Postfix Problem (Possible Trojan/Spam)

[bluegrass]

Hi,

I have installed Virtual Users And Domains With Postfix, Courier And MySQL (+
SMTP-AUTH, Quota, SpamAssassin, ClamAV) in Debian Lenny for my mail server. At first, I had no problems, I can actually send and receive emails to/from the server.

Yesterday, one of my users reported that his friend did not receive his email, and that said email was sent 3 weeks ago. So I made a test email from my server, sending it to my yahoo, gmail and hotmail accounts. For more than 24 hours already, I never received the said email.

I checked the mail logs and this is what I saw:

Code:

Jul 27 09:15:23 mail postfix/qmgr[5210]: 9020E4502DF: from=<rtjuarez@cpu.edu.ph>, size=1097, nrcpt=1 (queue active)
Jul 27 09:15:23 mail amavis[4964]: (04964-08) Passed CLEAN, LOCAL [192.168.101.2] [192.168.101.2] <rtjuarez@cpu.edu.ph> -> <royski_it2004@yahoo.com>, Message-ID: <4C4E3326.5000605@cpu.edu.ph>, mail_id: 9It6Tl2pxI1C, Hits: -2.846, size: 639, queued_as: 9020E4502DF, 6175 ms
Jul 27 09:19:51 mail postfix/qmgr[5210]: CF7224502E6: from=<rtjuarez@cpu.edu.ph>, size=1165, nrcpt=3 (queue active)
Jul 27 09:19:52 mail postfix/qmgr[5210]: 7650D4502E5: from=<rtjuarez@cpu.edu.ph>, size=868, nrcpt=1 (queue active)
Jul 27 09:19:54 mail postfix/qmgr[5210]: BE2EA4502DA: from=<rtjuarez@cpu.edu.ph>, size=1144, nrcpt=2 (queue active)
Jul 27 09:24:54 mail postfix/qmgr[5210]: 536494502EA: from=<rtjuarez@cpu.edu.ph>, size=1097, nrcpt=1 (queue active)
Jul 27 09:25:04 mail postfix/smtp[5415]: BE2EA4502DA: to=<rtjuarez@gmail.com>, relay=none, delay=14587, delays=14278/190/120/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: Connection timed out)
Jul 27 09:25:21 mail postfix/smtp[5243]: CF7224502E6: to=<rtjuarez@gmail.com>, relay=none, delay=3398, delays=3068/297/33/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: No route to host)
Jul 27 09:29:18 mail imapd: LOGIN, user=rtjuarez@cpu.edu.ph, ip=[::ffff:192.168.101.2], port=[2262], protocol=IMAP
Jul 27 09:29:53 mail postfix/qmgr[5210]: 9020E4502DF: from=<rtjuarez@cpu.edu.ph>, size=1097, nrcpt=1 (queue active)
Jul 27 09:35:26 mail postfix/qmgr[5210]: 70EA04502EE: from=<rtjuarez@cpu.edu.ph>, size=534, nrcpt=1 (queue active)
Jul 27 09:35:46 mail amavis[8248]: (08248-07) Blocked SPAM, [189.6.206.136] [189.6.206.136] <rtjuarez@cpu.edu.ph> -> <rtjuarez@cpu.edu.ph>, quarantine: V/spam-VQnNS8RP9KZX.gz, Message-ID: <20100727013525.70EA04502EE@mail.cpu.edu.ph>, mail_id: VQnNS8RP9KZX, Hits: 8.26, size: 534, 20011 ms
Jul 27 09:35:46 mail postfix/smtp[8177]: 70EA04502EE: to=<rtjuarez@cpu.edu.ph>, relay=127.0.0.1[127.0.0.1]:10024, delay=21, delays=1.2/0/0/20, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=08248-07, BOUNCE)
Jul 27 09:35:46 mail postfix/virtual[8321]: 341814502F4: to=<rtjuarez@cpu.edu.ph>, relay=virtual, delay=0.26, delays=0.07/0.04/0/0.15, dsn=2.0.0, status=sent (delivered to maildir)
Jul 27 09:39:53 mail postfix/qmgr[5210]: 536494502EA: from=<rtjuarez@cpu.edu.ph>, size=1097, nrcpt=1 (queue active)
Jul 27 09:39:53 mail postfix/qmgr[5210]: 9115B4502E8: from=<rtjuarez@cpu.edu.ph>, size=1108, nrcpt=1 (queue active)

The given samples were log records from my own email only.

