HowtoForge Forums > Linux Forums > Server Operation

#1
Old 15th December 2011, 15:56
cookie-monster
Junior Member
Join Date: Dec 2011
Posts: 1

I'm sending spam?! [postfix][debian][ispconfig3]

Hello,
My 3-day-old server started sending spam. I saw that I couldn't connect to MySQL; I did a little research and found a huge number of queries to MySQL. And finally, I found the mail logs..
I just configured the server, and nobody is using the SMTP server... port 25 is closed, I'm using 465...

Here is part of the log file:
Code:
Dec 14 00:13:50 woody postfix/qmgr[28051]: DB7E21321AF: from=<root@woody.2fastweb.net>, size=36855, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/qmgr[28051]: BC9371321D4: from=<root@woody.2fastweb.net>, size=36385, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/smtp[25828]: DA8141321CC: to=<hsvguy2005@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=85, delay=7.4, delays=0.67/6.4/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25301-02-85, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as DB7E21321AF)
Dec 14 00:13:50 woody postfix/smtp[25827]: 2E2811321FE: to=<thewrongprescription@hotmail.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=86, delay=8.8, delays=2.1/6.4/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25303-02-86, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CCF1A1321E2)
Dec 14 00:13:50 woody postfix/qmgr[28051]: DA8141321CC: removed
Dec 14 00:13:50 woody postfix/qmgr[28051]: 2E2811321FE: removed
Dec 14 00:13:50 woody postfix/pickup[24000]: 0A2771321CC: uid=0 from=<root>
Dec 14 00:13:50 woody postfix/cleanup[25425]: 0A2771321CC: message-id=<20111213231350.0A2771321CC@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/qmgr[28051]: 0A2771321CC: from=<root@woody.2fastweb.net>, size=36389, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/pickup[24000]: 1EC511321ED: uid=0 from=<root>
Dec 14 00:13:50 woody postfix/cleanup[25450]: 1EC511321ED: message-id=<20111213231350.1EC511321ED@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/smtpd[24247]: 370B713220F: client=localhost.localdomain[127.0.0.1]
Dec 14 00:13:50 woody postfix/cleanup[25668]: 370B713220F: message-id=<20111213231343.584471321E6@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/smtp[24365]: 70BF41321FB: to=<cursie_18@yahoo.de>, relay=mx2.mail.eu.yahoo.com[77.238.184.241]:25, delay=0.77, delays=0.14/0.07/0.08/0.48, dsn=2.0.0, status=sent (250 ok dirdel)
Dec 14 00:13:50 woody postfix/smtpd[24256]: 384BB13220B: client=localhost.localdomain[127.0.0.1]
Dec 14 00:13:50 woody postfix/cleanup[25910]: 384BB13220B: message-id=<20111213231343.8786F1321A0@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/qmgr[28051]: 70BF41321FB: removed
Dec 14 00:13:50 woody postfix/smtp[24375]: EAE551321D0: to=<americanboi28@yahoo.com>, relay=mta7.am0.yahoodns.net[66.94.238.147]:25, delay=2.3, delays=0.14/0/0.42/1.8, dsn=2.0.0, status=sent (250 ok dirdel)
Dec 14 00:13:50 woody postfix/qmgr[28051]: EAE551321D0: removed
Dec 14 00:13:50 woody postfix/qmgr[28051]: 370B713220F: from=<root@woody.2fastweb.net>, size=36903, nrcpt=1 (queue active)
Dec 14 00:13:50 woody amavis[25303]: (25303-02-87) Passed CLEAN, <root@woody.2fastweb.net> -> <hornyoncam2010@hotmail.com>, Message-ID: <20111213231343.8786F1321A0@woody.2fastweb.net>, mail_id: oUSpQcQLnQuM, Hits: 9.875, size: 36399, queued_as: 384BB13220B, 323 ms
Dec 14 00:13:50 woody amavis[25301]: (25301-02-86) Passed CLEAN, <root@woody.2fastweb.net> -> <blackbrew90291129@btinternet.co.uk>, Message-ID: <20111213231343.584471321E6@woody.2fastweb.net>, mail_id: zk0M4xzdOAUw, Hits: 9.875, size: 36415, queued_as: 370B713220F, 324 ms
Dec 14 00:13:50 woody postfix/smtp[25827]: 8786F1321A0: to=<hornyoncam2010@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=87, delay=8.2, delays=1.7/6.1/0/0.33, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25303-02-87, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 384BB13220B)
Dec 14 00:13:50 woody postfix/smtp[25828]: 584471321E6: to=<blackbrew90291129@btinternet.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=86, delay=8.3, delays=1.4/6.5/0/0.33, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25301-02-86, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 370B713220F)
Dec 14 00:13:50 woody postfix/qmgr[28051]: 1EC511321ED: from=<root@woody.2fastweb.net>, size=36411, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/qmgr[28051]: 8786F1321A0: removed
Dec 14 00:13:50 woody postfix/qmgr[28051]: 384BB13220B: from=<root@woody.2fastweb.net>, size=36871, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/pickup[24000]: 5A9571321A0: uid=0 from=<root>
Dec 14 00:13:50 woody postfix/qmgr[28051]: 584471321E6: removed
Dec 14 00:13:50 woody postfix/cleanup[25425]: 5A9571321A0: message-id=<20111213231350.5A9571321A0@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/qmgr[28051]: 5A9571321A0: from=<root@woody.2fastweb.net>, size=36389, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/pickup[24000]: 6D1A71321B9: uid=0 from=<root>
Dec 14 00:13:50 woody postfix/cleanup[25450]: 6D1A71321B9: message-id=<20111213231350.6D1A71321B9@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/smtp[24475]: 370B713220F: to=<blackbrew90291129@btinternet.co.uk>, relay=none, delay=0.22, delays=0.14/0.01/0.07/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=btinternet.co.uk type=A: Host found but no data record of requested type)
Dec 14 00:13:50 woody postfix/cleanup[25910]: 7126F132214: message-id=<20111213231350.7126F132214@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/smtpd[24247]: 83120132212: client=localhost.localdomain[127.0.0.1]
Dec 14 00:13:50 woody postfix/cleanup[25425]: 83120132212: message-id=<20111213231343.EE5FE1321FF@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/smtpd[24256]: 8B9A9132213: client=localhost.localdomain[127.0.0.1]
Dec 14 00:13:50 woody postfix/cleanup[25668]: 8B9A9132213: message-id=<20111213231343.E19101321F0@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/bounce[24413]: 370B713220F: sender non-delivery notification: 7126F132214
Dec 14 00:13:50 woody amavis[25303]: (25303-02-88) Passed CLEAN, <root@woody.2fastweb.net> -> <bcramerx@yahoo.com>, Message-ID: <20111213231343.E19101321F0@woody.2fastweb.net>, mail_id: lZjmQxcMBiEh, Hits: 9.875, size: 36383, queued_as: 8B9A9132213, 338 ms

Code:
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = woody.2fastweb.net, localhost, localhost.localdomain
myhostname = woody.2fastweb.net
mynetworks = 127.0.0.0/8 [::1]/128
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
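The log above already answers how the mail is getting into Postfix, and it is not SMTP: every new queue ID is created by `postfix/pickup` with `uid=0 from=<root>`, which means a process running as root on the box itself is handing messages to the local `sendmail` binary. The `smtpd` entries from `localhost.localdomain[127.0.0.1]` are only amavis handing each message back on port 10025, so each message shows up under two queue IDs. Neither a closed port 25 nor the `smtpd_recipient_restrictions` in main.cf can stop that path. The script below is an added example, not part of the original post or of ISPConfig; it runs over a few constructed log lines modelled on the ones quoted above (hostnames, addresses and queue IDs are made up) and tallies messages and delivered recipients by how each one entered Postfix, skipping the loopback re-injection so nothing is counted twice.

```python
import re
import sys
from collections import defaultdict

# Constructed sample (not the poster's real log): hostnames, addresses and queue
# IDs are made up, but the line shapes are the ones quoted in the post.  Two
# messages are injected locally by uid 0 through pickup and then re-injected by
# the content filter on 127.0.0.1; one arrives over SMTP with a SASL login; one
# arrives over SMTP unauthenticated and is delivered to a local mailbox.
SAMPLE_LOG = """\
Dec 14 00:13:50 woody postfix/pickup[24000]: 0A2771321CC: uid=0 from=<root>
Dec 14 00:13:50 woody postfix/smtp[25828]: 0A2771321CC: to=<a@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.4, status=sent (250 2.0.0 Ok: queued as 370B713220F)
Dec 14 00:13:50 woody postfix/smtpd[24247]: 370B713220F: client=localhost.localdomain[127.0.0.1]
Dec 14 00:13:50 woody postfix/smtp[24475]: 370B713220F: to=<a@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=0.2, status=sent (250 ok)
Dec 14 00:13:50 woody postfix/pickup[24000]: 1EC511321ED: uid=0 from=<root>
Dec 14 00:13:50 woody postfix/smtp[25827]: 1EC511321ED: to=<b@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.8, status=sent (250 2.0.0 Ok: queued as 384BB13220B)
Dec 14 00:13:51 woody postfix/smtpd[24256]: 384BB13220B: client=localhost.localdomain[127.0.0.1]
Dec 14 00:13:51 woody postfix/smtp[24475]: 384BB13220B: to=<b@example.org>, relay=mx.example.org[203.0.113.6]:25, delay=0.3, status=sent (250 ok)
Dec 14 00:13:52 woody postfix/smtpd[24260]: 8B9A9132213: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=info@example.com
Dec 14 00:13:52 woody postfix/smtp[24480]: 8B9A9132213: to=<c@example.org>, relay=mx.example.org[203.0.113.6]:25, delay=0.3, status=sent (250 ok)
Dec 14 00:13:53 woody postfix/smtpd[24261]: 9C0A1132220: client=unknown[198.51.100.7]
Dec 14 00:13:53 woody postfix/local[24481]: 9C0A1132220: to=<root@woody.example>, relay=local, delay=0.1, status=sent (delivered to mailbox)
"""

# pickup = local submission through the sendmail binary; smtpd = network submission
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^\[\s]+)\[([^\]]+)\]"
                      r"(?:.*?sasl_username=(\S+))?")
DELIVERY_RE = re.compile(r"postfix/(?:smtp|lmtp|local|virtual|pipe)\[\d+\]: (\w+): "
                         r"to=<([^>]*)>.*?status=(\w+)")


def classify_origins(log_text):
    """Map queue ID -> (kind, detail) taken from the line that created the queue entry.
    kind is one of pickup, smtp-sasl, smtp-unauth, reinject (content filter on loopback)."""
    origins = {}
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            qid, uid, sender = m.groups()
            origins.setdefault(qid, ("pickup", f"uid={uid} from=<{sender}>"))
            continue
        m = SMTPD_RE.search(line)
        if m:
            qid, host, addr, user = m.groups()
            if addr in ("127.0.0.1", "::1"):
                origins.setdefault(qid, ("reinject", f"{host}[{addr}]"))
            elif user:
                origins.setdefault(qid, ("smtp-sasl", user))
            else:
                origins.setdefault(qid, ("smtp-unauth", f"{host}[{addr}]"))
    return origins


def summarize(log_text):
    """Count messages and successfully delivered recipients per origin.  Queue IDs
    created by the loopback re-injection are skipped, so a message that passes
    through amavis is counted once, under the origin that first accepted it."""
    origins = classify_origins(log_text)
    summary = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for qid, (kind, detail) in origins.items():
        if kind != "reinject":
            summary[f"{kind} {detail}"]["messages"] += 1
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        qid, rcpt, status = m.groups()
        kind, detail = origins.get(qid, ("unknown", "no origin line seen"))
        if kind != "reinject" and status == "sent":
            summary[f"{kind} {detail}"]["recipients"] += 1
    return dict(summary)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    rows = sorted(summarize(text).items(), key=lambda kv: -kv[1]["recipients"])
    for origin, counts in rows:
        print(f"{counts['recipients']:6d} rcpts {counts['messages']:6d} msgs  {origin}")
```

Run it against the real file (`python3 origins.py /var/log/mail.log`). A `pickup uid=0` line dominating the output says to look at cron jobs, scripts, web applications or a root shell on the host rather than at smtpd restrictions; a large `smtp-sasl <user>` entry points at a mailbox whose password has leaked; `smtp-unauth` traffic delivered to foreign domains is the only one of the three that an open-relay test would catch.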
  #2  
Old 16th December 2011, 12:49
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701

Please check if your server is an open relay: http://www.spamhelp.org/shopenrelay/
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #3  
Old 4th January 2012, 14:23
l.sergi
Junior Member
Join Date: Jan 2012
Posts: 3

I have the same problem

I have the same problem, and my server is not an open relay.

It's Postfix 2.8.7 compiled on Fedora 16.

Cyrus SASL (2.1.25) authentication is enabled with method PLAIN.
Users are in a MySQL DB hosted on another server.

Only ports 25, 53 and 22 are open.

220 myserver.mydomain.com ESMTP Postfix
EHLO xxx.com
250-mail2.tecnes.com
250-PIPELINING
250-SIZE 15000000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
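The open-relay check falko asks for in #2 and the EHLO transcript in #3 can both be done from one short client. The code below is an added example, not from the thread or from any HowtoForge guide: `probe_relay` speaks SMTP only as far as RCPT TO (it never sends DATA, so nothing is delivered) and reports whether an unauthenticated stranger may relay to a foreign domain, and whether AUTH is advertised without STARTTLS, which is what a `250-AUTH PLAIN` line with no `250-STARTTLS` beside it, as in #3, means: passwords would cross the wire in the clear. So that it runs offline, `FakePostfix` is a constructed stand-in for the server side that answers like a Postfix with `reject_unauth_destination` in place (hostname and local domains are borrowed from the main.cf in #1); `FakeOpenRelay` is the same server with that check removed.

```python
import smtplib
import socketserver
import threading


class FakePostfix(socketserver.StreamRequestHandler):
    """Minimal SMTP responder standing in for a Postfix that, like the one in #3,
    offers AUTH PLAIN on port 25 without STARTTLS.  With open_relay=False it acts
    like reject_unauth_destination: RCPT TO a foreign domain is refused for a
    client that is neither in mynetworks nor SASL-authenticated."""
    local_domains = {"woody.2fastweb.net", "localhost"}   # stands in for $mydestination
    open_relay = False

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 woody.2fastweb.net ESMTP Postfix")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd = raw.decode("latin-1").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250-woody.2fastweb.net")
                self.reply("250-AUTH PLAIN")        # advertised in the clear, as in #3
                self.reply("250 8BITMIME")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                rcpt = cmd.split(":", 1)[1].strip().strip("<>")
                domain = rcpt.rsplit("@", 1)[-1].lower()
                if self.open_relay or domain in self.local_domains:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply(f"554 5.7.1 <{rcpt}>: Relay access denied")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Error: command not recognized")


class FakeOpenRelay(FakePostfix):
    """Same server with reject_unauth_destination effectively missing."""
    open_relay = True


def start_server(handler):
    """Bind the fake MTA on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_relay(host, port, probe_from="probe@example.com", probe_to="victim@example.net"):
    """Go as far as RCPT TO with a foreign sender and a foreign recipient, then QUIT.
    A 250 on that RCPT means the host relays for anyone.  Also reports whether AUTH
    is offered without STARTTLS (credentials would travel in the clear)."""
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=10) as s:
        s.ehlo()
        auth_in_clear = s.has_extn("auth") and not s.has_extn("starttls")
        code, msg = s.mail(probe_from)
        if code == 250:
            code, msg = s.rcpt(probe_to)
            relays = code == 250
        else:
            relays = False
    return {"open_relay": relays,
            "last_reply": f"{code} {msg.decode(errors='replace')}",
            "auth_without_starttls": auth_in_clear}


if __name__ == "__main__":
    for handler in (FakePostfix, FakeOpenRelay):
        srv, port = start_server(handler)
        print(handler.__name__, probe_relay("127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
```

Against a real host call `probe_relay("mail.example", 25)`: `554 5.7.1 ... Relay access denied` on the foreign RCPT is the expected answer, a `250` means you are an open relay. A clean result here says nothing about the `pickup uid=0` traffic quoted in #1, which never passes through smtpd's restrictions at all.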
  #4  
Old 5th January 2012, 15:43
falko

What's in your mail log? Did you check if your server is already blacklisted ( http://www.mxtoolbox.com/blacklists.aspx )?
  #5  
Old 5th January 2012, 16:00
l.sergi

We aren't on the blacklist, since we stopped the spam quickly by preventing the root user from sending email locally.

In the main.cf we added:

authorized_submit_users = !root, static:anyone

The maillog during the problem looked something like this:

Dec 24 00:40:55 dns postfix/pickup[29510]: F25FF2C04A9: uid=0 from=<root>
Dec 24 00:40:55 dns postfix/cleanup[29575]: F25FF2C04A9: message-id=<20111223234055.F25FF2C04A9@mail2.tecnes.com>
Dec 24 00:40:56 dns postfix/qmgr[1028]: F25FF2C04A9: from=<root@mail2.tecnes.com>, size=358, nrcpt=1 (queue active)
Dec 24 00:40:56 dns postfix/smtp[29582]: F25FF2C04A9: to=<serverpoplavock@gmail.com>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.11, delays=0.08/0/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 16ECAD7B532)
Dec 24 00:40:56 dns postfix/qmgr[1028]: F25FF2C04A9: removed
Dec 24 00:40:56 dns postfix/pickup[29510]: 10ED42C04A9: uid=0 from=<root>
Dec 24 00:40:56 dns postfix/cleanup[29575]: 10ED42C04A9: message-id=<20111223234056.10ED42C04A9@mail2.tecnes.com>
Dec 24 00:40:56 dns postfix/qmgr[1028]: 10ED42C04A9: from=<root@mail2.tecnes.com>, size=1125, nrcpt=1 (queue active)
Dec 24 00:40:56 dns postfix/smtp[29576]: 10ED42C04A9: to=<youngwhitedude69@gmail.com>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.09, delays=0.07/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 297BAD7B592)
Dec 24 00:40:56 dns postfix/qmgr[1028]: 10ED42C04A9: removed
Dec 24 00:40:56 dns postfix/pickup[29510]: 23D7C2C04A9: uid=0 from=<root>
Dec 24 00:40:56 dns postfix/cleanup[29575]: 23D7C2C04A9: message-id=<20111223234056.23D7C2C04A9@mail2.tecnes.com>
Dec 24 00:40:56 dns postfix/qmgr[1028]: 23D7C2C04A9: from=<root@mail2.tecnes.com>, size=1122, nrcpt=1 (queue active)
Dec 24 00:40:56 dns postfix/smtp[29582]: 23D7C2C04A9: to=<knuff1965@hotmail.co.uk>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.09, delays=0.07/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3C3DAD7B5E3)
Dec 24 00:40:56 dns postfix/qmgr[1028]: 23D7C2C04A9: removed
Dec 24 00:40:56 dns postfix/pickup[29510]: 389D42C04A9: uid=0 from=<root>
Dec 24 00:40:56 dns postfix/cleanup[29575]: 389D42C04A9: message-id=<20111223234056.389D42C04A9@mail2.tecnes.com>
Dec 24 00:40:56 dns postfix/qmgr[1028]: 389D42C04A9: from=<root@mail2.tecnes.com>, size=1128, nrcpt=1 (queue active)
Dec 24 00:40:56 dns postfix/pickup[29510]: 4409D2C04A7: uid=0 from=<root>
Dec 24 00:40:56 dns postfix/smtp[29583]: 389D42C04A9: to=<rockfortherockaus@yahoo.co.uk>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.11, delays=0.09/0/0/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 529CFD7B6DF)
Dec 24 00:40:56 dns postfix/qmgr[1028]: 389D42C04A9: removed
Dec 24 00:40:56 dns postfix/cleanup[29575]: 4409D2C04A7: message-id=<20111223234056.4409D2C04A7@mail2.tecnes.com>
Dec 24 00:40:56 dns postfix/qmgr[1028]: 4409D2C04A7: from=<root@mail2.tecnes.com>, size=1129, nrcpt=1 (queue active)
Dec 24 00:40:56 dns postfix/pickup[29510]: 5AA122C04CE: uid=0 from=<root>
Dec 24 00:40:56 dns postfix/smtp[29576]: 4409D2C04A7: to=<nathan_jackman1998@hotmail.com>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.12, delays=0.1/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 695C7D7BAA9)
Dec 24 00:40:56 dns postfix/qmgr[1028]: 4409D2C04A7: removed
  #6  
Old 6th January 2012, 12:56
falko

Have you updated all your web applications? Maybe the spammers abuse a vulnerable contact form or something like that.

This link might be of interest: http://www.howtoforge.com/how-to-log...tect-form-spam
  #7  
Old 6th January 2012, 13:43
l.sergi

There are no web applications on this server. Just Postfix with SASL authentication and DNS.

We had the same problem on another Postfix server. In that case there was no DNS. So we can exclude DNS as the cause.

I think there may be a vulnerability in Postfix + SASL, but I'm not sure.
  #8  
Old 7th January 2012, 12:26
falko

Have you tried to change all your passwords?

Also, please run chkrootkit or rkhunter to find out if there's malware installed on your server.
  #9  
Old 15th July 2013, 12:39
joseluisillo
Junior Member
Join Date: Jul 2013
Posts: 1

Most likely an autoresponder

That happened to me because one of the email accounts had an autoresponder on, and the reply mails were generated by the root user.

The delivery addresses were strange because it was also responding to the spam it received.
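The autoresponder case in #9 is the classic backscatter loop: spam arrives with forged sender addresses, the responder answers every one of them, and the answers leave the box as locally submitted mail from root, which is exactly what the `pickup uid=0 from=<root>` lines earlier in the thread look like. A responder has to refuse to answer anything automatic, any bounce, any list traffic and anything the content filter already flagged, and it has to rate-limit per sender. The code below is an added example and is not ISPConfig's autoresponder: `X-Spam-Flag` is the header amavisd-new adds by default and is an assumption about the filter in use, `seen` is a caller-supplied dict standing in for whatever persistent store a real responder keeps, and the two sample messages are constructed. `build_autoreply` shows the other half of the contract: the reply itself carries `Auto-Submitted: auto-replied` and goes out with a null envelope sender, so other responders and bounce handlers will not answer it in turn.

```python
import email
import time
from email import policy
from email.message import EmailMessage

# Constructed samples (not from the thread): one message from a person and one
# piece of spam that the content filter has already tagged.
SAMPLE_HUMAN = """\
From: Alice <alice@example.org>
To: info@example.com
Subject: Question about hosting
Message-ID: <1234@example.org>

Hi, do you still have the small plan?
"""

SAMPLE_SPAM = """\
From: "Bank" <noreply@example.net>
To: info@example.com
Subject: Verify your account
Message-ID: <abc@example.net>
X-Spam-Flag: YES
X-Spam-Score: 9.875

Click here.
"""


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.default)


def should_autoreply(raw_message, envelope_sender, seen, now=None, window=86400):
    """Decide whether an autoresponder may answer this message.
    envelope_sender is the MAIL FROM address (empty for bounces and DSNs);
    seen maps lower-cased sender -> time of the last reply we sent, so each
    sender is answered at most once per window seconds.  Returns (allowed, reason)."""
    msg = parse_message(raw_message)
    now = time.time() if now is None else now
    if not envelope_sender:                                  # bounce / DSN: MAIL FROM:<>
        return False, "null envelope sender"
    local = envelope_sender.split("@", 1)[0].lower()
    if local in ("mailer-daemon", "postmaster") or local.startswith(("owner-", "bounces")):
        return False, "mailer or list owner address"
    auto = (msg.get("Auto-Submitted") or "no").lower()
    if auto != "no":                                         # RFC 3834: auto-generated/replied
        return False, f"Auto-Submitted: {auto}"
    if (msg.get("Precedence") or "").lower() in ("bulk", "list", "junk"):
        return False, "Precedence: bulk/list/junk"
    if any(h in msg for h in ("List-Id", "List-Unsubscribe", "X-Autoreply")):
        return False, "mailing-list or autoreply header present"
    if (msg.get("X-Spam-Flag") or "").upper() == "YES":      # amavisd-new's default tag header
        return False, "flagged as spam by the content filter"
    key = envelope_sender.lower()
    last = seen.get(key)
    if last is not None and now - last < window:
        return False, "already answered within the rate-limit window"
    seen[key] = now
    return True, "ok"


def build_autoreply(original, our_address, text):
    """Build the reply the way RFC 3834 asks: Auto-Submitted header, threaded to the
    original, and sent with the null envelope sender (returned as the second value,
    to be used as MAIL FROM:<>) so it can never itself be answered or bounced back."""
    reply = EmailMessage()
    reply["From"] = our_address
    reply["To"] = str(original.get("Reply-To") or original["From"])
    reply["Subject"] = "Auto: " + str(original.get("Subject") or "")
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    if original.get("Message-ID"):
        reply["In-Reply-To"] = str(original["Message-ID"])
    reply.set_content(text)
    return reply, ""


if __name__ == "__main__":
    seen = {}
    for raw in (SAMPLE_HUMAN, SAMPLE_SPAM):
        m = parse_message(raw)
        sender = m["From"].addresses[0].addr_spec   # demo only; use the real MAIL FROM
        print(m["Subject"], "->", should_autoreply(raw, sender, seen))
```

The decision is keyed on the envelope sender, not on `From:`, because that is the address any reply will actually be delivered to; a spam run with a forged `From:` and a null or throwaway envelope sender is refused on the first test.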