Forum OpenACS Q&A: unwanted spam from my server... help.

I have never really bothered with qmail configuration, because it has always worked for me... I just got an email from my provider saying that my server was sending spam and if it continues doing so they will shut down the IP-address, which would suck. He also sent me this spamcop url naming my server as sending spam:

How can somebody use my qmail in order to send spam? Could my qmail incidently have an open relay? How can I check on that and close it?

Before I stopped qmail via daemontools I had this suspicious netstat:

tcp        0      0 dialin-145-254-191:3199 SYN_RECV
tcp      24      0 ipx10231.arasis.d:10000 p508DBF81.dip.t-di:4485 CLOSE_WAIT
tcp        0      0 ipx-132-247-190-80:http p508DBF81.dip.t-di:4986 TIME_WAIT
tcp        0      0 crawler2.googlebo:38592 TIME_WAIT
tcp        0      1 ipx10231.arasis.d:49847 angel-mta6.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49828 angel-mta6.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49830 angel-mta6.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49845 angel-mta5.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49827 angel-mta5.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49811 angel-mta5.whowher:smtp SYN_SENT
tcp        0      0 dialin-145-254-191:3179 TIME_WAIT
tcp        0      1 ipx10231.arasis.d:49832 angel-mta4.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49782 angel-mta4.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49846 angel-mta3.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49810 angel-mta3.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49819 angel-mta3.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49783 angel-mta3.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49781 angel-mta2.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49831 angel-mta1.whowher:smtp SYN_SENT
tcp        0      1 ipx10231.arasis.d:49812 angel-mta1.whowher:smtp SYN_SENT

I just checked again and this angel-mta3.whowher:smtp is still hitting on my server...

What else is weird is that my webmin cannot load the qmail configuration index anymore although it can load i.e. the sendmail configuration index...

And I just checked out how many qmail processes are running... wow there are couple qmail-remote processes:

[root@ipx10231 root]# ps auxww | grep qmail
root      637  0.0  0.0  1372  252 ?        S    2003  0:00 supervise qmail-smtpd
qmaill    643  0.0  0.0  1388  204 ?        S    2003  0:00 /usr/local/bin/multilog t /var/log/qmail
qmaill    649  0.0  0.0  1392  256 ?        S    2003  0:00 /usr/local/bin/multilog t /var/log/qmail/smtpd
qmails  10543  0.0  0.0  1860  452 ?        S    Feb18  0:58 qmail-send
qmaill  10544  0.0  0.0  1392  432 ?        S    Feb18  0:25 splogger qmail
root    10545  0.0  0.0  1392  280 ?        S    Feb18  0:01 qmail-lspawn ./Maildir/
qmailr  10546  0.0  0.0  1400  304 ?        S    Feb18  0:31 qmail-rspawn
qmailq  10547  0.0  0.0  1384  292 ?        S    Feb18  0:05 qmail-clean
root      1417  0.0  0.0  1372  252 ?        S    Mar08  0:01 supervise qmail-send
qmailr  16872  0.0  0.0  1472  444 ?        S    11:45  0:00 qmail-remote
qmailr  16873  0.0  0.0  1472  444 ?        S    11:45  0:00 qmail-remote
root    17513  1.2  6.8 40324 34888 ?      S    11:48  0:05 /usr/libexec/webmin/qmailadmin/index.cgi
root    17516  2.1  0.0  1396  300 ?        D    11:48  0:10 /var/qmail/bin/qmail-qread
qmailr  18452  0.0  0.0  1468  460 ?        S    11:50  0:00 qmail-remote
qmailr  19137  0.0  0.0  1472  464 ?        S    11:51  0:00 qmail-remote
qmailr  20160  0.0  0.0  1468  460 ?        S    11:53  0:00 qmail-remote
qmailr  20161  0.0  0.0  1468  460 ?        S    11:53  0:00 qmail-remote
qmailr  20171  0.0  0.0  1472  464 ?        S    11:53  0:00 qmail-remote
qmailr  20181  0.0  0.0  1468  460 ?        S    11:53  0:00 qmail-remote
qmailr  20194  0.0  0.0  1476  464 ?        S    11:53  0:00 qmail-remote
qmailr  20201  0.0  0.0  1468  460 ?        S    11:53  0:00 qmail-remote
qmailr  20202  0.0  0.0  1468  460 ?        S    11:53  0:00 qmail-remote
qmailr  20204  0.0  0.0  1472  464 ?        S    11:53  0:00 qmail-remote
qmailr  20336  0.0  0.0  1472  464 ?        S    11:53  0:00 qmail-remote
qmailr  20346  0.0  0.0  1476  468 ?        S    11:53  0:00 qmail-remote
qmailr  20509  0.0  0.0  1476  468 ?        S    11:54  0:00 qmail-remote
qmailr  20510  0.0  0.0  1476  468 ?        S    11:54  0:00 qmail-remote
qmailr  20511  0.0  0.0  1468  460 ?        S    11:54  0:00 qmail-remote
qmailr  20532  0.0  0.0  1468  460 ?        S    11:55  0:00 qmail-remote
qmailr  20533  0.0  0.0  1468  460 ?        S    11:55  0:00 qmail-remote
qmailr  20546  0.0  0.0  1472  464 ?        S    11:55  0:00 qmail-remote

