[NCLUG] spam problem with qmail

Bob Proulx bob at proulx.com
Mon Jan 12 19:20:11 MST 2004


mherndon wrote:
> I have a mail server running Slackware with qmail 1.03.

I know little of qmail and so will leave that to others.

> Over the last couple of days, the server has been compromised and appears to 
> be relaying spam.

Are you sure your server has been root compromised?  Or has the MTA
configuration just been messed up so that it is now an open relay?
The two are not the same thing and my response would certainly be
different in those cases.

> I'm stumped on what I need to exactly do now.  I would be greatful for any 
> help or suggestions.

If you really think you server has been root compromised then you
should bring the machine offline and make a copy of the disk and
reinstall clean from known good sources.  Then poke at the disk
offline to detect how they got in.  Trying to do forensics on a
running machine is not advised and can obscure the trail.
Reinstalling can be painful.  Which is why I ask if you are sure.

Personally I would run chkrootkit to see if it detects anything.  Note
that a good rootkit can hide and be completely undetectable.  But
usually they are not so good and will leave trails.  It is a tricky
thing for someone to crack a machine without really leaving a trail.
This is basically saying that a good burgler will never leave a trace
in your house but the local neighborhood kids (script kiddies?) are
usually not so good and will leave footprints.

  http://www.chkrootkit.org/

If your machine is just an open relay the spammers will have found it
and will likely have filled your queues with spam and bounces.
Statically that is probably more likely.  If so then you will probably
also be on various open relay lists.  Fix your MTA configuration first
then address the open relay lists second.

It is easier to detect these problems if you are proactive.  I
recommend all machines with incoming connections from the Evil
Internet be monitored with something like AIDE.  By now it is too late
to know what crackers may have changed.  Put this suggestion in the
proactive list for next time.

  http://www.cs.tut.fi/~rammer/aide.html

Hopefully you will have kept up with patches and have good versions of
software answering network connections (apt-get upgrade?  krud2date?
[what does slack use?]).  Your machine on the Internet should also be
either running a firewall or better yet live behind one (shorewall?).
You will have scanned it to crosscheck it (nmap?).  You will be
monitoring the system logs (logcheck? logwatch?).

I am sure others on the list will have better suggestions than these
poor ones of mine.

Bob



More information about the NCLUG mailing list