ronaldop
Posted December 4, 2006

Hi,

My server is using qmail-toaster, latest version, and my server is getting blocked all the time. My mail server is small and, consulting the log files, I don't have any spam leaving my server. My IP is 200.181.62.242 and my DNS is BIND, using SPF and DKIM. My domain is irmaospontual.com.br and my host is servidor.irmaospontual.com.br.

What is happening? Why am I blocked all the time? I ran all the tests (DNS stuff, open relay, SPF, DKIM) and my qmail server is approved in all of them. I'm desperate, please help me.

Telarin
Posted December 4, 2006

> 200.181.62.242 listed in bl.spamcop.net (127.0.0.2)
>
> If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 7 hours.
>
> Causes of listing
> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
>
> Additional potential problems (these factors do not directly result in spamcop listing)
> System administrator has already delisted this system once
>
> Because of the above problems, express-delisting is not available

Most often spamtrap hits without user reports are caused by misdirected bounces. What happens if someone sends an email to your server that is addressed to a non-existent address at your domain? Is it rejected with a 500 series error message, or is it bounced to the envelope sender? If you are bouncing, then those bounces go to the forged from address on spam, and are considered spam themselves.

If you tell me what domain your server should accept mail to, I can test and see exactly what it is doing. I can see that for a random domain, it does reject with a 553 error, which is good, but the behavior for bad addresses on the domain it is configured for may be different.

Merlyn
Posted December 4, 2006

You have a trojan.

See: http://psbl.surriel.com/evidence?ip=200.18...=Check+evidence

Saw a URL in one of the spams and it pointed to Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov

See: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL48485

This machine needs to be taken off the web until you can stop the spammers from using it.

ronaldop (Author)
Posted December 5, 2006

Thanks Telarin, my server accepts the domain irmaospontual.com.br.

Merlyn, I think that's the real problem. How do I fix this trojan problem on a Linux Fedora Core 2 server?

Merlyn
Posted December 5, 2006

Are you using any login or mail scripts on the site? Are they up to date?

ronaldop (Author)
Posted December 5, 2006

I'm using PHP-Nuke 7.8, which has a mail() function. Is there a way for the spammers to use the mail() function of PHP to send mail without it being logged in the qmail server's log?

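On the question above: PHP's mail() on Linux hands the message to the program named by sendmail_path, so it is queued locally and never passes through qmail-smtpd, but qmail-send still logs it with the uid of the calling process. The following is an added example, not code from the thread, that tallies a qmail-send log by injecting uid; the log lines are constructed, and it assumes sendmail_path points at qmail's sendmail wrapper and that Apache runs as uid 48 (adjust both for the host).

```python
import re
from collections import defaultdict

# Constructed qmail-send log lines (timestamps shortened); not from the thread.
SAMPLE_LOG = """\
@4000000045741e2a new msg 93871
@4000000045741e2a info msg 93871: bytes 2250 from <anonymous@servidor.example> qp 21544 uid 48
@4000000045741e2a starting delivery 412: msg 93871 to remote a@example.net
@4000000045741e2a starting delivery 413: msg 93871 to remote b@example.net
@4000000045741e2b starting delivery 414: msg 93871 to remote c@example.net
@4000000045741e2c end msg 93871
@4000000045741e30 new msg 93872
@4000000045741e30 info msg 93872: bytes 1840 from <alice@example.org> qp 21570 uid 89
@4000000045741e30 starting delivery 415: msg 93872 to local bob@mail.example
@4000000045741e31 end msg 93872
@4000000045741e35 new msg 93871
@4000000045741e35 info msg 93871: bytes 2251 from <> qp 21602 uid 48
@4000000045741e35 starting delivery 416: msg 93871 to remote d@example.net
@4000000045741e36 starting delivery 417: msg 93871 to remote e@example.net
@4000000045741e37 end msg 93871
"""

INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
START = re.compile(r"starting delivery \d+: msg (\d+) to (remote|local) \S+")
END = re.compile(r"end msg (\d+)")

def summarize_by_uid(log_text):
    """Count queued messages and remote deliveries per injecting uid."""
    owner = {}  # queue id -> uid; qmail reuses queue ids after "end msg"
    stats = defaultdict(lambda: {"messages": 0, "remote": 0, "senders": set()})
    for line in log_text.splitlines():
        info, start, end = INFO.search(line), START.search(line), END.search(line)
        if info:
            msg, sender, uid = info.group(1), info.group(2), int(info.group(3))
            owner[msg] = uid
            stats[uid]["messages"] += 1
            stats[uid]["senders"].add(sender)  # "" is the null (bounce) sender
        elif start and start.group(2) == "remote" and start.group(1) in owner:
            stats[owner[start.group(1)]]["remote"] += 1
        elif end:
            owner.pop(end.group(1), None)
    return dict(stats)

def suspicious_uids(log_text, web_uids=(48,)):
    """Web-server uids (assumed: 48) that injected mail delivered off-host."""
    stats = summarize_by_uid(log_text)
    return sorted((u, stats[u]["remote"]) for u in web_uids
                  if u in stats and stats[u]["remote"] > 0)
```

Any remote deliveries attributed to the web server's uid are worth tracing back to the script that called mail().
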
Wazoo
Posted December 5, 2006

PHP-Nuke has a long history of getting hacked. I have no idea what version is 'current' or the status of "today's" version ....

http://secunia.com/advisories/23128/ details an exploit in version 7.9, posted 2006-11-28 .. so things don't seem to have changed much, although the update/upgrades keep coming ....

Merlyn
Posted December 5, 2006

Google is your friend: http://www.google.com/search?hl=en&lr=...8+vulnerability

Looks like there are a few different vulnerabilities

Telarin
Posted December 5, 2006

> Thanks Telarin, my server accepts the domain irmaospontual.com.br.
>
> Merlyn, I think that's the real problem. How do I fix this trojan problem on a Linux Fedora Core 2 server?

I agree, your mailserver rejects emails to bad addresses with a 500 error message just as it should, so misdirected bounces would not appear to be the problem. I would go the trojan or PHP Nuke vulnerability route for further troubleshooting.

ronaldop (Author)
Posted December 5, 2006

Thanks for all the help, you are showing me the right way. I attacked the security problem of PHP-Nuke using a security module for the Apache web server; its name is mod security and I found it at http://www.modsecurity.org. This module filters bad requests to PHP and other HTTP requests. I made a few tests and the results are apparently good. I will continue testing...

Wazoo
Posted January 5, 2007

Been a month with no follow-up .. so making the assumption that all is well with this system and tagging this one as Resolved.

Archived
This topic is now archived and is closed to further replies.