I'm sending spams?! [postfix][debian][ispconfig3]

Discussion in 'Server Operation' started by cookie-monster, Dec 15, 2011.

  1. cookie-monster

    cookie-monster New Member

    Hello,
    My 3 day old server started sending spam. I see that i can't connect mysql, i made a little research, there's huge amount of queries to mysql. And finally, i found the mail logs..
    I just configured the server, and nobody is using smtp server... 25 port is closed im using 465...

    Here is the part of log file
    Code:
    Dec 14 00:13:50 woody postfix/qmgr[28051]: DB7E21321AF: from=<root@woody.2fastweb.net>, size=36855, nrcpt=1 (queue active)
    Dec 14 00:13:50 woody postfix/qmgr[28051]: BC9371321D4: from=<root@woody.2fastweb.net>, size=36385, nrcpt=1 (queue active)
    Dec 14 00:13:50 woody postfix/smtp[25828]: DA8141321CC: to=<hsvguy2005@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=85, delay=7.4, delays=0.67/6.4/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25301-02-85, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as DB7E21321AF)
    Dec 14 00:13:50 woody postfix/smtp[25827]: 2E2811321FE: to=<thewrongprescription@hotmail.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=86, delay=8.8, delays=2.1/6.4/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25303-02-86, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CCF1A1321E2)
    Dec 14 00:13:50 woody postfix/qmgr[28051]: DA8141321CC: removed
    Dec 14 00:13:50 woody postfix/qmgr[28051]: 2E2811321FE: removed
    Dec 14 00:13:50 woody postfix/pickup[24000]: 0A2771321CC: uid=0 from=<root>
    Dec 14 00:13:50 woody postfix/cleanup[25425]: 0A2771321CC: message-id=<20111213231350.0A2771321CC@woody.2fastweb.net>
    Dec 14 00:13:50 woody postfix/qmgr[28051]: 0A2771321CC: from=<root@woody.2fastweb.net>, size=36389, nrcpt=1 (queue active)
    Dec 14 00:13:50 woody postfix/pickup[24000]: 1EC511321ED: uid=0 from=<root>
    Dec 14 00:13:50 woody postfix/cleanup[25450]: 1EC511321ED: message-id=<20111213231350.1EC511321ED@woody.2fastweb.net>
    Dec 14 00:13:50 woody postfix/smtpd[24247]: 370B713220F: client=localhost.localdomain[127.0.0.1]
    Dec 14 00:13:50 woody postfix/cleanup[25668]: 370B713220F: message-id=<20111213231343.584471321E6@woody.2fastweb.net>
    Dec 14 00:13:50 woody postfix/smtp[24365]: 70BF41321FB: to=<cursie_18@yahoo.de>, relay=mx2.mail.eu.yahoo.com[77.238.184.241]:25, delay=0.77, delays=0.14/0.07/0.08/0.48, dsn=2.0.0, status=sent (250 ok dirdel)
    Dec 14 00:13:50 woody postfix/smtpd[24256]: 384BB13220B: client=localhost.localdomain[127.0.0.1]
    Dec 14 00:13:50 woody postfix/cleanup[25910]: 384BB13220B: message-id=<20111213231343.8786F1321A0@woody.2fastweb.net>
    Dec 14 00:13:50 woody postfix/qmgr[28051]: 70BF41321FB: removed
    Dec 14 00:13:50 woody postfix/smtp[24375]: EAE551321D0: to=<americanboi28@yahoo.com>, relay=mta7.am0.yahoodns.net[66.94.238.147]:25, delay=2.3, delays=0.14/0/0.42/1.8, dsn=2.0.0, status=sent (250 ok dirdel)
    Dec 14 00:13:50 woody postfix/qmgr[28051]: EAE551321D0: removed
    Dec 14 00:13:50 woody postfix/qmgr[28051]: 370B713220F: from=<root@woody.2fastweb.net>, size=36903, nrcpt=1 (queue active)
    Dec 14 00:13:50 woody amavis[25303]: (25303-02-87) Passed CLEAN, <root@woody.2fastweb.net> -> <hornyoncam2010@hotmail.com>, Message-ID: <20111213231343.8786F1321A0@woody.2fastweb.net>, mail_id: oUSpQcQLnQuM, Hits: 9.875, size: 36399, queued_as: 384BB13220B, 323 ms
    Dec 14 00:13:50 woody amavis[25301]: (25301-02-86) Passed CLEAN, <root@woody.2fastweb.net> -> <blackbrew90291129@btinternet.co.uk>, Message-ID: <20111213231343.584471321E6@woody.2fastweb.net>, mail_id: zk0M4xzdOAUw, Hits: 9.875, size: 36415, queued_as: 370B713220F, 324 ms
    Dec 14 00:13:50 woody postfix/smtp[25827]: 8786F1321A0: to=<hornyoncam2010@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=87, delay=8.2, delays=1.7/6.1/0/0.33, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25303-02-87, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 384BB13220B)
    Dec 14 00:13:50 woody postfix/smtp[25828]: 584471321E6: to=<blackbrew90291129@btinternet.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=86, delay=8.3, delays=1.4/6.5/0/0.33, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25301-02-86, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 370B713220F)
    Dec 14 00:13:50 woody postfix/qmgr[28051]: 1EC511321ED: from=<root@woody.2fastweb.net>, size=36411, nrcpt=1 (queue active)
    Dec 14 00:13:50 woody postfix/qmgr[28051]: 8786F1321A0: removed
    Dec 14 00:13:50 woody postfix/qmgr[28051]: 384BB13220B: from=<root@woody.2fastweb.net>, size=36871, nrcpt=1 (queue active)
    Dec 14 00:13:50 woody postfix/pickup[24000]: 5A9571321A0: uid=0 from=<root>
    Dec 14 00:13:50 woody postfix/qmgr[28051]: 584471321E6: removed
    Dec 14 00:13:50 woody postfix/cleanup[25425]: 5A9571321A0: message-id=<20111213231350.5A9571321A0@woody.2fastweb.net>
    Dec 14 00:13:50 woody postfix/qmgr[28051]: 5A9571321A0: from=<root@woody.2fastweb.net>, size=36389, nrcpt=1 (queue active)
    Dec 14 00:13:50 woody postfix/pickup[24000]: 6D1A71321B9: uid=0 from=<root>
    Dec 14 00:13:50 woody postfix/cleanup[25450]: 6D1A71321B9: message-id=<20111213231350.6D1A71321B9@woody.2fastweb.net>
    Dec 14 00:13:50 woody postfix/smtp[24475]: 370B713220F: to=<blackbrew90291129@btinternet.co.uk>, relay=none, delay=0.22, delays=0.14/0.01/0.07/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=btinternet.co.uk type=A: Host found but no data record of requested type)
    Dec 14 00:13:50 woody postfix/cleanup[25910]: 7126F132214: message-id=<20111213231350.7126F132214@woody.2fastweb.net>
    Dec 14 00:13:50 woody postfix/smtpd[24247]: 83120132212: client=localhost.localdomain[127.0.0.1]
    Dec 14 00:13:50 woody postfix/cleanup[25425]: 83120132212: message-id=<20111213231343.EE5FE1321FF@woody.2fastweb.net>
    Dec 14 00:13:50 woody postfix/smtpd[24256]: 8B9A9132213: client=localhost.localdomain[127.0.0.1]
    Dec 14 00:13:50 woody postfix/cleanup[25668]: 8B9A9132213: message-id=<20111213231343.E19101321F0@woody.2fastweb.net>
    Dec 14 00:13:50 woody postfix/bounce[24413]: 370B713220F: sender non-delivery notification: 7126F132214
    Dec 14 00:13:50 woody amavis[25303]: (25303-02-88) Passed CLEAN, <root@woody.2fastweb.net> -> <bcramerx@yahoo.com>, Message-ID: <20111213231343.E19101321F0@woody.2fastweb.net>, mail_id: lZjmQxcMBiEh, Hits: 9.875, size: 36383, queued_as: 8B9A9132213, 338 ms
    

