HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   ISPConfig 3 Priority Support (http://www.howtoforge.com/forums/forumdisplay.php?f=35)
-   -   My server is sending spam (http://www.howtoforge.com/forums/showthread.php?t=61738)

ressel 6th May 2013 16:13

My server is sending spam
 
Hello everyone,

I can see my server is being used for sending spam, but I really can't figure out how to close their way into my server, I can se they use multiple ip's to send spam with.

Until now they have only used 1 single customer mail addresse let's just call it webuser@companymail.tld

To prevent them to send more spam I have from ispconfig panel blocked the email in postfix blacklist as sender.

I have tried check for open relay with http://www.mailradar.com/openrelay/ and the result was All tested completed! No relays accepted by remote host!

I have tried disable the customers website and make sure its wasn't mail() by going through /var/log/phpmail.log and result is: spam is not from the website.

I have tried change password on the mail user, but spam was still going into mail queue (the customer don't even know the password atm.).

This is my postfix main.cf have following content:
Code:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

#SPF tjek (http://www.howtoforge.com/hardening-postfix-for-ispconfig-3)
policy-spf_time_limit = 3600s

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = myserver.domain.tld
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = myserver.domain.tld, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net,
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
#smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings


#helo restrictions fra http://www.howtoforge.com/hardening-postfix-for-ispconfig-3
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname

#strift rfc fra http://www.howtoforge.com/hardening-postfix-for-ispconfig-3
strict_rfc821_envelopes = yes

#data restrictions fra http://www.howtoforge.com/hardening-postfix-for-ispconfig-3
smtpd_data_restrictions = reject_unauth_pipelining

#smtpd delay
smtpd_delay_reject = yes
message_size_limit = 0
inet_protocols = all

#anti spam fra http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html
disable_vrfy_command = yes



#Mailman
virtual_maps = hash:/var/lib/mailman/data/virtual-mailman
owner_request_special = no
inet_protocols = all


authorized_submit_users = !root, static:anyone

this is my master.cf
Code:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#              (yes)  (yes)  (yes)  (never) (100)
# ==========================================================================
smtp      inet  n      -      -      -      -      smtpd
2525          inet  n          -            -            -              -        smtpd

submission inet n      -      -      -      -      smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps    inet  n      -      -      -      -      smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n      -      -      -      -      qmqpd
pickup    fifo  n      -      -      60      1      pickup
cleanup  unix  n      -      -      -      0      cleanup
qmgr      fifo  n      -      n      300    1      qmgr
#qmgr    fifo  n      -      -      300    1      oqmgr
tlsmgr    unix  -      -      -      1000?  1      tlsmgr
rewrite  unix  -      -      -      -      -      trivial-rewrite
bounce    unix  -      -      -      -      0      bounce
defer    unix  -      -      -      -      0      bounce
trace    unix  -      -      -      -      0      bounce
verify    unix  -      -      -      -      1      verify
flush    unix  n      -      -      1000?  0      flush
proxymap  unix  -      -      n      -      -      proxymap
proxywrite unix -      -      n      -      1      proxymap
smtp      unix  -      -      -      -      -      smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay    unix  -      -      -      -      -      smtp
        -o smtp_fallback_relay=
#      -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq    unix  n      -      -      -      -      showq
error    unix  -      -      -      -      -      error
retry    unix  -      -      -      -      -      error
discard  unix  -      -      -      -      -      discard
local    unix  -      n      n      -      -      local
virtual  unix  -      n      n      -      -      virtual
lmtp      unix  -      -      -      -      -      lmtp
anvil    unix  -      -      -      -      1      anvil
scache    unix  -      -      -      -      1      scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -      n      n      -      -      pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#  lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus    unix  -      n      n      -      -      pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -      n      n      -      -      pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -      n      n      -      -      pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -      n      n      -      -      pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp    unix  -      n      n      -      -      pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix        -        n        n        -        2        pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman  unix  -      n      n      -      -      pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}


amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1


policy-spf  unix  -      n      n      -      -      spawn
    user=nobody argv=/usr/bin/policyd-spf

after i have blocked the mail user in ispconfig I still see following in syslog
Code:

