March 5th, 2011, 05:51 AM
[SOLVED] Clamav sending spam - invoked by uid 509 (qscand == clamd)
I am having a big problem with my qmail server.
The mail server keeps getting locked up with tens of thousands of spam emails.
So, I followed some instructions to find out what one of the spam queue mails looks like:
I can clear the queue spams, easy, but after an hour or so the server is dead again: not receiving emails and not sending out emails. And in a few hours, the queue emails rack up to ~43000 spams.
/usr/bin/qmhandle.pl -m<MESSAGE NUMBER> | grep Received
So here is one example of the queue header. From the previous link, they say if it was Apache, it means a PHP script is compromised, etc. But in my case, UID 509 is qscand, which is clamav.
Received: (qmail 356 invoked by uid 509); 4 Mar 2011 21:39:10 +0800
Received: from 184.108.40.206 by host1.wemotor.com (envelope-from <firstname.lastname@example.org>, uid 508) with qmail-scanner-1.25-st-qms
Received: from unknown (HELO 220.127.116.11) (18.104.22.168)
Received: from oxtso8.yahoo.com (oxtso8.yahoo.com [22.214.171.124]) by with SMTP;
qscand 3112 0.6 9.6 152164 100240 ? Ssl 20:12 1:03 /usr/local/sbin/clamd
Does anyone know what is happening? I mean, why is clamav spamming? All the spam domains read something like 'msa.hinet.net'.
[root@host1 ~]# egrep -i "^qscand" /etc/passwd
Some tutorial says that I should pay attention to "(envelope-from <email@example.com>, uid 508)", which is UID=508, and that is vpopmail. So I really have no idea how someone can get access to use the server as a relay to spam out.
note: latest clamav 0.97, spamassassin 3.2.4
March 7th, 2011, 08:30 PM
After a week of working on this, I found out that the effective way to solve this problem is to block the IP.
Focus on "Received: from 126.96.36.199", so that's the IP that you should block.
Blocking the IP from iptables (firewall) doesn't work for me. What I did: I edited my "/etc/tcp.smtp" to look something like:
I get spams from two IP ranges, and I'd like to totally block the whole range (these are known spammers).
IMPORTANT: don't forget to reload the cdb (else it won't work, I learnt it the hard way):
> qmailctl cdb
Note: I think the way they manage to do this is by sending a virus/malware together with a huge CC list. Clamav will try to reply to all with the original message without the malware/virus, achieving their intention to use the server as a relay. This is just my guess after a week of primitive "wire tapping" and a bunch of virus notifications from the spammer host in my postmaster [at] domain.com.
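
Added example, not part of the original posts: a Python sketch of the triage described in the thread, which reads the Received headers of queued messages, takes the client IP from the line the local qmail-scanner wrote (that line is added by your own server, so it is not sender-supplied), and prints `tcp.smtp` deny lines for prefixes that recur. The /24 aggregation, the `min_hits` threshold, the function names and the sample addresses (documentation ranges) are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Shape of the header qmail-scanner adds, as shown in the first post:
# Received: from <client ip> by <host> (envelope-from <addr>, uid N) with qmail-scanner-...
SCANNER_RE = re.compile(
    r"^Received: from (\d{1,3}(?:\.\d{1,3}){3}) by \S+ "
    r"\(envelope-from <([^>]*)>, uid (\d+)\) with qmail-scanner"
)

def scanner_clients(header_lines):
    """Yield the SMTP client IP from each qmail-scanner Received line."""
    for line in header_lines:
        m = SCANNER_RE.match(line.strip())
        if not m:
            continue  # "(qmail N invoked by uid ...)" and HELO lines are skipped
        try:
            yield ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # digits that do not form a valid IPv4 address

def deny_rules(header_lines, min_hits=2):
    """Return tcp.smtp deny lines for /24 prefixes seen at least min_hits times."""
    hits = Counter()
    for ip in scanner_clients(header_lines):
        # tcprules matches an address prefix written with a trailing dot
        prefix = ".".join(str(ip).split(".")[:3]) + "."
        hits[prefix] += 1
    return [f"{p}:deny" for p, n in sorted(hits.items()) if n >= min_hits]

# Constructed sample: grep'd Received lines from several queued messages
# (hypothetical host name and documentation-range IPs, not from the thread).
SAMPLE = [
    "Received: (qmail 356 invoked by uid 509); 4 Mar 2011 21:39:10 +0800",
    "Received: from 203.0.113.7 by mail.example.org (envelope-from <a@example.net>, uid 508) with qmail-scanner-1.25-st-qms",
    "Received: from unknown (HELO 203.0.113.7) (203.0.113.7)",
    "Received: from 203.0.113.92 by mail.example.org (envelope-from <b@example.net>, uid 508) with qmail-scanner-1.25-st-qms",
    "Received: from 198.51.100.20 by mail.example.org (envelope-from <c@example.net>, uid 508) with qmail-scanner-1.25-st-qms",
    "Received: from 999.1.1.1 by mail.example.org (envelope-from <d@example.net>, uid 508) with qmail-scanner-1.25-st-qms",
]

if __name__ == "__main__":
    print("\n".join(deny_rules(SAMPLE)))
```

Review the printed lines before adding them to `/etc/tcp.smtp`, then rebuild the cdb as the post says.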