  #1 (permalink)  
Old 07-27-2010, 06:29 AM
Member
 
Posts: 13
Default Problem: server being used for sending spam

Hello,
First, sorry for my English; this is the first time that I participate in the forum.

I have a serious problem with my mail server: it is being used for sending a large amount of spam. Everything has already been verified, you can be sure. What happens is that an external IP can somehow generate messages that are sent from localhost and sent to multiple recipients. But there is no authentication whatsoever; it is as if the server had been hacked, except that even rootkit tools do not detect anything.
The server is a Debian with version 5 6.0.4_GA_2038.DEBIAN5 DEBIAN5 FOSS edition. Is there any bug that allows it?

Thanks!
  #2 (permalink)  
Old 07-27-2010, 06:38 AM
Zimbra Consultant & Moderator
 
Posts: 20,313
Default

Quote:
Originally Posted by darlanart View Post
Hello,
First, sorry for my English; this is the first time that I participate in the forum.

I have a serious problem with my mail server: it is being used for sending a large amount of spam. Everything has already been verified, you can be sure. What happens is that an external IP can somehow generate messages that are sent from localhost and sent to multiple recipients. But there is no authentication whatsoever; it is as if the server had been hacked, except that even rootkit tools do not detect anything.
The server is a Debian with version 5 6.0.4_GA_2038.DEBIAN5 DEBIAN5 FOSS edition. Is there any bug that allows it?

Thanks!
Have you verified that your server is not an open relay by using one of the internet test sites? When you've done that you need to post some information about what exactly is happening and some headers from a spam email. You might also want to search the forums for some other posts on this topic.
__________________
Regards


Bill
  #3 (permalink)  
Old 07-27-2010, 06:50 AM
Member
 
Posts: 13
Default

Quote:
Originally Posted by phoenix View Post
Have you verified that your server is not an open relay by using one of the internet test sites? When you've done that you need to post some information about what exactly is happening and some headers from a spam email. You might also want to search the forums for some other posts on this topic.
Thanks for your reply Bill.

Yes, I tested for open relay, but that is not the problem. You can see the problem here:
PSBL spamtrap mail for 201.22.249.72
  #4 (permalink)  
Old 07-27-2010, 07:00 AM
Zimbra Consultant & Moderator
 
Posts: 20,313
Default

Quote:
Originally Posted by darlanart View Post
Thanks for your reply Bill.

Yes, I tested for open relay, but that is not the problem. You can see the problem here:
PSBL spamtrap mail for 201.22.249.72
Then you should check the log files (and check your daily admin mail report) to see if any of the accounts on your server are sending large numbers of email as you might have a compromised account. You could also take a look at some of these threads.
__________________
Regards


Bill
  #5 (permalink)  
Old 07-27-2010, 12:13 PM
Member
 
Posts: 13
Default

Quote:
Originally Posted by phoenix View Post
Then you should check the log files (and check your daily admin mail report) to see if any of the accounts on your server are sending large numbers of email as you might have a compromised account. You could also take a look at some of these threads.
Bill,

The first of the senders is "Atendimento@bradesco.com.br", a user that does not exist on my server; my server does not belong to this domain, and in the logs everything appears as if localhost were sending.
  #6 (permalink)  
Old 07-28-2010, 05:09 AM
Member
 
Posts: 13
Default

Any idea?
  #7 (permalink)  
Old 07-28-2010, 05:16 AM
raj
Moderator
 
Posts: 768
Default

Hi, a spammer has compromised the password of one of your accounts and is using SMTP AUTH to log in and then RELAY as many emails as they want.
The actual address used to AUTH will not show up in the MAIL HEADER. You need to research the mail logs or zimbra.log to see which user is connecting a lot, and other log information.

Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider
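
The log check suggested in the reply above, as an added example that is not part of the original thread: it counts messages per SMTP AUTH login and collects the client IPs each login came from. It assumes the standard Postfix smtpd log line carrying `sasl_username=`; the sample lines, account names and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Postfix smtpd writes one such line per message accepted from an authenticated client.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[\s]*)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)

# Constructed sample lines (not from the thread); IPs are documentation ranges.
SAMPLE_LOG = """\
Jul 27 06:01:10 mail postfix/smtpd[2101]: 3F1A2B0C1D: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=user1@example.com
Jul 27 06:01:11 mail postfix/smtpd[2101]: 3F1A2B0C2E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=user1@example.com
Jul 27 06:01:12 mail postfix/smtpd[2107]: 3F1A2B0C3F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user1@example.com
Jul 27 06:01:13 mail postfix/smtpd[2107]: 3F1A2B0C4A: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user1@example.com
Jul 27 06:01:14 mail postfix/smtpd[2101]: 3F1A2B0C5B: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=user1@example.com
Jul 27 06:05:40 mail postfix/smtpd[2110]: 3F1A2B0C6C: client=pc1.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=user2@example.com
Jul 27 06:05:41 mail postfix/smtpd[2115]: 3F1A2B0C7D: client=localhost[127.0.0.1]
"""

def sasl_senders(lines):
    """Return {sasl_username: {"messages": n, "ips": set_of_client_ips}}."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set()})
    for line in lines:
        m = SASL_RE.search(line)
        if m:  # lines without sasl_username (unauthenticated clients) are skipped
            entry = stats[m.group("user")]
            entry["messages"] += 1
            entry["ips"].add(m.group("ip"))
    return dict(stats)

def suspects(stats, max_messages=3):
    """Logins above the (assumed) message threshold, busiest first."""
    hits = [(user, s["messages"], sorted(s["ips"]))
            for user, s in stats.items() if s["messages"] > max_messages]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for user, count, ips in suspects(sasl_senders(SAMPLE_LOG.splitlines())):
        print(f"{user}: {count} authenticated messages from {ips}")
```

On a real server, feed it the lines of the mail log instead of `SAMPLE_LOG` and set `max_messages` to what is normal for the site; a login that is both busy and spread over unrelated IPs is the one to lock and reset first.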