Hi 2gether

I have noticed a big traffic on my server network interface, so I examined the connections. There were a extraordinary load of mails. So I shut down SMTP Service and checked postfix's mail queue. There were over 500 mails in the queue...actually this was very strange, because for domain e-mail I use an external mailserver, not the ISPConfig Mailserver. I need the ISPConfig Mailserver only for delivering mails out of the users pages, like from contact formulars etc (mostly via php mail on the users webpages).

I discovered that the 500 mails in the queue were all SPAM-Mails. They should be sent over the virtual network interface configured during install procedure on perfect how-to for Debian 3 for SSL...:confused: How was it possible to inject these SPAM e-mails in my ISPConfig SMTP Server? It shouldn't be an open-relay mail-server in standard configuration, but somebody could use as it?! Recently I installed a webpage on "drupal 5.1" with contact form. I guess it was send via an security hole on that page. But it shouldn't be possible, shoud it? ISPConfig Server should block that? Otherwise I'm always exposed to the risk of the webpages of my users? Perhaps I should solve that with more restrictive rules.. ? :-)

I checked also /var/mail/ and there is a very big file for "www-data", it's about 250 MB. I guess this is the mailbox for user "www-data". I don't know who or what should be in there, in that mailbox for user "www-data"...I guess returned e-mails or something like that?

How can I a) access the "www-data" mailbox (what password?) and delete these e-mails?

And b) WHY is there that much data in? As far as I can see, "www-data" is my apache user which is used everytime an user of a users-page sends a e-mail via e.g. a web form like contact or similar. Can I change this? Is it possible each user has to authenticate or that I can see which of my users/customers has send out certain mails or which website was (mis)used for that? (instead of "www-data"). Does "suexec" also works for that? I guess it's only for CGI...actually I don't have checked "suexec" in my ISPConfig config.

How can I bring ISPConfig Server to send out mails from a domain that is hosted on that server, but e-mails are processed by an other, external e-mail server in my DMZ? Can I just choose Mailserver: External Mailserver under "options" of my ISP Web settings? Otherwise mails via an customers contact formular are not send out, because DNS reports the same external IP for my web and mail server (it's in the same LAN/DMZ), so ISPConfig Server tries to send it locally. But there is no such e-mail-user on ISPConfig Server, because I want to send those e-mails to my mailserver who's handling these e-mails for that domains...

Thanks so much for any help in advance,
p@sco

by the way: it's very strange, that the mails have sent out from my virtual network interface, isn't it? Now I "discovered" also "man" in my /var/mail directory. I don't have an user/mailbox called "man". Is this a trace from a hacker?

my "external-mail-server"-Problem is related to my dns entries I guess. I use the webserver also as primary dns server. So the mx record points to the external IP. Port 25 is forwarded to my mailserver, Ports 53 and 80 to my web-/dns-ISPConfig-Server.

Now the mails dont leave the ISPConfig Server, it tries to send them locally. I tried to take "use external mailserver". Does perhaps an entry to the hosts file solve the problem? Or do I need to configure an alias in postfix?

Your problem might be caused by a form script e.g. written in PHP that does not check all parameters correctly and so allows spam mail injection. Even some older versions of common CMS systems have these problems.

Thx. Yes, I have three different CMS installed. So it might be a security hole in one of them. But why are mails sent out on the virtual network interface?

And how can I prevent that my server will get misused? Now, there are only my pages hosted on my server, but if I have a lot of users, and I don't know exactly what kind of form scripts they have on their sites?

Is there a possibility to prevent this?

And can you give me a hint please, how I can access "www-data"'s, root's and others mailboxes? I even don't know the password for "www-data"...

As far as I know, here is no 100% solution to prevent misuse of mail forms. If you run PHP under different users with e.g. suphp, you will at least be able to see which website has the vulnerable script. One other option might be to configure your postfix so that outgoing emails are scanned by a spamassassin instance, but this may lead to undelivered mails if a false positive is rejected.

You can access the mailboxes of the users by switching with su to the user and then use a commandline program like elm to read the mails. But in most cases it might be enough to just delete the complete mailbox file.

OK. I'll install SuPHP in that case. I just want to prevent that my server/IP will be listet on SPAM BlackLists and that people can send out unsoliced mail.

Thx for the hint for accessing the mailboxes. Can I just delete the mailbox file and postfix will create a new one, if mail will be delivered to that user again? Anyhow, is there a way to access mailbox of www-data via IMAP? And what is the password then for user "www-data"? I don't know if I had configured that?!

Is it possible that somebody has created a new mailbox-user on my system without my knowledge? There seems to be the mailbox-user "man" on my box, who I don't know...

Can I just delete the mailbox file and postfix will create a new one, if mail will be delivered to that user again?
There's an easier way to delete mails in an mbox file:
cat /dev/null > /path/to/mbox

Anyhow, is there a way to access mailbox of www-data via IMAP? And what is the password then for user "www-data"? I don't know if I had configured that?!
You 'd have to give www-data a password first (normally that user has no password):
passwd www-dataBut this might be a security risk. It's better to create an alias for www-data in /etc/aliases so that the mails go to another account. Don't foret to run newaliases afterwards and restart Postfix.

cool. thx for your help.

(normally that user has no password)

That means, nobody can log-in with this user, right?

I deleted all the crap in www-data mailbox now :D. Thx. And I found the contact form that was misused and took it off the public web content. It was a self-made CMS System (not by me :cool:) ...pfff.. Let's see if the SPAM stops now, but I'm pretty sure.

Can you tell me, why the unwanted mail was sent out on the virtual network interface, that was configured for SSL?

That means, nobody can log-in with this user, right? Right.


Can you tell me, why the unwanted mail was sent out on the virtual network interface, that was configured for SSL?
Is it the same IP address than the one where the Apache vhost with the vulnerable web form is listening on?

Is it the same IP address than the one where the Apache vhost with the vulnerable web form is listening on?
No, not one of the Apache vhosts uses the virtual ip adress actually...

Hm, then I don't know why this happens... :confused: