution fast.

regards,

Anand
 

moronhead (Well-Known Member, Aug 12, 2001)
Guys, have you tried this?

/etc/rc.d/init.d/antirelayd restart

Do this at the command prompt and then see if the open relay is still there.

Regards,

Norman
 

anand (Well-Known Member, Nov 11, 2002, India, cPanel Access Level: DataCenter Provider)

[quote][i]Originally posted by moronhead[/i]

Guys, have you tried this?

/etc/rc.d/init.d/antirelayd restart

Do this at the command prompt and then see if the open relay is still there.

Regards,

Norman[/quote]

Already tried.

regards,

Anand
 

anand (Well-Known Member, Nov 11, 2002, India, cPanel Access Level: DataCenter Provider)

[quote][i]Originally posted by moronhead[/i]

"already tried..."

And then what, you still had open relay? Then you must have a problem somewhere else. I would suggest you submit a ticket to [email protected][/quote]

I just upgraded with upcp and now the problem seems to no longer exist. With the help of burst.net support people (thx Dave) the problem was sorted and the excess mails on the server deleted. BTW, just for info, there were over 9000 stuck on the mail server.

regards,

Anand
 

euroxsw (Member, Aug 30, 2002)

[quote][i]Originally posted by anand[/i]

[quote][i]Originally posted by moronhead[/i]

"already tried..."

And then what, you still had open relay? Then you must have a problem somewhere else. I would suggest you submit a ticket to [email protected][/quote]

I just upgraded with upcp and now the problem seems to no longer exist. With the help of burst.net support people (thx Dave) the problem was sorted and the excess mails on the server deleted. BTW, just for info, there were over 9000 stuck on the mail server.

regards,

Anand[/quote]

Sorry, I'm kind of new to this. What do you mean by "upgraded upcp"?

Thanks,

Shawn
:p
 

anand (Well-Known Member, Nov 11, 2002, India, cPanel Access Level: DataCenter Provider)

[quote][i]Originally posted by euroxsw[/i]

Sorry, I'm kind of new to this. What do you mean by "upgraded upcp"?

Thanks,

Shawn
:p [/quote]

Ran /scripts/upcp on the shell which upgrades the cpanel build to the latest.

:)

regards,

Anand
 

Website Rob (Well-Known Member, Mar 23, 2002, Alberta, Canada, cPanel Access Level: Root Administrator)

Further testing has shown me that POPAUTH has a default timeout of 60 min. IMO this is not good.

Once someone has checked their eMail, no Authorization is required (for the next 60 min.) and anyone can use an eMail program to relay through the eMail account. There is a bit of supposition on my part as I do not have the facilities to test thoroughly. It's not hard to imagine a Spammer with patience, or some particular software, testing every "X" number of minutes to see if eMail can be relayed. As most people check their eMail every 15 minutes or less, I feel a 60 minute timeout is way too long.

What I would like to do is decrease that timeout, and would ask if someone can point me to the correct file where the timeout can be changed.
 

anand (Well-Known Member, Nov 11, 2002, India, cPanel Access Level: DataCenter Provider)

[quote][i]Originally posted by Website Rob[/i]

Further testing has shown me that POPAUTH has a default timeout of 60 min. IMO this is not good.

Once someone has checked their eMail, no Authorization is required (for the next 60 min.) and anyone can use an eMail program to relay through the eMail account. There is a bit of supposition on my part as I do not have the facilities to test thoroughly. It's not hard to imagine a Spammer with patience, or some particular software, testing every "X" number of minutes to see if eMail can be relayed. As most people check their eMail every 15 minutes or less, I feel a 60 minute timeout is way too long.

What I would like to do is decrease that timeout, and would ask if someone can point me to the correct file where the timeout can be changed.[/quote]

I can confirm that. I have tested this several times: once the email is checked there is no need for POPAUTH for the next 60 min. Now since the topic has been raised I would also like to know where to control it from.

regards,

Anand
 

Website Rob (Well-Known Member, Mar 23, 2002, Alberta, Canada, cPanel Access Level: Root Administrator)

Is there no one that knows how to change this?

I even did a FIND for any files in the "usr" dir/sub-dir with the word "POPAUTH" in it, but got nothing back. I know the people over at VDI are familiar with it, they have theirs set to 15 minutes, but not sure if anyone from there visits these forums.

Any help would be appreciated as I would dearly like to change it.
 

anand (Well-Known Member, Nov 11, 2002, India, cPanel Access Level: DataCenter Provider)

[quote][i]Originally posted by Juanra[/i]

antirelayd I would say.[/quote]

What do you mean? Can you please explain?

regards,

Anand
 

Website Rob (Well-Known Member, Mar 23, 2002, Alberta, Canada, cPanel Access Level: Root Administrator)

You are somewhat on the mark, Juanra. I have opened a ticket on this issue [ https://tickets.cpanel.net/review/?id=4727&secid=ILIPhivSDX ] and even though I've verified what a big security hole this is and how others have changed the POPAUTH settings, support responses to date do not seem to see it that way.

I have done some testing with the "antirelayd" file and do get better results. I've been able to cut it down from 60 to 30 minutes and am still looking for zero. The problem I'm running into though: every day Cpanel is updated (at 11:23 MST) and overwrites the file.

Currently this file [ # /usr/sbin/antirelayd* ] is owned by "root" with 755 permissions. Does anyone know how one would change/set up permissions so Cpanel updates do not overwrite the file while still allowing it to work for all Server accounts?
 

kensmith (Member, Dec 13, 2002)

You can prevent updates of any particular file with
chattr +i filename

However, reading through the other parts of this thread, I don't see this as a particularly big security problem. As it stands now, relaying is permitted from any IP address that has checked mail within the last 30 minutes. Unless a spammer has access to an IP address used by one of your email users, the 30 minutes is immaterial.

Right?
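The POP-before-SMTP ("POPAUTH") rule that Website Rob and kensmith are discussing is simple enough to model: an address that has just authenticated to POP is allowed to relay for a fixed window, and every mail check reopens that window. The Python below is an added illustration written for this thread; it is not cPanel or antirelayd code and does not read any real configuration. The addresses, polling intervals and attempt times are constructed, and the two helper names (`relay_open_fraction`, `count_accepted_relays`) are this example's own. It lets you see, without touching a server, how long the window is actually open for a client that polls every 15 minutes (Rob's point) versus one that polls rarely, and that the trust is tied to the source address rather than the account (kensmith's point).

```python
"""POP-before-SMTP ("POPAUTH") relay-window model.

Added illustration for this thread; it is not cPanel or antirelayd code. It
implements the rule the posts describe (an address that has just authenticated
to POP3 may relay for a fixed number of minutes) so the effect of the timeout
can be examined offline. All addresses and timings below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass
class RelayWindow:
    """Tracks, per source address, when POP authentication last succeeded."""
    timeout_seconds: float
    _last_pop_login: Dict[str, float] = field(default_factory=dict)

    def record_pop_login(self, ip: str, now: float) -> None:
        """A successful POP login (re)opens the relay window for this address."""
        self._last_pop_login[ip] = now

    def may_relay(self, ip: str, now: float) -> bool:
        """True if this address authenticated within the last timeout_seconds."""
        last = self._last_pop_login.get(ip)
        return last is not None and 0 <= now - last <= self.timeout_seconds

    def expire(self, now: float) -> int:
        """Drop stale entries; returns how many were removed."""
        stale = [ip for ip, t in self._last_pop_login.items()
                 if now - t > self.timeout_seconds]
        for ip in stale:
            del self._last_pop_login[ip]
        return len(stale)


def relay_open_fraction(timeout_minutes: float, check_interval_minutes: float) -> float:
    """Fraction of wall-clock time a user's address stays relay-enabled.

    Each mail check reopens the window, so the address is open for
    timeout_minutes out of every check_interval_minutes, capped at 1.0.
    """
    if check_interval_minutes <= 0:
        raise ValueError("check interval must be positive")
    return min(1.0, timeout_minutes / check_interval_minutes)


def count_accepted_relays(timeout_minutes: float, check_interval_minutes: int,
                          attempt_minutes: Iterable[int], horizon_minutes: int,
                          same_address: bool = True) -> int:
    """Replay a timeline of POP logins and unauthenticated relay attempts.

    The legitimate client checks mail every check_interval_minutes from a
    constructed address; relay attempts arrive at attempt_minutes either from
    that same address or from an unrelated one. Returns how many attempts the
    window rule would have accepted.
    """
    window = RelayWindow(timeout_minutes * 60)
    client_ip = "192.0.2.10"                                   # constructed (TEST-NET-1)
    source_ip = client_ip if same_address else "198.51.100.7"  # constructed (TEST-NET-2)
    logins = range(0, horizon_minutes, check_interval_minutes)
    # "pop" sorts before "relay", so a login and an attempt in the same minute
    # are processed login-first, i.e. the most permissive reading of the rule.
    events: List[Tuple[int, str]] = sorted(
        [(m, "pop") for m in logins] + [(m, "relay") for m in attempt_minutes])
    accepted = 0
    for minute, kind in events:
        now = minute * 60.0
        if kind == "pop":
            window.record_pop_login(client_ip, now)
        elif window.may_relay(source_ip, now):
            accepted += 1
    return accepted


if __name__ == "__main__":
    attempts = [5, 20, 50, 100, 200]          # constructed relay attempt times (minutes)
    for check_every in (15, 45):               # a frequent poller and a rare one
        for timeout in (60, 30, 15):
            frac = relay_open_fraction(timeout, check_every)
            hits = count_accepted_relays(timeout, check_every, attempts, 240)
            print(f"poll every {check_every:>2} min, timeout {timeout:>2} min: "
                  f"open {frac:.0%} of the time, {hits}/{len(attempts)} "
                  f"same-address attempts accepted")
    print("attempts from a different address accepted:",
          count_accepted_relays(60, 15, attempts, 240, same_address=False))
```

Two things fall out of running it. For a client that polls every 15 minutes, cutting the timeout from 60 to 30 minutes changes nothing: the address is relay-enabled 100% of the time either way, and only a timeout shorter than the polling interval closes any gap at all. And because the window keys on the source address, a second host behind the same NAT or proxy address inherits the trust, which is the shared-address case kensmith's "unless" is pointing at.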
 

Website Rob (Well-Known Member, Mar 23, 2002, Alberta, Canada, cPanel Access Level: Root Administrator)

Thanks for the tip, but I wouldn't say it's immaterial.

As I pointed out in my submitted ticket, if this security hole becomes known to Spammers, they will start to actively seek out Domains hosted with Cpanel and use them for Spamming. They don't need an IP address (since you cannot send eMail that way) and by using someone else's Domain Name to access their Mailbox, the Domain Name owner can be accused of Spamming and it would be a valid accusation -- even if the person has no knowledge of it.

Do the testing as I have done, and detailed in the ticket submission. See how easy it is to Spam your own eMail address. Then start asking about how to change the POPAUTH setting in WHM/Cpanel and you'll discover it seems to be right up there with unraveling the Mysteries of the Universe -- or so it seems anyway.