HowtoForge Forums > ISPConfig 2 > General

#1
21st March 2010, 02:25
provell (Member)

Mail server compromised and sending out spam HELP!

Hi,

My server is sending large amounts of spam.
If I check the mail log files, they are sometimes 350 MB because of all the mail that is sent.

This is what is in the logging:
01.mx.aol.com[64.12.90.1] refused to talk to me: 554 5.7.1 : (RLY:B1) http://postmaster.info.aol.com/errors/554rlyb1.html)
Mar 19 06:30:41 websrv01 postfix/qmgr[21354]: 1564377C1E5: to=<flute1inc@aol.com>, relay=none, delay=275693, delays=275477/217/0/0, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.90.1] refused to talk to me: 554 5.7.1 : (RLY:B1) http://postmaster.info.aol.com/errors/554rlyb1.html)
Mar 19 06:30:41 websrv01 postfix/qmgr[21354]: 1564377C1E5: to=<fluteacher@aol.com>, relay=none, delay=275693, delays=275477/217/0/0, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.90.1] refused to talk to me: 554 5.7.1 : (RLY:B1) http://postmaster.info.aol.com/errors/554rlyb1.html)
Mar 19 06:30:41 websrv01 postfix/qmgr[21354]: 1564377C1E5: to=<flutejourn@aol.com>, relay=none, delay=275693, delays=275477/217/0/0, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.90.1] refused to talk to me: 554 5.7.1 : (RLY:B1)

I'm unable to see who the user is that sends it.
The mail logging just says that a mail is sent to someone.
I can't find out if it is the server or some client.

Is there a way to see who sends these mails?
What is the best logging to check for this?

Thanks in advance for your help.
#2
21st March 2010, 13:01
till (Super Moderator, Lüneburg, Germany)

In most cases, such spam is sent through a vulnerable script or contact form. Take a look at this howto to find the spam source if it's a PHP script:

http://www.howtoforge.com/how-to-log...tect-form-spam
-- Till Brehm
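The howto Till links to is about logging PHP mail() calls so that the script behind the spam can be found. As an added example (not the howto's own code and not from this thread), here is a wrapper of the kind php.ini's sendmail_path can point at: PHP hands every mail() message to it on stdin, it records the working directory, user, arguments and key headers in one audit line, and then passes the unchanged message to the real sendmail. The paths, the log file name and the php.ini line are assumptions. One caveat the rest of this thread bears out: such a wrapper only sees mail injected by local scripts; mail submitted over SMTP with a stolen SASL password never passes through it.

```python
#!/usr/bin/env python3
"""phpsendmail: log who called PHP's mail() before passing the message on.

Added example (not from the thread or the linked howto). Assumed deployment:
  php.ini            sendmail_path = "/usr/local/bin/phpsendmail -t -i"
  real MTA client    /usr/sbin/sendmail (Postfix's sendmail-compatible binary)
PHP runs sendmail_path with the message on stdin, so this script sees the same
arguments and environment PHP had, writes one audit line, then runs the MTA.
"""
import os
import pwd
import subprocess
import sys
import time
from email.parser import BytesParser
from email.policy import default as default_policy

REAL_SENDMAIL = "/usr/sbin/sendmail"        # assumed path
LOG_FILE = "/var/log/php-mail-callers.log"  # assumed path; must be writable by the web server user


def summarize_call(raw_message, argv, cwd, uid, env):
    """Build the audit record for one mail() call.

    cwd is PHP's working directory: mod_php normally runs a script from the
    directory it lives in, so this usually names the vhost and script that
    sent the mail. SCRIPT_FILENAME / DOCUMENT_ROOT are only present in the
    environment under the CGI/FastCGI SAPIs, so they are recorded when set.
    """
    msg = BytesParser(policy=default_policy).parsebytes(raw_message, headersonly=True)
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
        "uid": uid,
        "user": user,
        "cwd": cwd,
        "script": env.get("SCRIPT_FILENAME", "-"),
        "docroot": env.get("DOCUMENT_ROOT", "-"),
        "argv": " ".join(argv),
        "from": str(msg.get("From", "-")),
        "to": str(msg.get("To", "-")),
        "subject": str(msg.get("Subject", "-")),
        "size": len(raw_message),
    }


def _flat(value):
    # CR/LF are squashed so a crafted Subject cannot forge extra log entries.
    return str(value).replace("\r", " ").replace("\n", " ")


def format_record(rec):
    """One tab-separated line per call, grep-friendly."""
    fields = ["time", "user", "cwd", "script", "from", "to", "subject", "size", "argv"]
    return "\t".join(f"{key}={_flat(rec[key])}" for key in fields)


def main():
    raw = sys.stdin.buffer.read()
    rec = summarize_call(raw, sys.argv[1:], os.getcwd(), os.getuid(), os.environ)
    try:
        with open(LOG_FILE, "a", encoding="utf-8") as fh:
            fh.write(format_record(rec) + "\n")
    except OSError as exc:
        # Never lose mail because the audit log is unwritable; just complain on stderr.
        print(f"phpsendmail: cannot write {LOG_FILE}: {exc}", file=sys.stderr)
    # Hand the unchanged message and PHP's arguments (-t -i, optional -f) to the MTA.
    return subprocess.run([REAL_SENDMAIL, *sys.argv[1:]], input=raw).returncode


if __name__ == "__main__":
    sys.exit(main())
```

Install it executable, create the log file writable by the web server user, set sendmail_path in php.ini and restart Apache; when the next run starts, the cwd and script fields that repeat thousands of times in the log point straight at the abused form.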
#3
21st March 2010, 16:15
provell (Member)

php

OK, I will install and run the script.
I do have some "forms" that mail with the use of PHP scripts.

For these PHP scripts (forms) that are misused to create the spam mail, there is an option to have those "weird letters" you have to type in before you are able to confirm/send.
Would that be the key to never having this problem again, or is it just an extra precaution?

And if it was one of my clients who had a problem, would turning on the spam filter help? Or is this just for incoming mail?

Anyway, thanks for the script and information so far.
#4
23rd March 2010, 22:59
provell (Member)

postsuper

Hi,

I set up the "formcheck" like you advised through:
http://www.howtoforge.com/how-to-log...tect-form-spam

The tests were OK, so the script works.
But when the spamming from my server began again, the log file was empty.

Then I did an apt-get update and upgrade.
I also updated from ISPConfig 2.2.27 to 2.2.35.
Still the spamming went on.

When "grepping" through the enormous log file I can't find out who is sending the mails; I can only see a to=userx@aol.com and so on.
The from=usery@lawyer.com is not hosted on my server, and it seems to change from time to time to some other user.

I followed up the advice on rkhunter and chkrootkit, but they did not alarm me with anything to worry about.
In fact 99% was OK; just 3 hidden directories in /dev were pointed out to me.
They seem to hold no strange files.

THEN I did what stopped the spamming the last time!!
I deleted the whole Postfix queue with the following command:
postsuper -d ALL

It then deleted some 2000 mails and the spamming stops (for now).
Do you have any idea why that helps?

So it is not PHP form abuse.
I checked the server thoroughly; what could it be?
Any ideas where or what I should be checking would be much appreciated.

Thanks for your help in advance.
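postsuper -d ALL stops the run only because it throws away the queued spam, and it throws away every legitimate message waiting in the queue with it. The following added example (not from the thread) parses the listing printed by postqueue -p (the same output mailq gives) and hands only the matching queue IDs to postsuper -d -, which reads one ID per line from stdin. The sample listing is constructed in that format from the addresses seen in this thread; the sender pattern is whatever the spam run is using at the time.

```python
#!/usr/bin/env python3
"""Delete only selected messages from the Postfix queue.

Added example, not from the thread. It parses the output of `postqueue -p`
(the listing `mailq` prints) and feeds the chosen queue IDs to
`postsuper -d -`, which reads one ID per line from stdin, so legitimate mail
stays queued while the spam run is removed.
"""
import re
import subprocess
import sys

# One record per message: "QUEUEID SIZE ARRIVAL SENDER" (ID suffixed with '*'
# when active, '!' when on hold), optional "(deferral reason)" lines, then one
# indented recipient per line, then a blank line.
_HEADER = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<state>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)\s*$"
)

# Constructed sample in postqueue -p format, using the addresses seen in the thread.
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
1564377C1E5     3621 Fri Mar 19 06:30:41  usery@lawyer.com
(delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.90.1] refused to talk to me: 554 5.7.1)
                                         flute1inc@aol.com
                                         fluteacher@aol.com

2A7B3C9D0E1*    1204 Fri Mar 19 06:31:02  usery@lawyer.com
                                         someone@example.net

3F0E1D2C4B5      987 Fri Mar 19 06:32:15  alice@example.org
                                         bob@example.com

-- 5 Kbytes in 3 Requests.
"""


def parse_queue(text):
    """Return a list of {id, state, size, sender, recipients, reason} dicts."""
    entries, current = [], None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = {"id": m["qid"], "state": m["state"], "size": int(m["size"]),
                       "sender": m["sender"], "recipients": [], "reason": ""}
            entries.append(current)
        elif current is None or not line.strip():
            current = None  # banner, trailer, or the blank line that ends a record
        elif line.startswith("("):
            current["reason"] = line.strip("() ")
        else:
            current["recipients"].append(line.strip())
    return entries


def select_ids(entries, sender_re=None, recipient_re=None):
    """Queue IDs whose sender matches sender_re and/or any recipient matches recipient_re."""
    chosen = []
    for e in entries:
        if sender_re and not re.search(sender_re, e["sender"]):
            continue
        if recipient_re and not any(re.search(recipient_re, r) for r in e["recipients"]):
            continue
        chosen.append(e["id"])
    return chosen


def delete_from_queue(ids, dry_run=True):
    """Hand the IDs to `postsuper -d -` (needs root on the Postfix host)."""
    if not ids:
        return 0
    if dry_run:
        print("would delete:", " ".join(ids))
        return len(ids)
    subprocess.run(["postsuper", "-d", "-"], input="\n".join(ids) + "\n",
                   text=True, check=True)
    return len(ids)


if __name__ == "__main__":
    # usage: queue-purge.py '<sender regex>' [--really]
    pattern = sys.argv[1] if len(sys.argv) > 1 else r"^usery@lawyer\.com$"
    listing = subprocess.run(["postqueue", "-p"], capture_output=True,
                             text=True, check=True).stdout
    ids = select_ids(parse_queue(listing), sender_re=pattern)
    print(delete_from_queue(ids, dry_run="--really" not in sys.argv), "message(s)")
```

Run it without --really first and compare the printed IDs with postqueue -p; before deleting, postcat -q on one of them shows the full queue file, which is worth keeping as evidence of where the mail came from.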
#5
24th March 2010, 14:31
falko (Super Moderator, Lüneburg, Germany)

Are there any non-PHP web applications (e.g. Perl, Python, Ruby, etc.) that could be abused?
-- Falko
#6
24th March 2010, 19:28
provell (Member)

postcat -q nnnnn

Well, I finally succeeded in removing the spam problem.
Wow! This is something I don't want to happen ever again.

Till gave an option to someone in the forum to use the command postcat -q.
That gave me a nice description of who the sasl_username was that was sending the mail.
Once I changed the password of that user, the spamming stopped.

This is obviously not the fault of ISPConfig and not of a good working Debian system, but it did happen.
One million mails every day for a couple of days!!!
Now I have set up all kinds of grepping bash files that inform me through mail, so I at least know right away that this is happening.
If there are any other suggestions to prevent this in the future, they are welcome!

Final questions:
How do I get myself back on track with all the other mail servers?
Getting off the blacklist listings and such?

I checked out the mtoolbox site and mailed all the blacklisted parties.
Is there anything else I can do, apart from the obvious, which is not spamming?

Thanks for all your help in this matter.
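The sasl_username that postcat -q revealed is also in the mail log, and the log gives per-account numbers without opening queue files one by one. As an added example (not the poster's grep scripts and not from this thread), the following joins Postfix's two log lines for each submission: the smtpd line with the queue ID, client IP and sasl_username, and the qmgr line for the same queue ID with the envelope sender and recipient count (nrcpt). Per account it then reports messages, recipients, how many different client IPs logged in and which sender addresses were used; one account pushing hundreds of recipients from several unrelated IPs under foreign sender addresses is the pattern described in this thread. The sample log lines are constructed in Postfix's format and the thresholds are arbitrary defaults.

```python
#!/usr/bin/env python3
"""Find the SASL account behind a spam run from the Postfix log.

Added example, not from the thread. Postfix logs an authenticated submission
as a smtpd line carrying the queue ID, client IP and sasl_username, followed
by a qmgr line for the same queue ID with the envelope sender and nrcpt.
Joining the two on the queue ID gives per-account totals. Messages that enter
through pickup (a local script) have no sasl line and are deliberately left
out, so this complements, rather than replaces, the PHP form logging.
"""
import re
import sys
from collections import defaultdict

SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=\S*?\[(?P<ip>[^\]]+)\]"
    r".*?sasl_username=(?P<user>[^,\s]+)"
)
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)"
)

# Constructed sample lines (account names and IPs are made up).
SAMPLE_LOG = """\
Mar 19 06:30:41 websrv01 postfix/smtpd[21201]: 1564377C1E5: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=web5_info
Mar 19 06:30:41 websrv01 postfix/qmgr[21354]: 1564377C1E5: from=<usery@lawyer.com>, size=3621, nrcpt=200 (queue active)
Mar 19 06:30:55 websrv01 postfix/smtpd[21201]: 2A7B3C9D0E1: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=web5_info
Mar 19 06:30:56 websrv01 postfix/qmgr[21354]: 2A7B3C9D0E1: from=<usery@lawyer.com>, size=3598, nrcpt=200 (queue active)
Mar 19 06:31:10 websrv01 postfix/smtpd[21203]: 3F0E1D2C4B5: client=unknown[203.0.113.99], sasl_method=PLAIN, sasl_username=web5_info
Mar 19 06:31:10 websrv01 postfix/qmgr[21354]: 3F0E1D2C4B5: from=<userz@lawyer.com>, size=3602, nrcpt=200 (queue active)
Mar 19 06:31:25 websrv01 postfix/smtpd[21203]: 4B5C6D7E8F9: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=web5_info
Mar 19 06:31:25 websrv01 postfix/qmgr[21354]: 4B5C6D7E8F9: from=<userz@lawyer.com>, size=3611, nrcpt=200 (queue active)
Mar 19 07:15:03 websrv01 postfix/smtpd[21330]: 5C6D7E8F9A0: client=home.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=web2_bob
Mar 19 07:15:03 websrv01 postfix/qmgr[21354]: 5C6D7E8F9A0: from=<bob@example.org>, size=1450, nrcpt=1 (queue active)
Mar 19 07:20:44 websrv01 postfix/pickup[21300]: 6D7E8F9A0B1: uid=33 from=<www-data>
Mar 19 07:20:44 websrv01 postfix/qmgr[21354]: 6D7E8F9A0B1: from=<www-data@websrv01.example.org>, size=900, nrcpt=1 (queue active)
"""


def sasl_account_stats(lines):
    """Aggregate per sasl_username by joining smtpd and qmgr lines on the queue ID."""
    pending = {}
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                 "client_ips": set(), "senders": set(), "queue_ids": []})
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            pending[m["qid"]] = (m["user"], m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in pending:
            user, ip = pending.pop(m["qid"])
            s = stats[user]
            s["messages"] += 1
            s["recipients"] += int(m["nrcpt"])
            s["client_ips"].add(ip)
            s["senders"].add(m["sender"])
            s["queue_ids"].append(m["qid"])
    return dict(stats)


def flag_accounts(stats, max_recipients=500, max_client_ips=3):
    """Accounts that look abused: too many recipients, or logins from too many IPs."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["recipients"] >= max_recipients:
            reasons.append(f"{s['recipients']} recipients in {s['messages']} messages")
        if len(s["client_ips"]) >= max_client_ips:
            reasons.append(f"submitted from {len(s['client_ips'])} client IPs")
        if reasons:
            flagged[user] = reasons
    return flagged


def main(path=None):
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            stats = sasl_account_stats(fh)
    else:
        stats = sasl_account_stats(SAMPLE_LOG.splitlines())
    for user, reasons in flag_accounts(stats).items():
        first = stats[user]["queue_ids"][0]
        print(f"{user}: {'; '.join(reasons)}; senders {sorted(stats[user]['senders'])}; "
              f"inspect with: postcat -q {first}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against /var/log/mail.log from cron and mail the output; the account it names is the password to change, and the distinct client IPs are worth a temporary block while the queue is cleaned.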
#7
26th March 2010, 02:07
falko (Super Moderator, Lüneburg, Germany)

I'd install fail2ban to prevent brute-force attacks to sniff out your passwords.
-- Falko
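Falko's suggestion, worked through as an added example (neither his code nor fail2ban's): every rejected SMTP login appears in the Postfix log as a "postfix/smtpd[...]: warning: host[ip]: SASL LOGIN authentication failed: ..." line, and what fail2ban does with those lines is keep a sliding window per client IP and ban the IP once it has maxretry failures within findtime seconds. The code below reproduces that rule on constructed sample lines so the log format and the thresholds can be checked against a real mail.log before relying on them; the ban command and the maxretry/findtime values are assumptions. fail2ban ships a filter for these lines (named sasl in the 0.8 series and postfix-sasl in later releases), so on the server itself one enables that jail rather than running this script.

```python
#!/usr/bin/env python3
"""Spot SASL password guessing in the Postfix log, fail2ban style.

Added example, not from the thread. Every rejected login shows up as a
"postfix/smtpd[...]: warning: host[ip]: SASL <mechanism> authentication
failed: ..." line. offenders() keeps a sliding window per client IP and
reports an IP as soon as it has `maxretry` failures within `findtime`
seconds, which is the rule fail2ban applies before inserting a firewall ban.
The sample lines are constructed; the thresholds are assumptions.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S*?\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed"
)

# Constructed sample: one guessing run, one user mistyping twice, one slow run.
SAMPLE_LOG = """\
Mar 19 06:30:41 websrv01 postfix/smtpd[21201]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 19 06:30:50 websrv01 postfix/smtpd[21201]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 19 06:31:02 websrv01 postfix/smtpd[21203]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Mar 19 06:31:11 websrv01 postfix/smtpd[21203]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 19 06:31:20 websrv01 postfix/smtpd[21205]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 19 06:31:29 websrv01 postfix/smtpd[21205]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 19 06:40:00 websrv01 postfix/smtpd[21210]: warning: home.example.net[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar 19 06:40:09 websrv01 postfix/smtpd[21210]: warning: home.example.net[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar 19 06:40:30 websrv01 postfix/smtpd[21210]: 4B5C6D7E8F9: client=home.example.net[203.0.113.5], sasl_method=LOGIN, sasl_username=web2_bob
Mar 19 07:00:00 websrv01 postfix/smtpd[21220]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 19 07:25:00 websrv01 postfix/smtpd[21222]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 19 07:50:00 websrv01 postfix/smtpd[21224]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 19 08:15:00 websrv01 postfix/smtpd[21226]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 19 08:40:00 websrv01 postfix/smtpd[21228]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""


def parse_ts(line, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def offenders(lines, maxretry=5, findtime=600, year=2010):
    """Return {ip: time of the failure that crossed the threshold}."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m or m["ip"] in banned:
            continue
        ts = parse_ts(line, year)
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned[m["ip"]] = ts
    return banned


def ban_command(ip):
    """Roughly what fail2ban's iptables action inserts (assumed; adapt to your firewall)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = offenders(fh, year=datetime.now().year)
    else:
        found = offenders(SAMPLE_LOG.splitlines())
    for ip, when in found.items():
        print(f"{ip} crossed the threshold at {when:%b %d %H:%M:%S}: {' '.join(ban_command(ip))}")
```

With the defaults, the fast run from 192.0.2.10 is reported at its fifth failure while the two typos from 203.0.113.5 and the slow run from 198.51.100.7 are not; widening findtime to two hours catches the slow run too, which is the trade-off to tune in jail.local. Note that a ban only stops guessing from outside: a password that was phished or read from an infected client PC still works, so the account's own sending volume needs watching as well.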