My other problem is, it seems that my server is sending emails that are not valid:

Code:

Jul 27 09:42:19 mail postfix/smtp[5412]: 6ADDC4504E4: to=<blascakb@cpva.saic.com>, relay=none, delay=351009, delays=348780/2118/111/0, dsn=4.4.1, status=deferred (connect to mx2.west.saic.com[198.151.12.25]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5303]: E0C20450386: to=<ahram@ahram.org.eg>, relay=none, delay=353014, delays=351066/1887/60/0, dsn=4.4.1, status=deferred (connect to 1273128082.mail.outlook.com[65.54.188.109]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5380]: 50A46440183: to=<lllinares@arcadis-fr.com>, relay=none, delay=338899, delays=338155/683/61/0, dsn=4.4.1, status=deferred (connect to mail2.fcinternational.net[194.3.174.46]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5425]: connect to mail-mx4.its.unimelb.edu.au[128.250.118.136]:25: No route to host
Jul 27 09:42:19 mail postfix/smtp[5419]: connect to onemain-mx.earthlink.net[209.86.93.121]:25: Connection timed out
Jul 27 09:42:19 mail postfix/smtp[5313]: D761245042A: to=<archive@israelipalestinianpeace.org>, relay=none, delay=351750, delays=349523/2166/61/0, dsn=4.4.1, status=deferred (connect to mx2.main.nc.us[74.207.237.203]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5327]: EB3DD440088: to=<ot@ark-mortensen.dk>, relay=none, delay=349549, delays=347603/1915/30/0, dsn=4.4.1, status=deferred (connect to mail.ark-mortensen.dk[62.243.229.238]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5337]: E523F450461: to=<ole@limal.dk>, relay=none, delay=351580, delays=349632/1944/3.4/0, dsn=4.4.1, status=deferred (connect to mail.limal.dk[195.128.174.71]:25: No route to host)
Jul 27 09:42:19 mail postfix/smtp[5399]: 21CE4440178: to=<l.lindelauf@prettel.nl>, relay=none, delay=338969, delays=336738/2149/82/0, dsn=4.4.1, status=deferred (connect to fallback2.csnet.nl[194.69.30.7]:25: Connection timed out)
Jul 27 09:42:19 mail postfix/smtp[5324]: connect to mail20.ixwebhosting.com[76.162.254.117]:25: Connection timed out
Jul 27 09:42:19 mail postfix/smtp[5343]: connect to continuumct.com[168.143.18.237]:25: No route to host
Jul 27 09:42:19 mail postfix/smtp[5449]: connect to bmail.go.com.jo[196.27.0.114]:25: Connection timed out
Jul 27 09:42:20 mail postfix/smtp[5303]: E0C20450386: to=<ahramdaily@ahram.org.eg>, relay=none, delay=353014, delays=351066/1887/60/0, dsn=4.4.1, status=deferred (connect to 1273128082.mail.outlook.com[65.54.188.109]:25: Connection timed out)
Jul 27 09:42:20 mail postfix/smtp[5419]: E9D9144012C: to=<lkozrk@usmo.com>, relay=none, delay=339709, delays=337759/1910/40/0, dsn=4.4.1, status=deferred (connect to onemain-mx.earthlink.net[209.86.93.121]:25: Connection timed out)
Jul 27 09:42:20 mail postfix/smtp[5445]: connect to aspmx2.googlemail.com[74.125.43.27]:25: Connection timed out