And I somehow cannot svc -u /service/qmail-* anymore... It tells me that it cannot connect or localhost:25

Help? I think I need it 😉

Posted by Ola Hansson on
Hmm, I think you should consider using relay-ctrl ( ). I'm certaily no mail expert but I think this app would help.

It's been ages since I configured this on my server but I dont't recall it being very hard to deal with (in great part thanks to the invaluable help from Dave Bauer).

FWIW, I made some notes from that session, but they may be obsolete by now:

Good luck!

Posted by Joel Aufrecht on
look for "/etc/tcp.smtp" in that document.
Posted by Tom Jackson on

The first think you should do as a responsible sysadmin is:

svc -d /service/qmail-*

Then figure out how to stop the open relay. However, probably most of the email messages are going to go to bad addresses, so your queue will be full of bad messages and qmail will continue to attempt deliver for about a week. If you don't have a bunch of email in your queue, you should consider figuring out how to delete all the messages in your queue before starting qmail again.

Posted by David Kuczek on
Hmmm... thanks everybody.

Tom, that's exactly what I did. I thought that qmail was still running, but it actually wasn't. I temporarily closed down port 25 through iptables (lokkit). The queue had over 40.000 emails in it. I found an instruction on google on how to delete them. Basically you can delete them manually but shouldn't delete folders.

Then I added all my domains to accepted domains (rcpthosts), which I must have deleted incidently. By the way: What is the difference of rcpthosts and locals? Should all domains be in both files or only in rcpthosts?

Posted by Deds Castillo on
rcpthosts contain the domains that you can send email to regardless of whether your box host that domain or not.  locals contain domains that are to be treated locally.  This means that on stock qmail, if you have a unix user "david" and your locals contain and, all emails addressed to and are to be treated as local and sent to the unix user "david"

I personally patch qmail with smtp-auth to take care of relaying.  relay-ctrl used to do the job but it allows relays via ip addresses...  this is bad news for NAT-based systems as one valid email user inside the network allows all others from that network to use your box as relay.

Posted by David Kuczek on
Hey Deds,

thanks for the reply. I am testing some settings now and I only have in rcpthosts, but I can still send emails to my address?! Why? Before that I didn't have anything written in my rcpthosts. Well I am not 100% sure because I was using the webmin interface to do it. I also restarted qmail after I mad the changes to rcpthosts.

My server is located in a hosting farm and I am the only one having access to it. How could somebody use it to spam other people and how can I test if the relay is still open?

Posted by Sam Snow on
Places you can check to see if you are an open relay:

Now, to your other question: You have done the correct thing with rcpthosts, but you also need to look at your /etc/tcp.smtp file (mine was really located at /etc/qmail/tcp.smtp)

See for more info about how to set up this file, but it pretty much defines which computers are inside your network and you are OK with sending any mail for them-- and which ones are not.

Mine looks like this:

The first line alows localhost to send whatever mail they want. The second line allows anyone on our internal network to send any mail they want.


Posted by James Thornton on
Are you running SMTP auth? If so it is possible that you forgot the hostname param in the qmail-smtpd startup script (very common). If that is the case, then anyone can authenticate using any username and password. Spammers know and exploit this issue.
Posted by David Kuczek on
Hey Sam,

my /etc/tcp.smtp (the only one I found on my system) apparently only allows localhost to send emails. Or am I wrong?


