Possibly hacked or is it an open relay?

Started by netgeek, February 20, 2004, 12:05:06 AM


netgeek

I am using qmail 1.03 on FreeBSD-stable. This morning I noticed my server was not reachable from outside; I then noticed qmail-remote was spewing out email at a very high rate. Here is a tail from my log:
it-werx# tail -f /var/log/mail/send/current
@400000004035a8dd22c8fdbc starting delivery 308: msg 3575 to remote brianclc@ms8
.hinet.net
@400000004035a8dd22cc0afc status: local 0/10 remote 255/255
@400000004035a8de0a0d0944 delivery 233: deferral: Connected_to_203.133.1.211_but
_sender_was_rejected./Remote_host_said:_450_<rose@24.42.91.64>:_Sender_address_r
ejected:_Domain_not_found/
@400000004035a8de0a128f54 status: local 0/10 remote 254/255
@400000004035a8de0a17d6e4 starting delivery 309: msg 3575 to remote lhweikc@ms9.
hinet.net
@400000004035a8de0a1ad484 status: local 0/10 remote 255/255
@400000004035a8de230f1af4 delivery 266: deferral: Connected_to_203.133.1.211_but
_sender_was_rejected./Remote_host_said:_450_<tom@24.42.91.64>:_Sender_address_re
jected:_Domain_not_found/
@400000004035a8de23149934 status: local 0/10 remote 254/255
@400000004035a8de231d7e8c starting delivery 310: msg 3627 to remote patty.2525@y
ahoo.com.tw
@400000004035a8de2320baac status: local 0/10 remote 255/255

Now what happens is qmail-remote starts several hundred processes, crashing the server and flooding whoever it is being pointed at. I have noticed the IP (203.133.1.211) in my logs before, which clamav picked up:

This is some of what I get when I do ps -axl | grep qmail:
  86  2164  1516   0   2  0  2104 1124 sbwait S     p0    0:00.01 qmail-remote ms69.hinet.net danny@24.42.91.64 hbs@ms69.hi
  86  2165  1516   0   2  0  2104 1124 sbwait S     p0    0:00.01 qmail-remote ms65.hinet.net danny@24.42.91.64 cheerio@ms6
  86  2167  1516   0   2  0  2104 1124 sbwait S     p0    0:00.01 qmail-remote ms7.hinet.net danny@24.42.91.64 isaac829@ms7
  86  2168  1516   0   2  0  2104 1124 sbwait S     p0    0:00.01 qmail-remote ms8.hinet.net danny@24.42.91.64 8fchj62u@ms8
  86  2169  1516   0   2  0  2104 1124 sbwait S     p0    0:00.01 qmail-remote ms10.hinet.net rose@24.42.91.64 gracecho@ms1
  86  2170  1516   0   2  0  2104 1104 select S     p0    0:00.01 qmail-remote giga.net.tw rose@24.42.91.64 phyllis@giga.ne
  86  2172  1516   0   2  0  2104 1124 sbwait S     p0    0:00.01 qmail-remote ms10.hinet.net rose@24.42.91.64 iilywel@ms10
  86  2173  1516   0   2  0  2104 1104 select S     p0    0:00.01 qmail-remote giga.net.tw rose@24.42.91.64 meichust@giga.n
  86  2174  1516   0   2  0  2104 1124 sbwait S     p0    0:00.01 qmail-remote giga.net.tw rose@24.42.91.64 oneknife@giga.n

I also notice the file system getting stuffed up:
Filesystem    Size   Used  Avail Capacity  Mounted on
/dev/ad0s1a   126M    73M    43M    63%    /
/dev/ad0s1f   252M   180M    52M    78%    /tmp
/dev/ad0s1g    18G   1.8G    15G    11%    /usr
/dev/ad0s1e   252M   172M    59M    74%    /var
procfs        4.0K   4.0K     0B   100%    /proc

Also found over 10,000 directories in /var/qmail/queue/remote, all numbered. Each directory contained:
/var/qmail/queue/remote/1/9868
which contains:
Dppt11316@ms39.hinet.net^>@Tmariache>@ms5.hinet.net^>@Tppt13185>@ms47.hinet.net^>@Tjimiya>@ms53.hinet.net^@

They all had different email addresses in that format.

So basically I am looking for advice as to what to do: should I send this to some authority as a break-in, or chalk it up to my stupidity?
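The send log above is the kind of evidence that answers this question before anyone touches the queue. As an added example (not code from the thread or from the qmail project), here is a small Python parser for qmail-send log lines of that shape. It decodes the tai64n timestamps the way daemontools writes them (2**62 + 10 + Unix time, no leap-second table), tallies deliveries, deferrals and the remote concurrency status lines, and reports the indicators that point at a spam run: remote concurrency pinned at its limit, envelope senders whose "domain" is a bare IP (which is exactly why the far end answers "Domain not found"), and rotating local-parts on one sender domain. The sample log is constructed from the lines in the post with the forum's line wrapping undone; the thresholds in `indicators()` are assumptions to tune per site.

```python
import re
from collections import Counter

# Constructed sample modelled on the qmail-send log in the post (tai64n
# timestamps; the forum's wrapped lines rejoined). Not the poster's real log.
SAMPLE_LOG = """\
@400000004035a8dd22c8fdbc starting delivery 308: msg 3575 to remote brianclc@ms8.hinet.net
@400000004035a8dd22cc0afc status: local 0/10 remote 255/255
@400000004035a8de0a0d0944 delivery 233: deferral: Connected_to_203.133.1.211_but_sender_was_rejected./Remote_host_said:_450_<rose@24.42.91.64>:_Sender_address_rejected:_Domain_not_found/
@400000004035a8de0a128f54 status: local 0/10 remote 254/255
@400000004035a8de0a17d6e4 starting delivery 309: msg 3575 to remote lhweikc@ms9.hinet.net
@400000004035a8de230f1af4 delivery 266: deferral: Connected_to_203.133.1.211_but_sender_was_rejected./Remote_host_said:_450_<tom@24.42.91.64>:_Sender_address_rejected:_Domain_not_found/
@400000004035a8de231d7e8c starting delivery 310: msg 3627 to remote patty.2525@yahoo.com.tw
@400000004035a8de2320baac status: local 0/10 remote 255/255
"""

TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})(?: (.*))?$")
DELIVERY_RE = re.compile(r"^starting delivery \d+: msg (\d+) to remote (\S+)$")
DEFERRAL_RE = re.compile(
    r"^delivery \d+: deferral: Connected_to_(\S+?)_but_sender_was_rejected\./"
    r"Remote_host_said:_(\d{3})_<([^>]*)>")
STATUS_RE = re.compile(r"^status: local \d+/\d+ remote (\d+)/(\d+)")
IP_LITERAL_DOMAIN = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def tai64n_to_unix(label):
    """Decode a tai64n label (or a log line starting with one) to whole Unix
    seconds. daemontools stamps 2**62 + 10 + time(), so subtract that back."""
    m = TAI64N_RE.match(label)
    if not m:
        raise ValueError("not a tai64n label")
    return int(m.group(1), 16) - (1 << 62) - 10


def summarize(log_text):
    """One pass over qmail-send log text, tallying what each line type tells us."""
    s = {"messages": set(), "recipient_domains": Counter(),
         "rejected_senders": Counter(), "rejecting_hosts": Counter(),
         "status_lines": 0, "saturated_status_lines": 0,
         "first_ts": None, "last_ts": None}
    for line in log_text.splitlines():
        m = TAI64N_RE.match(line)
        if not m:
            continue
        ts, body = tai64n_to_unix(line), m.group(3) or ""
        s["first_ts"] = ts if s["first_ts"] is None else min(s["first_ts"], ts)
        s["last_ts"] = ts if s["last_ts"] is None else max(s["last_ts"], ts)
        d = DELIVERY_RE.match(body)
        if d:  # a queued message being handed to qmail-remote
            s["messages"].add(d.group(1))
            s["recipient_domains"][d.group(2).rsplit("@", 1)[-1].lower()] += 1
            continue
        d = DEFERRAL_RE.match(body)
        if d:  # the far end refused our envelope sender
            s["rejecting_hosts"][d.group(1)] += 1
            s["rejected_senders"][d.group(3)] += 1
            continue
        d = STATUS_RE.match(body)
        if d:  # "remote N/M": N active remote deliveries of M allowed
            s["status_lines"] += 1
            if d.group(1) == d.group(2):
                s["saturated_status_lines"] += 1
    return s


def indicators(s):
    """Cheap signs of a spam run rather than normal traffic. Thresholds are
    assumptions; tune them to the site's usual volume."""
    out = []
    if s["status_lines"] and s["saturated_status_lines"] / s["status_lines"] >= 0.5:
        out.append("remote delivery concurrency pinned at its limit")
    domains = Counter(a.rsplit("@", 1)[-1] for a in s["rejected_senders"])
    bare_ip = sorted(d for d in domains if IP_LITERAL_DOMAIN.match(d))
    if bare_ip:
        out.append("envelope senders use a bare IP as domain: " + ", ".join(bare_ip))
    rotating = sorted(d for d, n in domains.items() if n >= 2)
    if rotating:
        out.append("rotating local-parts on sender domain(s): " + ", ".join(rotating))
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("messages seen:", sorted(summary["messages"]))
    print("rejected senders:", dict(summary["rejected_senders"]))
    for hint in indicators(summary):
        print("indicator:", hint)
```

Run it against a real log with `summarize(open("/var/log/mail/send/current").read())`; the summary's `rejected_senders` set is the list of forged envelope senders to search for in `/var/qmail/queue/mess` before the queue is cleaned, and `first_ts`/`last_ts` bound the window to look at in the SMTP log for the connecting IP.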

twa

Looks like a spam run to me. If your users can relay through your box (with SMTP-AUTH) it could also be a virus infected client, but that's less likely since many mass mailer worms have their own SMTP engine.

What IP-address did the senders connect from? Be aware that your server might just be one in a string of relays, so whoever connects to you to send this might not be the spammer. You will find the originating IP-address in the header of one of the offending mails in the queue.
What's in your tcp.smtp file?
What's in rcpthosts?
What's the message body on the mail being sent?

All the deferrals in your log are the spammer using either non-existent harvested or generated addresses. Their crappy address list is now your problem :(

203.133.1.211 is a mailserver in the giga.net.tw domain. hinet.net is also a Taiwanese domain. The IP-address 24.42.91.64 is a cable modem customer somewhere in the US (rogers.com). The latter is not listed in any of the usual RBLs.

Test yourself to see if you are an open relay: http://www.abuse.net/relay.html.
Get qqtool.pl from Matt's site and clean out the queue. It's on http://www.tnpi.biz/internet/mail/qqtool/qqtool.pl if you don't have it already.
If you indeed are an open relay, be prepared to spend some time getting yourself off all of the hundreds of RBLs out there.

Whether this is a break-in or you are an open relay, only you, your config files and your logs can tell. And find out what really happened before you report it to authorities.
Tor Willy Austerslått

netgeek

I have tested the server for relay and from their site it is not considered an open relay.
What's in my rcpthosts:
it-werx# more rcpthosts
localhost
mail.it-werx.org
flywebdesign.com
it-werx.org
stillwatermanagement.com

What's in my tcp.smtp:
it-werx# more /usr/local/vpopmail/etc/tcp.smtp
## Allow localhost and qmail scanner ##
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
## end ##
### BEGIN QMAIL SCANNER VIRUS ENTERIES ###
### END QMAIL SCANNER VIRUS ENTERIES ###

I see nothing out of the ordinary in any of it, or nothing from what I have always used. The queue I rm -r'd. The IP from the cable host is mine; I run this server from home. I do this as a hobby and I write some web-based applications as well, most in PHP and SQL to control virtual users. http://www.it-werx.org/ftpmin is the basis of the whole idea.
Sorry for that weee bit of spam Matt. =Þ

Anyhow I am still looking at logs etc. trying to figure out what happened. I know now it was not an open relay, so must be something wrong with qmail-remote?
Will keep you posted none the less.

netgeek

Found one of many bounced messages,

Hi. This is the qmail-send program at it-werx.org.
I tried to deliver a bounce message to this address, but the bounce bounced!

<@it-werx.org>:

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 28172 invoked for bounce); 19 Feb 2004 10:45:46 -0000
Date: 19 Feb 2004 10:45:46 -0000
From: MAILER-DAEMON@it-werx.org
To: ""
Subject: failure notice

Hi. This is the qmail-send program at it-werx.org.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<27sq@yahoo.com.tw>:
Connected to 202.1.238.251 but sender was rejected.
Remote host said: 501 Syntax error in parameters or arguments

<27sr@yahoo.com.tw>:
Connected to 202.1.238.251 but sender was rejected.
Remote host said: 501 Syntax error in parameters or arguments

<27ss@yahoo.com.tw>:
Connected to 202.1.238.248 but sender was rejected.
Remote host said: 501 Syntax error in parameters or arguments

<27st@yahoo.com.tw>:
Connected to 202.1.238.248 but sender was rejected.
Remote host said: 501 Syntax error in parameters or arguments

--- Below this line is a copy of the message.

Return-Path: <"">
Received: (qmail 28166 invoked by uid 1005); 19 Feb 2004 10:45:45 -0000
Received: from  by it-werx.org by uid 89 with qmail-scanner-1.20
(clamscan: 0.65. spamassassin: 2.63.  Clear:RC:1(222.156.84.115):.
Processed in 3.293403 secs); 19 Feb 2004 10:45:45 -0000
Received: from unknown (HELO bach) (222.156.84.115)
 by cpe00c04fa0cce6-cm014310115402.cpe.net.cable.rogers.com with SMTP; 19 Feb 2004
10:45:41 -0000
From: "silas" <>
Subject: Hi Dear 27sq =?Big5?B?s2+sT6dBrW6n5Kq6TGludXggsdC+x6TlpfM=?= 5
To: "27sq" <27sq@yahoo.com.tw>
Content-Type: text/html;
       charset="BIG-5"
Sender: silas <>
Date: Thu, 19 Feb 2004 18:39:43 +0800
X-Priority: 2
X-Library: Indy 9.00.10
X-Mailer:Microsoft Outlook Express 6.00.2462.0000
X-MimeOLE:Produced By Mircosoft MimeOLE V6.00.2600.0000
Return-Path:
X-Qmail-Scanner-1.20: added fake MIME-Version header
MIME-Version: 1.0
X-Qmail-Scanner-Message-ID: <107718754365228160@it-werx.org>

<!-- 2004/2/19 下午 06:39:38-->
<!-- 27sq@yahoo.com.tw-->
<!-- 58iiCb-->

<!-- 2004/2/19 下午 06:39:38-->
<!-- 27sq@yahoo.com.tw-->
<!-- Iky2jA-->

This is one of many, many different messages that were sent. I have a lot of different ones; what really gets me thinking that it was more than just spam is how it just happened that I got hit with several hundred all at once. I rarely got any kind of spam in the first place, so for this to happen is rather strange. Also what helped stuff up the machine is the auto mail generated by the qmail scanner when it sends to the supposed email of the person who sent the email.
I am now disabling that option and just have it send to postmaster, perhaps that should be the default anyhow.

Guest

netgeek


What's in my tcp.smtp:
it-werx# more /usr/local/vpopmail/etc/tcp.smtp
## Allow localhost and qmail scanner ##
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
## end ##
### BEGIN QMAIL SCANNER VIRUS ENTERIES ###
### END QMAIL SCANNER VIRUS ENTERIES ###



Well, you allow relaying from all over the world using this. The offending config line
:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"


should really be

:allow,RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"


Do you see the difference?
I connected to your SMTP server and did the following:

# telnet 24.42.91.64 25
Trying 24.42.91.64...
Connected to CPE00c04fa0cce6-CM014310115402.cpe.net.cable.rogers.com.
Escape character is '^]'.
220 it-werx.org ESMTP
HELO mailtoastercommunity-test-twa
250 it-werx.org
MAIL FROM: mailadm@mydomain.org
250 ok
RCPT TO: mailadm@mydomain.org
250 ok
DATA
354 go ahead
testing testing
.
451 qq temporary problem (#4.3.0)

Now, I don't know what you did just when I was testing, but the fact that qmail doesn't complain when I do this means that anyone can send anyone else mail through your mailserver.

That is btw the definition of an open relay.
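The bug in the posted tcp.smtp is easy to miss by eye, so here is an added example (my own code, not part of the thread or of Matt's toaster) that reads a tcp.smtp rules file in the ucspi-tcp `prefix:action,VAR="value",...` form and flags the mistake mechanically. tcprules picks the most specific matching prefix and falls through to the rule with the empty prefix for every other host, so `RELAYCLIENT` on the empty-prefix rule means the whole Internet may relay. The lint rates that as critical, rates `RELAYCLIENT` on a non-private prefix as a warning, and notes `RBLSMTPD=""` on the default rule (an empty `RBLSMTPD` tells rblsmtpd to skip its checks for that connection). The two configs embedded below are the one netgeek posted and the corrected line suggested in this reply, copied from the thread.

```python
import re

# tcp.smtp exactly as posted in the thread (the open-relay version).
POSTED_TCP_SMTP = """\
## Allow localhost and qmail scanner ##
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
## end ##
"""

# The same file with the default rule replaced by the corrected line.
FIXED_TCP_SMTP = """\
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow,RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
"""

RULE_RE = re.compile(r'^([^:]*):(allow|deny)(?:,(.*))?$')
ENV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)=("([^"]*)"|[^,]*)')


def parse_rules(text):
    """Return one dict per rule: line number, address prefix, action and the
    environment variables the rule sets. Comments and blank lines are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            rules.append({"line": n, "error": raw})
            continue
        env = {}
        for name, whole, inner in ENV_RE.findall(m.group(3) or ""):
            env[name] = inner if whole.startswith('"') else whole
        rules.append({"line": n, "prefix": m.group(1),
                      "action": m.group(2), "env": env})
    return rules


def is_private_prefix(prefix):
    """True for loopback and RFC 1918 address prefixes (the only places a
    blanket RELAYCLIENT is normally acceptable)."""
    if prefix.startswith(("127.", "10.", "192.168.")):
        return True
    m = re.match(r"^172\.(\d+)\.", prefix)
    return bool(m and 16 <= int(m.group(1)) <= 31)


def lint(text):
    """Findings as (severity, line, message) tuples."""
    findings = []
    for r in parse_rules(text):
        if "error" in r:
            findings.append(("error", r["line"], "unparseable rule: " + r["error"]))
            continue
        if r["action"] != "allow":
            continue
        prefix, env = r["prefix"], r["env"]
        if "RELAYCLIENT" in env:
            if prefix == "":
                findings.append(("critical", r["line"],
                                 "default rule sets RELAYCLIENT: any host may relay"))
            elif not is_private_prefix(prefix):
                findings.append(("warning", r["line"],
                                 "RELAYCLIENT granted to non-private prefix %r" % prefix))
        if prefix == "" and env.get("RBLSMTPD") == "":
            findings.append(("notice", r["line"],
                             'default rule sets RBLSMTPD="", so rblsmtpd skips its checks for everyone'))
    return findings


def is_open_relay_config(text):
    return any(sev == "critical" for sev, _, _ in lint(text))


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_TCP_SMTP), ("fixed", FIXED_TCP_SMTP)):
        print(label, "open relay:", is_open_relay_config(cfg))
        for sev, line, msg in lint(cfg):
            print("  %-8s line %d: %s" % (sev, line, msg))
```

Point it at the live file with `lint(open("/usr/local/vpopmail/etc/tcp.smtp").read())`. The check only covers the source rules, not the compiled `tcp.smtp.cdb`, so after editing the file the cdb still has to be rebuilt with tcprules before tcpserver sees the change; and since the corrected line keeps `RBLSMTPD=""`, the notice still fires on it, which only matters if rblsmtpd is in the SMTP run script.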

twa

Sorry, I forgot to log in. The previous post was by me.
Tor Willy Austerslått

twa

netgeek


This is a permanent error; I've given up. Sorry it didn't work out.

<27sq@yahoo.com.tw>:
Connected to 202.1.238.251 but sender was rejected.
Remote host said: 501 Syntax error in parameters or arguments

<27sr@yahoo.com.tw>:
Connected to 202.1.238.251 but sender was rejected.
Remote host said: 501 Syntax error in parameters or arguments

<27ss@yahoo.com.tw>:
Connected to 202.1.238.248 but sender was rejected.
Remote host said: 501 Syntax error in parameters or arguments

<27st@yahoo.com.tw>:
Connected to 202.1.238.248 but sender was rejected.
Remote host said: 501 Syntax error in parameters or arguments

--- Below this line is a copy of the message.

Return-Path: <"">
Received: (qmail 28166 invoked by uid 1005); 19 Feb 2004 10:45:45 -0000

This is one of many, many different messages that were sent. I have a lot of different ones; what really gets me thinking that it was more than just spam is how it just happened that I got hit with several hundred all at once. I rarely got any kind of spam in the first place, so for this to happen is rather strange. Also what helped stuff up the machine is the auto mail generated by the qmail scanner when it sends to the supposed email of the person who sent the email.
I am now disabling that option and just have it send to postmaster, perhaps that should be the default anyhow.


The spammer is clearly using generated addresses in hopes of hitting real ones (27sr, 27st, 27ss etc.). Like I said, he does NOT care about the bounces since they are now technically your problem.

Whatever you do, you'll be stuck with the fallout of being used as an open relay with your domain in the from address.

By the way, the spam appears to come from 222.156.84.115, which is an IP inside a very large netblock. Sounds like a DSL or dialup IP pool. It could be a spoof though.

As for only sending reports to the admin regarding stuff like this, good idea ;)
Tor Willy Austerslått

netgeek

Well I feel pretty stupid, I should have seen that, considering I have installed Matt's toaster 3 times. DOH!
Thanks for the advice.