
7th January 2009, 00:13
Member (Join Date: Jul 2006, Posts: 84)
Mail server attempting to send out 1000s of SPAM emails
Hi All,
I am running 2.2.27, CentOS 5.2. It has been running for over 2 years without a hiccup. I woke up this morning to 20,000 emails in my work inbox (a separate domain from ISPConfig; I receive all emails for root).
I checked the mail logs on the mail server and they are full of emails being generated by the local machine, which are trying to be relayed out to any and all mail servers. I have already received a warning from Yahoo about excessive traffic.
Here is a grab from the maillogs
Jan 7 10:01:48 web postfix/qmgr[3442]: D16EC2028D00: to=<jasantos7@yahoo.com.br>, relay=none, delay=15492, delays=15158/333/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to c.mx.mail.yahoo.com[216.39.53.2]: Connection timed out)
and this
web postfix/smtp[4749]: 356182029285: to=<jbsilva@yahoo.com.br>, relay=e.mx.mail.yahoo.com[216.39.53.1]:25, delay=4108, delays=3795/0.07/313/0, dsn=4.7.0, status=deferred (host e.mx.mail.yahoo.com[216.39.53.1] refused to talk to me: 421 4.7.0 [TS01] Messages from 203.89.212.187 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
I have run a test for rootkits and viruses (rkhunter) and it came up clean. I checked it with an open relay test and it passed all tests. I have made no modifications to the Perfect Setup and, as I said, it has been running flawlessly for 2 years.
Please help, I am not sure where to look next... let me know if you need any more information.
Kind Regards
Matt

7th January 2009, 10:45
Super Moderator (Join Date: Apr 2005, Location: Lüneburg, Germany, Posts: 31,872)
The most common scenarios are:
1) One of your email accounts has too simple a password. You can check this in the mail log: see whether the spam mails have been sent by an authenticated user.
2) One of your websites runs a vulnerable CMS or contact form script which is misused to send the spam.
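One way to run the check Till describes over the whole mail log, as an added example that is not part of this thread: Postfix tags authenticated submissions with sasl_username= on the smtpd line, while a web script calling sendmail shows up either as a pickup line (uid=48 from=<apache>) or as an smtpd session from 127.0.0.1 with no SASL. The script groups every queue ID by how it entered the queue and counts its recipients. The log lines are constructed samples in the real Postfix format; host names and IPs are placeholders.

```shell
#!/bin/sh
# Added example: classify how each queued message entered Postfix, from maillog alone.
#   AUTH-SMTP      smtpd line carries sasl_username=   (scenario 1: stolen/weak password)
#   LOCAL-PICKUP   pickup line "uid=NN from=<apache>"   (scenario 2: sendmail call by the web server)
#   LOCAL-SMTP     smtpd session from 127.0.0.1, no SASL (scenario 2 via a sendmail MSP relaying to localhost:25)
#   REMOTE-NOAUTH  smtpd session from elsewhere, no SASL (inbound mail; relaying if recipients are remote)
# SAMPLE_LOG is constructed for this example; addresses and IPs are placeholders.
SAMPLE_LOG='Jan  8 09:08:48 web postfix/smtpd[1835]: E8D1418200B2: client=host-10.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=web1_forthe
Jan  8 09:08:49 web postfix/smtp[1840]: E8D1418200B2: to=<someone@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=1, status=sent (250 Ok)
Jan  7 09:27:32 web postfix/smtpd[6090]: 0CD50202952A: client=web.example.com[127.0.0.1]
Jan  7 09:27:33 web postfix/qmgr[3442]: 0CD50202952A: to=<jcaldas@example.com>, relay=none, delay=1, status=deferred (delivery temporarily suspended)
Jan  7 09:27:33 web postfix/qmgr[3442]: 0CD50202952A: to=<second@example.com>, relay=none, delay=1, status=deferred (delivery temporarily suspended)
Jan  7 09:30:00 web postfix/pickup[3441]: 1AB2C3D4E5F6: uid=48 from=<apache>
Jan  7 09:30:01 web postfix/smtp[6101]: 1AB2C3D4E5F6: to=<third@example.com>, relay=mx.example.com[203.0.113.9]:25, delay=1, status=deferred (451 ACCESS DENIED)
Jan  7 09:31:00 web postfix/smtpd[6110]: 9F8E7D6C5B4A: client=unknown[203.0.113.77]
Jan  7 09:31:00 web postfix/smtpd[6110]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 554 5.7.1 Relay access denied'

# Reads maillog lines on stdin; prints "<queue-id> <class> <detail> nrcpt=<n>", sorted by ID.
classify_submissions() {
  awk '
    function qid(s) { sub(/:$/, "", s); return s }          # "E8D1418200B2:" -> "E8D1418200B2"
    # smtpd accepted a message: field 6 is the queue ID, field 7 the client=host[ip]
    $5 ~ /^postfix\/smtpd\[/ && $7 ~ /^client=/ && $6 != "NOQUEUE:" {
      id = qid($6); client = $7; sub(/^client=/, "", client); sub(/,$/, "", client)
      if ($0 ~ /sasl_username=/) {
        u = $0; sub(/.*sasl_username=/, "", u); sub(/[ ,].*$/, "", u)
        cls[id] = "AUTH-SMTP"; det[id] = u
      } else if (client ~ /\[(127\.0\.0\.1|::1)\]$/) {
        cls[id] = "LOCAL-SMTP"; det[id] = client
      } else {
        cls[id] = "REMOTE-NOAUTH"; det[id] = client
      }
      next
    }
    # local submission through the maildrop queue (sendmail binary -> pickup)
    $5 ~ /^postfix\/pickup\[/ { id = qid($6); cls[id] = "LOCAL-PICKUP"; det[id] = $7; next }
    # one delivery attempt per recipient, logged by qmgr or the delivery agent
    $5 ~ /^postfix\/(qmgr|smtp|local|error)\[/ && $7 ~ /^to=</ { rcpt[qid($6)]++ }
    END { for (id in cls) printf "%s %s %s nrcpt=%d\n", id, cls[id], det[id], rcpt[id] + 0 }
  ' | sort
}

# Queue IDs that were accepted without SASL authentication and have recipients:
# these are the ones to open with postcat -q.
unauthenticated_with_recipients() {
  classify_submissions | awk '$2 != "AUTH-SMTP" && $4 != "nrcpt=0" { print $1 }'
}

# Stand-alone run against the sample; on the real box: classify_submissions < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | classify_submissions
```

If every spam queue ID comes back as LOCAL-PICKUP or LOCAL-SMTP, no mailbox password is involved and the sender is a process on the box itself; if any come back AUTH-SMTP, the sasl_username shown is the account to lock and reset.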

7th January 2009, 11:13
Member (Join Date: Jul 2006, Posts: 84)
Quote: Originally Posted by till
The most common scenarios are:
1) One of your email accounts has too simple a password. You can check this in the mail log: see whether the spam mails have been sent by an authenticated user.
2) One of your websites runs a vulnerable CMS or contact form script which is misused to send the spam.
Till,
Thanks for showing me where to look. All I am seeing in the logs are lines like this:
Jan 7 20:57:10 web postfix/qmgr[3538]: 83F1B20291AC: to=<jblima@dianet.com.br>, relay=none, delay=46688, delays=46638/50/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ironx.multdia.com.br[200.166.104.28]: Connection refused)
and this
Jan 7 20:57:37 web postfix/smtp[29005]: B42BA2028B3E: to=<jarocha@barroco.com.br>, relay=unix.barroco.com.br[200.214.148.133]:25, conn_use=13, delay=61232, delays=61159/72/0.37/0.74, dsn=4.0.0, status=deferred (host unix.barroco.com.br[200.214.148.133] said: 451 ACCESS DENIED! YOU ARE IN MY SPAM BLACKLIST! (in reply to RCPT TO command))
Does that give any clue as to whether it is an authenticated user?
I had a hunch it may have been a web form. If I stop httpd and this stops the SPAM, would that then point to that scenario?
EDIT: I stopped httpd but the emails are still coming. Do I need to check each website for a vulnerable contact script? Goodness, we have more than 50 sites on the server.
Kind Regards
Matt
Last edited by punto; 7th January 2009 at 11:16.

8th January 2009, 03:11
Member (Join Date: Jul 2006, Posts: 84)
Well, this problem is persisting.
The mail logs haven't helped me determine whether it is an authenticated user; I don't think it is. So I am slowly going through each website to try and find a rogue script or the like.
One thing I have noticed is that all the emails are trying to be delivered to 2 or 3 domains only. Can you please tell me what I need to add to my Postfix configuration file to prevent my mail server from trying to send to specific domains?
For example, one of the domains is barroco.com.br, so any emails that are trying to be sent to this domain should not be allowed. It is only a workaround, but at least it will cut down the SPAM and buy me a little time while I try and pinpoint the problem.
Many thanks
Matt
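The workaround asked for above, as an added example rather than an answer given in the thread: a Postfix transport map can route every recipient in a named domain to the error: transport, so nothing for that domain is ever handed to the remote MX, and postsuper can then delete what is already sitting in the deferred queue for it. The domain list, file paths (stock CentOS 5 layout) and the postqueue -p output are constructed for this example.

```shell
#!/bin/sh
# Added example: block outbound delivery to specific domains with a Postfix
# transport map, then purge queued mail addressed to them.
BLOCKED_DOMAINS='barroco.com.br esporte.com'        # assumed list for the example
TRANSPORT_MAP=/etc/postfix/transport                 # assumed stock CentOS 5 path

# Two transport entries per domain: the domain itself and its subdomains.
# The "error:" transport bounces each recipient locally with the given text.
write_transport_map() {   # $1 = map file to (over)write
  : > "$1"
  for d in $BLOCKED_DOMAINS; do
    printf '%s\terror:5.7.1 outbound mail to %s blocked during incident response\n' "$d" "$d" >> "$1"
    printf '.%s\terror:5.7.1 outbound mail to %s blocked during incident response\n' "$d" "$d" >> "$1"
  done
}

# Queue IDs of messages with at least one recipient in a blocked domain, parsed
# from "postqueue -p": an ID line, an optional "(reason)" line, then one indented
# recipient per line, entries separated by blank lines. Matching is case-insensitive.
queued_ids_for_blocked_domains() {   # reads postqueue -p output on stdin
  awk -v doms="$BLOCKED_DOMAINS" '
    BEGIN { n = split(doms, d, " ") }
    /^[0-9A-F]+[*!]?[ \t]/ { id = $1; sub(/[*!]$/, "", id); next }   # "*" active, "!" on hold
    /^[ \t]+[^ \t@]+@[^ \t]+$/ {
      dom = tolower($1); sub(/.*@/, "", dom)
      for (i = 1; i <= n; i++)
        if (dom == d[i] || substr(dom, length(dom) - length(d[i])) == "." d[i]) { print id; break }
    }
  ' | sort -u
}

# Apply on the live server (root). "postsuper -d -" reads queue IDs from stdin.
apply_block() {
  write_transport_map "$TRANSPORT_MAP"
  postmap "hash:$TRANSPORT_MAP"
  postconf -e "transport_maps = hash:$TRANSPORT_MAP"
  postfix reload
  postqueue -p | queued_ids_for_blocked_domains | postsuper -d -
}

# Constructed postqueue -p output for a dry run.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
0CD50202952A     5184 Wed Jan  7 09:27:32  apache@web.example.com
(connect to mx.esporte.com[203.0.113.9]:25: Connection timed out)
                                         jcaldas@esporte.com

B42BA2028B3E     4108 Wed Jan  7 09:28:10  apache@web.example.com
(host unix.barroco.com.br[203.0.113.10] said: 451 ACCESS DENIED)
                                         jarocha@barroco.com.br
                                         second@Mail.Barroco.com.br

E8D1418200B2     1234 Thu Jan  8 09:08:48  web1_forthe@example.com
                                         someone@example.org

-- 10 Kbytes in 3 Requests.'

# Prints the IDs postsuper would delete; apply_block is not run automatically.
printf '%s\n' "$SAMPLE_QUEUE" | queued_ids_for_blocked_domains
```

Two caveats: the error: transport generates a bounce to the envelope sender, which here is the local apache user, so expect those bounces in the local mailbox (discard: drops silently instead); and the map also blocks legitimate mail to those domains, so the entries need removing once the sending script is found. The spam run will also move on to other domains, so this only buys time.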

8th January 2009, 10:25
Junior Member (Join Date: Jan 2009, Posts: 10)
Have you not got a line similar to
Jan 8 09:08:48 ridcully postfix/smtpd[1835]: E8D1418200B2: client=host86-128-92-29.range86-128.btcentralplus.com[86.128.92.29], sasl_method=PLAIN, sasl_username=web1_forthe
before the mails are sent?
That shows someone has authenticated.
But it does echo a lot like the old mail.cgi script flaw. I don't know if that helps any?
Stevieb

8th January 2009, 23:03
Member (Join Date: Jul 2006, Posts: 84)
Stevie, thanks for the advice, mate.
I have had a good look at the logs and it doesn't seem to be from an authenticated user; nothing evident precedes the email being sent.
Guess that means it is a script playing up - need to keep looking.
Thanks for your help
Matt

9th January 2009, 10:09
Super Moderator (Join Date: Apr 2005, Location: Lüneburg, Germany, Posts: 31,872)
You can try to look into the mail files with the postcat command if some of them are still in the deferred mail queue. Sometimes the mails contain hints (e.g. email addresses) in the headers from the original mail script that was misused to send them.

9th January 2009, 23:11
Member (Join Date: Jul 2006, Posts: 84)
Thanks Till, postcat gives a lot of information when I run it against the messages in the deferred queue. Can you please have a look at this and help me decipher it? I can't see anything that relates to a customer website, but there is a lot of guff in there. Below is the output from postcat on one of the messages that is trying to be sent as SPAM.
Is there a configuration error on my mail server? Can I block either domains or IPs through Postfix or the EHLO connection? I see the from sender and the to address, but I can't see how they are generating the message?
Any help much appreciated
Thanks
Matt
*** ENVELOPE RECORDS deferred/0/0CD50202952A ***
message_size: 5184 592 1 0
message_arrival_time: Wed Jan 7 09:27:32 2009
create_time: Wed Jan 7 09:27:32 2009
named_attribute: rewrite_context=local
named_attribute: sasl_sender=apache@web.berginct.com
sender: apache@web.berginct.com
named_attribute: log_client_name=web.berginct.com
named_attribute: log_client_address=127.0.0.1
named_attribute: log_message_origin=web.berginct.com[127.0.0.1]
named_attribute: log_helo_name=web.berginct.com
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=web.berginct.com
named_attribute: reverse_client_name=web.berginct.com
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=web.berginct.com
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;jcaldas@esporte.com
original_recipient: jcaldas@esporte.com
recipient: jcaldas@esporte.com
*** MESSAGE CONTENTS deferred/0/0CD50202952A ***
Received: from web.berginct.com (web.berginct.com [127.0.0.1])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by web.berginct.com (Postfix) with ESMTP id 0CD50202952A
for <jcaldas@esporte.com>; Wed, 7 Jan 2009 09:27:32 +1100 (EST)
Received: (from apache@localhost)
by web.berginct.com (8.13.8/8.13.8/Submit) id n06MRV2J006088;
Wed, 7 Jan 2009 09:27:31 +1100
Date: Tue Jan 6 21:57:28 EST 2009
From: Caixa Economica Federal <fabio.goys@hotmail.com>
To: jcaldas@esporte.com
Subject: Correcao para o Cadastramento de Computadores
X-Mailer: UmailNG .NET (powered by Microsoft Windows 2003)
Mime-Version: 1.0
content-type: text/html
Reply-To: "fabio.goys@hotmail.com" <"adraiana82@"@gmail.com>
X-OriginalArrivalTime: Tue 06 Jan 2009 09:57:29 PM EST -0.762217 seconds
Message-Id: <urgentemessageid-389640879@mail.yahoo.com.br>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<STYLE>.hmmessage P {
PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px
}
BODY.hmmessage {
FONT-SIZE: 10pt; FONT-FAMILY: Verdana
}
</STYLE>
<META content="MSHTML 6.00.2900.3492" name=GENERATOR></HEAD>
<BODY class=hmmessage bgColor=#ffffff>
<DIV><FONT face=Arial></FONT><BR>
<STYLE>
.ExternalClass .EC_style2
{font-size:10px;font-family:Verdana, Arial, Helvetica, sans-serif;}
.ExternalClass
{;}
.ExternalClass .EC_style4
{font-size:10px;}
.ExternalClass .EC_style5
{font-size:12px;}
.ExternalClass .EC_style6
{font-size:12px;font-family:Verdana, Arial, Helvetica, sans-serif;}
.ExternalClass .EC_style7
{font-size:12px;}
</STYLE>
</DIV>
<TABLE borderColor=#022986 height=436 width=755 align=center border=0>
<TBODY>
<TR>
<TD width=780 bgColor=#022986><IMG height=57 hspace=0
src="http://www.caixa.gov.br/_newimages/icaixa/header_caixa.jpg" width=140
border=0><IMG height=57 hspace=0
src="http://www.caixa.gov.br/_newimages/icaixa/O_banco_que_acredita.jpg"
width=141 border=0></TD></TR>
<TR>
<TD height=364>
<DIV align=center>
<DIV class=EC_EC_EC_ExternalClass id=EC_EC_EC_MsgContainer
style="WIDTH: 765px; HEIGHT: 388px">
<P align=left><SPAN class=EC_style4><SPAN class=EC_style5><SPAN
class=EC_style7><SPAN class=EC_style5><STRONG><FONT
size=3></FONT></STRONG></SPAN></SPAN></SPAN></SPAN>
<P align=left>
<P align=left><SPAN class=EC_style4><SPAN class=EC_style5><SPAN
class=EC_style7><SPAN class=EC_style5><STRONG><FONT
size=3><img src="http://cleese.lima-city.de/images/meioqj3.jpg"></FONT></STRONG></SPAN></SPAN></SPAN></SPAN>
<P align=left><SPAN class=EC_style4><SPAN class=EC_style5><SPAN
class=EC_style7><SPAN class=EC_style5><STRONG><FONT
size=3></FONT></STRONG></SPAN></SPAN></SPAN></SPAN>
<p align="left"> </p>
<p align="left"><strong><font size="2">Dear Customer,</font></strong></p>
<p> </p>
<p align="left"><font size="2">A new correction has been released for the Computer Registration; it fixes a critical-level flaw in the customer identification system that can cause data loss and access problems.</font></p>
<p align="left"> </p>
<p align="left"><font size="2">The update is simple and quick: just click the link below and then fill in all the details you will be asked for, to carry out a complete update.</font></p>
<p align="left"> </p>
<p align="left"><font size="2"><a href="http://200.165.72.234/webmail/logs/atualizacao.php?download=www.caixa.gov.br/download/atualizacao/seguranca/20349582095802210481328409128035971094701324870193 25789124701329470135781327489132748912735897123894 71320947120957189324791382579183274109237425714928 71489151344.php?seguranca=index">http://www.caixa.gov.br/segurança/download/atualização/</a></font></p>
<p align="left"> </p>
<p align="left"><font size="2"><strong>Attention:</strong> All users must register and update the Computer Registration. If the correction is not carried out, your computer will be <strong>blocked, and unblocking can only be done at CAIXA branches.</strong></font></p>
<p align="left"> </p>
<p align="left"><font size="2"><strong>If in doubt, call the CAIXA Help Desk on 0800 726 0104</strong></font><br>
</p>
<p align="left"> </p>
<p align="left"> </p>
<p align="left"><img src="http://cleese.lima-city.de/images/fimqj3.jpg"><br>
</p>
</DIV></DIV></TD></TR></TBODY></TABLE>
</BODY></HTML>
*** HEADER EXTRACTED deferred/0/0CD50202952A ***
*** MESSAGE FILE END deferred/0/0CD50202952A ***

10th January 2009, 02:39
Junior Member (Join Date: Jan 2009, Posts: 10)
Received: (from apache@localhost)
by web.berginct.com (8.13.8/8.13.8/Submit) id n06MRV2J006088;
Till will correct me if I am wrong, but that suggests to me more and more that it's a webmail form, running through a loop from a database/CSV file.
Stevieb
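The "Received: (from apache@localhost) ... (Submit)" line in the postcat output says the message was handed to the local sendmail binary by a process running as the apache user, which is exactly what PHP's mail() does, but it does not say which of the 50 sites made the call. The usual way to find out, shown here as an added example that is not from the thread, is to put a logging wrapper in front of the sendmail binary via php.ini's sendmail_path. Under mod_php the wrapper inherits the calling script's directory as its working directory; under CGI/FastCGI SAPIs it also inherits the request variables. The wrapper path, log file name and environment variable names are assumptions.

```shell
#!/bin/sh
# Added example: logging wrapper for the sendmail binary that PHP mail() executes.
# Install as /usr/local/bin/sendmail-log.sh (assumed path), make it executable by
# the web server user, and set in php.ini:
#     sendmail_path = /usr/local/bin/sendmail-log.sh -t -i
# The log file must be writable by that user (here apache).
LOGFILE=${SENDMAIL_LOG:-/var/log/php-mail.log}       # assumed location
REAL_SENDMAIL=${REAL_SENDMAIL:-/usr/sbin/sendmail}   # the binary being wrapped

# Build one log record from the process environment and the message headers.
# $PWD is the calling script's directory under mod_php; SCRIPT_NAME, SERVER_NAME
# and REMOTE_ADDR are only present when PHP runs as CGI/FastCGI.
mail_log_record() {   # $1 = file holding the message; remaining args = sendmail args
  msgfile=$1; shift
  # headers end at the first empty line; take the first To: and Subject: seen
  to=$(sed -n '/^$/q; s/^[Tt][Oo]: *//p' "$msgfile" | head -n 1)
  subject=$(sed -n '/^$/q; s/^[Ss][Uu][Bb][Jj][Ee][Cc][Tt]: *//p' "$msgfile" | head -n 1)
  printf '%s uid=%s pwd=%s host=%s script=%s client=%s to=%s subject=%s args=%s\n' \
    "$(date '+%Y-%m-%dT%H:%M:%S')" "$(id -u)" "$PWD" \
    "${SERVER_NAME:-n/a}" "${SCRIPT_NAME:-n/a}" "${REMOTE_ADDR:-n/a}" \
    "$to" "$subject" "$*"
}

# Spool the message from stdin so it can be inspected and then passed on unchanged.
run_wrapper() {
  tmp=$(mktemp) || exit 75                 # EX_TEMPFAIL: PHP sees mail() fail, nothing is lost silently
  cat > "$tmp"
  mail_log_record "$tmp" "$@" >> "$LOGFILE"
  "$REAL_SENDMAIL" "$@" < "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Only behave as the wrapper when invoked under its installed name, so that
# sourcing this file for the checks below does not swallow stdin.
case $0 in
  *sendmail-log.sh) run_wrapper "$@"; exit $? ;;
esac
```

After a reload of httpd, each new spam message leaves a line whose pwd= (and script=, where available) points straight at the vhost and script responsible; grepping the log for the spam Subject: seen in postcat narrows it to one site instead of fifty.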

10th January 2009, 07:54
Member (Join Date: Jul 2006, Posts: 84)
This is now becoming unsettling. I just received this email, which was sent to undisclosed recipients, and the content was
"this is a spam email to show how easy it is to bypass your logins"
What is that meant to mean?
Here are the headers of the email, taken from Outlook.
Microsoft Mail Internet Headers Version 2.0
X-PMWin-Spam: Gauge=IIIIIIII, Probability=8, Report='__MIME_VERSION 0, __CT 0, __CT_TEXT_PLAIN 0, __CTE 0, __HAS_MSGID 0, __SANE_MSGID 0, NO_REAL_NAME 0, __SUBJ_MISSING 0, EMPTY_BODY 0.1, BODY_SIZE_10_99 0, __MIME_TEXT_ONLY 0, BODY_SIZE_5000_LESS 0, SMALL_BODY 0, BODY_SIZE_1000_LESS 0, SUBJ_MISSING 0'
X-PMWin-SpamScore: 8
X-PMWin-Version: 3.0.1.0, Antispam-Engine: 2.6.1, Antispam-Data: 2009.1.10.14322, Antivirus-Engine: 2.82.1, Antivirus-Data: 4.37E
Received: from web.berginct.com ([203.89.212.187]) by berginct.com with Microsoft SMTPSVC(6.0.3790.3959); Sat, 10 Jan 2009 12:55:19 +1100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Received: by web.berginct.com (Postfix) id 6E17C2028002; Sat, 10 Jan 2009 12:55:19 +1100 (EST)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
Delivered-To: apache@localhost.berginct.com
Received: from localhost.localdomain (host86-141-201-247.range86-141.btcentralplus.com [86.141.201.247]) by web.berginct.com (Postfix) with SMTP id 832952028001 for <apache@localhost>; Sat, 10 Jan 2009 12:55:18 +1100 (EST)
Message-ID: <20090110015518.832952028001@web.berginct.com>
Date: Sat, 10 Jan 2009 12:55:18 +1100 (EST)
From: <apache@localhost.berginct.com>
To: <undisclosed-recipients:>
Return-Path: <apache@localhost.berginct.com>
X-OriginalArrivalTime: 10 Jan 2009 01:55:19.0627 (UTC) FILETIME=[7DCA49B0:01C972C6]
Has someone hijacked the apache user?
Do I need to start taking down websites until I find the culprit?
Thanks
Matt
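The From: line of the message above is whatever the sender typed; only the Received: trail shows where it came from, and it reads bottom-up. As an added example that is not part of the thread, this script unfolds the headers and prints each hop in the order it happened, with the connecting IP and the "for <...>" recipient. The header block is copied from the post above, trimmed to the relevant lines, with one Received: header folded across lines as mail software is allowed to do.

```shell
#!/bin/sh
# Added example: list Received: hops of a message from origin to final delivery.
# SAMPLE_HEADERS is copied from the headers posted above (trimmed, one header folded).
SAMPLE_HEADERS='Received: from web.berginct.com ([203.89.212.187]) by berginct.com with Microsoft SMTPSVC(6.0.3790.3959); Sat, 10 Jan 2009 12:55:19 +1100
MIME-Version: 1.0
Received: by web.berginct.com (Postfix) id 6E17C2028002; Sat, 10 Jan 2009 12:55:19 +1100 (EST)
Delivered-To: apache@localhost.berginct.com
Received: from localhost.localdomain (host86-141-201-247.range86-141.btcentralplus.com [86.141.201.247])
    by web.berginct.com (Postfix) with SMTP id 832952028001
    for <apache@localhost>; Sat, 10 Jan 2009 12:55:18 +1100 (EST)
From: <apache@localhost.berginct.com>
To: <undisclosed-recipients:>

body'

# Reads a raw message on stdin; prints "hop N: from=... ip=... by=... for=..."
# with hop 1 being the bottom-most (earliest) Received: header.
received_chain() {
  awk '
    function parse_hop(h,   from, ip, by, rcpt) {
      sub(/^[Rr][Ee][Cc][Ee][Ii][Vv][Ee][Dd]:[ \t]*/, "", h)
      gsub(/[ \t]+/, " ", h)                      # collapse folding whitespace
      from = "-"; ip = "-"; by = "-"; rcpt = "-"
      if (h ~ /^from /) {                         # "from" clause: connecting host, up to next keyword
        from = substr(h, 6)
        sub(/ (by|via|with|id|for) .*/, "", from)
        if (match(from, /\[[0-9.]+\]/)) ip = substr(from, RSTART + 1, RLENGTH - 2)
      }
      if (match(" " h, / by /)) {                 # "by" clause: the server that wrote this header
        by = substr(" " h, RSTART + 4)
        sub(/ (via|with|id|for) .*/, "", by); sub(/;.*/, "", by)
      }
      if (match(" " h, / for </)) {               # "for" clause: envelope recipient, if recorded
        rcpt = substr(" " h, RSTART + 5)
        sub(/>.*/, ">", rcpt)
      }
      hop[++n] = "from=" from " ip=" ip " by=" by " for=" rcpt
    }
    function finish_header() {
      if (cur ~ /^[Rr][Ee][Cc][Ee][Ii][Vv][Ee][Dd]:/) parse_hop(cur)
      cur = ""
    }
    /^$/     { finish_header(); exit }            # blank line ends the header block
    /^[ \t]/ { cur = cur " " $0; next }           # folded continuation line
             { finish_header(); cur = $0 }
    END {
      finish_header()
      for (i = n; i >= 1; i--) printf "hop %d: %s\n", n - i + 1, hop[i]
    }
  '
}

printf '%s\n' "$SAMPLE_HEADERS" | received_chain
```

For the headers above this prints hop 1 as a connection from 86.141.201.247 to web.berginct.com, accepted for the local recipient <apache@localhost>; hop 2 is Postfix delivering it locally and hop 3 the forward to the Exchange box. Only the hops written by your own servers can be trusted; anything a remote host puts below them is as forgeable as the From: line.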
All times are GMT +2.