Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > Installation/Configuration

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 2nd July 2013, 08:40
mattltm mattltm is offline
Member
 
Join Date: Jun 2011
Posts: 73
Thanks: 16
Thanked 5 Times in 5 Posts
Default users getting spam emails from server

Some of my users have started receiving spam emails that look like they are coming from the mail server. They are addressed from someone@servername.mydomain.tld

Is there anything I can do to stop this?
Reply With Quote
Sponsored Links
  #2  
Old 2nd July 2013, 11:36
sjau sjau is offline
Local Meanie
 
Join Date: Apr 2006
Location: Switzerland
Posts: 1,158
Thanks: 4
Thanked 58 Times in 54 Posts
Default

you could add headers to check where it's sent from... it's probably a some php script that's getting abused.
__________________
"Common sense is not as common as commonly believed" by sjau

Auto-Install Script for ISPConfig and Horde on a Vanilla Debian Stable

Need more Repos for Ubuntu? Repository Generator
Need more Repos for Debian? Debian Repository Generator
Reply With Quote
  #3  
Old 2nd July 2013, 17:42
mattltm mattltm is offline
Member
 
Join Date: Jun 2011
Posts: 73
Thanks: 16
Thanked 5 Times in 5 Posts
Default

Add headers?

Do you mean check the headers on the email?

This is the email header:

Code:
Return-Path: <Message@tax.co.uk>
From: <HM@myserver.mydomain.tld>
To: <info@userdomain.tld>
Subject: ***SPAM***Tax Refund New Message Alert!
Date: Tue, 2 Jul 2013 03:32:01 +0100
Message-ID: <20130702033201.6680DF36347B90A9@from.header.has.no.domain>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_01BA_01CE773A.83E03300"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFXOcqxYQyb3TjOkfCwYK4CVpWOYQ==

Last edited by mattltm; 2nd July 2013 at 17:46.
Reply With Quote
  #4  
Old 2nd July 2013, 17:47
sjau sjau is offline
Local Meanie
 
Join Date: Apr 2006
Location: Switzerland
Posts: 1,158
Thanks: 4
Thanked 58 Times in 54 Posts
Default

you can tell php to add a header that shows the script path of a php script that sent the email.
__________________
"Common sense is not as common as commonly believed" by sjau

Auto-Install Script for ISPConfig and Horde on a Vanilla Debian Stable

Need more Repos for Ubuntu? Repository Generator
Need more Repos for Debian? Debian Repository Generator
Reply With Quote
  #5  
Old 2nd July 2013, 17:48
mattltm mattltm is offline
Member
 
Join Date: Jun 2011
Posts: 73
Thanks: 16
Thanked 5 Times in 5 Posts
Default

Oh, right.

Do you have a link where I can find out how to do that?
Reply With Quote
  #6  
Old 2nd July 2013, 17:49
sjau sjau is offline
Local Meanie
 
Join Date: Apr 2006
Location: Switzerland
Posts: 1,158
Thanks: 4
Thanked 58 Times in 54 Posts
Default

Quote:
Originally Posted by mattltm View Post
Oh, right.

Do you have a link where I can find out how to do that?
Google knows
__________________
"Common sense is not as common as commonly believed" by sjau

Auto-Install Script for ISPConfig and Horde on a Vanilla Debian Stable

Need more Repos for Ubuntu? Repository Generator
Need more Repos for Debian? Debian Repository Generator
Reply With Quote
  #7  
Old 2nd July 2013, 17:56
mattltm mattltm is offline
Member
 
Join Date: Jun 2011
Posts: 73
Thanks: 16
Thanked 5 Times in 5 Posts
Default

Lol. Thats great

For anyone else who checks this thread and wants to know without wondering what google search string to use (a lot of results are for adding additional headers using the mail() function), it's the following line in your php.ini file:

Code:
;Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
mail.add_x_header = On
Mine is set to "On" so I guess this email is not coming from a script being abused on my server as it does not contain the "X-PHP-Originating-Script" string in the header.

Any other guesses as to where it's coming from and how to stop it?
Reply With Quote
  #8  
Old 2nd July 2013, 18:03
sjau sjau is offline
Local Meanie
 
Join Date: Apr 2006
Location: Switzerland
Posts: 1,158
Thanks: 4
Thanked 58 Times in 54 Posts
Default

http://serverfault.com/questions/404...l-with-postfix


Well, my guess was an outdated Joomla installation... had one of those being abused a while back
__________________
"Common sense is not as common as commonly believed" by sjau

Auto-Install Script for ISPConfig and Horde on a Vanilla Debian Stable

Need more Repos for Ubuntu? Repository Generator
Need more Repos for Debian? Debian Repository Generator
Reply With Quote
  #9  
Old 2nd July 2013, 18:23
mattltm mattltm is offline
Member
 
Join Date: Jun 2011
Posts: 73
Thanks: 16
Thanked 5 Times in 5 Posts
Default

Good guess.

I have no idea how it's happening but it is getting some users very confused as they think it's coming from me!
Reply With Quote
  #10  
Old 2nd July 2013, 19:06
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 37,015
Thanks: 840
Thanked 5,652 Times in 4,461 Posts
 
Default

Apache mod_security is a good way to protect outdated cms systems from being abused as it tests each http request against a set of generic exploit rules.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Sending mail ISPConfig 3 but not receivind catza Installation/Configuration 20 19th May 2010 13:47
I don't recieve mail. privir Installation/Configuration 2 3rd June 2009 23:08
Cacti and ISPConfig: Monitoring Tool VMartins Tips/Tricks/Mods 11 9th August 2008 19:37
Junk mail and spamassassin... sthompson Installation/Configuration 4 27th December 2006 17:11
The Perfect Setup Suse 9.3 - Postfix problems new_bee05 HOWTO-Related Questions 20 25th November 2005 03:30


All times are GMT +2. The time now is 12:07.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.