

Spammers Have Hijacked My Server

matthewamzn

2:57 pm on Oct 11, 2005 (gmt 0)

10+ Year Member

I just noticed today that thousands of emails are going out through my server. They're being sent through bogus email accounts like jjkl@mydomain.com and sdlfk@mydomain.com.

What should I do?

I have a linux server running apache v2.0.51 and the Plesk Reloaded control panel.

Tropical Island

3:07 pm on Oct 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Are you sure that they have actually hijacked your server, or are they just spoofing your domain and you are getting the bounce-backs?

We get all sorts of these from our domains however they are not coming from our servers.

matthewamzn

3:09 pm on Oct 11, 2005 (gmt 0)

10+ Year Member

They seem to be clogging up the real emails that go through our server (it takes a long time to receive an email).

jatar_k

3:19 pm on Oct 11, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member

I have had the scenario Tropical Island is describing happen to me

tons of emails sent with my address as the Return-path and Reply-to address

this does cause a ton of emails going through the mail server and can slow it down.

The first thing you need to figure out is what exactly is happening. Is it as we described, or have they found another way to send emails using your server? Mail logs should help track it down.

matthewamzn

3:54 pm on Oct 11, 2005 (gmt 0)

10+ Year Member

How do you read a maillog? From what I can decipher it looks like I am just receiving the bounces. I changed my preferences to block the bounces on unknown addresses.

kaled

3:57 pm on Oct 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Unless you have a formmail script installed on your system, it is almost certain that they are simply spoofing the return-path. The only thing that can be done is to close the mailbox.

If the emails are genuinely originating on your server, you'll need to adjust the security settings on your formmail script.

Kaled.

physics

4:00 pm on Oct 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Look in
/var/log
for the mail log which may be maillog or exim_*
You might try
tail -n100 maillog
or something like that.

Also use
$ top
and/or
$ ps auxw | less

To look at the running processes. If someone is sending tons of mails you may see the culprit program.

Also maybe try
$ cd /usr/local/apache/logs
$ grep -i formmail access_log

or something like that to see if someone has hijacked one of your online mail forms. If so you might just delete the formmail program or disable it somehow.

oneguy

8:48 pm on Oct 11, 2005 (gmt 0)

10+ Year Member

I don't mean to sound rude, but what you should really do is hire someone competent to manage your server.

Maybe your domain is just being spoofed, but it's only a matter of time before some disaster happens if you don't have someone keeping up with things and keeping things locked down.

The last thing you need is a real hack on your hands, and most of that is not being the easiest target.

wheel

1:20 am on Oct 12, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Just another in agreement on the above - I would go to the mail log files (on my server it's in /var/log/mail/info). Once you've found the log file I would enter the following command:

tail -f /path/to/log/file

The -f means it continues to spew out the log file to the screen, realtime. It's a great way to watch the logs 'live'.

You should also be able to see what's happening a bit better. For example, if your server is opening a connection to a remote server and delivering mail (very bad news - your server is either generating the spam or is relaying it) or your server is receiving the email (which means someone has spoofed the reply to address and the spam isn't coming from your server, all you're seeing is the bounces).
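The distinction physics and wheel are drawing (your server receiving bounces for addresses that don't exist, versus your server opening connections and delivering mail that a local process queued) is easy to check mechanically once you know the log format. The following is an added example, not code from any poster in this thread: it triages a few constructed log lines written in Postfix syslog style and reports what was rejected inbound, what went out, and which local uid submitted the outbound mail. Assumptions: the log format (a Plesk box of this era may be running qmail instead, whose lines differ, so the three regexes are the part to adapt), the sample lines themselves, and that uid 48 is the web server user, which is the case on the Red Hat style systems the example assumes.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix syslog format (not from the poster's server).
SAMPLE_LOG = """\
Oct 11 14:50:01 web postfix/smtpd[1234]: NOQUEUE: reject: RCPT from mail.remote.example[203.0.113.5]: 550 5.1.1 <jjkl@mydomain.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<jjkl@mydomain.com> proto=ESMTP helo=<mail.remote.example>
Oct 11 14:50:01 web postfix/smtpd[1234]: NOQUEUE: reject: RCPT from mta7.isp.example[203.0.113.9]: 550 5.1.1 <sdlfk@mydomain.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<sdlfk@mydomain.com> proto=ESMTP helo=<mta7.isp.example>
Oct 11 14:50:02 web postfix/pickup[1200]: A1B2C3D4E5: uid=48 from=<apache@web.mydomain.com>
Oct 11 14:50:02 web postfix/smtp[1240]: A1B2C3D4E5: to=<victim1@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 OK)
Oct 11 14:50:02 web postfix/smtp[1240]: A1B2C3D4E5: to=<victim2@example.net>, relay=mx.example.net[198.51.100.8]:25, delay=0.6, delays=0.1/0/0.2/0.3, dsn=2.0.0, status=sent (250 OK)
Oct 11 14:50:03 web postfix/local[1250]: F6E7D8C9B0: to=<matthew@mydomain.com>, relay=local, delay=0.1, delays=0/0/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# Inbound SMTP connection rejected because the local recipient does not exist:
# this is a remote MTA bouncing spam that forged your domain (backscatter).
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (\S+?)\[([\d.]+)\]: 550 .*?to=<([^>]*)>")
# Your server delivering to a remote relay: the mail originated or was relayed here.
OUTBOUND_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]*)>, relay=([^\[,]+)\[")
# Local submission via the pickup daemon records which uid handed the mail in.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")


def triage(log_text):
    """Summarise inbound rejects, outbound deliveries and who queued them."""
    inbound_rejects = Counter()   # rejected local recipient -> count
    outbound = []                 # (queue_id, recipient, relay host)
    queued_by = {}                # queue_id -> local uid that submitted it
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            inbound_rejects[m.group(3)] += 1
            continue
        m = PICKUP_RE.search(line)
        if m:
            queued_by[m.group(1)] = int(m.group(2))
            continue
        m = OUTBOUND_RE.search(line)
        if m:
            outbound.append((m.group(1), m.group(2), m.group(3)))
    # -1 marks outbound mail whose submitter was not seen in this log excerpt
    outbound_by_uid = Counter(queued_by.get(qid, -1) for qid, _, _ in outbound)
    return {
        "inbound_rejects": dict(inbound_rejects),
        "outbound_count": len(outbound),
        "outbound_by_uid": dict(outbound_by_uid),
    }


def verdict(summary, web_uid=48):
    """web_uid is an assumption: the uid Apache runs as on the sample system."""
    if summary["outbound_by_uid"].get(web_uid, 0):
        return "web server uid is submitting outbound mail: check form scripts"
    if summary["outbound_count"]:
        return "outbound mail present: check who is submitting it"
    return "only inbound bounces to unknown users: your domain is being spoofed"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s)
    print(verdict(s))
```

On a real box, replace SAMPLE_LOG with the contents of the file physics and wheel point at (`/var/log/maillog` or wherever Plesk puts it). Two rejected inbound recipients with `from=<>` are bounces and cost you nothing but log noise; two `status=sent` deliveries to remote MX hosts queued by the web server's uid are the bad news wheel describes, and the grep for formmail in the Apache access log is the next step.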

matthewamzn

6:53 am on Oct 12, 2005 (gmt 0)

10+ Year Member

What exactly does relaying email mean? I'm considering just turning this option off.

Shaundm

12:06 pm on Oct 12, 2005 (gmt 0)

10+ Year Member

I had a similar scenario where something was sending e-mails from support@mydomain.com, to my actual e-mail address saying I needed to check some files and it was sent from the support department. Needless to say I didn't open the attachment. They carried on for about 1 month and now have stopped. I set up my spam to not show e-mails from support@mydomain.com so they didn't clog up my e-mail inbox.

Not sure how to solve it, maybe time and it will go away?

wheel

1:31 pm on Oct 12, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

>> What exactly does relaying email mean? I'm considering just turning this option off.

Google on 'open relay'. There are websites that will test your server. You shouldn't be an open relay - and you likely aren't.

Basically it means if your server receives an email from an external source it will forward it on. Spammers can use open relays to bounce emails all over the place and obscure their origin.

I got hammered once by some spammers. They were taking advantage of a hole in one of my scripts. The script would only send to a defined 'to' field - the domain owner. However the spammers figured out a way to put a list of addresses in the 'from' field which the script let pass - but the email program took as becoming part of the 'to' field. They were sending out a ton of spam off my machine and I had a heck of a time figuring out what they were doing. Cost me a good pile of money in bandwidth.
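What wheel describes is mail header injection: a form script copies the visitor's 'from' field into the message header block, the spammer puts a line break and a `Bcc:` header inside that field, and an MTA invoked as `sendmail -t` reads its recipient list from the headers, so the Bcc list becomes extra envelope recipients. The block below is an added example, not wheel's script or any code from this thread. It shows the flawed pattern beside a hardened version and emulates how the MTA would read the result; SITE_OWNER, the address regex and the attacker input are all constructed for the illustration.

```python
import re
from email import message_from_string

# Assumed fixed recipient the form script is meant to deliver to.
SITE_OWNER = "owner@mydomain.com"
# Conservative address shape; anything not matching is refused outright.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _render(sender, subject, body):
    # The text that would be piped to `sendmail -t`, which takes its envelope
    # recipients from the To/Cc/Bcc headers of the message itself.
    return (f"To: {SITE_OWNER}\r\n"
            f"From: {sender}\r\n"
            f"Subject: {subject}\r\n"
            f"\r\n{body}\r\n")


def build_vulnerable(sender, subject, body):
    """Flawed pattern: the form's 'from' field goes into the headers unchecked."""
    return _render(sender, subject, body)


def is_clean_sender(sender):
    """Refuse anything that could terminate the From line and start a new header."""
    return "\r" not in sender and "\n" not in sender and bool(ADDR_RE.match(sender))


def build_hardened(sender, subject, body):
    """Same message, but untrusted header fields are validated first."""
    if not is_clean_sender(sender):
        raise ValueError("invalid sender address")
    subject = " ".join(subject.splitlines())  # a subject must not span lines either
    return _render(sender, subject, body)


def recipients_as_mta_sees(raw):
    """Emulate `sendmail -t`: collect addresses from To, Cc and Bcc headers."""
    msg = message_from_string(raw)
    rcpts = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            rcpts.extend(a.strip() for a in value.split(",") if a.strip())
    return rcpts


# Constructed attacker input: a plausible address, then CRLF and a Bcc header.
INJECTED_FROM = "spammer@example.net\r\nBcc: victim1@example.org, victim2@example.net"

if __name__ == "__main__":
    print(recipients_as_mta_sees(build_vulnerable(INJECTED_FROM, "hello", "test")))
    print(is_clean_sender(INJECTED_FROM), is_clean_sender("alice@example.com"))
```

With the vulnerable builder the MTA sees three recipients, the owner plus the two injected ones, even though the script only ever wrote one `To:` line; the hardened builder refuses the field before any message is rendered. The same check belongs on every form field that ends up in a header (subject, reply-to, name), which is the "security settings" kaled refers to for formmail-style scripts.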