    Code:
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    append_dot_mydomain = no
    biff = no
    body_checks = regexp:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    content_filter = amavis:[127.0.0.1]:10024
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    message_size_limit = 0
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydestination = woody.2fastweb.net, localhost, localhost.localdomain
    myhostname = woody.2fastweb.net
    mynetworks = 127.0.0.0/8 [::1]/128
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    owner_request_special = no
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    readme_directory = /usr/share/doc/postfix
    receive_override_options = no_address_mappings
    recipient_delimiter = +
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    relayhost =
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_client_message_rate_limit = 100
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_transport = dovecot
    virtual_uid_maps = static:5000
    
     
  2. falko

    falko Super Moderator

  3. l.sergi

    l.sergi New Member

    I have the same problem

    I have the same problem and my server is not an open relay

    It's a Postfix 2.8.7 compiled on Fedora 16

    Cyrus SASL (2.1.25) authentication is enabled with method PLAIN
    Users are on a MySQL DB hosted in another server.

    Only ports 25, 53 and 22 are opened.

    220 myserver.mydomain.com ESMTP Postfix
    EHLO xxx.com
    250-mail2.tecnes.com
    250-PIPELINING
    250-SIZE 15000000
    250-VRFY
    250-ETRN
    250-AUTH PLAIN
    250-AUTH=PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
     
  4. falko

    falko Super Moderator

  5. l.sergi

    l.sergi New Member

    We aren't in the blacklist since we soon stopped the spam disabling user root to send email from local.

    In the main.cf we added:

    authorized_submit_users = !root, static:anyone



    The maillog during the problem was something like so.

