Spam via my own server

kamikaze

New Member
Hello,

I hope someone can help me.
For a short while now I have been finding the following emails in my queue:
X-Apparently-To: sophe_619@yahoo.com.tw via 203.188.201.34; Sun, 17 Jun 2007 04:05:25 +0800
X-Originating-IP: [217.160.75.28]
Return-Path: <fhk@s15172175.rootmaster.info>
Authentication-Results: mta159.mail.tp2.yahoo.com from=; domainkeys=neutral (no sig)
Received: from 217.160.75.28 (EHLO s15172175.rootmaster.info) (217.160.75.28)
by mta159.mail.tp2.yahoo.com with SMTP; Sun, 17 Jun 2007 04:05:25 +0800
Received: (qmail 695 invoked from network); 16 Jun 2007 22:05:22 +0200
Received: from 1.198.132.202.dynamic.ttn.net (HELO kuro.com.tw) (202.132.198.1)
by s15172175.rootmaster.info with (DES-CBC3-MD5 encrypted) SMTP; 16 Jun 2007 22:05:21 +0200
Message-ID: <20070619040136167010@kuro.com.tw>
Return-Path: <c320056@yahoo.com.tw>
Date: Tue, 19 Jun 2007 04:01:36 +0800
From: =?big5?B?p1akT6R1p0ClaaVIwci/+iylzrijpGykdadAq2+laaVIwcikar/6?= <>
To: <hcs1757@yahoo.com.tw>,
<sunkist3451@yahoo.com.tw>,
<chyuchun@yahoo.com.tw>,
<nono162675@yahoo.com.tw>,
<lion123650@yahoo.com.tw>,
<mavis826@yahoo.com.tw>,
<lanny_0605@yahoo.com.tw>,
<nokia58906234@yahoo.com.tw>,
<sophe_619@yahoo.com.tw>,
<jon80192000@yahoo.com.tw>,
<edc0011@yahoo.com.tw>
Subject: =?big5?B?pKO63sLFuvEswci/+r5prKGm26R2s8y56rvaISE=?=
X-mailer: JZgsaict 2
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_0EE7_0100282B.1FA0CCB0"
Content-Length: 3071


This is a multi-part message in MIME format.

------=_0EE7_0100282B.1FA0CCB0
Content-Type: text/plain;
charset="big5"
Content-Transfer-Encoding: base64

ZXhwZWN0aW5nIHRoZSBlbmVteSBpbiB0aGVpciByZWFyIGFuZCBub3QgaW4g
ZnJvbnQsIHRoZSBmcmVuY2ggcmFuLCBzdHJhZ2dsaW5nIG91dCwgYW5kIGdl
dHRpbmcgc2VwYXJhdGVkIGFzIGZhciBhcyB0d2VudHktZm91ciBob3Vyc6Gv
IG1hcmNoIGZyb20gb25lIGFub3RoZXIuIGluIGZyb250IG9mIGFsbCBmbGVk
IHRoZSBlbXBlcm9yLCB0aGVuIHQgIG5vIG9uZSByZXBsaWVkLiA=

------=_0EE7_0100282B.1FA0CCB0
Content-Type: text/html;
charset="big5"
Content-Transfer-Encoding: base64

I have already tried disabling the web service via Plesk, but the emails are still in my queue. I use qmail for sending SMTP mail.
I also ran the following open relay test at DNSGoodies.com and got this result:

<< 220 s15172175.rootmaster.info ESMTP
>> HELO 192.168.4.152
<< 250 s15172175.rootmaster.info

>> MAIL FROM:<spammer@192.168.4.152>
<< 250 ok
>> RCPT TO:<spammee@81.92.238.251>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed

>> MAIL FROM:<spammer@192.168.4.152>
<< 250 ok
>> RCPT TO:<"spammee@81.92.238.251">
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed

>> MAIL FROM:<spammer@192.168.4.152>
<< 250 ok
>> RCPT TO:spammee@81.92.238.251
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed

>> MAIL FROM:<spammer>
<< 250 ok
>> RCPT TO:<spammee@81.92.238.251>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed

>> MAIL FROM:<spammer@192.168.4.152>
<< 250 ok
>> RCPT TO:<spammee%81.92.238.251@217.160.75.28>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed

>> MAIL FROM:<spammer@192.168.4.152>
<< 250 ok
>> RCPT TO:<spammee@81.92.238.251@217.160.75.28>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed

>> MAIL FROM:<spammer@192.168.4.152>
<< 250 ok
>> RCPT TO:<81.92.238.251!spammee@217.160.75.28>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed

>> MAIL FROM:<spammer@192.168.4.152>
<< 250 ok
>> RCPT TO:<@217.160.75.28:spammee@81.92.238.251>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed

>> MAIL FROM:<spammer@192.168.4.152>
<< 250 ok
>> RCPT TO:<81.92.238.251!spammee>
<< 250 ok


WARNING!
Our tests indicate your mail server allows open relay.


The only help I have received so far from the provider hosting this server is to reinitialize the server. But I hope there is still a chance of solving the problem some other way.
Do you have any tips on how I can solve the problem? Or do you already know where the problem lies?
 
Hello!
Log in to Plesk as admin and choose Server, Email, Settings. What is set there under Relaying?

Regards
Thorsten
 
Config in Plesk

Hello,

in Plesk I have the following configuration:

Relaying: authorization required:
enabled for POP3 (lock time 10 min) and SMTP

The following MAPS spam protection zones are configured:
bl.spamcop.net;rhsbl.ahbl.org;dnsbl.ahbl.org;sbl.spamhaus.org

I hope you can help me.
Many thanks in advance
 
Maillog

Hello,

the spam is sent at irregular intervals; today, for example, there has not been any spam mail of this kind yet.

Excerpt from yesterday's log files:

Code:
Jul 12 05:18:14 s15172175 qmail-queue[22140]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Jul 12 05:18:14 s15172175 qmail-queue[22140]: scan: the message(drweb.tmp.fXCYi6) sent by fhk@s15172175.rootmaster.info to rcpts should be passed without checks, because contains uncheckable addresses
Jul 12 05:18:14 s15172175 qmail: 1184210294.595924 starting delivery 11422: msg 16818240 to remote worldwidean5@phentermine.com
Jul 12 05:18:14 s15172175 qmail: 1184210294.596002 status: local 0/10 remote 2/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.596016 new msg 16809674
Jul 12 05:18:14 s15172175 qmail: 1184210294.596032 info msg 16809674: bytes 4169 from <fhk@s15172175.rootmaster.info> qp 22145 uid 2020
Jul 12 05:18:14 s15172175 qmail: 1184210294.643730 starting delivery 11423: msg 16809674 to remote dog.30102@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.643787 status: local 0/10 remote 3/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.643801 starting delivery 11424: msg 16809674 to remote ruby67yu@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.643814 status: local 0/10 remote 4/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.653999 starting delivery 11425: msg 16809674 to remote zoe_1206@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.654288 status: local 0/10 remote 5/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.689668 starting delivery 11426: msg 16809674 to remote allann_young@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.689938 status: local 0/10 remote 6/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.693342 starting delivery 11427: msg 16809674 to remote 0952648725@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.693610 status: local 0/10 remote 7/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.696884 starting delivery 11428: msg 16809674 to remote sputnik0528@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.697083 status: local 0/10 remote 8/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.700502 starting delivery 11429: msg 16809674 to remote mother350810@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.700731 status: local 0/10 remote 9/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.704187 starting delivery 11430: msg 16809674 to remote emote520@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.704455 status: local 0/10 remote 10/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.708652 starting delivery 11431: msg 16809674 to remote snake4125678@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.708881 status: local 0/10 remote 11/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.712249 starting delivery 11432: msg 16809674 to remote u605421@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.712523 status: local 0/10 remote 12/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.716321 starting delivery 11433: msg 16809674 to remote a0960559712@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.716581 status: local 0/10 remote 13/20
Jul 12 05:18:15 s15172175 qmail: 1184210295.377736 delivery 11423: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_421_Message_from_(217.160.75.28)_temporarily_deferred_-_4.16.50._Please_refer_to_http://help.yahoo.com/help/us/mail/defer/defer-06.html/
Jul 12 05:18:15 s15172175 qmail: 1184210295.377810 status: local 0/10 remote 12/20
Jul 12 05:18:15 s15172175 qmail: 1184210295.379306 delivery 11429: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_421_Message_from_(217.160.75.28)_temporarily_deferred_-_4.16.50._Please_refer_to_http://help.yahoo.com/help/us/mail/defer/defer-06.html/
Jul 12 05:18:15 s15172175 qmail: 1184210295.379353 status: local 0/10 remote 11/20
Jul 12 05:18:15 s15172175 qmail: 1184210295.380158 delivery 11432: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_421_Message_from_(217.160.75.28)_temporarily_deferred_-_4.16.50._Please_refer_to_http://help.yahoo.com/help/us/mail/defer/defer-06.html/
Jul 12 05:18:15 s15172175 qmail: 1184210295.380201 status: local 0/10 remote 10/20
Jul 12 05:18:15 s15172175 qmail: 1184210295.380736 delivery 11428: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_453_Mail_from_217.160.75.28_not_allowed_-_[90]/
Jul 12 05:18:15 s15172175 qmail: 1184210295.380768 status: local 0/10 remote 9/20
Jul 12 05:18:15 s15172175 qmail: 1184210295.381366 delivery 11433: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_453_Mail_from_217.160.75.28_not_allowed_-_[90]/
Jul 12 05:18:15 s15172175 qmail: 1184210295.381398 status: local 0/10 remote 8/20
Jul 12 05:18:15 s15172175 qmail: 1184210295.381915 delivery 11427: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_453_Mail_from_217.160.75.28_not_allowed_-_[90]/
Jul 12 05:18:15 s15172175 qmail: 1184210295.381951 status: local 0/10 remote 7/20
Jul 12 05:18:15 s15172175 qmail: 1184210295.384852 delivery 11424: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_421_Message_from_(217.160.75.28)_temporarily_deferred_-_4.16.50._Please_refer_to_http://help.yahoo.com/help/us/mail/defer/defer-06.html/
Jul 12 05:18:15 s15172175 qmail: 1184210295.384900 status: local 0/10 remote 6/20
Jul 12 05:18:15 s15172175 qmail: 1184210295.387609 delivery 11430: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_421_Message_from_(217.160.75.28)_temporarily_deferred_-_4.16.50._Please_refer_to_http://help.yahoo.com/help/us/mail/defer/defer-06.html/
Jul 12 05:18:15 s15172175 qmail: 1184210295.387654 status: local 0/10 remote 5/20
Jul 12 05:18:17 s15172175 qmail: 1184210297.235199 delivery 11426: deferral: 203.188.197.9_failed_after_I_sent_the_message./Remote_host_said:_421_Message_temporarily_deferred_-_4.16.51._Please_refer_to_http://help.yahoo.com/help/us/mail/defer/defer-06.html/
Jul 12 05:18:17 s15172175 qmail: 1184210297.235256 status: local 0/10 remote 4/20
Jul 12 05:18:17 s15172175 qmail: 1184210297.283138 delivery 11425: failure: 203.188.197.9_failed_after_I_sent_the_message./Remote_host_said:_554_delivery_error:_dd_Sorry_your_message_to_zoe_1206@yahoo.com.tw_cannot_be_delivered._This_account_has_been_disabled_or_discontinued_[#102]._-_mta191.mail.tp2.yahoo.com/
Jul 12 05:18:17 s15172175 qmail: 1184210297.283204 status: local 0/10 remote 3/20
Jul 12 05:18:17 s15172175 qmail: 1184210297.345408 delivery 11431: success: 203.188.197.9_accepted_message./Remote_host_said:_250_ok_dirdel/
Jul 12 05:18:17 s15172175 qmail: 1184210297.345461 status: local 0/10 remote 2/20
Jul 12 05:24:48 s15172175 qmail: 1184210688.801177 delivery 11459: success: did_1+0+2/did_0+0+1/
Jul 12 05:24:48 s15172175 qmail: 1184210688.801263 status: local 0/10 remote 2/20
Jul 12 05:24:48 s15172175 qmail: 1184210688.801276 end msg 16818256
Jul 12 05:24:48 s15172175 spamd[1934]: prefork: child states: II 
Jul 12 05:24:54 s15172175 pop3d-ssl: Connection, ip=[127.0.0.1]
Jul 12 05:24:54 s15172175 pop3d-ssl: LOGOUT, ip=[127.0.0.1]
Jul 12 05:24:54 s15172175 pop3d: Connection, ip=[127.0.0.1]
Jul 12 05:24:54 s15172175 pop3d: LOGOUT, ip=[127.0.0.1]
Jul 12 05:24:54 s15172175 imapd-ssl: Connection, ip=[127.0.0.1]
Jul 12 05:24:54 s15172175 imapd-ssl: 1184210694.597823 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=310, maildir=/
Jul 12 05:24:54 s15172175 imapd: Connection, ip=[127.0.0.1]
Jul 12 05:24:54 s15172175 imapd: 1184210694.605627 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=308, maildir=/
Jul 12 05:24:55 s15172175 qmail: 1184210695.797579 starting delivery 11460: msg 16809674 to remote dog.30102@yahoo.com.tw
Jul 12 05:24:55 s15172175 qmail: 1184210695.797655 status: local 0/10 remote 3/20
Jul 12 05:24:55 s15172175 qmail: 1184210695.797671 starting delivery 11461: msg 16809674 to remote ruby67yu@yahoo.com.tw
Jul 12 05:24:55 s15172175 qmail: 1184210695.797684 status: local 0/10 remote 4/20
Jul 12 05:24:55 s15172175 qmail: 1184210695.797928 starting delivery 11462: msg 16809674 to remote allann_young@yahoo.com.tw
Jul 12 05:24:55 s15172175 qmail: 1184210695.797947 status: local 0/10 remote 5/20
Jul 12 05:24:55 s15172175 qmail: 1184210695.801764 starting delivery 11463: msg 16809674 to remote 0952648725@yahoo.com.tw
Jul 12 05:24:55 s15172175 qmail: 1184210695.801820 status: local 0/10 remote 6/20
Jul 12 05:24:55 s15172175 qmail: 1184210695.805620 starting delivery 11464: msg 16809674 to remote sputnik0528@yahoo.com.tw
Jul 12 05:24:55 s15172175 qmail: 1184210695.805685 status: local 0/10 remote 7/20
Jul 12 05:24:55 s15172175 qmail: 1184210695.807522 starting delivery 11465: msg 16809674 to remote mother350810@yahoo.com.tw
Jul 12 05:24:55 s15172175 qmail: 1184210695.807580 status: local 0/10 remote 8/20
Jul 12 05:24:55 s15172175 qmail: 1184210695.812663 starting delivery 11466: msg 16809674 to remote emote520@yahoo.com.tw
Jul 12 05:24:55 s15172175 qmail: 1184210695.812730 status: local 0/10 remote 9/20
Jul 12 05:24:55 s15172175 qmail: 1184210695.816847 starting delivery 11467: msg 16809674 to remote u605421@yahoo.com.tw
Jul 12 05:24:55 s15172175 qmail: 1184210695.816951 status: local 0/10 remote 10/20
Jul 12 05:24:55 s15172175 qmail: 1184210695.820786 starting delivery 11468: msg 16809674 to remote a0960559712@yahoo.com.tw
Jul 12 05:24:55 s15172175 qmail: 1184210695.820837 status: local 0/10 remote 11/20
Jul 12 05:24:56 s15172175 qmail: 1184210696.479615 delivery 11462: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_453_Mail_from_217.160.75.28_not_allowed_-_[90]/
Jul 12 05:24:56 s15172175 qmail: 1184210696.479756 status: local 0/10 remote 10/20
Jul 12 05:24:56 s15172175 qmail: 1184210696.479789 delivery 11465: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_453_Mail_from_217.160.75.28_not_allowed_-_[90]/
Jul 12 05:24:56 s15172175 qmail: 1184210696.479801 status: local 0/10 remote 9/20
Jul 12 05:24:56 s15172175 qmail: 1184210696.479818 delivery 11463: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_421_Message_from_(217.160.75.28)_temporarily_deferred_-_4.16.50._Please_refer_to_http://help.yahoo.com/help/us/mail/defer/defer-06.html/
Jul 12 05:24:56 s15172175 qmail: 1184210696.479830 status: local 0/10 remote 8/20
Jul 12 05:24:56 s15172175 qmail: 1184210696.483331 delivery 11461: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_453_Mail_from_217.160.75.28_not_allowed_-_[90]/
Jul 12 05:24:56 s15172175 qmail: 1184210696.483386 status: local 0/10 remote 7/20
Jul 12 05:24:56 s15172175 qmail: 1184210696.485010 delivery 11466: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_453_Mail_from_217.160.75.28_not_allowed_-_[90]/
Jul 12 05:24:56 s15172175 qmail: 1184210696.485048 status: local 0/10 remote 6/20
Jul 12 05:24:56 s15172175 qmail: 1184210696.488402 delivery 11468: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_421_Message_from_(217.160.75.28)_temporarily_deferred_-_4.16.50._Please_refer_to_http://help.yahoo.com/help/us/mail/defer/defer-06.html/
Jul 12 05:24:56 s15172175 qmail: 1184210696.488464 status: local 0/10 remote 5/20
Jul 12 05:24:56 s15172175 qmail: 1184210696.489941 delivery 11467: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_453_Mail_from_217.160.75.28_not_allowed_-_[90]/
Jul 12 05:24:56 s15172175 qmail: 1184210696.489987 status: local 0/10 remote 4/20
Jul 12 05:24:56 s15172175 spamd[6823]: spamd: got connection over /tmp/spamd_full.sock 
Jul 12 05:24:56 s15172175 spamd[6823]: spamd: bad protocol: header error: (closed before headers) at /usr/bin/spamd line 1671. 
Jul 12 05:24:56 s15172175 spamd[4357]: spamd: got connection over /tmp/spamd_light.sock 
Jul 12 05:24:56 s15172175 spamd[4357]: spamd: bad protocol: header error: (closed before headers) at /usr/bin/spamd line 1671. 
Jul 12 05:24:56 s15172175 spamd[2034]: prefork: child states: II 
Jul 12 05:24:56 s15172175 spamd[1934]: prefork: child states: II 
Jul 12 05:24:58 s15172175 qmail: 1184210698.460992 delivery 11464: deferral: 203.188.197.9_failed_after_I_sent_the_message./Remote_host_said:_451_Message_temporarily_deferred_-_[90]/
Jul 12 05:24:58 s15172175 qmail: 1184210698.461068 status: local 0/10 remote 3/20
Jul 12 05:24:58 s15172175 qmail: 1184210698.480157 delivery 11460: failure: 203.188.197.9_failed_after_I_sent_the_message./Remote_host_said:_554_delivery_error:_dd_Sorry_your_message_to_dog.30102@yahoo.com.tw_cannot_be_delivered._This_account_has_been_disabled_or_discontinued_[#102]._-_mta167.mail.tp2.yahoo.com/
Jul 12 05:24:58 s15172175 qmail: 1184210698.480212 status: local 0/10 remote 2/20

Regards,
Cédric
 
Hello!
First of all, please shut down the MTA. In case you really are an open relay, that should be the first measure. Then we would need to examine the log files. How is your server being abused? Is it a faulty script or a misconfiguration of the MTA? For that, the UID of the user sending the mails would be interesting. We need something like:
Code:
Jul 11 09:33:11 hxxxx qmail: 1184139191.144155 info msg 5162074: bytes 791 from <anonymous@hxxxx.serverkompetenz.net> qp 27532 uid 112
Jul 11 09:33:11 hxxxx qmail: 1184139191.159578 starting delivery 2844: msg 5162074 to local keineAhnung@hxxxx.serverkompetenz.net
Jul 11 09:33:11 h5400 qmail: 1184139191.159976 status: local 1/10 remote 0/20
Regards
Thorsten
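
The correlation asked for above, as an added example that is not part of the original thread: it ties every `starting delivery` line back to the `info msg` line that names the queuing uid and envelope sender, and counts local and remote deliveries per uid. The log lines are constructed in the format quoted in the thread; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the qmail-send lines quoted in the thread.
# Message number 100 appears twice: queue numbers are reused after "end msg".
SAMPLE_LOG = """\
Jul 12 04:15:16 host qmail: 1184206516.170700 info msg 100: bytes 3657 from <> qp 9442 uid 2522
Jul 12 04:15:16 host qmail: 1184206516.174006 starting delivery 1: msg 100 to remote a@example.org
Jul 12 04:15:17 host qmail: 1184206517.000000 end msg 100
Jul 12 04:15:30 host qmail: 1184206530.341030 new msg 100
Jul 12 04:15:30 host qmail: 1184206530.341110 info msg 100: bytes 3429 from <x@example.net> qp 9535 uid 110
Jul 12 04:15:30 host qmail: 1184206530.345434 starting delivery 2: msg 100 to local 602-info@example.com
Jul 12 04:15:30 host qmail: 1184206530.345536 end msg 100
Jul 12 05:18:14 host qmail: 1184210294.596016 new msg 200
Jul 12 05:18:14 host qmail: 1184210294.596032 info msg 200: bytes 4169 from <fhk@mail.example.com> qp 22145 uid 2020
Jul 12 05:18:14 host qmail: 1184210294.643730 starting delivery 3: msg 200 to remote r1@example.org
Jul 12 05:18:14 host qmail: 1184210294.643801 starting delivery 4: msg 200 to remote r2@example.org
Jul 12 05:18:14 host qmail: 1184210294.653999 starting delivery 5: msg 200 to remote r3@example.org
Jul 12 05:18:15 host qmail: 1184210295.000000 starting delivery 6: msg 300 to remote z@example.org
"""

INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
START = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) (\S+)")
END = re.compile(r"end msg (\d+)")


def attribute_deliveries(lines):
    """Return {uid: {"local": n, "remote": n, "senders": Counter}}.

    uid is None for deliveries whose "info msg" line is not in the excerpt
    (for example because the log was rotated while the message was queued).
    """
    live = {}  # message number -> (uid, envelope sender) of its current use
    stats = defaultdict(lambda: {"local": 0, "remote": 0, "senders": Counter()})
    for line in lines:
        m = INFO.search(line)
        if m:
            # A new "info msg" replaces any earlier use of the same number.
            live[m.group(1)] = (int(m.group(3)), m.group(2))
            continue
        m = START.search(line)
        if m:
            uid, sender = live.get(m.group(1), (None, "?"))
            stats[uid][m.group(2)] += 1
            stats[uid]["senders"][sender] += 1
            continue
        m = END.search(line)
        if m:
            live.pop(m.group(1), None)  # number is free for reuse from here on
    return dict(stats)


def remote_heavy_uids(stats, threshold):
    """uids with at least `threshold` remote deliveries, busiest first."""
    hits = [(uid, s["remote"]) for uid, s in stats.items() if s["remote"] >= threshold]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    result = attribute_deliveries(SAMPLE_LOG.splitlines())
    for uid, remote in remote_heavy_uids(result, 1):
        top_sender = result[uid]["senders"].most_common(1)[0][0]
        print(f"uid={uid} remote={remote} top sender=<{top_sender}>")
```

The uid printed for each group is then looked up in /etc/passwd to see which account or service queued the mail.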
 
logfiles 2

Code:
Jul 12 04:15:16 s15172175 qmail: 1184206516.070014 info msg 16806008: bytes 3107 from <lyhwaguswun@wagus.de> qp 9435 uid 2020
Jul 12 04:15:16 s15172175 qmail: 1184206516.075284 starting delivery 11029: msg 16806008 to local 275-uxcivtsh@ury.lu
Jul 12 04:15:16 s15172175 qmail: 1184206516.075366 status: local 1/10 remote 0/20
Jul 12 04:15:16 s15172175 qmail: 1184206516.092158 delivery 11029: failure: This_address_no_longer_accepts_mail./
Jul 12 04:15:16 s15172175 qmail: 1184206516.092231 status: local 0/10 remote 0/20
Jul 12 04:15:16 s15172175 qmail-queue[9438]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Jul 12 04:15:16 s15172175 qmail-queue[9438]: scan: the message(drweb.tmp.QFW5vt) sent by  to lyhwaguswun@wagus.de should be passed without checks, because contains uncheckable addresses
Jul 12 04:15:16 s15172175 qmail: 1184206516.168999 bounce msg 16806008 qp 9438
Jul 12 04:15:16 s15172175 qmail: 1184206516.169095 end msg 16806008
Jul 12 04:15:16 s15172175 qmail: 1184206516.170641 new msg 16818240
Jul 12 04:15:16 s15172175 qmail: 1184206516.170700 info msg 16818240: bytes 3657 from <> qp 9442 uid 2522
Jul 12 04:15:16 s15172175 qmail: 1184206516.174006 starting delivery 11030: msg 16818240 to remote lyhwaguswun@wagus.de
Jul 12 04:15:16 s15172175 qmail: 1184206516.174083 status: local 0/10 remote 1/20
Jul 12 04:15:30 s15172175 qmail-queue[9245]: scan: the message(drweb.tmp.49ufFb) sent by cooganh9p@hotmail.com to brever@mum.lu is passed
Jul 12 04:15:30 s15172175 qmail: 1184206530.238153 new msg 16806008
Jul 12 04:15:30 s15172175 qmail: 1184206530.238226 info msg 16806008: bytes 3327 from <cooganh9p@hotmail.com> qp 9531 uid 2020
Jul 12 04:15:30 s15172175 qmail: 1184206530.243111 starting delivery 11031: msg 16806008 to local 514-brever@mum.lu
Jul 12 04:15:30 s15172175 qmail: 1184206530.243187 status: local 1/10 remote 0/20
Jul 12 04:15:30 s15172175 qmail-queue[9534]: scan: the message(drweb.tmp.STiWhd) sent by cooganh9p@hotmail.com to info@brever.lu is passed
Jul 12 04:15:30 s15172175 qmail: 1184206530.341030 new msg 16818240
Jul 12 04:15:30 s15172175 qmail: 1184206530.341110 info msg 16818240: bytes 3429 from <cooganh9p@hotmail.com> qp 9535 uid 110
Jul 12 04:15:30 s15172175 qmail: 1184206530.345434 starting delivery 11032: msg 16818240 to local 602-info@brever.lu
Jul 12 04:15:30 s15172175 qmail: 1184206530.345498 status: local 2/10 remote 0/20
Jul 12 04:15:30 s15172175 qmail: 1184206530.345512 delivery 11031: success: did_0+1+1/qp_9534/
Jul 12 04:15:30 s15172175 qmail: 1184206530.345524 status: local 1/10 remote 0/20
Jul 12 04:15:30 s15172175 qmail: 1184206530.345536 end msg 16806008
Jul 12 04:15:52 s15172175 qmail-queue[9611]: scan: the message(drweb.tmp.JrkrBq) sent by vnbgidzuedu@rrhk.com to daniel@logomotif.lu is passed
Jul 12 04:15:52 s15172175 qmail: 1184206552.930911 new msg 16806008
Jul 12 04:15:52 s15172175 qmail: 1184206552.930986 info msg 16806008: bytes 2062 from <vnbgidzuedu@rrhk.com> qp 9613 uid 2020
Jul 12 04:15:52 s15172175 qmail: 1184206552.935847 starting delivery 11033: msg 16806008 to local 454-daniel@logomotif.lu
Jul 12 04:15:52 s15172175 qmail: 1184206552.935926 status: local 1/10 remote 0/20
Jul 12 04:15:53 s15172175 qmail-queue[9616]: scan: the message(drweb.tmp.UaucnY) sent by vnbgidzuedu@rrhk.com to info@logomotif.lu is passed
Jul 12 04:15:53 s15172175 qmail: 1184206553.020489 new msg 16818240
Jul 12 04:15:53 s15172175 qmail: 1184206553.020571 info msg 16818240: bytes 2170 from <vnbgidzuedu@rrhk.com> qp 9617 uid 110
Jul 12 04:15:53 s15172175 qmail: 1184206553.024835 starting delivery 11034: msg 16818240 to local 454-info@logomotif.lu
Jul 12 04:15:53 s15172175 qmail: 1184206553.024915 status: local 2/10 remote 0/20
Jul 12 04:15:53 s15172175 qmail: 1184206553.024929 delivery 11033: success: did_0+1+1/qp_9616/
Jul 12 04:15:53 s15172175 qmail: 1184206553.024941 status: local 1/10 remote 0/20
Jul 12 04:15:53 s15172175 qmail: 1184206553.024953 end msg 16806008
Jul 12 05:18:14 s15172175 qmail-queue[22140]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Jul 12 05:18:14 s15172175 qmail-queue[22140]: scan: the message(drweb.tmp.fXCYi6) sent by fhk@s15172175.rootmaster.info to rcpts should be passed without checks, because contains uncheckable addresses
Jul 12 05:18:14 s15172175 qmail: 1184210294.595924 starting delivery 11422: msg 16818240 to remote worldwidean5@phentermine.com
Jul 12 05:18:14 s15172175 qmail: 1184210294.596002 status: local 0/10 remote 2/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.596016 new msg 16809674
Jul 12 05:18:14 s15172175 qmail: 1184210294.596032 info msg 16809674: bytes 4169 from <fhk@s15172175.rootmaster.info> qp 22145 uid 2020
Jul 12 05:18:14 s15172175 qmail: 1184210294.643730 starting delivery 11423: msg 16809674 to remote dog.30102@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.643787 status: local 0/10 remote 3/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.643801 starting delivery 11424: msg 16809674 to remote ruby67yu@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.643814 status: local 0/10 remote 4/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.653999 starting delivery 11425: msg 16809674 to remote zoe_1206@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.654288 status: local 0/10 remote 5/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.689668 starting delivery 11426: msg 16809674 to remote allann_young@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.689938 status: local 0/10 remote 6/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.693342 starting delivery 11427: msg 16809674 to remote 0952648725@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.693610 status: local 0/10 remote 7/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.696884 starting delivery 11428: msg 16809674 to remote sputnik0528@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.697083 status: local 0/10 remote 8/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.700502 starting delivery 11429: msg 16809674 to remote mother350810@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.700731 status: local 0/10 remote 9/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.704187 starting delivery 11430: msg 16809674 to remote emote520@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.704455 status: local 0/10 remote 10/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.708652 starting delivery 11431: msg 16809674 to remote snake4125678@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.708881 status: local 0/10 remote 11/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.712249 starting delivery 11432: msg 16809674 to remote u605421@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.712523 status: local 0/10 remote 12/20
Jul 12 05:18:14 s15172175 qmail: 1184210294.716321 starting delivery 11433: msg 16809674 to remote a0960559712@yahoo.com.tw
Jul 12 05:18:14 s15172175 qmail: 1184210294.716581 status: local 0/10 remote 13/20
Jul 12 05:18:50 s15172175 qmail-queue[22188]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Jul 12 05:18:50 s15172175 qmail-queue[22188]: scan: the message(drweb.tmp.2Jrh4X) sent by boaz8@ILOVEJESUS.NET to eugene.moutschen@emolux.com should be passed without checks, because contains uncheckable addresses
Jul 12 05:18:50 s15172175 qmail: 1184210330.390377 new msg 16818250
Jul 12 05:18:50 s15172175 qmail: 1184210330.390463 info msg 16818250: bytes 15924 from <boaz8@ILOVEJESUS.NET> qp 22196 uid 2020
Jul 12 05:18:50 s15172175 qmail: 1184210330.395949 starting delivery 11434: msg 16818250 to local 46-eugene.moutschen@emolux.com
Jul 12 05:18:50 s15172175 qmail: 1184210330.396029 status: local 1/10 remote 2/20
Jul 12 05:18:50 s15172175 qmail-queue[22199]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Jul 12 05:18:50 s15172175 qmail-queue[22199]: scan: the message(drweb.tmp.j5RtTf) sent by boaz8@ILOVEJESUS.NET to eugene.moutschen@edishare.lu should be passed without checks, because contains uncheckable addresses
Jul 12 05:18:50 s15172175 qmail: 1184210330.465011 new msg 16818256
Jul 12 05:18:50 s15172175 qmail: 1184210330.465091 info msg 16818256: bytes 16040 from <boaz8@ILOVEJESUS.NET> qp 22200 uid 110
Jul 12 05:18:50 s15172175 qmail: 1184210330.469314 starting delivery 11435: msg 16818256 to remote eugene.moutschen@edishare.lu
Jul 12 05:18:50 s15172175 qmail: 1184210330.469395 status: local 1/10 remote 3/20
Jul 12 05:18:50 s15172175 qmail: 1184210330.469409 delivery 11434: success: did_0+1+1/qp_22199/
Jul 12 05:18:50 s15172175 qmail: 1184210330.469420 status: local 0/10 remote 3/20
Jul 12 05:18:50 s15172175 qmail: 1184210330.469432 end msg 16818250
Jul 12 05:18:50 s15172175 qmail: 1184210330.804328 delivery 11435: success: 195.238.0.205_accepted_message./Remote_host_said:_250_2.6.0__<001b01c7c47d$9c99a6e0$069eff54@main1>_Queued_mail_for_delivery/
Jul 12 05:18:50 s15172175 qmail: 1184210330.804416 status: local 0/10 remote 2/20
Jul 12 05:18:50 s15172175 qmail: 1184210330.804431 end msg 16818256
Jul 12 05:19:17 s15172175 qmail: 1184210357.922081 new msg 16818250
Jul 12 05:19:17 s15172175 qmail: 1184210357.922145 info msg 16818250: bytes 2789 from <vpskinner@winning.com> qp 22295 uid 2020
Jul 12 05:19:17 s15172175 qmail: 1184210357.927732 starting delivery 11436: msg 16818250 to local 482-erich.rauw@somarco.com
Jul 12 05:19:17 s15172175 qmail: 1184210357.927807 status: local 1/10 remote 1/20

Is this the kind of thing you mean?
 
>> MAIL FROM:<spammer@192.168.4.152>
<< 250 ok
>> RCPT TO:<81.92.238.251!spammee>
<< 250 ok
Unfortunately this is normal with qmail. The so-called percent hack only takes effect later, in qmail-local, and not already in qmail-smtpd. That means such an email is accepted and only checked for validity later, and then a bounce is generated if necessary.

As for your emails, please check whether you really have no user named 'fhk' on the server.

huschi.
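
The relay test from the first post, replayed against a simplified model of a qmail-style recipient check (an added example, not part of the thread and not qmail's source code). The `RCPTHOSTS` contents and the `ENVNOATHOST` value are constructed assumptions; the RCPT arguments and reply codes in `TRANSCRIPT` are the ones shown in the test output above.

```python
# Assumption: the allowed-recipient list holds only hosted domain names.
RCPTHOSTS = {"s15172175.rootmaster.info", "example.lu", ".example.lu"}
# Assumption: domain appended later to addresses that have no '@'.
ENVNOATHOST = "s15172175.rootmaster.info"

# (text after "RCPT ", reply code shown in the relay test output)
TRANSCRIPT = [
    ("TO:<spammee@81.92.238.251>", "553"),
    ('TO:<"spammee@81.92.238.251">', "553"),
    ("TO:spammee@81.92.238.251", "553"),
    ("TO:<spammee%81.92.238.251@217.160.75.28>", "553"),
    ("TO:<spammee@81.92.238.251@217.160.75.28>", "553"),
    ("TO:<81.92.238.251!spammee@217.160.75.28>", "553"),
    ("TO:<@217.160.75.28:spammee@81.92.238.251>", "553"),
    ("TO:<81.92.238.251!spammee>", "250"),
]


def parse_rcpt_arg(arg):
    """Reduce the RCPT argument to a bare address before it is checked."""
    lt = arg.find("<")
    if lt != -1:
        addr = arg[lt + 1:].split(">", 1)[0]
    else:
        # No angle brackets: take what follows the colon.
        addr = arg.split(":", 1)[1] if ":" in arg else arg
        addr = addr.strip().split(" ", 1)[0]
    if addr.startswith("@"):
        # Source route "@relay:user@host": only the final address counts.
        addr = addr.split(":", 1)[1] if ":" in addr else ""
    return addr.replace('"', "")  # quoting does not hide the domain


def rcpt_allowed(addr, rcpthosts):
    """Accept if the domain after the LAST '@' is listed, or if there is none."""
    at = addr.rfind("@")
    if at == -1:
        return True  # domain-less address: resolved as a local one later
    host = addr[at + 1:].lower()
    for i, ch in enumerate(host):
        # Exact match at i == 0, ".suffix" wildcard entries at each dot.
        if (i == 0 or ch == ".") and host[i:] in rcpthosts:
            return True
    return False


def smtp_reply(arg, rcpthosts=RCPTHOSTS):
    return "250" if rcpt_allowed(parse_rcpt_arg(arg), rcpthosts) else "553"


def effective_recipient(addr, envnoathost=ENVNOATHOST):
    """Address the queue works with once a missing domain has been filled in."""
    return addr if "@" in addr else addr + "@" + envnoathost


def mismatches():
    """Transcript entries where the model disagrees with the recorded reply."""
    return [(arg, want, smtp_reply(arg)) for arg, want in TRANSCRIPT
            if smtp_reply(arg) != want]


if __name__ == "__main__":
    for arg, want in TRANSCRIPT:
        addr = parse_rcpt_arg(arg)
        print(f"{smtp_reply(arg)} (recorded {want})  {arg}  ->  {effective_recipient(addr)}")
```

In this model the one accepted recipient ends up addressed to a mailbox on the server's own host name, so it is delivered or bounced locally instead of being forwarded to 81.92.238.251.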
 
Uid

Hello,

could it be that the UID is listed next to the users in /etc/passwd? If so, then according to the log files that would mean the spam originates via the users qmaild and popuser.

I really don't know how to proceed any more.
Is there a way to disable the bounce messages in qmail?



Regards,
Cédric
 
grep UID /etc/passwd
or less /etc/passwd

UID 2020 is qmaild, i.e. the user under which qmail-smtpd runs as the email receiver.
Specifically: these emails are being injected via smtpd.
The question is always where they come from.

huschi.
 
How could I now find out where the emails are coming from?

So it has nothing to do with the POP accounts set up on our server, with the spam coming in through one of those accounts?
 
If the emails really are coming in via SMTP, then I would let tcpdump run for a while to find out how this is happening.

huschi.
 
... for a few days now, customers have been receiving their mails late. Just had a look. Tens of thousands of entries like:
Code:
Jul 26 17:35:48 dsXX-XXX-XXX-XX qmail: 1185464148.772820 delivery 277384: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_453_Mail_from_XX-XXX-XXX-XX_not_allowed_-_[90]/
Jul 26 17:35:48 dsXX-XXX-XXX-XX qmail: 1185464148.848048 status: local 0/10 remote 19/20
Jul 26 17:35:48 dsXX-XXX-XXX-XX qmail: 1185464148.923280 starting delivery 277386: msg 1386395 to remote tan3505@yahoo.com.tw
Jul 26 17:35:49 dsXX-XXX-XXX-XX qmail: 1185464149.006828 status: local 0/10 remote 20/20
Jul 26 17:35:49 dsXX-XXX-XXX-XX qmail: 1185464149.096132 delivery 277385: deferral: Connected_to_203.188.197.9_but_greeting_failed./Remote_host_said:_453_Mail_from_XX-XXX-XXX-XX_not_allowed_-_[90]/
Jul 26 17:35:49 dsXX-XXX-XXX-XX qmail: 1185464149.174000 status: local 0/10 remote 19/20
Jul 26 17:35:49 dsXX-XXX-XXX-XX qmail: 1185464149.333966 starting delivery 277387: msg 1386395 to remote icelove93@yahoo.com.tw
and uptime is at 3-4 at the moment. I'm not really well versed in server administration, but so far it has always been enough to handle all the problems of the last 4 years. There are almost 160 domains and hundreds upon hundreds of mail accounts on it; a reinstallation is 0% an option (if only because of Plesk). I think there is a solution for everything, and only admins out of touch with practice, with their kitchen server or high-end-customer whatever, would flatten everything right away ...
 
Urgh. A roof truss is on fire in the neighbourhood right now. I'll get back to you later!

The server is not listed ....
 
Urgh. A roof truss is on fire in the neighbourhood right now. I'll get back to you later!
Are you going to check whether anyone is still up there?

Search the logs for the matching entry "info msg 1386395".

Which Plesk do you have installed? Was your qmail updated at some point?

huschi.
 
Really intense! I had been wondering the whole time what the stink was. It wasn't the new colour laser printer, and I had nothing in the oven either. Well. I took a few pictures. There was nothing more that could be done there. Fortunately, thanks to several fire engines, everything is OK again, as it looks. Just a gap in the neighbourhood .... that really would be the worst thing I could imagine ... despite external data backups ...
Ah, just heard "no injuries" ... However, we are supposed to leave the flat. It stinks horribly here too ....
See you later!
 