How is another IP sending email through my qMail?


My first question on here...

I have a VPS on which I have a few small websites and also run my email services. Every now and then I see messages in my mail queue that I did not send.

Firstly my setup:

Ubuntu 12.04
Latest Plesk Panel
qMail SMTP Server
Courier-imap

Using the Plesk panel, I have set up qmail to not act as an open relay, and users must use SMTP authentication to send to remote accounts. Also, short mailbox names are not allowed, only the full account names.

Today I received bounced messages. Upon checking my mail queue, I again found emails in there with multiple recipients that I have not sent.

These are not being sent by a script on my server, as I would see different header information with uid 33 being specified. Instead I see "invoked from network" in the mail header; an example is below...

Received: (qmail 17710 invoked from network); 2 Feb 2016 11:34:10 +0000 
Received: from unknown (HELO mx1.variationdesign.co.uk) (182.190.250.238) 
 by lvps212-67-205-193.vps.webfusion.co.uk with ESMTPA; 
 2 Feb 2016 11:34:09 +0000 
From: Merel de Bruin - Van de Beek <[email protected]> 
Content-Type: multipart/alternative; 
 boundary=Apple-Mail-29D34A60-FB4E-38B5-1BBF-7DDE23285FD2 
Content-Transfer-Encoding: 7bit 
Mime-Version: 1.0 (1.0) 
Subject: Re(4): Surprise 
Message-Id: <[email protected]>
Date: Mon, 2 Feb 2016 12:33:59 +0000
To: "sanderdejong" <[email protected]>,
 "Sanne van Roon" <[email protected]>,
 "Sarah Dormaar" <[email protected]>,
 "Sarah Tempelaar" <[email protected]>, "saskia middel" <[email protected]>,
 "Saskia Roovers" <[email protected]>,
 "sinta sinta ss" <[email protected]>,
 "Sinta de Wildt" <[email protected]>,
 "skizonespijkertje" <[email protected]>,
 "spijkertje matrix" <[email protected]>,
 "sroovers007" <[email protected]>, "sroovers75" <[email protected]>,
 "stali n" <[email protected]>, "stingarts" <[email protected]>,
 "suus rem" <[email protected]>, "svdbersselaar" <[email protected]>,
 "teresa villalobos" <[email protected]>, "teresavs" <[email protected]>,
 "Thomas Bollen" <[email protected]>
X-Mailer: iPad Mail (13A452)
X-PPP-Message-ID: <20160202113410.17689.25881@lvps212-67-205-193.vps.webfusion.co.uk>
X-PPP-Vhost: variationdesign.co.uk

The IP 182.190.250.238 has nothing to do with me, and I also never use mx1.variationdesign.co.uk.

Every time I want to send an email, I have to send my username and password to be able to send through this server.

My question is, how on earth is this person/people able to physically send emails through my VPS without authenticating?

I see in the logs around the same time "smtp_auth" for username [email protected], which is odd because that is actually just an alias and not an email account. The account itself uses my full name and a couple of numbers at the end; I did this to try to stop spammers from guessing the correct username.

My server is definitely sending these emails out and I can't figure out how they are doing it. What am I missing here?

I appreciate any help you can give me on this matter.

Kind regards

Seth

1

There is 1 answer

2
Luis Tellez On

qMail SMTP Server comes with a default configuration to be an open relay. Make sure you disable that so that only authenticated users can send emails. And stop your server before you get onto a blacklist for spam.

https://qmail.jms1.net/relay.shtml
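A triage aid for headers like the ones quoted in the question, added here as an example and not code from the original post or from qmail/Plesk: it separates local submissions ("invoked by uid N") from network ones and flags hops whose "with" keyword is ESMTPA or ESMTPSA, which RFC 3848 defines as ESMTP with successful SMTP AUTH. The function names and the second sample message are assumptions made for illustration.

```python
import re
from collections import Counter

# RFC 3848 "with" keywords that mean the client passed SMTP AUTH.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}

# Constructed samples: the first mirrors the Received lines quoted in the
# question, the second is a made-up local (web server uid) submission.
NETWORK_MSG = """\
Received: (qmail 17710 invoked from network); 2 Feb 2016 11:34:10 +0000
Received: from unknown (HELO mx1.variationdesign.co.uk) (182.190.250.238)
 by lvps212-67-205-193.vps.webfusion.co.uk with ESMTPA;
 2 Feb 2016 11:34:09 +0000
Subject: Re(4): Surprise
"""
LOCAL_MSG = """\
Received: (qmail 4242 invoked by uid 33); 2 Feb 2016 11:40:00 +0000
Subject: constructed local submission
"""

def unfold(headers):
    """Join folded header continuation lines (RFC 5322) into single lines."""
    return re.sub(r"\r?\n[ \t]+", " ", headers).splitlines()

def classify(headers):
    """Return origin, uid, client IP, protocol and auth status of a message."""
    info = {"origin": "unknown", "uid": None, "client_ip": None,
            "protocol": None, "authenticated": False}
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        uid = re.search(r"\(qmail \d+ invoked by uid (\d+)\)", line)
        if uid and info["origin"] == "unknown":
            info.update(origin="local", uid=int(uid.group(1)))
        elif "invoked from network" in line and info["origin"] == "unknown":
            info["origin"] = "network"
        hop = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+\S+\s+with\s+(\w+)", line)
        if hop and info["client_ip"] is None:
            info.update(client_ip=hop.group(1), protocol=hop.group(2),
                        authenticated=hop.group(2).upper() in AUTH_PROTOCOLS)
    return info

def authenticated_clients(messages):
    """Count remote IPs whose messages were accepted after SMTP AUTH."""
    found = (classify(m) for m in messages)
    return Counter(i["client_ip"] for i in found if i["authenticated"])

if __name__ == "__main__":
    print(classify(NETWORK_MSG))
```

A message classified as authenticated was accepted after a successful SMTP AUTH, so the smtp_auth log entry with the matching timestamp identifies which login's credentials to rotate.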