My server got hacked and is being used to SPAM
Guys,
I really need some help with this and I'm very much a noob. I followed the out-of-the-box instructions to get my ISPConfig server up and running. I am getting dozens of bounced spam emails that are either being sent through my server or spoofed through my domain. How can I stop this? HELP
This does not generally mean that your server got hacked, as anyone may use your domain as the sender address, which does not necessarily mean that the emails have been sent from your server. Please post an excerpt of your mail log and the content of the file /etc/postfix/main.cf
Also make sure that you have a correct SPF record set up for the domain, so that only that server is allowed to send outgoing email for it.
Another tip:
Verify your mail.log files and try to find out via which user the spam is being sent. Also go to http://www.mxtoolbox.com/blacklists.aspx and check that your server has not been blacklisted in the meantime. To check if you have an open relay, you can use the site http://www.abuse.net/relay.html. If you have an insecure contact form in one of your websites, you will probably see that the spam has been sent via a system user. If you use a default ISPConfig server, this is the Apache user. On Debian this is www-data, but it can be different on other Linux distributions. If you use ISPConfig with suPHP enabled, insecure contact forms are easier to locate, because in that case the spam has been sent via the webadmin of that website and not via the Apache user.
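The tip above boils down to grouping queued messages by who handed them to Postfix. As an added example (not code from the thread or from ISPConfig), this Python script does that over constructed sample lines in Postfix's syslog format: pickup lines carry the local uid (33 is www-data on Debian/Ubuntu, the case a hacked contact form produces), smtpd lines carry sasl_username for authenticated submissions, and qmgr lines carry the recipient count. All hostnames, addresses, queue IDs and user names in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread): two messages injected by the
# web server user, one authenticated submission, one inbound bounce, and one
# rejected relay attempt that never received a queue id.
SAMPLE_LOG = """\
Jan 17 00:15:02 isp postfix/pickup[2101]: 4F2A1B2C3D: uid=33 from=<www-data>
Jan 17 00:15:02 isp postfix/cleanup[2105]: 4F2A1B2C3D: message-id=<20130117001502.4F2A1B2C3D@isp.xxx.net>
Jan 17 00:15:02 isp postfix/qmgr[1980]: 4F2A1B2C3D: from=<www-data@isp.xxx.net>, size=1821, nrcpt=40 (queue active)
Jan 17 00:16:12 isp postfix/smtpd[8464]: 7E9D0A1B2C: client=client.example.org[198.51.100.7], sasl_method=LOGIN, sasl_username=web1_user
Jan 17 00:16:12 isp postfix/qmgr[1980]: 7E9D0A1B2C: from=<web1_user@xxx.net>, size=912, nrcpt=1 (queue active)
Jan 17 00:17:40 isp postfix/pickup[2101]: 9A8B7C6D5E: uid=33 from=<www-data>
Jan 17 00:17:40 isp postfix/qmgr[1980]: 9A8B7C6D5E: from=<www-data@isp.xxx.net>, size=1790, nrcpt=55 (queue active)
Jan 17 00:18:01 isp postfix/smtpd[8470]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <victim@example.com>: Relay access denied; from=<spam@example.net> to=<victim@example.com> proto=ESMTP helo=<x>
Jan 17 00:19:23 isp postfix/smtpd[8472]: B1C2D3E4F5: client=mx.example.com[192.0.2.25]
Jan 17 00:19:23 isp postfix/qmgr[1980]: B1C2D3E4F5: from=<>, size=4410, nrcpt=1 (queue active)
""".splitlines()

# "postfix/<daemon>[pid]: <queue id>: <details>"
QUEUED = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")


def summarize_senders(lines):
    """Group queued messages by how they entered Postfix and who injected them.

    Returns {origin: {"messages": n, "recipients": n}} where origin is
    'local uid=<n> (<user>)' (sendmail/pickup, e.g. a PHP contact form),
    'sasl <user>' (authenticated SMTP submission) or 'inbound <client>'
    (mail received from another server, e.g. bounces of spoofed mail).
    """
    origin = {}   # queue id -> origin string
    nrcpt = {}    # queue id -> recipient count reported by qmgr
    for line in lines:
        m = QUEUED.search(line)
        if not m or m["qid"] == "NOQUEUE":   # rejected mail never gets a queue id
            continue
        prog, qid, rest = m["prog"], m["qid"], m["rest"]
        if prog == "pickup":
            u = re.search(r"uid=(\d+) from=<([^>]*)>", rest)
            if u:
                origin[qid] = f"local uid={u[1]} ({u[2]})"
        elif prog == "smtpd":
            sasl = re.search(r"sasl_username=([^\s,]+)", rest)
            client = re.search(r"client=([^\s,]+)", rest)
            if sasl:
                origin[qid] = f"sasl {sasl[1]}"
            elif client:
                origin[qid] = f"inbound {client[1]}"
        elif prog == "qmgr":
            n = re.search(r"nrcpt=(\d+)", rest)
            if n:
                nrcpt[qid] = int(n[1])
    summary = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for qid, who in origin.items():
        summary[who]["messages"] += 1
        summary[who]["recipients"] += nrcpt.get(qid, 0)
    return dict(summary)


def ranked(summary):
    """Origins sorted by recipient volume, the usual signature of a spam run."""
    return sorted(summary.items(),
                  key=lambda kv: (-kv[1]["recipients"], -kv[1]["messages"], kv[0]))


if __name__ == "__main__":
    for who, stats in ranked(summarize_senders(SAMPLE_LOG)):
        print(f"{stats['messages']:4d} msgs {stats['recipients']:5d} rcpts  {who}")
```

On a real server, pass the log file instead of the sample (for example `summarize_senders(open("/var/log/mail.log"))`); a local uid that tops the list points at a script run by that system user, while a single sasl user with a large recipient count points at a stolen mailbox password.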
What's the location of my mail log and I'll post?
Please have a look at your directory /var/log/.
You can follow the activities within your log file with the command: tail -f /var/log/mail.log (press Ctrl+C to exit your session).
main.cf contents
Here's the /etc/postfix/main.cf content. I have removed my domain references and replaced them with xxx. I'm also working on getting the mail log when I figure out where it is.
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = isp.xxx.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = isp.xxx.net, localhost.xxx.net, , localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject _una$
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
virtual_maps = hash:/etc/postfix/virtusertable
mydestination = /etc/postfix/local-host-names
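The settings in a main.cf that decide who may relay through the server are the restriction lists, mynetworks and the SASL/TLS switches. As an added check that is not code from the thread or from Postfix, this Python script parses a main.cf in Postfix's format (name = value, with continuation lines and later values overriding earlier ones) and reports what those settings allow. Both sample files are constructed: the first is modelled on the posted one, with its cut-off restriction line completed by assumption as reject_unauth_destination; the second is a deliberately open relay for contrast.

```python
import ipaddress
import re

# Constructed main.cf modelled on the one posted in the thread. The posted copy
# of the restriction line is cut off ("reject _una$"), so the usual Postfix
# entry reject_unauth_destination is assumed here.
SAMPLE_MAIN_CF = """\
# comments and blank lines are ignored
myhostname = isp.xxx.net
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""

# Constructed counter-example of a configuration that really is an open relay.
OPEN_RELAY_MAIN_CF = """\
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, permit
"""

RELAY_GATE = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues
    the previous value, and a repeated name overrides the earlier one, as in Postfix."""
    cfg, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and name is not None:
            cfg[name] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        name = key.strip()
        cfg[name] = value.strip()
    return cfg


def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def relay_findings(cfg):
    """Return human-readable findings about who this main.cf lets relay mail."""
    findings = []
    lists = [split_list(cfg.get(k, "")) for k in
             ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")]
    if not any(RELAY_GATE & set(lst) for lst in lists):
        findings.append("OPEN RELAY risk: main.cf sets no reject_unauth_destination; "
                        "Postfix before 2.10 relays for everyone in that case, newer "
                        "versions fall back to the built-in smtpd_relay_restrictions "
                        "(check with: postconf smtpd_relay_restrictions)")
    for lst in lists:
        for entry in lst:
            if entry in RELAY_GATE:
                break
            if entry == "permit":
                findings.append("OPEN RELAY: unconditional 'permit' is evaluated "
                                "before the relay gate, so every client may relay")
                break
    for net in split_list(cfg.get("mynetworks", "")):
        if ":" in net and "[" not in net:      # lookup table, e.g. hash:/etc/postfix/nets
            findings.append(f"mynetworks reads {net}; review that table by hand")
            continue
        try:
            n = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(f"mynetworks entry {net!r} not understood; review by hand")
            continue
        if n.prefixlen == 0:
            findings.append(f"OPEN RELAY: mynetworks trusts {net}, i.e. the whole Internet")
        elif not n.is_loopback:
            findings.append(f"mynetworks trusts {net}: those hosts relay without a password")
    if (cfg.get("smtpd_sasl_auth_enable", "no") == "yes"
            and cfg.get("smtpd_tls_auth_only", "no") != "yes"):
        findings.append("smtpd_tls_auth_only = no: SASL passwords may be sent before "
                        "STARTTLS and can be sniffed; a leaked password is another way "
                        "an otherwise closed relay ends up sending spam")
    return findings


if __name__ == "__main__":
    for label, text in (("posted-style config", SAMPLE_MAIN_CF),
                        ("open relay config", OPEN_RELAY_MAIN_CF)):
        print(f"== {label}")
        for finding in relay_findings(parse_main_cf(text)):
            print(" -", finding)
```

Run it on the live file with `relay_findings(parse_main_cf(open("/etc/postfix/main.cf").read()))`; the script reads only what main.cf says, so for settings inherited from compiled-in defaults the authoritative answer is `postconf`.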
mail log
Here is an excerpt from my mail log. I tried to go back to when the problem was at its worst yesterday, but it appears the log doesn't retain information that long. The number of bounced spam messages has slowed quite a bit in the past 24 hours.
Code:
Jan 17 00:14:59 isp postfix/smtpd[8464]: connect from ftp.dbldistributing.com[208.51.73.51]
If spammers are using your domain in the sender address, then there's nothing you can do about it. They can send their spam from other servers, but the bounces go to your server. :(