Blacklisted due to backscatter?

Discussion in 'ISPConfig 3 Priority Support' started by arraken, Aug 25, 2017.

  1. arraken

    arraken Member HowtoForge Supporter

    Hi! I have run into a spam problem on my webserver (part of an ISPConfig Multiserver Cluster) which I cannot seem to control.
    we are blacklisted on the cbl-blacklist with our server. The server is a webserver (NGINX) with a postfix instance used to send mail. Shortly before we got blacklisted, we saw backscatter symptoms in the mail log almost exactly like described here: https://blog.frd.mn/backscatter-due-to-loopback-mx/.

    We had many log enties like this:

    Code:
    Aug 25 02:23:49 web1 postfix/smtp[24110]: AC8EC5A00104: to=<[email protected]>, relay=none, delay=0.12, delays=0.08/0/0.04/0, dsn=5.4.6, status=bounced (mail for matrixdesign.net loops back to myself)
    Aug 25 02:24:34 web1 postfix/smtp[24107]: 063155A00104: to=<[email protected]>, relay=none, delay=0.09, delays=0.08/0/0.01/0, dsn=5.4.6, status=bounced (mail for sinfo.net loops back to myself)
    Aug 25 02:25:58 web1 postfix/smtp[24107]: 5299F5A00104: to=<[email protected]>, relay=none, delay=0.12, delays=0.11/0/0.01/0, dsn=5.4.6, status=bounced (mail for kahkaha.com loops back to myself)
    Aug 25 02:26:45 web1 postfix/smtp[24107]: BE0135A00104: to=<[email protected]>, relay=none, delay=0.24, delays=0.11/0/0.13/0, dsn=5.4.6, status=bounced (mail for timoonanimation.com loops back to myself)
    Aug 25 02:27:27 web1 postfix/smtp[24107]: 037D05A00104: to=<[email protected]>, relay=none, delay=0.13, delays=0.12/0/0.01/0, dsn=5.4.6, status=bounced (mail for kahkaha.com loops back to myself)
    Aug 25 02:28:13 web1 postfix/smtp[24107]: B96D35A00104: to=<[email protected]>, relay=none, delay=0.11, delays=0.11/0/0.01/0, dsn=5.4.6, status=bounced (mail for sinamail.com loops back to myself)
    Aug 25 02:28:55 web1 postfix/smtp[24619]: EE6575A00104: to=<[email protected]>, relay=none, delay=0.14, delays=0.11/0/0.03/0, dsn=5.4.6, status=bounced (mail for akentertainment.com loops back to myself)
    Aug 25 02:29:41 web1 postfix/smtp[24617]: 78A245A00104: to=<[email protected]>, relay=none, delay=0.1, delays=0.09/0/0.01/0, dsn=5.4.6, status=bounced (mail for southeast.net loops back to myself)
    We applied the solution in the linked article, and now the log entries look like this (which seemed to be the goal, regarding the mentioned article.
    Code:
    Aug 25 17:27:40 web1 postfix/smtpd[1409]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 554 5.7.1 <[email protected]>: Recipient address rejected: Domain MX in loopback network; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<my.server.tld>
    Aug 25 17:27:40 web1 postfix/smtpd[1409]: lost connection after RCPT from localhost.localdomain[127.0.0.1]
    Aug 25 17:27:40 web1 postfix/smtpd[1409]: disconnect from localhost.localdomain[127.0.0.1]
    Aug 25 17:27:40 web1 postfix/smtpd[1409]: connect from localhost.localdomain[127.0.0.1]
    Aug 25 17:27:40 web1 postfix/smtpd[1409]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 554 5.7.1 <[email protected]>: Recipient address rejected: Domain MX in loopback network; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<my.server.tld>
    Aug 25 17:27:40 web1 postfix/smtpd[1409]: lost connection after RCPT from localhost.localdomain[127.0.0.1]
    Aug 25 17:27:40 web1 postfix/smtpd[1409]: disconnect from localhost.localdomain[127.0.0.1]
    Aug 25 17:27:41 web1 postfix/smtpd[1411]: connect from localhost.localdomain[127.0.0.1]
    Aug 25 17:27:41 web1 postfix/smtpd[1411]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 554 5.7.1 <[email protected]>: Recipient address rejected: Domain MX in loopback network; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<my.server.tld> 
    We hoped the problem would be solved - and for first it seemed to have worked. The detection count on the lookup page https://www.abuseat.org/lookup.cgi stayed frozen at 20. But since some hours now, the counter is steadily rising again. We just can't figure out where the mails come from. In the mail-log, there is nothing that I can see as suspicious. Is it possible that mail is being sent, without showing up in the mail log? I am really running out of ideas here. Thankful for any help or advice!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, when the sending script comes with it's own smtp client. You should try to scan the websites on the server for malware and check with e.g. top command if you see unusually high usage for php processes of s specific web ID and then look at the access.log of this web to see if you find strange activity (mostly a lot of POST request to an unusual file name).
     
  3. arraken

    arraken Member HowtoForge Supporter

    Thank you very much for you fast reply! I think I found the culprint (fingers crossed!): a hacked wordpress site, using a known exploit (placed the file phpd.local.php in the /tmp folder and presumbaly sent spam). For anyone interested: here's the used file: https://github.com/mattiasgeniar/php-exploit-scripts/blob/master/found_on_wordpress/phpd.local.php

    The (h)top command was very revealing - almost instantly found the hacked site. Banging my head why I didn't think of that sooner - I was too fixated on analyzing the mail log....

    Thanks again Till - saved my weekend. :)
     

Share This Page