HowtoForge Forums > Linux Forums > Server Operation
#1  27th July 2010, 03:50
bluegrass (Member)
Postfix Problem (Possible Trojan/Spam)

Hi,

I have installed Virtual Users And Domains With Postfix, Courier And MySQL (+ SMTP-AUTH, Quota, SpamAssassin, ClamAV) in Debian Lenny for my mail server. At first I had no problems; I could actually send and receive emails to/from the server.

Yesterday, one of my users reported that his friend did not receive his email, and that said email was sent 3 weeks ago. So I made a test email from my server, sending it to my yahoo, gmail and hotmail accounts. For more than 24 hours already, I never received the said email.

I checked the mail logs and this is what I saw:

Code:
Jul 27 09:15:23 mail postfix/qmgr[5210]: 9020E4502DF: from=<rtjuarez@cpu.edu.ph>, size=1097, nrcpt=1 (queue active)
Jul 27 09:15:23 mail amavis[4964]: (04964-08) Passed CLEAN, LOCAL [192.168.101.2] [192.168.101.2] <rtjuarez@cpu.edu.ph> -> <royski_it2004@yahoo.com>, Message-ID: <4C4E3326.5000605@cpu.edu.ph>, mail_id: 9It6Tl2pxI1C, Hits: -2.846, size: 639, queued_as: 9020E4502DF, 6175 ms
Jul 27 09:19:51 mail postfix/qmgr[5210]: CF7224502E6: from=<rtjuarez@cpu.edu.ph>, size=1165, nrcpt=3 (queue active)
Jul 27 09:19:52 mail postfix/qmgr[5210]: 7650D4502E5: from=<rtjuarez@cpu.edu.ph>, size=868, nrcpt=1 (queue active)
Jul 27 09:19:54 mail postfix/qmgr[5210]: BE2EA4502DA: from=<rtjuarez@cpu.edu.ph>, size=1144, nrcpt=2 (queue active)
Jul 27 09:24:54 mail postfix/qmgr[5210]: 536494502EA: from=<rtjuarez@cpu.edu.ph>, size=1097, nrcpt=1 (queue active)
Jul 27 09:25:04 mail postfix/smtp[5415]: BE2EA4502DA: to=<rtjuarez@gmail.com>, relay=none, delay=14587, delays=14278/190/120/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: Connection timed out)
Jul 27 09:25:21 mail postfix/smtp[5243]: CF7224502E6: to=<rtjuarez@gmail.com>, relay=none, delay=3398, delays=3068/297/33/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: No route to host)
Jul 27 09:29:18 mail imapd: LOGIN, user=rtjuarez@cpu.edu.ph, ip=[::ffff:192.168.101.2], port=[2262], protocol=IMAP
Jul 27 09:29:53 mail postfix/qmgr[5210]: 9020E4502DF: from=<rtjuarez@cpu.edu.ph>, size=1097, nrcpt=1 (queue active)
Jul 27 09:35:26 mail postfix/qmgr[5210]: 70EA04502EE: from=<rtjuarez@cpu.edu.ph>, size=534, nrcpt=1 (queue active)
Jul 27 09:35:46 mail amavis[8248]: (08248-07) Blocked SPAM, [189.6.206.136] [189.6.206.136] <rtjuarez@cpu.edu.ph> -> <rtjuarez@cpu.edu.ph>, quarantine: V/spam-VQnNS8RP9KZX.gz, Message-ID: <20100727013525.70EA04502EE@mail.cpu.edu.ph>, mail_id: VQnNS8RP9KZX, Hits: 8.26, size: 534, 20011 ms
Jul 27 09:35:46 mail postfix/smtp[8177]: 70EA04502EE: to=<rtjuarez@cpu.edu.ph>, relay=127.0.0.1[127.0.0.1]:10024, delay=21, delays=1.2/0/0/20, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=08248-07, BOUNCE)
Jul 27 09:35:46 mail postfix/virtual[8321]: 341814502F4: to=<rtjuarez@cpu.edu.ph>, relay=virtual, delay=0.26, delays=0.07/0.04/0/0.15, dsn=2.0.0, status=sent (delivered to maildir)
Jul 27 09:39:53 mail postfix/qmgr[5210]: 536494502EA: from=<rtjuarez@cpu.edu.ph>, size=1097, nrcpt=1 (queue active)
Jul 27 09:39:53 mail postfix/qmgr[5210]: 9115B4502E8: from=<rtjuarez@cpu.edu.ph>, size=1108, nrcpt=1 (queue active)
The given samples were log records from my own email only.

My other problem is, it seems that my server is sending emails that are not valid:
Code:
Jul 27 09:42:19 mail postfix/smtp[5412]: 6ADDC4504E4: to=<blascakb@cpva.saic.com>, relay=none, delay=351009, delays=348780/2118/111/0, dsn=4.4.1, status=deferred (connect to mx2.west.saic.com[198.151.12.25]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5303]: E0C20450386: to=<ahram@ahram.org.eg>, relay=none, delay=353014, delays=351066/1887/60/0, dsn=4.4.1, status=deferred (connect to 1273128082.mail.outlook.com[65.54.188.109]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5380]: 50A46440183: to=<lllinares@arcadis-fr.com>, relay=none, delay=338899, delays=338155/683/61/0, dsn=4.4.1, status=deferred (connect to mail2.fcinternational.net[194.3.174.46]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5425]: connect to mail-mx4.its.unimelb.edu.au[128.250.118.136]:25: No route to host
Jul 27 09:42:19 mail postfix/smtp[5419]: connect to onemain-mx.earthlink.net[209.86.93.121]:25: Connection timed out
Jul 27 09:42:19 mail postfix/smtp[5313]: D761245042A: to=<archive@israelipalestinianpeace.org>, relay=none, delay=351750, delays=349523/2166/61/0, dsn=4.4.1, status=deferred (connect to mx2.main.nc.us[74.207.237.203]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5327]: EB3DD440088: to=<ot@ark-mortensen.dk>, relay=none, delay=349549, delays=347603/1915/30/0, dsn=4.4.1, status=deferred (connect to mail.ark-mortensen.dk[62.243.229.238]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5337]: E523F450461: to=<ole@limal.dk>, relay=none, delay=351580, delays=349632/1944/3.4/0, dsn=4.4.1, status=deferred (connect to mail.limal.dk[195.128.174.71]:25: No route to host)
Jul 27 09:42:19 mail postfix/smtp[5399]: 21CE4440178: to=<l.lindelauf@prettel.nl>, relay=none, delay=338969, delays=336738/2149/82/0, dsn=4.4.1, status=deferred (connect to fallback2.csnet.nl[194.69.30.7]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5324]: connect to mail20.ixwebhosting.com[76.162.254.117]:25: Connection timed out
Jul 27 09:42:19 mail postfix/smtp[5343]: connect to continuumct.com[168.143.18.237]:25: No route to host
Jul 27 09:42:19 mail postfix/smtp[5449]: connect to bmail.go.com.jo[196.27.0.114]:25: Connection timed out
Jul 27 09:42:20 mail postfix/smtp[5303]: E0C20450386: to=<ahramdaily@ahram.org.eg>, relay=none, delay=353014, delays=351066/1887/60/0, dsn=4.4.1, status=deferred (connect to 1273128082.mail.outlook.com[65.54.188.109]:25: Connection timed out)
Jul 27 09:42:20 mail postfix/smtp[5419]: E9D9144012C: to=<lkozrk@usmo.com>, relay=none, delay=339709, delays=337759/1910/40/0, dsn=4.4.1, status=deferred (connect to onemain-mx.earthlink.net[209.86.93.121]:25: Connection timed out)
Jul 27 09:42:20 mail postfix/smtp[5445]: connect to aspmx2.googlemail.com[74.125.43.27]:25: Connection timed out
Jul 27 09:42:20 mail postfix/smtp[5270]: connect to thesunnews.com.s8b1.psmtp.com[64.18.7.13]:25: Connection timed out
Jul 27 09:42:20 mail postfix/smtp[5270]: connect to thesunnews.com.s8b2.psmtp.com[64.18.7.14]:25: No route to host
Jul 27 09:42:20 mail postfix/smtp[5303]: connect to front-lvs.scannet.dk[195.69.129.85]:25: No route to host
Jul 27 09:42:20 mail postfix/smtp[5413]: D761245042A: to=<arezoo@icciran.com>, relay=none, delay=351748, delays=349523/2165/61/0, dsn=4.4.1, status=deferred (connect to mail.icciran.com[216.12.205.115]:25: Connection timed out)
Jul 27 09:42:20 mail postfix/smtp[5343]: EC909440143: to=<llandry@continuumct.com>, relay=none, delay=339546, delays=337597/1927/21/0, dsn=4.4.1, status=deferred (connect to continuumct.com[168.143.18.237]:25: No route to host)
Jul 27 09:42:20 mail postfix/smtp[5329]: EB3DD440088: to=<otbeju@gladsaxe.dk>, relay=none, delay=349551, delays=347603/1920/27/0, dsn=4.4.1, status=deferred (connect to dkcphmx62.softcom.dk[213.150.52.217]:25: No route to host)
Jul 27 09:42:20 mail postfix/smtp[5442]: connect to ASPMX.L.GOOGLE.com[72.14.213.27]:25: Connection timed out
Jul 27 09:42:21 mail postfix/smtp[5448]: connect to mx-adinet.adinet.com.uy[200.40.30.218]:25: Connection timed out
Jul 27 09:42:21 mail postfix/smtp[5445]: 6ADDC4504E4: to=<blazer@blazeruae.com>, relay=none, delay=351012, delays=348780/2111/121/0, dsn=4.4.1, status=deferred (connect to aspmx2.googlemail.com[74.125.43.27]:25: Connection timed out)
Jul 27 09:42:21 mail postfix/smtp[5270]: 2D3C5450375: to=<ads@thesunnews.com>, relay=none, delay=353285, delays=351053/2140/92/0, dsn=4.4.1, status=deferred (connect to thesunnews.com.s8b2.psmtp.com[64.18.7.14]:25: No route to host)
Jul 27 09:42:21 mail postfix/smtp[5303]: E523F450461: to=<ole@lunding.dk>, relay=none, delay=351582, delays=349632/1949/0.73/0, dsn=4.4.1, status=deferred (connect to front-lvs.scannet.dk[195.69.129.85]:25: No route to host)
Jul 27 09:42:21 mail postfix/smtp[5270]: connect to mailgate.cybercity.dk[212.242.43.248]:25: No route to host
Jul 27 09:42:21 mail postfix/smtp[5323]: connect to mx.club-internet.fr[93.17.128.7]:25: Connection timed out
Jul 27 09:42:21 mail postfix/smtp[5449]: E0C20450386: to=<aiccom@aic.nuqul.com.jo>, relay=none, delay=353016, delays=351066/1890/60/0, dsn=4.4.1, status=deferred (connect to bmail.go.com.jo[196.27.0.114]:25: Connection timed out)
Jul 27 09:42:21 mail postfix/smtp[5362]: EB3DD440088: to=<otb@bib.sdu.dk>, relay=none, delay=349550, delays=347603/1917/30/0, dsn=4.4.1, status=deferred (connect to msec.sdu.dk[130.225.156.16]:25: Connection timed out)
I don't think that several emails should be sent in just 1 second. I have also discovered that even at unholy hours in my local time, a lot of emails are being sent.

Can somebody help me on how to fix this problem?
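A small triage script, added here as an example (it is not from the thread or from Postfix), that parses log lines of the two shapes shown above and summarises them: which sender the queue manager is activating, how many distinct queue IDs and recipient domains the smtp client retries per second, how old the queued mail is, and whether every failure is a 4.4.1 connect timeout. The sample input is a handful of lines copied from the excerpts in this post; the thresholds in `hints()` are assumptions.

```python
import re
from collections import Counter

# Two Postfix log shapes from the thread: qmgr activating a queued message, and
# the smtp client reporting one delivery attempt for one recipient.
QMGR_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/qmgr\[\d+\]: (?P<qid>\w+): "
                     r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
SMTP_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/smtp\[\d+\]: (?P<qid>\w+): "
                     r"to=<(?P<rcpt>[^>]+)>, relay=[^,]+, delay=(?P<delay>[\d.]+), .*?"
                     r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")

# Sample input: seven lines copied from the excerpts in post #1 (not the full log).
SAMPLE_LOG = """\
Jul 27 09:19:51 mail postfix/qmgr[5210]: CF7224502E6: from=<rtjuarez@cpu.edu.ph>, size=1165, nrcpt=3 (queue active)
Jul 27 09:25:04 mail postfix/smtp[5415]: BE2EA4502DA: to=<rtjuarez@gmail.com>, relay=none, delay=14587, delays=14278/190/120/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5412]: 6ADDC4504E4: to=<blascakb@cpva.saic.com>, relay=none, delay=351009, delays=348780/2118/111/0, dsn=4.4.1, status=deferred (connect to mx2.west.saic.com[198.151.12.25]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5303]: E0C20450386: to=<ahram@ahram.org.eg>, relay=none, delay=353014, delays=351066/1887/60/0, dsn=4.4.1, status=deferred (connect to 1273128082.mail.outlook.com[65.54.188.109]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5327]: EB3DD440088: to=<ot@ark-mortensen.dk>, relay=none, delay=349549, delays=347603/1915/30/0, dsn=4.4.1, status=deferred (connect to mail.ark-mortensen.dk[62.243.229.238]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5425]: connect to mail-mx4.its.unimelb.edu.au[128.250.118.136]:25: No route to host
Jul 27 09:42:20 mail postfix/smtp[5303]: E0C20450386: to=<ahramdaily@ahram.org.eg>, relay=none, delay=353014, delays=351066/1887/60/0, dsn=4.4.1, status=deferred (connect to 1273128082.mail.outlook.com[65.54.188.109]:25: Connection timed out)
"""

def parse(text):
    """Split maillog text into qmgr activations and smtp delivery attempts."""
    activations, attempts = [], []
    for line in text.splitlines():
        if (m := QMGR_RE.match(line)):
            activations.append(m.groupdict())
        elif (m := SMTP_RE.match(line)):   # bare "connect to ..." lines carry no queue id and are skipped
            attempts.append(m.groupdict())
    return activations, attempts

def triage(text):
    """Summarise the outbound picture: who is sending, to where, and why it fails."""
    activations, attempts = parse(text)
    per_second = Counter(a["ts"] for a in attempts)
    return {
        "senders": Counter(a["sender"] for a in activations),
        "attempts": len(attempts),
        "connect_failures": sum(a["status"] == "deferred" and a["dsn"] == "4.4.1" for a in attempts),
        "queue_ids": len({a["qid"] for a in attempts}),
        "recipient_domains": Counter(a["rcpt"].split("@", 1)[1] for a in attempts),
        "peak_per_second": max(per_second.values(), default=0),
        "max_queue_age_hours": round(max((float(a["delay"]) for a in attempts), default=0.0) / 3600, 1),
    }

def hints(summary):
    """Turn the summary into the two questions the thread ends up asking (assumed thresholds)."""
    out = []
    if summary["attempts"] and summary["connect_failures"] == summary["attempts"]:
        out.append("every outbound connect failed (dsn 4.4.1): test port 25 outbound from the server itself")
    if len(summary["senders"]) == 1 and len(summary["recipient_domains"]) >= 3:
        out.append("one sender to many unrelated domains: check that account for credential abuse")
    return out
```

Run it over the full `/var/log/mail.log` instead of `SAMPLE_LOG` to see whether the queue is one user's mail stuck behind a blocked port, a burst of unrelated recipients, or both.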
#2  27th July 2010, 07:12
matty (Member)

I think you have a problem with port 25 being blocked outbound.

edit: that's not to say you don't have a problem with spam/trojans, but I tried connecting to a bunch of servers at random from the logs you posted and had no trouble connecting to any of them.

Last edited by matty; 27th July 2010 at 07:14.

#3  27th July 2010, 07:33
bluegrass (Member)

Quote:
Originally Posted by matty
I think you have a problem with port 25 being blocked outbound.

edit: that's not to say you don't have a problem with spam/trojans, but I tried connecting to a bunch of servers at random from the logs you posted and had no trouble connecting to any of them.
I don't know, but I checked my firewall settings; the same settings were on the system, and I have not made any adjustments to it since the time I installed the mail system. When I ran nmap from another server, it showed that port 25 is open.

Code:
Starting Nmap 4.62 ( http://nmap.org ) at 2010-07-27 13:26 PHT
Interesting ports on 121.97.76.4.BTI.NET.PH (121.97.76.4):
Not shown: 1707 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
993/tcp open  imaps
995/tcp open  pop3s
...
On the URLs, yes, I can actually connect to them. But my concern is why my server seems to send so many emails to different addresses in just a matter of seconds. Is there a freeware tool to check whether the system has indeed some sort of malware?

#4  27th July 2010, 07:43
matty (Member)

Quote:
Originally Posted by bluegrass
I don't know, but I checked my firewall settings; the same settings were on the system, and I have not made any adjustments to it since the time I installed the mail system. When I ran nmap from another server, it showed that port 25 is open.
You need to check outbound. That is, can your server get out to the internet on port 25.

Try this from your mailserver: telnet mail20.ixwebhosting.com 25.

You should see their server respond. If the connection fails, have a look at your firewall again, but look at connections from inside to outside.

Edit: I just realised - it could be your ISP blocking port 25. Many of them do.

Quote:
On the URLs, yes, I can actually connect to them. But my concern is why my server seems to send so many emails to different addresses in just a matter of seconds. Is there a freeware tool to check whether the system has indeed some sort of malware?
You could try rkhunter to start with. It's in the Debian package system. It's possible that you've created an open relay which is related to your postfix config rather than malware.
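An outbound check of the kind matty describes, as an added example that is not part of the thread: it connects to port 25 with a timeout, reads the greeting, and classifies the result the same way the Postfix messages in post #1 do ("Connection timed out" versus "No route to host"). The local listener helper is constructed so the script runs offline; point `probe_smtp` at mail20.ixwebhosting.com and port 25 to repeat matty's telnet test from the mail server itself.

```python
import socket
import threading

def probe_smtp(host, port=25, timeout=10):
    """Open an outbound TCP connection and read the SMTP greeting.

    Returns (outcome, detail):
      'banner'      the remote MTA answered with a 220 greeting, so outbound
                    port 25 is not blocked on this path
      'timeout'     nothing came back: the usual signature of a firewall or an
                    ISP silently dropping outbound 25 ("Connection timed out")
      'refused'     the host is reachable but nothing listens on the port
      'unreachable' no route, network down, or DNS failure ("No route to host")
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            greeting = s.recv(512).decode("ascii", "replace").strip()
            s.sendall(b"QUIT\r\n")          # close the session cleanly
            return ("banner" if greeting.startswith("220") else "unexpected"), greeting
    except socket.timeout:
        return "timeout", "no connection or greeting within %ds" % timeout
    except ConnectionRefusedError:
        return "refused", "port closed on remote host"
    except OSError as exc:                  # ENETUNREACH, EHOSTUNREACH, DNS errors
        return "unreachable", str(exc)

def fake_smtp_listener(greeting=b"220 test.example ESMTP\r\n"):
    """Start a throwaway local listener that sends one greeting, so the probe can be
    exercised offline. Constructed helper, not part of any real MTA. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
            conn.recv(64)                   # absorb the client's QUIT
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Offline demonstration; replace with ("mail20.ixwebhosting.com", 25) for the real check.
    print(probe_smtp("127.0.0.1", fake_smtp_listener()))   # ('banner', '220 test.example ESMTP')
```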
#5  27th July 2010, 08:15
bluegrass (Member)

Thanks Matty,

I'll try installing rkhunter first. Then, if I'm satisfied about the problem I have with the bulk mails being passed by/through my server, I'll check with my service provider. Maybe they blocked port 25.

#6  27th July 2010, 08:54
bluegrass (Member)

I was able to check with my service provider. They were able to trace some spam mails passing through my IP, that is why they blocked the SMTP service.

Now my problem is how to check and block these emails passing through my server. I have already tested the server using rkhunter and chkrootkit, but there were no significant alerts that would say I have an open relay.

I hate to do a fresh install/configuration of the mail server.

#7  27th July 2010, 09:10
edge (Moderator)

It could be some "PHP" page with a "form" mail function in it that is being abused.

To log all mail sent by a PHP form page, have a look here:
http://www.howtoforge.com/how-to-log...tect-form-spam

#8  27th July 2010, 09:27
bluegrass (Member)

Quote:
Originally Posted by edge
It could be some "PHP" page with a "form" mail function in it that is being abused.

To log all mail sent by a PHP form page, have a look here:
http://www.howtoforge.com/how-to-log...tect-form-spam
Hi, Edge.

I tried blocking incoming traffic through port 25 and checked whether the same type of traffic I found in my logs would stop. Unfortunately it did not, so I assume that the problem is really on my server: it sends the spam mails from within, and not as a relay server. Am I right?

I'll check the link you sent.

#9  28th July 2010, 14:42
falko (Super Moderator)

Quote:
Originally Posted by bluegrass
it sends the spam mails from within, and not as a relay server. Am I right?
Seems to be the case. Try the link that edge gave to you.

#10  2nd August 2010, 05:58
bluegrass (Member)

Well, I made a clean install of my mail server. I tested the tutorial at the link provided by Edge, but it did not work out; I mean, the script did not capture the test mail I sent from my other web server.

After I made the clean install on a separate server and moved all emails from the previous server to the new one, I again encountered the same problems. My server was sending too many emails. In fact, a hostmaster of one site emailed me, informing me that one of his email users had received an email which was sent from my server. Upon thorough checking of the said email, the email originated from a different server and was passed through my mail server via a valid email address of my service.