James: I am not sure if I installed smtp-auth... How can I check? How could I change this configuration now? If I remember correctly I first had qmail-1.03 installed and then switched to netqmail-1.04. That's at least what a locate for qmail-smtpd wants me to remember.

I just did a open relay test at:

and all but one test failed:


<<< 250 flushed
<blockquote>>>> MAIL FROM:
<<< 250 ok
<blockquote>>>> RCPT TO:
<<< 250 ok
<blockquote>>>> DATA
<<< 354 go ahead
<blockquote>>>> MESSAGE
<<< 250 ok 1079078546 qp 6283


Relay Accepted - final response code 250

If you dont recieve it then its not a relay (Its still a Bad Thing (TM) that it accepted)

Check your email


I didn't get an email, neither did I find this mail in my qmail queue...

Posted by Deds Castillo on
_ my /etc/tcp.smtp (the only one I found on my system) apparently only allows localhost to send emails. Or am I wrong? _

You are correct.

_ James: I am not sure if I installed smtp-auth... How can I check? How could I change this configuration now? _

I am not James, but... if you can send email through any client or through a telnet to port 25 without the system asking you for a username/password then you probably don't have it installed.  smtp-auth exists as a patch and so you can't just change the configuration.  You need to apply it and recompile qmail.  Look for any of the several smtp-auth patches that exist at

_ To: _

qmail doesn't relay addresses of this format.  If you want to reject even the probe, then patch qmail with the patch located here:


12: What is ip ? (response to 1)
Posted by Patrina Nasiron on

Im monitoring the IDS. It keeps detecting sources which the highest number of attack in most signatures. What is ip, how does it been generated, how to deal with it, does it harmful, what if I blocked it, whats gonna happen?

Does it generated from my own machine such as the firewall or router which doesn't have an ip, simply say it is generated because the IDS coudn't find any ip from the machine?

Or something else?

Please guide.

Thank you.

Posted by your treat on
As far as I know, is the address of the network you're on, and is typically used by servers to broadcast out messages.

It's not surprising that ppl chose to play games with it, but when vendors of Firewalls like ZoneAlarm (appear to) require you to accept whatever comes in on it as a valid message, after which a sequence of other Ports are sent messages to and from your PC, then I ask myself, why are these ppl writing Firewalls? Why not just send everyone some virus and be done with it? appears to have yet another purpose. Although localhost is, you'll find quite a few connections to your own PC via the address, even subsequent to having been assigned an IP.

It also is used as a "starting" address, before you're assigned an IP. However, what "bugs" me is that remains unchanged in your system (if you run XP), and legitimate messages are not only sent by you to countless remote sites, using that IP, but the damn IP continues to be used by some of the most "sensitive" services and DLL's in your entire System, e.g. SvcHost, and System (which is Kernel32.DLL).

Alls I can say is that I do block lots of incoming messages to various programs, but if you block too much of it, you're going to find that you will be unable to connect to various sites to send them messages, as well.

Assumably, one would expect ICMP to be amongst the first messages, as well as, the response from which is recommended to be blocked.

It would seem that there are too many cooks in the kitchen, and each vendor choses to you it for their own purposes and in their own ways, from O/S's to Firewalls.

BTW. By msgs, I'm not inferring E-Mail or anything of the sort. Nor am I suggesting only ICMP is sent over it.

When I was coding mid-level TCP code on a Corporate Intranet
it was understood by all that referred to an address used by the Network Server to make "announcments" to clients. However, that too, was by agreement, and I would not suggest that even then was listened to for other purposes.

As a prime example for screw-ups, unless you take some measures to restrict Ports 445 and 135 from getting msgs from the outside, you might find it problematic, as they too listen for messages from, which (I would think) they assume is your own PC, long after you're assigned in IP address. (If running windows be careful about blocking those Ports. Even though RPC is not required for any good reason, Microsoft made it a requirement, and if those ports are blocking your own PC from getting messages from your Keyboard, you'll have to reinstall your partition, or your entire system, if you have no decent stand-alone backup software.)

I would not pretend to portray myself as entirely knowledgeable about, in fact, a Google search for it's purposes lead me to this thread, and I just jumped in, although I don't have the ACS software, or even have bothered to look up what it's about.