    Dec 24 00:40:55 dns postfix/pickup[29510]: F25FF2C04A9: uid=0 from=<root>
    Dec 24 00:40:55 dns postfix/cleanup[29575]: F25FF2C04A9: message-id=<20111223234055.F25FF2C04A9@mail2.tecnes.com>
    Dec 24 00:40:56 dns postfix/qmgr[1028]: F25FF2C04A9: from=<root@mail2.tecnes.com>, size=358, nrcpt=1 (queue active)
    Dec 24 00:40:56 dns postfix/smtp[29582]: F25FF2C04A9: to=<serverpoplavock@gmail.com>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.11, delays=0.08/0/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 16ECAD7B532)
    Dec 24 00:40:56 dns postfix/qmgr[1028]: F25FF2C04A9: removed
    Dec 24 00:40:56 dns postfix/pickup[29510]: 10ED42C04A9: uid=0 from=<root>
    Dec 24 00:40:56 dns postfix/cleanup[29575]: 10ED42C04A9: message-id=<20111223234056.10ED42C04A9@mail2.tecnes.com>
    Dec 24 00:40:56 dns postfix/qmgr[1028]: 10ED42C04A9: from=<root@mail2.tecnes.com>, size=1125, nrcpt=1 (queue active)
    Dec 24 00:40:56 dns postfix/smtp[29576]: 10ED42C04A9: to=<youngwhitedude69@gmail.com>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.09, delays=0.07/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 297BAD7B592)
    Dec 24 00:40:56 dns postfix/qmgr[1028]: 10ED42C04A9: removed
    Dec 24 00:40:56 dns postfix/pickup[29510]: 23D7C2C04A9: uid=0 from=<root>
    Dec 24 00:40:56 dns postfix/cleanup[29575]: 23D7C2C04A9: message-id=<20111223234056.23D7C2C04A9@mail2.tecnes.com>
    Dec 24 00:40:56 dns postfix/qmgr[1028]: 23D7C2C04A9: from=<root@mail2.tecnes.com>, size=1122, nrcpt=1 (queue active)
    Dec 24 00:40:56 dns postfix/smtp[29582]: 23D7C2C04A9: to=<knuff1965@hotmail.co.uk>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.09, delays=0.07/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3C3DAD7B5E3)
    Dec 24 00:40:56 dns postfix/qmgr[1028]: 23D7C2C04A9: removed
    Dec 24 00:40:56 dns postfix/pickup[29510]: 389D42C04A9: uid=0 from=<root>
    Dec 24 00:40:56 dns postfix/cleanup[29575]: 389D42C04A9: message-id=<20111223234056.389D42C04A9@mail2.tecnes.com>
    Dec 24 00:40:56 dns postfix/qmgr[1028]: 389D42C04A9: from=<root@mail2.tecnes.com>, size=1128, nrcpt=1 (queue active)
    Dec 24 00:40:56 dns postfix/pickup[29510]: 4409D2C04A7: uid=0 from=<root>
    Dec 24 00:40:56 dns postfix/smtp[29583]: 389D42C04A9: to=<rockfortherockaus@yahoo.co.uk>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.11, delays=0.09/0/0/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 529CFD7B6DF)
    Dec 24 00:40:56 dns postfix/qmgr[1028]: 389D42C04A9: removed
    Dec 24 00:40:56 dns postfix/cleanup[29575]: 4409D2C04A7: message-id=<20111223234056.4409D2C04A7@mail2.tecnes.com>
    Dec 24 00:40:56 dns postfix/qmgr[1028]: 4409D2C04A7: from=<root@mail2.tecnes.com>, size=1129, nrcpt=1 (queue active)
    Dec 24 00:40:56 dns postfix/pickup[29510]: 5AA122C04CE: uid=0 from=<root>
    Dec 24 00:40:56 dns postfix/smtp[29576]: 4409D2C04A7: to=<nathan_jackman1998@hotmail.com>, relay=mail.tecnes.com[62.152.117.247]:25, delay=0.12, delays=0.1/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 695C7D7BAA9)
    Dec 24 00:40:56 dns postfix/qmgr[1028]: 4409D2C04A7: removed
     
  6. falko

    falko Super Moderator

  7. l.sergi

    l.sergi New Member

    There are no web application on this server. Just postfix with SASL authentication and the DNS.

    We had the same problem on another Postfix server. In that case there were no DNS. So we can exclude the problem is caused by the DNS.

    I can think there's a vulnerability of postfix + SASL but I'm not sure.
     
  8. falko

    falko Super Moderator

    Have you tried to change all your passwords?

    Also, please run chkrootkit or rkhunter to find out if there's malware installed on your server.
     
  9. joseluisillo

    joseluisillo New Member

    Most likely an autoresponder

    That happened to me because one of the email accounts had an autoresponder on, and answer mails were generated by the root user.

    Delivery addresses were strange because he was also responding to the spam he received.
     

Share This Page