possible to spam when AUTH is ON?

Discussion in 'PSA 2.5 'How Do I' Questions' started by DarkHorizons, Aug 26, 2002.

  1. DarkHorizons

    DarkHorizons Tera Poster


    I just got through the fun process of cleaning out spam, and I am trying to figure out how it got there in the first place.

    Relaying was never open and always on AUTH method. It is now CLOSED until I can figure this one out.

    I do have Matt's FormMail script, but it is version 1.92, which I assume is supposed to be OK. However, the spam attack started well before FormMail was on the server, so this can't be it.

    How can you get this spam **** when both POP3 and SMTP were set to AUTH mode?

    The logs showed people trying to spam with email addresses like steve@<my ip>.

    Any ideas?

  2. DarkHorizons

    DarkHorizons Tera Poster

    So here's what happened... (in theory)

    Someone tell me if this makes sense or if I am a crackhead.

    During initial testing the server was set as an open relay for like 30 minutes.

    Some spammer in Taiwan found it IMMEDIATELY (based on IP).

    They swamped it with a bazillion emails, and this was like 2 days ago.

    I didn't notice because I didn't have a catch-all email to show me the bounces to bad addresses until last night, when they started popping up.

    The mail program (qmail) built up a HUGE queue of messages to be sent.

    Since it retries on bounces, it kept doing them over and over again, which is why I thought I was getting spammed last night, when it was actually left over from a few days ago, waiting in the queue.

    So I cleaned it all out and put the server back on AUTH for send and receive, to now test and see if this is what really happened.

  3. eandron

    eandron Mega Poster


    keep me posted if you figure it out.

    I too had a spammer on my server, and they got into formmail.pl (v1.9). Now I have the newest FormMail, like the one you mentioned... so far no problems.

  4. DarkHorizons

    DarkHorizons Tera Poster

    Everything seems fine now.

    It appears that what I described is what happened.

    Very surprising that if you set up an open relay, even for a few minutes of testing, you can get hammered with spam.

  5. Traged1

    Traged1 Guru

    There are many other ways for a spammer to send spam through your server, e.g. any clients using older versions of FormMail, which may be hard to detect because they rename them to a different name to hide them from you.

    Also take special note of your PHP directives: if you have not limited fsockopen() in php.ini, a spammer can upload his own sendmail emulator written in PHP and establish an open relay on your server; furthermore, they can hide this from your syslogs very easily with the use of PHP too.

    I know this because it happened to us.

    The solutions:

    1. Mass spam sent through your server via CGI scripts.

    Either write a script that will detect emails sent and, once they get over a certain number, send an email to the admin letting you know of the spam and the user/script that is responsible for sending them.

    Or buy a script like it from http://www.webhosting-tools.com/view.cgi/MailMon
    or any other programmer/company that is available.

    2. PHP smtp bypass.

    Edit your /etc/php.ini , scroll down to

    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names. This directive is
    ; *NOT* affected by whether Safe Mode is turned On or Off.
    disable_functions = phpinfo,fsocket,fsockopen,pfsockopen

    Without the use of the fsockopen() function, the spammer cannot open a connection to your SMTP port.
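As an added illustration of the detection script described in point 1 above (this is not code from the thread or from the MailMon product), the following Python parses qmail-send log lines, counts injected messages per injecting uid and envelope sender, flags any pair over a threshold, tallies remote delivery outcomes (so a queue full of retrying bounces, as in the second post, shows up as failures/deferrals), and separately flags senders whose domain is a bare IP literal, as in the `steve@<my ip>` addresses from the first post. The log lines are constructed for the example; the uid 48 and threshold are assumptions, and the real log format is `info msg N: bytes B from <sender> qp P uid U`, which is what qmail-send writes.

```python
import re
from collections import Counter

# Constructed sample of qmail-send log lines (not taken from the original thread).
# uid 48 stands in for the web server user that CGI/PHP scripts run as (assumption).
SAMPLE_LOG = """\
new msg 101
info msg 101: bytes 812 from <webmaster@example.com> qp 1111 uid 48
starting delivery 1: msg 101 to remote bob@example.net
delivery 1: success: 203.0.113.5_accepted_message./Remote_host_said:_250_ok/
new msg 102
info msg 102: bytes 4021 from <steve@192.0.2.10> qp 1112 uid 48
starting delivery 2: msg 102 to remote nobody1@example.org
delivery 2: failure: Sorry,_no_mailbox_here_by_that_name./
new msg 103
info msg 103: bytes 4021 from <steve@192.0.2.10> qp 1113 uid 48
starting delivery 3: msg 103 to remote nobody2@example.org
delivery 3: deferral: Connected_to_198.51.100.7_but_connection_died./
new msg 104
info msg 104: bytes 4021 from <steve@192.0.2.10> qp 1114 uid 48
new msg 105
info msg 105: bytes 4021 from <steve@192.0.2.10> qp 1115 uid 48
new msg 106
info msg 106: bytes 300 from <alice@example.com> qp 1116 uid 1001
"""

# qmail-send logs the envelope sender and the uid of the local injecting process.
INFO_RE = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")
# Final outcome lines; "starting delivery N: msg ..." lines do not match this.
DELIVERY_RE = re.compile(r"delivery (\d+): (success|failure|deferral): (.*)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_qmail_log(text):
    """Return (injections, outcomes): injections is a list of
    (msgid, sender, uid); outcomes is a Counter of delivery result -> count."""
    injections = []
    outcomes = Counter()
    for line in text.splitlines():
        m = INFO_RE.search(line)
        if m:
            injections.append((int(m.group(1)), m.group(3), int(m.group(5))))
            continue
        m = DELIVERY_RE.search(line)
        if m:
            outcomes[m.group(2)] += 1
    return injections, outcomes


def find_spam_sources(injections, threshold):
    """Group injected messages by (uid, sender) and return (uid, sender, count)
    for every pair at or above threshold, highest volume first."""
    counts = Counter((uid, sender) for _, sender, uid in injections)
    hits = [(uid, sender, n) for (uid, sender), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


def ip_literal_senders(injections):
    """Senders whose domain part is a bare IPv4 literal (user@<ip>): legitimate
    users rarely send that way, relay abusers often do."""
    return {s for _, s, _ in injections
            if "@" in s and IPV4_RE.match(s.rsplit("@", 1)[1])}


def build_alert(sources, outcomes):
    """Plain-text body for the admin notification described in the post."""
    lines = [f"uid {uid} injected {n} messages as <{sender}>" for uid, sender, n in sources]
    lines.append(f"remote delivery outcomes: {dict(outcomes)}")
    return "\n".join(lines)


if __name__ == "__main__":
    inj, outcomes = parse_qmail_log(SAMPLE_LOG)
    print(build_alert(find_spam_sources(inj, threshold=3), outcomes))
    print("senders using an IP literal as domain:", sorted(ip_literal_senders(inj)))
```

On a real box the script would read /var/log/qmail/current (or wherever multilog writes) and send build_alert() to the admin instead of printing it. The uid column is the useful part: a burst injected under the web server's uid points at a CGI or PHP script, whereas a burst under uid 0 or the qmaild user points at the SMTP side, i.e. a relay or AUTH problem. Note also that PHP's mail() hands messages to the local sendmail wrapper, not to the SMTP port, so disable_functions on fsockopen() alone does not stop mail()-based abuse; log-based counting by uid catches both paths.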