Jul 27 09:42:20 mail postfix/smtp[5270]: connect to thesunnews.com.s8b1.psmtp.com[64.18.7.13]:25: Connection timed out
Jul 27 09:42:20 mail postfix/smtp[5270]: connect to thesunnews.com.s8b2.psmtp.com[64.18.7.14]:25: No route to host
Jul 27 09:42:20 mail postfix/smtp[5303]: connect to front-lvs.scannet.dk[195.69.129.85]:25: No route to host
Jul 27 09:42:20 mail postfix/smtp[5413]: D761245042A: to=<arezoo@icciran.com>, relay=none, delay=351748, delays=349523/2165/61/0, dsn=4.4.1, status=deferred (connect to mail.icciran.com[216.12.205.115]:25: Connection timed out)
Jul 27 09:42:20 mail postfix/smtp[5343]: EC909440143: to=<llandry@continuumct.com>, relay=none, delay=339546, delays=337597/1927/21/0, dsn=4.4.1, status=deferred (connect to continuumct.com[168.143.18.237]:25: No route to host)
Jul 27 09:42:20 mail postfix/smtp[5329]: EB3DD440088: to=<otbeju@gladsaxe.dk>, relay=none, delay=349551, delays=347603/1920/27/0, dsn=4.4.1, status=deferred (connect to dkcphmx62.softcom.dk[213.150.52.217]:25: No route to host)
Jul 27 09:42:20 mail postfix/smtp[5442]: connect to ASPMX.L.GOOGLE.com[72.14.213.27]:25: Connection timed out
Jul 27 09:42:21 mail postfix/smtp[5448]: connect to mx-adinet.adinet.com.uy[200.40.30.218]:25: Connection timed out
Jul 27 09:42:21 mail postfix/smtp[5445]: 6ADDC4504E4: to=<blazer@blazeruae.com>, relay=none, delay=351012, delays=348780/2111/121/0, dsn=4.4.1, status=deferred (connect to aspmx2.googlemail.com[74.125.43.27]:25: Connection timed out)
Jul 27 09:42:21 mail postfix/smtp[5270]: 2D3C5450375: to=<ads@thesunnews.com>, relay=none, delay=353285, delays=351053/2140/92/0, dsn=4.4.1, status=deferred (connect to thesunnews.com.s8b2.psmtp.com[64.18.7.14]:25: No route to host)
Jul 27 09:42:21 mail postfix/smtp[5303]: E523F450461: to=<ole@lunding.dk>, relay=none, delay=351582, delays=349632/1949/0.73/0, dsn=4.4.1, status=deferred (connect to front-lvs.scannet.dk[195.69.129.85]:25: No route to host)
Jul 27 09:42:21 mail postfix/smtp[5270]: connect to mailgate.cybercity.dk[212.242.43.248]:25: No route to host
Jul 27 09:42:21 mail postfix/smtp[5323]: connect to mx.club-internet.fr[93.17.128.7]:25: Connection timed out
Jul 27 09:42:21 mail postfix/smtp[5449]: E0C20450386: to=<aiccom@aic.nuqul.com.jo>, relay=none, delay=353016, delays=351066/1890/60/0, dsn=4.4.1, status=deferred (connect to bmail.go.com.jo[196.27.0.114]:25: Connection timed out)
Jul 27 09:42:21 mail postfix/smtp[5362]: EB3DD440088: to=<otb@bib.sdu.dk>, relay=none, delay=349550, delays=347603/1917/30/0, dsn=4.4.1, status=deferred (connect to msec.sdu.dk[130.225.156.16]:25: Connection timed out)

I don't think that in just 1 second, there are several emails that are being sent. I have also discovered that even on an unholy hours in my local time, there are a lot of emails being sent also.

Can somebody help me on how to fix this problem?