May  6 13:53:19 web2 postfix/smtpd[25077]: connect from unknown[***.***.128.138]
May  6 13:53:21 web2 postfix/smtpd[25319]: warning: ***.210.111.33: address not listed for hostname 81-210-111-33.ip.netia.com.pl
May  6 13:53:21 web2 postfix/smtpd[25319]: connect from unknown[***.210.111.33]
May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<dpower@jhancock.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<wghrhzxi@jhbdjlvg.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<aunnfg@jhkmjh.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<ghpvbyif@jhxvvjas.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<rjjtgody@jkbgeqhb.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<vtkhdb@jkmyqu.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:22 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<josh@jlscustoms.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:22 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<ckmombyu@jnmhhyso.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:22 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<kwmnix@jnmtcf.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:22 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<k1aj@netzero.net> proto=ESMTP helo=<companymail.tld>
May  6 13:53:22 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<alshack@netzero.net> proto=ESMTP helo=<companymail.tld>
May  6 13:53:22 web2 postfix/smtpd[25326]: connect from tx2outboundsmtppool1.messaging.microsoft.com[***.55.83.131]
May  6 13:53:22 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<md052794@netzero.net> proto=ESMTP helo=<companymail.tld>
May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<angieb12@netzero.net> proto=ESMTP helo=<companymail.tld>
May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<xavierfernand.santos@neuf.fr> proto=ESMTP helo=<companymail.tld>
May  6 13:53:23 web2 postfix/smtpd[25268]: lost connection after DATA from unknown[***.71.125.14]
May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<salifou.savadogo@neuf.fr> proto=ESMTP helo=<companymail.tld>
May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<dsin80@neuf.fr> proto=ESMTP helo=<companymail.tld>
May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<contacto@neverland.com.ar> proto=ESMTP helo=<companymail.tld>
May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<danny@newdisease.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<rmoore@newpi.com> proto=ESMTP helo=<companymail.tld>
May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<legal@newstarsa.com.ar> proto=ESMTP helo=<companymail.tld>
May  6 13:53:23 web2 postfix/smtpd[25326]: NOQUEUE: reject: RCPT from tx2outboundsmtppool1.messaging.microsoft.com[***.55.83.131]: 450 4.7.1 <TX2EHSNDR002.bigfish.com>: Helo command rejected: Host not found; from=<> to=<webuser@companymail.tld> proto=ESMTP helo=<TX2EHSNDR002.bigfish.com>
May  6 13:53:24 web2 postfix/smtpd[25326]: disconnect from tx2outboundsmtppool1.messaging.microsoft.com[***.55.83.131]

If you need more info or logs please tell me.
How can I prevent these spammers from sending mails through my server?

till 6th May 2013 16:43

Take a look into the spam emails in your queue, you should be able to see the delivery way in the header. Mails in the queue can be viewed with postcat command.

run

postqueue -p

identify one spam email and write down the ID of the mail. The ID looks similra to this "2979E2188345"

postcat /var/spool/postfix/deferred/2/2979E2188345

were the "/2/" directory in the path is the first number or char of the ID.

ressel 6th May 2013 18:50

Hello again,
I found this, in one of the email's
Code:

Received: from myserver.mycompany.tld ([127.0.0.1])
        by localhost (myserver.mycompany.tld [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 9I4pc0fK4JSs; Sun,  5 May 2013 07:16:00 +0200 (CEST)
Received: from companymail.tld (unknown [***.96.200.183])
        (Authenticated sender: webuser@companymail.tld)
        by myserver.mycompany.tld (Postfix) with ESMTPA id 9BE1E14AFE7;
        Sun,  5 May 2013 07:15:32 +0200 (CEST)

When the user is Authenticated sender, does this mean they are logged in to the server with username and password from my client?

till 7th May 2013 12:32

Quote:

When the user is Authenticated sender, does this mean they are logged in to the server with username and password from my client?
Yes. The header is added by postfix when a user is authenticated successfully with email address and password of this mailbox.


All times are GMT +2. The time now is 18:30.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.