#1

    [SOLVED] Clamav sending spam - invoked by uid 509 (qscand == clamd)


    Hi,
    I am having a big problem with my qmail server.

    The mail server keeps getting locked up with tens of thousands of spam emails.

    So, I followed some instructions to find out what one of the spam queue mails looks like:

    Code:
    /usr/bin/qmhandle.pl -m<MESSAGE NUMBER> | grep Received
    I can clear the queue spams, easy, but after an hour or so the server is dead again: not receiving emails and not sending out emails. And in a few hours, the queue emails rack up to ~43000 spams.

    Code:
    Received: (qmail 356 invoked by uid 509); 4 Mar 2011 21:39:10 +0800
    Received: from 125.110.124.51 by host1.wemotor.com (envelope-from <oiazfkdvd@yahoo.com.tw>, uid 508) with qmail-scanner-1.25-st-qms
    Received: from unknown (HELO 202.46.116.119) (125.110.124.51)
    Received: from oxtso8.yahoo.com (oxtso8.yahoo.com [185.46.188.246]) by  with SMTP;
    So here is one example of the queue header. According to the previous link, if it was Apache, it means a PHP script is compromised, etc. But in my case, UID 509 is qscand, which is clamav.

    Code:
    qscand    3112  0.6  9.6 152164 100240 ?       Ssl  20:12   1:03 /usr/local/sbin/clamd
    Code:
    [root@host1 ~]# egrep -i "^qscand" /etc/passwd
    qscand:x:509:509:Qmail-Scanner Account:/home/qscand:/bin/false
    [root@host1 ~]#
    Does anyone know what is happening? I mean, why is clamav spamming? All the spam domains read something like 'msa.hinet.net'.

    Some tutorial says that I should pay attention to "(envelope-from <oiazfkdvd@yahoo.com.tw>, uid 508)", which is UID=508 and that is vpopmail. So I really have no idea how someone can get access to use the server as a relay to spam out.

    note: latest clamav 0.97, spamassassin 3.2.4
#2
    After a week of working on this, I found out that the effective way to solve this problem is to block the IP.

    Focus on "Received: from 125.110.124.51", so that's the IP that you should block.

    Blocking the IP from iptables (firewall) doesn't work for me. What I did: I edited my "/etc/tcp.smtp" to look something like:

    Code:
    127.:allow,RELAYCLIENT=""
    192.168.0.2:allow,RELAYCLIENT=""
    :allow,SMTPAUTH=""
    125.110.:deny
    60.181.:deny
    :deny

    I get spams from two IP ranges, and I'd like to totally block the whole range (these are known spammers).

    IMPORTANT: don't forget to reload the cdb (else it won't work, I learnt it the hard way):
    > qmailctl cdb

    good luck.

    note: I think the way they manage to do this is by sending a virus/malware together with a huge CC list. Clamav will try to reply to all with the original message without the malware/virus, achieving their intention to use the server as a relay. This is just my guess after a week of primitive "wire tapping" and a bunch of virus notifications from the spammer host in my postmaster [at] domain.com.
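
As an added example (not from the original poster), the script below does the triage described in this thread in code: it pulls the connecting IP out of the qmail-scanner `Received:` header of each queued message, tallies the sources, and checks each one against the tcp.smtp rules above using tcprules' most-specific-prefix lookup. The queued headers and hostnames are constructed samples; the rule text is the poster's, and the handling of duplicate keys (first occurrence wins) is an assumption about cdb lookup order.

```python
"""Triage queued qmail headers and check their source IPs against tcp.smtp rules."""
import re
from collections import Counter

# Constructed sample: Received headers as printed by qmhandle.pl for two queued spams.
SAMPLE_QUEUE = [
    [
        "Received: (qmail 356 invoked by uid 509); 4 Mar 2011 21:39:10 +0800",
        "Received: from 125.110.124.51 by host1.example.com (envelope-from <x@example.com>, uid 508) with qmail-scanner-1.25-st-qms",
        "Received: from unknown (HELO 202.46.116.119) (125.110.124.51)",
    ],
    [
        "Received: (qmail 401 invoked by uid 509); 4 Mar 2011 21:40:02 +0800",
        "Received: from 60.181.7.9 by host1.example.com (envelope-from <y@example.com>, uid 508) with qmail-scanner-1.25-st-qms",
    ],
]

# The /etc/tcp.smtp from the post, verbatim (including its two default ":" rules).
TCP_SMTP = """127.:allow,RELAYCLIENT=""
192.168.0.2:allow,RELAYCLIENT=""
:allow,SMTPAUTH=""
125.110.:deny
60.181.:deny
:deny
"""

# The qmail-scanner header names the peer that actually connected to our SMTP port.
SCANNER_RE = re.compile(r"^Received: from (\d+\.\d+\.\d+\.\d+) by \S+ .*with qmail-scanner")

def source_ip(headers):
    """Return the connecting IP recorded by qmail-scanner, or None if absent."""
    for line in headers:
        m = SCANNER_RE.match(line)
        if m:
            return m.group(1)
    return None

def count_sources(queue):
    """Count queued messages per connecting IP (the IPs worth blocking)."""
    return Counter(ip for ip in map(source_ip, queue) if ip)

def parse_rules(text):
    """Parse 'key:instruction' lines; first occurrence of a key wins (assumed cdb order)."""
    rules = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, instr = line.partition(":")
            rules.setdefault(key, instr)
    return rules

def decide(rules, ip):
    """tcprules order: exact IP, then 1.2.3., 1.2., 1., then the empty default key."""
    parts = ip.split(".")
    for key in [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]:
        if key in rules:
            return rules[key]
    return None
```

Run `count_sources` over the headers of every message in the queue and feed the top IPs to `decide` to confirm the deny rules actually cover them before running `qmailctl cdb`.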