[matty]

I think you have a problem with port 25 being blocked outbound.

edit: that's not to say you don't have a problem with spam/trojans, but I tried connecting to a bunch of servers at random from the logs you posted and had no trouble connecting to any of them.

[bluegrass]

Quote:

Originally Posted by matty

I think you have a problem with port 25 being blocked outbound.

edit: that's not to say you don't have a problem with spam/trojans, but I tried connecting to a bunch of servers at random from the logs you posted and had no trouble connecting to any of them.

I don't know, but I checked my firewall settings, the same settings was on the system, I have not done any adjustments on it, from the time I install the mail system. When I made an nmap from another server, it showed that port 25 is open.

Code:

Starting Nmap 4.62 ( http://nmap.org ) at 2010-07-27 13:26 PHT
Interesting ports on 121.97.76.4.BTI.NET.PH (121.97.76.4):
Not shown: 1707 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
993/tcp open  imaps
995/tcp open  pop3s
...

On the URLs, yes, I can actually connect to them. But my concern is that why is it that my server seems to send so many emails to different addresses in just a matter of seconds. Is there a freeware tool to check if the system has indeed some sort of a malware?

[matty]

Quote:

Originally Posted by bluegrass

I don't know, but I checked my firewall settings, the same settings was on the system, I have not done any adjustments on it, from the time I install the mail system. When I made an nmap from another server, it showed that port 25 is open.

You need to check outbound. That is, can your server get out to the internet on port 25.

Try this from your mailserver: telnet mail20.ixwebhosting.com 25.

You should see their server respond. If the connection fails, have a look at your firewall again, but look at connections from inside to outside.

Edit: I just realised - it could be your ISP blocking port 25. Many of them do.

Quote:

On the URLs, yes, I can actually connect to them. But my concern is that why is it that my server seems to send so many emails to different addresses in just a matter of seconds. Is there a freeware tool to check if the system has indeed some sort of a malware?

You could try rkhunter to start with. It's in the Debian package system. It's possible that you've created an open relay which is related to your postfix config rather than malware.

[bluegrass]

Thanks Matty,

I'll try to install first rkhunter. Then if I'm satisfied that the problem I have about the bulk mails that is being passed by/through my server then I'll check with my service provider. Maybe they blocked port 25.

[bluegrass]

I was able to check with my service provider. They were able to trace some spam mails passing through my IP, that is why they blocked the SMTP service.

Now my problem is how do I check and block these emails passing through my server. I have already tested the server using rkhunter and chkrootkit, but there were no significant alerts that would say I have open relay.

I hate to do a fresh install/configuration of the mail server.

[edge]

It could be some "PHP" page with a "form" mail function in it that is beeing abused.

To log all mail send by a PHP form page have a look here:
http://www.howtoforge.com/how-to-log...tect-form-spam

[bluegrass]

Quote:

Originally Posted by edge

It could be some "PHP" page with a "form" mail function in it that is beeing abused.

To log all mail send by a PHP form page have a look here:
http://www.howtoforge.com/how-to-log...tect-form-spam

Hi, Edge.

I tried blocking incoming traffic through Port 25, and check whether the same type of traffic I found in my logs will stop. But unfortunately it did not, so, I assume that the problem is really on my server, it sends the spam mails from within, and not as a relay server. Am I right?

I'll check the link you sent.

[falko]

Quote:

Originally Posted by bluegrass

it sends the spam mails from within, and not as a relay server. Am I right?

Seems to be the case. Try the link that edge gave to you.

[bluegrass]

Well, I made a clean install of my Mail Server. Tested the tutorial on the link provided by Edge, but did not work out, I mean, the script did not capture the test mail I sent from my other Web Server.

After I made the clean install to a separate server, and moved all emails from the previous server to the new one, I again encountered the same problems. My server was sending too many emails. In fact, a hostmaster of one site, emailed me, informing me that one of his email users have receive an email which was sent from my server. Upon thorough checking of the said email, the email originated from a different server, and was passed through my mail server via a valid email address of my service.