HowtoForge Forums (ISPConfig 3 > Installation/Configuration)

Thread: outgoing spam, unable to identify source

#1  csabo (Junior Member), 22nd September 2014, 16:58

Hello,
We get bursts of outgoing messages that, when viewed with mailq, are certainly spam (the recipients are bogus, a lot of failed deliveries). I'm unable to tell what the source of this mail is, except I'm fairly certain it's not coming from websites being hosted (I've blocked the www user from being able to send mail). Below is what I've already checked.

1.) auth.log only contains cron, ftp and ssh entries

2.) mail.log and mail.info show the messages, and show connections from IPs in other countries (that are clearly not our customers), but no mention of authentication.

3.) fail2ban has been enabled for sasl and postfix

4.) from main.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination


I'm honestly at a loss on how to stop this; I'm not sure if there's some loophole for unauth mail to go out, or an account was compromised. Any help would be awesome.


For the sake of completeness, here's the output of the common issues PHP script:

##### SERVER #####
IP-address (as per hostname): ***.***.***.***
IP-address(es) (as per ifconfig): ***.***.***.***, ***.***.***.***, ***.***.***.***, ***.***.***.***, ***.***.***.***, ***.***.***.***, ***.***.***.***
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.0.5.3


##### VERSION CHECK #####

[INFO] php (cli) version is 5.4.4-14+deb7u14
[INFO] php-cgi (used for cgi php in default vhost!) is version 5.4.4-14+deb7u14

##### PORT CHECK #####

[WARN] Port 8080 (ISPConfig) seems NOT to be listening

##### MAIL SERVER CHECK #####


##### RUNNING SERVER PROCESSES #####

[INFO] I found the following web server(s):
Apache 2 (PID 14562)
[INFO] I found the following mail server(s):
Postfix (PID 5431)
[INFO] I found the following pop3 server(s):
Dovecot (PID 5479)
[INFO] I found the following imap server(s):
Dovecot (PID 5479)
[INFO] I found the following ftp server(s):
PureFTP (PID 23424)

##### LISTENING PORTS #####
Local (Address)
[localhost]:9191 (32380/php-fpm:)
[anywhere]:59783 (2039/rpc.statd)
[localhost]:10024 (7782/amavisd-new)
[localhost]:10025 (5431/master)
[localhost]:9130 (37247/php-fpm:)
[anywhere]:587 (5431/master)
[localhost]:9164 (15824/php-fpm:)
[localhost]:9133 (64769/php-fpm.conf))
[localhost]:9197 (64769/php-fpm.conf))
[localhost]:9165 (64769/php-fpm.conf))
[anywhere]:110 (5479/dovecot)
[anywhere]:143 (5479/dovecot)
[localhost]:9039 (64769/php-fpm.conf))
[localhost]:783 (3018/spamd.pid)
[anywhere]:111 (2006/rpcbind)
[localhost]:9104 (64769/php-fpm.conf))
[anywhere]:10000 (4472/perl)
[anywhere]:465 (5431/master)
[localhost]:9043 (14929/php-fpm:)
[localhost]:9108 (14365/php-fpm:)
[localhost]:9044 (41879/php-fpm:)
[anywhere]:21 (23424/pure-ftpd)
***.***.***.***:53 (29314/named)
***.***.***.***:53 (29314/named)
***.***.***.***:53 (29314/named)
***.***.***.***:53 (29314/named)
***.***.***.***:53 (29314/named)
***.***.***.***:53 (29314/named)
***.***.***.***:53 (29314/named)
[localhost]:53 (29314/named)
[anywhere]:22 (2972/sshd)
[anywhere]:25 (5431/master)
[localhost]:953 (29314/named)
[localhost]:9081 (64769/php-fpm.conf))
[localhost]:9177 (41898/php-fpm:)
[localhost]:9018 (64769/php-fpm.conf))
[localhost]:9087 (64769/php-fpm.conf))
[localhost]:9183 (64769/php-fpm.conf))
[anywhere]:993 (5479/dovecot)
[localhost]:9026 (64769/php-fpm.conf))
[anywhere]:10050 (2415/zabbix_agentd)
[anywhere]:995 (5479/dovecot)
*:*:*:*::*:3306 (5979/mysqld)
*:*:*:*::*:587 (5431/master)
[localhost]:110 (5479/dovecot)
*:*:*:*::*:37102 (2039/rpc.statd)
[localhost]:143 (5479/dovecot)
[localhost]:111 (2006/rpcbind)
*:*:*:*::*:80 (14562/apache2)
*:*:*:*::*:465 (5431/master)
*:*:*:*::*:8081 (14562/apache2)
*:*:*:*::*:21 (23424/pure-ftpd)
*:*:*:*::*:53 (29314/named)
*:*:*:*::*:22 (2972/sshd)
*:*:*:*::*:25 (5431/master)
*:*:*:*::*:953 (29314/named)
*:*:*:*::*:4443 (14562/apache2)
*:*:*:*::*:443 (14562/apache2)
*:*:*:*::*:993 (5479/dovecot)
[localhost]:10050 (2415/zabbix_agentd)
*:*:*:*::*:995 (5479/dovecot)

##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-dovecot-pop3imap tcp -- [anywhere]/0 [anywhere]/0 multiport dports 110,995,143,993
fail2ban-pureftpd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 21
fail2ban-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25
fail2ban-postfix tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465
fail2ban-ssh tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22
DROP all -- ***.***.***.*** [anywhere]/0
DROP all -- ***.***.***.*** [anywhere]/0
DROP all -- ***.***.***.*** [anywhere]/0
DROP all -- ***.***.***.*** [anywhere]/0
DROP all -- ***.***.***.*** [anywhere]/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0

Chain fail2ban-postfix (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0

Chain fail2ban-pureftpd (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0

Chain fail2ban-sasl (1 references)
target prot opt source destination
DROP all -- ***.***.***.*** [anywhere]/0
DROP all -- ***.***.***.*** [anywhere]/0
DROP all -- ***.***.***.*** [anywhere]/0
RETURN all -- [anywhere]/0 [anywhere]/0

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0
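A check worth doing before blaming the restriction list: with `permit_mynetworks, permit_sasl_authenticated, ..., reject_unauth_destination`, an unauthenticated remote client can only hand this server mail for domains it accepts, so spam to outside recipients has to enter through a SASL login, a host in mynetworks, or a local submission (sendmail(1) pickup). The script below is an added example (my own code, not from the post, from ISPConfig or from Postfix) that groups queue IDs in mail.log by which of those paths introduced them. Queue IDs that start with `client=localhost[127.0.0.1]` are the amavisd-new re-injection on port 10025 of a message that already has an origin under another ID, so they get their own bucket instead of being counted as a foreign connection. The log lines, host names, IPs and queue IDs are constructed; the line format is the one Debian 7's Postfix 2.9 writes to mail.log.

```python
"""Attribute queued Postfix messages to their submission path from mail.log.

Added example, not from the original post. Each queue ID is tied to the log
line that introduces it: an smtpd 'client=' line (remote or SASL-authenticated
submission), a pickup 'uid=' line (local sendmail(1) call, e.g. a PHP script),
or a qmgr 'from=<>' line with no earlier origin (a bounce this server created).
The re-injection from amavisd-new on 127.0.0.1:10025 gets its own queue ID and
is labelled as such so it is not mistaken for an external client.
Usage on a real server:  python3 this_script.py /var/log/mail.log
"""
import re
import sys
from collections import defaultdict

# Constructed sample lines (Debian 7 / Postfix 2.9 syslog format); IPs and IDs are made up.
SAMPLE_LOG = """\
Sep 22 14:01:03 mx postfix/smtpd[12345]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Sep 22 14:01:03 mx postfix/qmgr[5440]: 1A2B3C4D5E: from=<info@example.com>, size=2345, nrcpt=40 (queue active)
Sep 22 14:01:04 mx postfix/smtpd[12346]: 2B3C4D5E6F: client=localhost[127.0.0.1]
Sep 22 14:01:04 mx postfix/qmgr[5440]: 2B3C4D5E6F: from=<info@example.com>, size=2890, nrcpt=40 (queue active)
Sep 22 14:02:00 mx postfix/pickup[5430]: 6F7A8B9C0D: uid=33 from=<www-data>
Sep 22 14:02:00 mx postfix/qmgr[5440]: 6F7A8B9C0D: from=<www-data@mx.example.com>, size=512, nrcpt=1 (queue active)
Sep 22 14:02:30 mx postfix/smtpd[12347]: 7A8B9C0D1E: client=mail.example.net[198.51.100.9]
Sep 22 14:02:30 mx postfix/qmgr[5440]: 7A8B9C0D1E: from=<alice@example.net>, size=1024, nrcpt=1 (queue active)
Sep 22 14:03:00 mx postfix/smtp[12360]: 2B3C4D5E6F: to=<bogus@example.org>, relay=none, delay=1, dsn=5.1.1, status=bounced (unknown user)
Sep 22 14:03:00 mx postfix/bounce[12370]: 2B3C4D5E6F: sender non-delivery notification: 9E8D7C6B5A
Sep 22 14:03:00 mx postfix/qmgr[5440]: 9E8D7C6B5A: from=<>, size=3100, nrcpt=1 (queue active)
"""

_QID = r"(?P<qid>[0-9A-F]{8,})"
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: " + _QID + r": client=[^\[\s]+\[(?P<ip>[^\]]+)\]"
                       r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: " + _QID + r": uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: " + _QID + r": from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def attribute_queue(log_text):
    """Return {queue_id: {"origin": str, "sender": str, "nrcpt": int}} for every ID seen by qmgr."""
    msgs = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            if m.group("user"):
                origin = "sasl:%s via %s" % (m.group("user"), m.group("ip"))
            elif m.group("ip") in ("127.0.0.1", "::1"):
                origin = "content-filter reinject (127.0.0.1)"
            else:
                origin = "unauthenticated smtp from %s" % m.group("ip")
            msgs.setdefault(m.group("qid"), {})["origin"] = origin
            continue
        m = PICKUP_RE.search(line)
        if m:
            msgs.setdefault(m.group("qid"), {})["origin"] = "local pickup uid=%s (%s)" % (m.group("uid"), m.group("user"))
            continue
        m = QMGR_RE.search(line)
        if m:
            rec = msgs.setdefault(m.group("qid"), {})
            rec["sender"] = m.group("sender")
            rec["nrcpt"] = int(m.group("nrcpt"))
            if "origin" not in rec:   # qmgr is the first sighting: a local bounce has from=<>
                rec["origin"] = "bounce generated locally" if rec["sender"] == "" else "unknown (origin line not in this log)"
    return msgs


def recipients_by_origin(msgs):
    """Sum envelope recipients per origin; the biggest non-reinject bucket is where the spam enters."""
    totals = defaultdict(int)
    for rec in msgs.values():
        totals[rec.get("origin", "unknown")] += rec.get("nrcpt", 0)
    return dict(totals)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for origin, count in sorted(recipients_by_origin(attribute_queue(text)).items(), key=lambda kv: -kv[1]):
        print("%6d recipients  %s" % (count, origin))
```

On the constructed sample the 40-recipient burst shows up twice, once under the SASL login that submitted it and once under the 127.0.0.1 re-injection; the SASL bucket is the real entry point, and the lone `from=<>` message is the server's own bounce for it. A large "unauthenticated smtp from" bucket with outside recipients would be the relay loophole the poster is worried about; with the restriction list quoted above it should not appear.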

#2  till (Super Moderator), 22nd September 2014, 18:40

You have to check the mail headers of the mails in the mail queue with postcat. That's the only way to find the source.
--
Till Brehm (ISPConfig support and the ISPConfig 3 manual: ispconfig.org)

#3  csabo (Junior Member), 22nd September 2014, 18:47

Quote (originally posted by till): "You have to check the mail headers of the mails in the mail queue with postcat. That's the only way to find the source."

Till,
Thanks for the heads-up. The sender field is blank in the postcat -vq output.

I do see "Regular_text: From: MAILER-DAEMON@..." in the message contents.

Is that of any significance?

#4  till (Super Moderator), 22nd September 2014, 18:58

These are the messages that came back. Please try to find a message that got stuck when it was sent out, e.g. due to a blacklisting of your server, and not a MAILER-DAEMON message.
--
Till Brehm (ISPConfig support and the ISPConfig 3 manual: ispconfig.org)
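Till's two replies amount to a procedure: run postcat on each queued file, skip the bounces, and read the origin off an original. The script below is an added example (my own code, not part of the thread, not from ISPConfig or Postfix) that does that over `postcat -q` output. A bounce is recognised by the blank `sender:` envelope record and the `From: MAILER-DAEMON` header the poster saw; for an original it reports the `client_address` and, where Postfix recorded one, the `sasl_username` envelope attribute, and otherwise falls back to the top `Received:` header this server added (`with ESMTPA` means the client authenticated; `(Postfix, from userid N)` means a local sendmail(1) call, and an `X-PHP-Originating-Script:` header then names the script if PHP's mail.add_x_header is on). The two sample dumps are constructed (hosts, addresses and queue IDs are made up); the `regular_text:` record names that `postcat -v` prints are stripped so either form can be fed in.

```python
"""Classify one queued message from `postcat -q QUEUEID` (or `postcat -vq`) output.

Added example, not from the original thread. A bounce has an empty envelope
sender (blank 'sender:' record) and a From: MAILER-DAEMON header; it is flagged
so it can be skipped. For an original, the origin comes from the envelope
attributes Postfix stored (client_address, and sasl_username if the client
logged in) and from the top Received: header this server added ('with ESMTPA'
= authenticated SMTP, 'from userid N' = local sendmail(1) pickup).
One file:    postcat -q QUEUEID | python3 this_script.py
Whole queue: for id in $(mailq | awk '/^[0-9A-F]/{print $1}' | tr -d '*!'); do postcat -q $id | python3 this_script.py; done
"""
import re
import sys

_VERBOSE_PREFIX = re.compile(r"^\s*(?:regular_text|long_text):\s?", re.I)  # record names printed by -v
_RECV_SMTP = re.compile(r"\[(?P<ip>[^\]]+)\]\)\s+by\s+\S+\s+\(Postfix\)\s+with\s+(?P<proto>[A-Z]+)")
_RECV_LOCAL = re.compile(r"\(Postfix, from userid (?P<uid>\d+)\)")

# Constructed samples (not from the original post); hosts, addresses and queue IDs are made up.
BOUNCE = """\
*** ENVELOPE RECORDS deferred/9/9E8D7C6B5A ***
sender:
recipient: bogus-account@example.org
*** MESSAGE CONTENTS deferred/9/9E8D7C6B5A ***
regular_text: Received: by mx.example.com (Postfix)
regular_text: \tid 9E8D7C6B5A; Mon, 22 Sep 2014 14:03:00 +0200 (CEST)
regular_text: From: MAILER-DAEMON@mx.example.com (Mail Delivery System)
regular_text:
regular_text: This is the mail system at host mx.example.com.
*** MESSAGE FILE END deferred/9/9E8D7C6B5A ***
"""
ORIGINAL = """\
*** ENVELOPE RECORDS deferred/1/1A2B3C4D5E ***
sender: info@example.com
named_attribute: client_address=203.0.113.5
named_attribute: sasl_username=info@example.com
recipient: bogus-account@example.org
*** MESSAGE CONTENTS deferred/1/1A2B3C4D5E ***
Received: from localhost (unknown [203.0.113.5])
\tby mx.example.com (Postfix) with ESMTPA id 1A2B3C4D5E
\tfor <bogus-account@example.org>; Mon, 22 Sep 2014 14:01:03 +0200 (CEST)
From: "Info" <info@example.com>
To: bogus-account@example.org

Hi there
*** MESSAGE FILE END deferred/1/1A2B3C4D5E ***
"""


def parse_postcat(text):
    """Return (envelope dict, unfolded header lines) from postcat output."""
    env, headers, section = {"recipients": []}, [], None
    for raw in text.splitlines():
        line = _VERBOSE_PREFIX.sub("", raw)
        if line.startswith("*** ENVELOPE RECORDS"):
            section = "env"
        elif line.startswith("*** MESSAGE CONTENTS"):
            section = "msg"
        elif line.startswith("*** "):               # HEADER EXTRACTED / MESSAGE FILE END
            section = None
        elif section == "env":
            key, _, val = line.partition(":")
            if key == "sender":
                env["sender"] = val.strip()          # empty for a bounce
            elif key == "recipient":
                env["recipients"].append(val.strip())
            elif key == "named_attribute":          # e.g. client_address=..., sasl_username=...
                name, _, value = val.strip().partition("=")
                env[name] = value
        elif section == "msg":
            if line == "":
                section = "body"                    # blank line ends the header block
            elif line[:1] in " \t" and headers:
                headers[-1] += " " + line.strip()   # unfold RFC 5322 continuation lines
            else:
                headers.append(line)
    return env, headers


def classify(env, headers):
    """Report bounce vs original and, for an original, the submission path."""
    hdr = {}
    for h in headers:
        name, _, value = h.partition(":")
        hdr.setdefault(name.strip().lower(), []).append(value.strip())
    from_hdr = hdr.get("from", [""])[0]
    result = {"sender": env.get("sender", ""), "recipients": env["recipients"],
              "bounce": env.get("sender") == "" or from_hdr.upper().startswith("MAILER-DAEMON")}
    if result["bounce"]:
        result["origin"] = "non-delivery report generated by this server; skip it and find the original"
        return result
    received = hdr.get("received", [""])[0]         # top Received: = the hop this server added
    m_local, m_smtp = _RECV_LOCAL.search(received), _RECV_SMTP.search(received)
    if env.get("sasl_username"):
        result["origin"] = "SASL-authenticated submission as %s from %s" % (env["sasl_username"], env.get("client_address", "?"))
    elif m_local:
        result["origin"] = "local sendmail(1) pickup from uid %s" % m_local.group("uid")
    elif m_smtp:
        auth = " (authenticated)" if m_smtp.group("proto").endswith("A") else ""   # ESMTPA / ESMTPSA
        result["origin"] = "SMTP from %s with %s%s" % (m_smtp.group("ip"), m_smtp.group("proto"), auth)
    else:
        result["origin"] = "unknown: no Received: header from this server"
    if hdr.get("x-php-originating-script"):          # PHP mail.add_x_header=On records uid:script
        result["php_script"] = hdr["x-php-originating-script"][0]
    return result


if __name__ == "__main__":
    for key, value in classify(*parse_postcat(sys.stdin.read())).items():
        print("%s: %s" % (key, value))
```

Once an original is found, the `sasl_username` it reports is the account to lock and re-password, and the `client_address` is what to compare against the foreign IPs seen in mail.log; a `local sendmail(1) pickup` result instead points back at the web tier, where the `X-PHP-Originating-Script` value, when present, names the offending script.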