Navigation

svehex · #1 26th December 2009, 23:51

I really need your help. My Postfix server is sending out spam (I know it's real because I received one myself). It seem to have started on December 19 2009.

I've followed the howto's to set up a secure postfix server, as far as I could without limiting the options beyond my needs.

I'm sure I've got SSL, TLS and no relay running, but it still spews out spam.

I turned it back on for about an hour and got over 1000 lines in my mail.log.

I'm not an expert, so I could really use some help to stop this and secure my mailserver. I have a web shop, so www-data has to be able to send mail.

Please let me know what other info you need. The mail logs can be found here (since they're too large to upload):http://heksebua.com/logs/mail/

*Miguel* · #2 27th December 2009, 10:00

For one,

change the permissions on the files so that I can read them. I can see a listing of your logs, but have an access denied when I trie to read them.

I your server is sending out spam, than you also have to take into account the possibility of being blacklisted is when it is reported.

Do this online check to see I there might be an open relay on your server:

http://www.abuse.net/relay.html

Kind regards,

Miguel

svehex · #3 27th December 2009, 13:17

The permissions have been changed. (664)
I've already run the check. I isn't open for relay (as previously mentioned).

*Miguel* · #4 27th December 2009, 13:26

As far as I can tell from the log files, the mails are being send by the user www-data and errors that your db is older than the source file.

Send me your main.cf file to miguel.brams'at'wiedewaratje.be to look at.

From what I see is that postfix is not the culprit, but a script on your server that is sending out these mails.

Also install and run rkhunter (if you haven't done so) to see is there is a type of rootkit or other that is sending mails.

My best bet for the moment is that your webserver (one of the sites) is sending out the mails.

Kind regards,

Miguel

svehex · #5 27th December 2009, 14:31

My prime suspect is oscommerce, judging by who the mails are sent to.. I've sent you the main.cf. The database error is older than the spam.

I've run chkrootkit and rkhunter and nothing was found.

falko · #6 27th December 2009, 14:53

Are you running the latest version of OSCommerce, or is it an older one?

svehex · #7 27th December 2009, 14:56

I use v2.2rc2

falko · #8 28th December 2009, 16:15

I don't know if this helps, but I suggest you update to v2.2rc2a.

svehex · #9 28th December 2009, 21:40

I did so yesterday. The only differences are small changes to sessions and compatibility.

Other things that have been done so far:

main.cf:

smtpd_sasl_local_domain = $mydomain
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes --> Logs header information
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client, reject_unauth_destination

dovecot.conf.
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}

Configured oscommerce to send e-mails from another address.

Navigation

Facebook

News

Recent comments

Newsletter