My quest for more info on continues via the search engine, in a moment. If I'm mistaken in anything I've mentioned, I would be interested in knowing what you would have a comment or correction, or ideas on, pls feel free to comment back to me at: (No need to worry about writing to a spammer, unless this is considered to be spam, as some might think. Instead, I've been programming since 1980, and have done Programming under DOS and windows using C, C++, Java, and more, for the past 11 years.)

Regards - T2

Posted by your treat on
Sorry, but I had to share this bit of conversation with you. It reflects that ALL AROUND confusion about, which I've just described as not only being the Network, the Servers' Network Card's Default Address, but also your own default address at startup, and also after startup, EVEN THOUGH or a range of IP;s would have been enough (for at least many folks.), rather than the idiotic and now accepted standard that can be you or it COULD BE the entire network, just as in a Broadcast to

So get a kick out of this bit of conversation I located at another site, in which the exact same question about was posed, and you'll note that from the VERY FIRST response, there is ALREADY a hint of what is to come, and it just gets worse! (Before I paste it here for yuour amusement, let me just say that it's been my experience that could be you or could be a broadcast to the entire Network. There is NO DEFINITIVE ANSWER to the question of what (I would suggest/argue), as the MEANING AND USE of IS ENTIRELY DEPENDENT upon what context you are seeing it being used.) So, for the thread starter, whom runs a Server, and was attempting to post stuff out to the Net, but sent garbage out to, YOU would need to make as assumption, or better yet, a somewhat informed guess, that the mail was NOT being sent between ports in his machine. A last bit of info.... as an address that MAY IN SOME CONTEXTS mean your PC, IS ALSO USED AS THE ADDRESS OF THE ORIGIN OF POSTS that are NOT, I repeat ARE NOT IN FACT MADE TO THE ENTIRE NETWORK!!! And that is yet one more thing that "bugs" me about the geniouses that came up with most of the stuff about the net, but that's my own personal bias. 1 Last tidbit on two very good sites with very knowledgable people running them:
check out Castle Cops, and also Wilders or it might be Wilder's Web Sites. They are highly knowledgeable, and if you can get a Mode or Admin to respond to a question, you'll get a really good answer in all the cases I've seen. The focus of these sites is on Security, HOWEVER, to do that, they all understand the details about various Port Numbers, and common addresses that any spy or hacker would want to take advantage of, and they know plenty more. Both are free sites, and the best I've found, but don't assume that the members are as knowledgable as those that run the Site, as that is far from being true all the time. Anyways as promised, here's an amusing exchange from another site that I just found about the exact same topic of
SiliconJonFebruary 7th, 2005, 07:27 PM
I learned something new today. is the IP address for the internet is THE broadcast address (no matter what your network address).

I wonder if I will remember is tomorrow...better write it down.


GroundZero3February 7th, 2005, 07:31 PM
where did you learn this?


[Neo770]February 7th, 2005, 07:35 PM
Sounds abit far fetched to me.


GroundZero3February 7th, 2005, 07:38 PM
i found this


mazdarx7-64February 7th, 2005, 07:38 PM is the broadcast address, but only for your network or subnet, not for the whole internet.


RedwolfFebruary 7th, 2005, 07:39 PM


[Neo770]February 7th, 2005, 07:40 PM
I thought the braodcast for say would be and all 255's would be an not useable. Or do I need to go back to my CISCO books :)


mazdarx7-64February 7th, 2005, 07:42 PM
neo you are right, my bad.


Gait_KeeperFebruary 7th, 2005, 07:55 PM
all alien to me.......but I'm learning


SiliconJonFebruary 8th, 2005, 05:19 PM
I didn't mean the whole internet on the 255 one...but rather a usable broadcast address for your own network segment despite whatever accurate broadcast address may be appropriate for your network address.

My machine doesn't have a conflict with (Server 2003 & XP Pro), but seems to be using this address for the merky cloud of the internet. Or so class is teaching me.

Ah, RFC3330 (


SiliconJonFebruary 8th, 2005, 05:22 PM "This" Network - Addresses in this block refer to source hosts on "this"
network. Address may be used as a source address for this
host on this network; other addresses within may be used to
refer to specified hosts on this network [RFC1700, page 4].

Hmmm...RFC1700 (