15th December 2011, 14:56
Junior Member
I'm sending spams?! [postfix][debian][ispconfig3]
Hello,
My 3-day-old server started sending spam. I see that I can't connect to MySQL; I did a little research and there's a huge amount of queries to MySQL. And finally, I found the mail logs..
I just configured the server, and nobody is using the SMTP server... Port 25 is closed, I'm using 465...
Here is part of the log file
Code:
Dec 14 00:13:50 woody postfix/qmgr[28051]: DB7E21321AF: from=<root@woody.2fastweb.net>, size=36855, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/qmgr[28051]: BC9371321D4: from=<root@woody.2fastweb.net>, size=36385, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/smtp[25828]: DA8141321CC: to=<hsvguy2005@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=85, delay=7.4, delays=0.67/6.4/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25301-02-85, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as DB7E21321AF)
Dec 14 00:13:50 woody postfix/smtp[25827]: 2E2811321FE: to=<thewrongprescription@hotmail.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=86, delay=8.8, delays=2.1/6.4/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25303-02-86, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CCF1A1321E2)
Dec 14 00:13:50 woody postfix/qmgr[28051]: DA8141321CC: removed
Dec 14 00:13:50 woody postfix/qmgr[28051]: 2E2811321FE: removed
Dec 14 00:13:50 woody postfix/pickup[24000]: 0A2771321CC: uid=0 from=<root>
Dec 14 00:13:50 woody postfix/cleanup[25425]: 0A2771321CC: message-id=<20111213231350.0A2771321CC@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/qmgr[28051]: 0A2771321CC: from=<root@woody.2fastweb.net>, size=36389, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/pickup[24000]: 1EC511321ED: uid=0 from=<root>
Dec 14 00:13:50 woody postfix/cleanup[25450]: 1EC511321ED: message-id=<20111213231350.1EC511321ED@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/smtpd[24247]: 370B713220F: client=localhost.localdomain[127.0.0.1]
Dec 14 00:13:50 woody postfix/cleanup[25668]: 370B713220F: message-id=<20111213231343.584471321E6@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/smtp[24365]: 70BF41321FB: to=<cursie_18@yahoo.de>, relay=mx2.mail.eu.yahoo.com[77.238.184.241]:25, delay=0.77, delays=0.14/0.07/0.08/0.48, dsn=2.0.0, status=sent (250 ok dirdel)
Dec 14 00:13:50 woody postfix/smtpd[24256]: 384BB13220B: client=localhost.localdomain[127.0.0.1]
Dec 14 00:13:50 woody postfix/cleanup[25910]: 384BB13220B: message-id=<20111213231343.8786F1321A0@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/qmgr[28051]: 70BF41321FB: removed
Dec 14 00:13:50 woody postfix/smtp[24375]: EAE551321D0: to=<americanboi28@yahoo.com>, relay=mta7.am0.yahoodns.net[66.94.238.147]:25, delay=2.3, delays=0.14/0/0.42/1.8, dsn=2.0.0, status=sent (250 ok dirdel)
Dec 14 00:13:50 woody postfix/qmgr[28051]: EAE551321D0: removed
Dec 14 00:13:50 woody postfix/qmgr[28051]: 370B713220F: from=<root@woody.2fastweb.net>, size=36903, nrcpt=1 (queue active)
Dec 14 00:13:50 woody amavis[25303]: (25303-02-87) Passed CLEAN, <root@woody.2fastweb.net> -> <hornyoncam2010@hotmail.com>, Message-ID: <20111213231343.8786F1321A0@woody.2fastweb.net>, mail_id: oUSpQcQLnQuM, Hits: 9.875, size: 36399, queued_as: 384BB13220B, 323 ms
Dec 14 00:13:50 woody amavis[25301]: (25301-02-86) Passed CLEAN, <root@woody.2fastweb.net> -> <blackbrew90291129@btinternet.co.uk>, Message-ID: <20111213231343.584471321E6@woody.2fastweb.net>, mail_id: zk0M4xzdOAUw, Hits: 9.875, size: 36415, queued_as: 370B713220F, 324 ms
Dec 14 00:13:50 woody postfix/smtp[25827]: 8786F1321A0: to=<hornyoncam2010@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=87, delay=8.2, delays=1.7/6.1/0/0.33, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25303-02-87, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 384BB13220B)
Dec 14 00:13:50 woody postfix/smtp[25828]: 584471321E6: to=<blackbrew90291129@btinternet.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=86, delay=8.3, delays=1.4/6.5/0/0.33, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25301-02-86, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 370B713220F)
Dec 14 00:13:50 woody postfix/qmgr[28051]: 1EC511321ED: from=<root@woody.2fastweb.net>, size=36411, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/qmgr[28051]: 8786F1321A0: removed
Dec 14 00:13:50 woody postfix/qmgr[28051]: 384BB13220B: from=<root@woody.2fastweb.net>, size=36871, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/pickup[24000]: 5A9571321A0: uid=0 from=<root>
Dec 14 00:13:50 woody postfix/qmgr[28051]: 584471321E6: removed
Dec 14 00:13:50 woody postfix/cleanup[25425]: 5A9571321A0: message-id=<20111213231350.5A9571321A0@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/qmgr[28051]: 5A9571321A0: from=<root@woody.2fastweb.net>, size=36389, nrcpt=1 (queue active)
Dec 14 00:13:50 woody postfix/pickup[24000]: 6D1A71321B9: uid=0 from=<root>
Dec 14 00:13:50 woody postfix/cleanup[25450]: 6D1A71321B9: message-id=<20111213231350.6D1A71321B9@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/smtp[24475]: 370B713220F: to=<blackbrew90291129@btinternet.co.uk>, relay=none, delay=0.22, delays=0.14/0.01/0.07/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=btinternet.co.uk type=A: Host found but no data record of requested type)
Dec 14 00:13:50 woody postfix/cleanup[25910]: 7126F132214: message-id=<20111213231350.7126F132214@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/smtpd[24247]: 83120132212: client=localhost.localdomain[127.0.0.1]
Dec 14 00:13:50 woody postfix/cleanup[25425]: 83120132212: message-id=<20111213231343.EE5FE1321FF@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/smtpd[24256]: 8B9A9132213: client=localhost.localdomain[127.0.0.1]
Dec 14 00:13:50 woody postfix/cleanup[25668]: 8B9A9132213: message-id=<20111213231343.E19101321F0@woody.2fastweb.net>
Dec 14 00:13:50 woody postfix/bounce[24413]: 370B713220F: sender non-delivery notification: 7126F132214
Dec 14 00:13:50 woody amavis[25303]: (25303-02-88) Passed CLEAN, <root@woody.2fastweb.net> -> <bcramerx@yahoo.com>, Message-ID: <20111213231343.E19101321F0@woody.2fastweb.net>, mail_id: lZjmQxcMBiEh, Hits: 9.875, size: 36383, queued_as: 8B9A9132213, 338 ms
Code:
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = woody.2fastweb.net, localhost, localhost.localdomain
myhostname = woody.2fastweb.net
mynetworks = 127.0.0.0/8 [::1]/128
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

16th December 2011, 11:49
Super Moderator
Please check if your server is an open relay: http://www.spamhelp.org/shopenrelay/

4th January 2012, 13:23
Junior Member
I have the same problem
I have the same problem and my server is not an open relay.
It's Postfix 2.8.7 compiled on Fedora 16.
Cyrus SASL (2.1.25) authentication is enabled with method PLAIN.
Users are in a MySQL DB hosted on another server.
Only ports 25, 53 and 22 are open.
220 myserver.mydomain.com ESMTP Postfix
EHLO xxx.com
250-mail2.tecnes.com
250-PIPELINING
250-SIZE 15000000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

5th January 2012, 14:43
Super Moderator
What's in your mail log? Did you check if your server is already blacklisted ( http://www.mxtoolbox.com/blacklists.aspx )?

5th January 2012, 15:00
Junior Member
We aren't on the blacklist since we quickly stopped the spam by disabling the root user from sending email locally.
In main.cf we added:
authorized_submit_users = !root, static:anyone
The maillog during the problem looked something like this.
Dec 24 00:40:55 dns postfix/pickup[29510]: F25FF2C04A9: uid=0 from=<root>
Dec 24 00:40:55 dns postfix/cleanup[29575]: F25FF2C04A9: message-id=<20111223234055.F25FF2C04A9@mail2.tecnes.com>
Dec 24 00:40:56 dns postfix/qmgr[1028]: F25FF2C04A9: from=<root@mail2.tecnes.com>, size=358, nrcpt=1 (queue active)
Dec 24 00:40:56 dns postfix/smtp[29582]: F25FF2C04A9: to=<serverpoplavock@gmail.com>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.11, delays=0.08/0/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 16ECAD7B532)
Dec 24 00:40:56 dns postfix/qmgr[1028]: F25FF2C04A9: removed
Dec 24 00:40:56 dns postfix/pickup[29510]: 10ED42C04A9: uid=0 from=<root>
Dec 24 00:40:56 dns postfix/cleanup[29575]: 10ED42C04A9: message-id=<20111223234056.10ED42C04A9@mail2.tecnes.com>
Dec 24 00:40:56 dns postfix/qmgr[1028]: 10ED42C04A9: from=<root@mail2.tecnes.com>, size=1125, nrcpt=1 (queue active)
Dec 24 00:40:56 dns postfix/smtp[29576]: 10ED42C04A9: to=<youngwhitedude69@gmail.com>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.09, delays=0.07/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 297BAD7B592)
Dec 24 00:40:56 dns postfix/qmgr[1028]: 10ED42C04A9: removed
Dec 24 00:40:56 dns postfix/pickup[29510]: 23D7C2C04A9: uid=0 from=<root>
Dec 24 00:40:56 dns postfix/cleanup[29575]: 23D7C2C04A9: message-id=<20111223234056.23D7C2C04A9@mail2.tecnes.com>
Dec 24 00:40:56 dns postfix/qmgr[1028]: 23D7C2C04A9: from=<root@mail2.tecnes.com>, size=1122, nrcpt=1 (queue active)
Dec 24 00:40:56 dns postfix/smtp[29582]: 23D7C2C04A9: to=<knuff1965@hotmail.co.uk>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.09, delays=0.07/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3C3DAD7B5E3)
Dec 24 00:40:56 dns postfix/qmgr[1028]: 23D7C2C04A9: removed
Dec 24 00:40:56 dns postfix/pickup[29510]: 389D42C04A9: uid=0 from=<root>
Dec 24 00:40:56 dns postfix/cleanup[29575]: 389D42C04A9: message-id=<20111223234056.389D42C04A9@mail2.tecnes.com>
Dec 24 00:40:56 dns postfix/qmgr[1028]: 389D42C04A9: from=<root@mail2.tecnes.com>, size=1128, nrcpt=1 (queue active)
Dec 24 00:40:56 dns postfix/pickup[29510]: 4409D2C04A7: uid=0 from=<root>
Dec 24 00:40:56 dns postfix/smtp[29583]: 389D42C04A9: to=<rockfortherockaus@yahoo.co.uk>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.11, delays=0.09/0/0/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 529CFD7B6DF)
Dec 24 00:40:56 dns postfix/qmgr[1028]: 389D42C04A9: removed
Dec 24 00:40:56 dns postfix/cleanup[29575]: 4409D2C04A7: message-id=<20111223234056.4409D2C04A7@mail2.tecnes.com>
Dec 24 00:40:56 dns postfix/qmgr[1028]: 4409D2C04A7: from=<root@mail2.tecnes.com>, size=1129, nrcpt=1 (queue active)
Dec 24 00:40:56 dns postfix/pickup[29510]: 5AA122C04CE: uid=0 from=<root>
Dec 24 00:40:56 dns postfix/smtp[29576]: 4409D2C04A7: to=<nathan_jackman1998@hotmail.com>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.12, delays=0.1/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 695C7D7BAA9)
Dec 24 00:40:56 dns postfix/qmgr[1028]: 4409D2C04A7: removed
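An added example, not code from either poster or from ISPConfig: a small Python script that walks Postfix log lines of the shape quoted in both posts above and attributes every outbound delivery to the way the message entered the queue, either the local sendmail path (a postfix/pickup line carrying the submitting uid) or an SMTP session (a postfix/smtpd client= line). Both logs in this thread show pickup with uid=0, i.e. a process running as root on the host is injecting the mail, which is exactly what the authorized_submit_users setting above blocks; the sample log lines, hosts and addresses are constructed, not taken from the posts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the logs quoted in this thread; queue IDs,
# hosts and addresses are made up (example.* / documentation ranges), not copied.
SAMPLE_LOG = """\
Dec 24 00:40:55 mx postfix/pickup[29510]: AAA111: uid=0 from=<root>
Dec 24 00:40:56 mx postfix/qmgr[1028]: AAA111: from=<root@mx.example.net>, size=358, nrcpt=1 (queue active)
Dec 24 00:40:56 mx postfix/smtp[29582]: AAA111: to=<one@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.11, delays=0.08/0/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Dec 24 00:40:56 mx postfix/pickup[29510]: BBB222: uid=0 from=<root>
Dec 24 00:40:56 mx postfix/smtp[29576]: BBB222: to=<two@example.org>, relay=mx.example.org[192.0.2.11]:25, delay=0.09, delays=0.07/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Dec 24 00:40:57 mx postfix/pickup[29510]: CCC333: uid=1001 from=<www-data>
Dec 24 00:40:57 mx postfix/smtp[29576]: CCC333: to=<three@example.org>, relay=mx.example.org[192.0.2.11]:25, delay=0.09, delays=0.07/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Dec 24 00:41:00 mx postfix/smtpd[24247]: DDD444: client=pc.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Dec 24 00:41:00 mx postfix/smtp[24365]: DDD444: to=<four@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.77, delays=0.14/0.07/0.08/0.48, dsn=2.0.0, status=sent (250 ok)
Dec 24 00:41:02 mx postfix/smtp[24475]: BBB222: to=<five@nowhere.invalid>, relay=none, delay=0.22, delays=0.14/0.01/0.07/0, dsn=5.4.4, status=bounced (Host or domain name not found)
"""

# Postfix queue IDs are upper-case hex; the three record types we correlate on.
QID = r"(?P<qid>[0-9A-F]+)"
RE_PICKUP = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>")
RE_SMTPD = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(?P<client>[^,\s]+)")
RE_SENT = re.compile(r"postfix/smtp\[\d+\]: " + QID + r": to=<[^>]*>, .*status=(?P<status>\w+)")


def attribute_deliveries(log_text):
    """Map each queue ID to its submission path, then count outbound deliveries
    per path and delivery status: {path: {"sent": n, "bounced": n, ...}}."""
    origin = {}                      # queue id -> how the message entered the queue
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        if m := RE_PICKUP.search(line):          # local sendmail(1) submission
            origin[m["qid"]] = f"local uid={m['uid']} ({m['user']})"
        elif m := RE_SMTPD.search(line):         # network / SASL submission
            # With an amavis content filter (first post), re-injected mail shows up
            # here as client=...[127.0.0.1] under a new queue id; trace the first id.
            origin[m["qid"]] = f"smtp client={m['client']}"
        elif m := RE_SENT.search(line):
            stats[origin.get(m["qid"], "unknown")][m["status"]] += 1
    return {path: dict(counts) for path, counts in stats.items()}


if __name__ == "__main__":
    for path, counts in sorted(attribute_deliveries(SAMPLE_LOG).items()):
        print(f"{path:45s} {counts}")
```

Run it over the real mail.log instead of SAMPLE_LOG: a large "local uid=0 (root)" bucket with a closed port 25 means the problem is a process on the host, not relaying, so the next step is ps/cron/rootkit inspection rather than tightening smtpd restrictions.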

6th January 2012, 11:56
Super Moderator
Have you updated all your web applications? Maybe the spammers abuse a vulnerable contact form or something like that.
This link might be of interest: http://www.howtoforge.com/how-to-log...tect-form-spam

6th January 2012, 12:43
Junior Member
There are no web applications on this server. Just Postfix with SASL authentication and the DNS.
We had the same problem on another Postfix server. In that case there was no DNS, so we can exclude DNS as the cause of the problem.
I think there may be a vulnerability in Postfix + SASL, but I'm not sure.

7th January 2012, 11:26
Super Moderator
Have you tried to change all your passwords?
Also, please run chkrootkit or rkhunter to find out if there's malware installed on your server.