Mail server compromised and sending out spam HELP!

Discussion in 'General' started by provell, Mar 21, 2010.

  1. provell

    provell New Member

    Hi,

    My server is sending large amounts of spam.
    If I check the mail log files they are sometimes 350mb because of alle mail that is send.

    This is what is in the logging:

    I'm unable to see who the user is that sends it.
    The mail logging just says that a mail is send to someone.
    I can't find out if it is the server or some client.

    Is there a way to see who sends these mails?
    What is the best logging to check for this?

    Thanks in advance for your help.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. provell

    provell New Member

    php

    Ok, I will install and run the script.:)
    I do have some "forms" that mail with the use of php scripts.

    For these php scripts(forms) that are mis-used to create the spammail there is an option to have those "weird letters" you have to type in before you are able to confirm/send.
    Would that be the key to never have this problem again or is it just an extra precaution?

    And if it was one of my clients who had a problem, would turning on the spamfilter help? Or is this just for incomming mail?

    Anyway thanks for the script and information so far.
     
  4. provell

    provell New Member

    postsuper

    Hi,

    I setup the "formcheck" like you advised through:
    http://www.howtoforge.com/how-to-log...tect-form-spam

    The tests were ok so the scripts works.
    But when the spaming from my server began again the log file was empty.

    Then I did an apt-get update and the upgrade.
    I also updated from ISPconfig 2.2.27 to 2.2.35.
    Still the spamming whent on.

    When "grepping" throug the enormous log file I can't find out who is sending the mails, I only can see a [email protected] and so on.
    The [email protected] is not hosted on my server, and it seems to change from time to time to some other user.

    I followed up the advise on rkhunter an chkrootkit but they did not alarm me with anything to wory about.
    Infect 99% was ok, just 3 hidden directory's in /dev were pointed out to me.
    They seem to hold no strange files.

    THEN i did what stopped the spamming the last time!!
    I deleted the whole postfix que with the following command:
    postsuper -d ALL

    It then deletes some 2000 mails and the spamming stops(for now).
    Do you have any idea why that helps?

    So it is not a php form abuse.
    Checked the server thoroughly, what could it be?
    Any Idea's where or what I should be checking would be much appreciated.

    Thanks for your help in advance.
     
  5. falko

    falko Super Moderator ISPConfig Developer

    Are there any non-PHP web applications (e.g. Perl, Python, Ruby, etc.) that could be abused?
     
  6. provell

    provell New Member

    postcat -q nnnnn

    Well I finaly succeded in removing the spam problem:)
    Wow! this is something I don't want to happen ever again.

    Till gave an options to someone in the forum to use the command postcat -q.
    That gave me a nice discription who was the sasl_username that was sending the mail.
    Once I changed the password of that user the spaming stopped.

    This is obiously not the fault of ispconfig and not of good working debian system, but it did happen.
    One milion mails every day for a couple of days!!!
    Now I have setup al kinds op grepping bash files that inform me through mail so I at least know right away that this is happening.
    If there are any other suggestions to prevent this in the future they are welkom!

    Final questions:
    How do I get myself back on track with all the other mailserver?
    Getting off from the blacklist listing and sorts?

    I checked out the mtoolbox site and mailed to all the blacklisted party's.
    Is there anything else I can do, appart from the obvious wich is not spamming ;)

    Thanks for all your help to in this matter.
     
  7. falko

    falko Super Moderator ISPConfig Developer

    I'd install fail2ban to prevent brute-force attacks to sniff out your passwords.
     

Share This Page