My server got hacked and is being used to SPAM

Discussion in 'Installation/Configuration' started by greenhornet, Jan 16, 2008.

  1. greenhornet

    greenhornet New Member

    Guys,
    I really need some help with this and I'm very much a noob. I followed the out of the box instructions to get my ISPconfig server up and running. I am getting dozens of bounced spam emails that are either being sent through my server or spoofed through my domain.

    How can I stop this? HELP
     
  2. till

    till Super Moderator HowtoForge Supporter

    This does not generally mean that your server got hacked, as everyone may use your domain as sender address, which does not necessarily mean that the emails have been sent from your server. Please post an excerpt of your mail log and the content of the file /etc/postfix/main.cf
     
  3. edge

    edge Active Member HowtoForge Supporter

    Also make sure that you have a correct SPF record setup for the domain to only use that server for outgoing email.
     
  4. Hans

    Hans Moderator HowtoForge Supporter

    Another tip:
    Check your mail.log files and try to find out which user sends the spam.

    Also go to http://www.mxtoolbox.com/blacklists.aspx and check that your server has not been blacklisted in the meantime.
    To check if you have an open relay, you can use the site http://www.abuse.net/relay.html
    If you have an insecure contact form in one of your websites you will probably see that spam has been sent via a system user.
    If you use a default ISPConfig server, this is the Apache user. On Debian this is www-data, but it can be different on other Linux distributions.
    If you use ISPConfig with suPHP enabled, insecure contact forms are easier to locate, because in that case spam has been sent via the web admin user of that website and not via the Apache user.
     
    Last edited: Jan 17, 2008
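The log triage Hans describes (find out which user is sending, and tell that apart from the web user's name merely appearing in inbound deliveries), as an added example that is not part of this thread. It folds Postfix syslog lines of the format greenhornet posts further down into one record per queue ID, then flags two things: bulk local submissions by one uid (an abused script or contact form running as www-data or, under suPHP, as the site's web user) and unauthenticated, non-local SMTP clients whose mail left again through the smtp transport (an open relay). The thresholds, uid 33 for www-data, and the example.* hosts in the constructed log lines are assumptions.

```python
"""Triage a Postfix mail.log: per queue ID, record whether a message came in over
SMTP (smtpd: client=...) or was submitted locally (pickup: uid=...), then flag bulk
local submissions and unauthenticated clients that were relayed outward.
Added example; thresholds and the example.* hosts are assumptions."""
import re
from collections import Counter, defaultdict

MAX_RCPT_PER_MSG = 20   # assumed thresholds for a small ISPConfig box; tune to your traffic
MAX_MSGS_PER_UID = 5

QID = r"(?P<qid>[0-9A-F]+)"
RE_CLIENT = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=\S+?\[(?P<ip>[\d.]+)\]"
                       r"(?:, sasl_method=\S+, sasl_username=(?P<sasl>[^,\s]+))?")
RE_PICKUP = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=(?P<uid>\d+) from=<")
RE_QMGR = re.compile(r"postfix/qmgr\[\d+\]: " + QID
                     + r": from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<n>\d+)")
RE_DELIVER = re.compile(r"postfix/(?P<transport>local|virtual|smtp)\[\d+\]: " + QID
                        + r": to=<(?P<to>[^>]*)>.*?relay=(?P<relay>\S+),.*status=(?P<status>\w+)")


def _new_record():
    return {"origin": None, "ip": None, "sasl": None, "uid": None,
            "sender": None, "nrcpt": 0, "deliveries": []}


def parse(lines):
    """Fold a mail.log stream into one record per Postfix queue ID."""
    msgs = defaultdict(_new_record)
    for line in lines:
        if m := RE_CLIENT.search(line):
            msgs[m["qid"]].update(origin="smtpd", ip=m["ip"], sasl=m["sasl"])
        elif m := RE_PICKUP.search(line):
            msgs[m["qid"]].update(origin="pickup", uid=int(m["uid"]))
        elif m := RE_QMGR.search(line):
            msgs[m["qid"]].update(sender=m["sender"], nrcpt=int(m["n"]))
        elif m := RE_DELIVER.search(line):
            msgs[m["qid"]]["deliveries"].append((m["transport"], m["to"], m["relay"], m["status"]))
    return dict(msgs)


def findings(msgs):
    """Flag bulk local submissions per uid, single messages with many recipients,
    and unauthenticated non-local clients whose mail went out via the smtp
    transport. Inbound mail delivered to a local mailbox is never flagged, even
    though the web user's name shows up in its to=<...> after rewriting."""
    out = []
    per_uid = Counter(r["uid"] for r in msgs.values() if r["origin"] == "pickup")
    for uid, n in sorted(per_uid.items()):
        if n > MAX_MSGS_PER_UID:
            out.append({"kind": "bulk_uid", "uid": uid, "count": n})
    for qid, r in sorted(msgs.items()):
        if r["origin"] == "pickup" and r["nrcpt"] > MAX_RCPT_PER_MSG:
            out.append({"kind": "many_rcpt", "qid": qid, "uid": r["uid"], "nrcpt": r["nrcpt"]})
        relayed = any(t == "smtp" for t, _to, _relay, _status in r["deliveries"])
        if r["origin"] == "smtpd" and not r["sasl"] and not r["ip"].startswith("127.") and relayed:
            out.append({"kind": "relay", "qid": qid, "ip": r["ip"], "sender": r["sender"]})
    return out


SAMPLE_LOG = [  # first six lines copied from the excerpt posted in this thread
    "Jan 17 00:15:00 isp postfix/smtpd[8464]: 32EA73E02F1: client=ftp.dbldistributing.com[208.51.73.51]",
    "Jan 17 00:15:02 isp postfix/qmgr[8170]: 32EA73E02F1: from=<ndebaggis@dbldistributing.com>, size=100369, nrcpt=1 (queue active)",
    "Jan 17 00:15:17 isp postfix/local[8470]: 32EA73E02F1: to=<web11_@isp.thealangroup.net>, orig_to=<keith@thealangroup.net>, relay=local, delay=18, delays=2.6/0.01/0/15, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)",
    "Jan 17 00:15:06 isp postfix/pickup[8169]: 04FC53E033A: uid=10010 from=<web11_>",
    "Jan 17 00:15:06 isp postfix/qmgr[8170]: 04FC53E033A: from=<web11_@isp.thealangroup.net>, size=386, nrcpt=1 (queue active)",
    "Jan 17 00:15:07 isp postfix/local[8491]: 04FC53E033A: to=<admispconfig@localhost.localdomain>, relay=local, delay=1.1, delays=0.05/0.01/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)",
]
# Constructed: a contact form abused through the Apache user (uid 33 is www-data on
# Debian), six submissions within a minute, the first one to 40 recipients.
for i in range(6):
    qid = f"C0FFEE{i:05X}"
    SAMPLE_LOG += [
        f"Jan 17 00:20:0{i} isp postfix/pickup[8169]: {qid}: uid=33 from=<www-data>",
        f"Jan 17 00:20:0{i} isp postfix/qmgr[8170]: {qid}: from=<www-data@isp.example.net>, size=2100, nrcpt={40 if i == 0 else 1} (queue active)",
    ]
# Constructed: an unauthenticated outside client whose mail left the box again.
SAMPLE_LOG += [
    "Jan 17 00:25:00 isp postfix/smtpd[8600]: DEADBEEF001: client=unknown[198.51.100.23]",
    "Jan 17 00:25:00 isp postfix/qmgr[8170]: DEADBEEF001: from=<lesizzxxy@example.com>, size=1200, nrcpt=1 (queue active)",
    "Jan 17 00:25:03 isp postfix/smtp[8610]: DEADBEEF001: to=<victim@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=3, delays=0.1/0/1/2, dsn=2.0.0, status=sent (250 OK)",
]

if __name__ == "__main__":
    for f in findings(parse(SAMPLE_LOG)):
        print(f)
```

Run it against the real file with `python3 triage.py < /var/log/mail.log` after swapping `SAMPLE_LOG` for `sys.stdin`; the rotated copies (mail.log.1, mail.log.2.gz, ...) can be concatenated in front with `zcat -f`. A `relay` finding is only a pointer: a message can legitimately leave via the smtp transport when a local alias forwards it, so confirm with the abuse.net relay test Hans links.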
  5. greenhornet

    greenhornet New Member

    Yes, but going from zero to roughly 75 bounced emails in an hour is an indication that SOMETHING changed and I have become a target, successful or otherwise.

    What's the location of my mail log and I'll post?
     
  6. Hans

    Hans Moderator HowtoForge Supporter

    Please have a look at your directory /var/log/.

    You can follow the activities within your log file with the command:

    tail -f /var/log/mail.log

    ctrl+C to exit your session.
     
  7. greenhornet

    greenhornet New Member

    main.cf contents

    Here's the /etc/postfix/main.cf content. I have removed my domain references and replaced them with xxx. I'm also working on getting the mail log when I figure out where it is.

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = isp.xxx.net
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    #mydestination = isp.xxx.net, localhost.xxx.net, , localhost
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_una$
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

    virtual_maps = hash:/etc/postfix/virtusertable

    mydestination = /etc/postfix/local-host-names
     
  8. greenhornet

    greenhornet New Member

    mail log

    Here is an excerpt from my mail log. I tried to go back to when the problem was at its worst yesterday, but it appears the log doesn't retain information that long. The number of bounced spam messages has slowed quite a bit in the past 24 hours.
    Code:
    Jan 17 00:14:59 isp postfix/smtpd[8464]: connect from ftp.dbldistributing.com[208.51.73.51]
    Jan 17 00:15:00 isp postfix/smtpd[8464]: 32EA73E02F1: client=ftp.dbldistributing.com[208.51.73.51]
    Jan 17 00:15:00 isp postfix/cleanup[8469]: 32EA73E02F1: message-id=<2a13201c858d0$c83334a0$4432010a@dbl.local>
    Jan 17 00:15:02 isp postfix/qmgr[8170]: 32EA73E02F1: from=<ndebaggis@dbldistributing.com>, size=100369, nrcpt=1 (queue active)
    Jan 17 00:15:02 isp postfix/smtpd[8464]: disconnect from ftp.dbldistributing.com[208.51.73.51]
    Jan 17 00:15:06 isp postfix/pickup[8169]: 04FC53E033A: uid=10010 from=<web11_>
    Jan 17 00:15:06 isp postfix/cleanup[8469]: 04FC53E033A: message-id=<20080117061506.04FC53E033A@isp.thealangroup.net>
    Jan 17 00:15:06 isp postfix/qmgr[8170]: 04FC53E033A: from=<web11_@isp.thealangroup.net>, size=386, nrcpt=1 (queue active)
    Jan 17 00:15:07 isp postfix/local[8491]: 04FC53E033A: to=<admispconfig@localhost.localdomain>, relay=local, delay=1.1, delays=0.05/0.01/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
    Jan 17 00:15:07 isp postfix/qmgr[8170]: 04FC53E033A: removed
    Jan 17 00:15:17 isp postfix/local[8470]: 32EA73E02F1: to=<web11_@isp.thealangroup.net>, orig_to=<keith@thealangroup.net>, relay=local, delay=18, delays=2.6/0.01/0/15, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
    Jan 17 00:15:17 isp postfix/qmgr[8170]: 32EA73E02F1: removed
    Jan 17 00:15:49 isp postfix/smtpd[8464]: connect from unknown[62.117.127.3]
    Jan 17 00:15:49 isp postfix/smtpd[8464]: 6544B3E02F1: client=unknown[62.117.127.3]
    Jan 17 00:15:49 isp postfix/cleanup[8469]: 6544B3E02F1: message-id=<000701c858d0$06620afc$d433d496@csblewno>
    Jan 17 00:15:49 isp postfix/qmgr[8170]: 6544B3E02F1: from=<kyra@surecom.com>, size=880, nrcpt=1 (queue active)
    Jan 17 00:15:49 isp postfix/local[8491]: warning: required alias not found: postmaster
    Jan 17 00:15:49 isp postfix/local[8491]: 6544B3E02F1: to=<postmaster@green-hornet.com>, relay=local, delay=0.37, delays=0.37/0/0/0, dsn=2.0.0, status=sent (discarded)
    Jan 17 00:15:49 isp postfix/qmgr[8170]: 6544B3E02F1: removed
    Jan 17 00:15:49 isp postfix/smtpd[8464]: disconnect from unknown[62.117.127.3]
    Jan 17 00:17:49 isp postfix/smtpd[8546]: connect from unknown[58.187.120.65]
    Jan 17 00:19:13 isp postfix/smtpd[8564]: connect from unknown[123.253.132.236]
    Jan 17 00:19:15 isp postfix/smtpd[8564]: 87CD23E02F1: client=unknown[123.253.132.236]
    Jan 17 00:19:16 isp postfix/cleanup[8566]: 87CD23E02F1: message-id=<1200547543.0043@sprint.ca>
    Jan 17 00:19:16 isp postfix/qmgr[8170]: 87CD23E02F1: from=<lavernebirdvp@sprint.ca>, size=1260, nrcpt=1 (queue active)
    Jan 17 00:19:17 isp postfix/smtpd[8564]: disconnect from unknown[123.253.132.236]
    Jan 17 00:19:21 isp postfix/local[8569]: 87CD23E02F1: to=<web11_@isp.thealangroup.net>, orig_to=<keith@thealangroup.net>, relay=local, delay=5.9, delays=0.79/0.01/0/5.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
    Jan 17 00:19:21 isp postfix/qmgr[8170]: 87CD23E02F1: removed
    Jan 17 00:21:35 isp postfix/smtpd[8599]: warning: 201.209.4.30: hostname 201-209-4-30.genericrev.cantv.net verification failed: Name or service not known
    Jan 17 00:21:35 isp postfix/smtpd[8599]: connect from unknown[201.209.4.30]
    Jan 17 00:21:36 isp postfix/smtpd[8599]: 0F0043E030C: client=unknown[201.209.4.30]
    Jan 17 00:21:36 isp postfix/cleanup[8601]: 0F0043E030C: message-id=<5IX530EJXVWDA478@mms-mobilya.com>
    Jan 17 00:21:36 isp postfix/qmgr[8170]: 0F0043E030C: from=<Nanyone@allidaho.com>, size=1248, nrcpt=1 (queue active)
    Jan 17 00:21:36 isp postfix/smtpd[8599]: disconnect from unknown[201.209.4.30]
     
  9. falko

    falko Super Moderator HowtoForge Supporter

    If spammers are using your domain in the sender address, then there's nothing you can do about it. They can send their spam from other servers, but the bounces go to your server. :(
     
  10. greenhornet

    greenhornet New Member

    Yes, but I'm not certain that's all they are doing. Are you? It appeared from the logs that they obtained one of the ISPConfig account names (i.e. web2_bob) and were sending with that. That is not something that would typically be visible to someone who just tried spoofing an email address (i.e. bob@bobsdomain.com).
     
  11. falko

    falko Super Moderator HowtoForge Supporter

    I'd change web2_bob's password and see if that changes anything.
     
  12. zetnsh

    zetnsh New Member

    Just my brief thoughts on this:

    Firstly, you can find older log files in the same directory as the maillog, but with different suffixes - on my system the relevant files are in /var/log:

    Code:
    [root@mail ~]# ls -al /var/log/mail*
    -rw------- 1 root root 835677 Jan 19 17:18 /var/log/maillog
    -rw------- 1 root root 182263 Jan 13 04:06 /var/log/maillog.1
    -rw------- 1 root root 184045 Jan  6 04:06 /var/log/maillog.2
    -rw------- 1 root root 155908 Dec 30 04:06 /var/log/maillog.3
    -rw------- 1 root root  98734 Dec 23 04:06 /var/log/maillog.4
    You will see from the dates that the log rotates every few days when it gets beyond a certain size, and the old one gets archived (as in /var/log/maillog.x); the bigger 'x' is, the older the file. On my system, it only keeps 4 copies.

    Also, with reference to your worries about spam, I would say that you are very likely to see ISPConfig usernames in the log files, simply because the incoming e-mail addresses at some point get rewritten to that. Just because you're seeing those usernames doesn't necessarily mean anything's wrong - you would see those even if you received a normal mail.

    What generally happens in these cases is that a third party sends out SPAM mail using an address on one of your domains as the sending address. This kind of sender forgery is unfortunately very common, and the mere fact that the domain is even registered is often enough for spammers to have a go. Of course the vast majority of this spam is sent to non-existent addresses, or gets bounced by a spam filter, so of course your mail server, as the one genuinely responsible for handling mail for the domain, gets hit with the bounces. This is sometimes called "backscatter", and simply handling the volume can present problems for any system administrator.

    I think the important things are to check that you really are not an open relay (i.e. anyone can send using your SMTP server) - Hans provided a good link to a site which tests that - and also to make sure you haven't got any misbehaving CGI/PHP programs running on your server. Common examples of these would be feedback forms on websites - they usually provide a mechanism for sending e-mail to an address configured in the form's hidden fields, which can often be used maliciously for spamming. Older versions of formmail.pl had this problem, but it's been fixed in newer versions. Any custom written scripts might have this problem of course! The golden rule really should be never send e-mail to an address given in a web form...

    Hope all that is some sort of help!

    Neil
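The feedback-form problem Neil and Hans describe, as an added example that is not code from this thread or from formmail.pl: a handler in the classic vulnerable shape (recipient taken from a hidden form field, the visitor's address and subject pasted straight into the header block) next to a hardened one that applies the golden rule above. The message is built as raw text and fed to the standard library parser so the injected Bcc: is visible; SITE_OWNER and the example.* addresses are assumptions, and the attack form is constructed input.

```python
"""Contact-form mail building: the formmail-style vulnerable version beside a
hardened one. Added example; SITE_OWNER and example.* addresses are assumptions."""
import re
from email import message_from_string

SITE_OWNER = "owner@example.net"   # assumed: the only address the form may ever write to
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_message_vulnerable(form):
    """Trusts the form: To: comes from a hidden 'recipient' field and the visitor's
    address and subject go straight into the header block. A CR/LF in any of them
    ends that header line and lets the sender append Bcc:, To: or a second body."""
    return (f"From: {form['email']}\r\n"
            f"To: {form['recipient']}\r\n"
            f"Subject: {form['subject']}\r\n"
            f"\r\n{form['message']}\r\n")


def build_message_hardened(form):
    """Recipient fixed server-side, header fields refused if they contain a line
    break, sender address checked for shape and placed only in Reply-To:. From:
    stays a local address, which also keeps the mail inside the domain's SPF."""
    for field in ("email", "subject"):
        if "\r" in form[field] or "\n" in form[field]:
            raise ValueError(f"line break in header field {field!r}")
    if not EMAIL_RE.match(form["email"]):
        raise ValueError("sender address does not look like an e-mail address")
    return (f"From: {SITE_OWNER}\r\n"
            f"Reply-To: {form['email']}\r\n"
            f"To: {SITE_OWNER}\r\n"
            f"Subject: {form['subject'][:200]}\r\n"
            f"\r\n{form['message']}\r\n")


def header_recipients(raw):
    """Addresses an MTA invoked as 'sendmail -t' would take from To:, Cc: and Bcc:."""
    msg = message_from_string(raw)
    rcpts = []
    for name in ("To", "Cc", "Bcc"):
        for value in msg.get_all(name, []):
            rcpts += [a.strip() for a in value.split(",") if a.strip()]
    return rcpts


ATTACK_FORM = {  # constructed input: what a spammer's script posts to the form
    "email": "lesizzxxy@example.com",
    "recipient": "victim1@example.org",
    "subject": "hello\r\nBcc: victim2@example.org, victim3@example.org",
    "message": "buy stuff",
}
HONEST_FORM = dict(ATTACK_FORM, subject="question about your product")

if __name__ == "__main__":
    print("vulnerable delivers to:", header_recipients(build_message_vulnerable(ATTACK_FORM)))
    print("hardened delivers to:  ", header_recipients(build_message_hardened(HONEST_FORM)))
```

The vulnerable handler turns one form post into three deliveries, which is exactly the pattern that shows up in mail.log as pickup submissions from www-data (or the site's web user under suPHP). The hardened handler never uses a recipient from the request at all; rejecting line breaks is what closes header injection, and the address check is secondary.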
     
  13. thctlo

    thctlo New Member

    Antispam solution: add this to Postfix main.cf and it stops 90% of all spam.

    Code:
    myhostname = host.domain.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    # set myorigin once; when a parameter appears twice Postfix takes the last value
    myorigin = /etc/mailname
    #mydestination = host.domain.com, localhost
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command =
    mailbox_size_limit = 0
    recipient_delimiter = +
    #inet_interfaces = all
    inet_interfaces = host.domain.com localhost
    inet_protocols = ipv4

    message_size_limit = 10485760

    notify_classes =
        resource,
        software

    bounce_size_limit = 1024
    invalid_hostname_reject_code = 554
    access_map_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_client_reject_code = 554
    non_fqdn_reject_code = 554
    unknown_sender_reject_code = 554
    unverified_sender_reject_code = 554
    unverified_recipient_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554

    disable_vrfy_command = yes

    smtpd_restriction_classes = verify_sender
    verify_sender = reject_unverified_sender, permit


    ## in order of processing. restrictions/anti-spam
    ## continuation lines of a multi-line value must start with whitespace
    smtpd_client_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client list.dsbl.org
    #   reject_unknown_client

    smtpd_helo_required = yes

    smtpd_helo_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_invalid_hostname,
        check_helo_access regexp:/etc/postfix/helo.regexp,
        permit

    # mind the spelling of the parameter name: a misspelled one is logged as an
    # unused parameter and the whole list below is never applied
    smtpd_sender_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
    #   check_relay_domains is deprecated; relay control is reject_unauth_destination below
        permit_tls_all_clientcerts,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client zen.spamhaus.org,
        reject_unknown_sender_domain

    smtpd_delay_reject = yes

    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_invalid_hostname,
        reject_unknown_sender_domain,
        reject_unauth_pipelining,
        reject_unknown_recipient_domain,
        reject_non_fqdn_sender,
        check_sender_access hash:/etc/postfix/verify_sender.map,
    #   multi.uribl.com lists URIs found in message bodies, not client IPs;
    #   query it from SpamAssassin, not with reject_rbl_client
    #   reject_rbl_client multi.uribl.com,
    #   the rfc-ignorant lists are keyed on the sender domain, so they need reject_rhsbl_sender
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        reject_rhsbl_sender bogusmx.rfc-ignorant.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client zen.spamhaus.org,
    #   reject_rbl_client cbl.anti-spam.org.cn,
    #   reject_rbl_client blackholes.five-ten-sg.com,
    #   reject_rbl_client dnsbl.ahbl.org,
    #   reject_rbl_client dnsbl.njabl.org,
    #   reject_rbl_client multi.surbl.org,
    #   reject_rbl_client bl.spamcop.net,
    #   reject_rbl_client cbl.abuseat.org,
    #   reject_rbl_client ix.dnsbl.manitu.net,
    #   reject_rbl_client l1.apews.org,
    #   reject_rbl_client l2.apews.org,
    #   reject_rbl_client t1.dnsbl.net.au,
    #   reject_rbl_client combined.rbl.msrbl.net,
    #   reject_rbl_client rabl.nuclearelephant.com,
    #   reject_rbl_client dnsbl.sorbs.net,
    #   reject_rhsbl_sender rhsbl.sorbs.net,
        reject_non_fqdn_recipient,
        reject_unauth_destination

    smtpd_data_restrictions =
        reject_unauth_pipelining,
        permit


    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    # smtpd_recipient_restrictions is set once, above; a second assignment here
    # would silently replace the whole anti-spam list with its own value
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/
    ### see also local.cf from spamassassin, add header if user auth over smtp
    smtpd_sasl_authenticated_header = yes


    virtual_maps = hash:/etc/postfix/virtusertable

    mydestination = /etc/postfix/local-host-names


    extra files.
    /etc/postfix/helo.regexp
    /^localhost$/ 550 Don't use my own hostname
    /^host\.domain\.com$/ 550 Don't use my own hostname
    /^127\.0\.0\.1$/ 550 Don't use my own IP address
    /^\[180\.169\.9\.91]$/ 550 Don't use my own IP address
    /^\[180\.169\.9\.92]$/ 550 Don't use my own IP address
    #/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
    #/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant

    /etc/postfix/verify_sender.map
    ## reverse check the email adresses.
    ## Example: domain.extention verify_sender
    earthlink.net verify_sender
    hotmail.com verify_sender
    lycos.com verify_sender
    msn.com verify_sender
    netscape.com verify_sender
    netscape.net verify_sender
    yahoo.com verify_sender
    gmail.com verify_sender
    gmail.nl verify_sender
    live.com verify_sender
    charter.net verify_sender

    And don't forget to postmap verify_sender.map!!! and reload Postfix ( /etc/init.d/postfix reload ).
    I'm running this setup on my company's server; without zen.spamhaus I get about 1600 spam mails a day,
    with it about 160. Adding URIBL + verify sender + rfc-ignorant saves another 5-8 % of spam,
    so just 2 % gets into my network, and then it goes to the antispam server.
    I get only 1 spam message a week for about 100 users.

    Good luck.

    The commented lines you had better leave commented;
    these can block webmail of roaming users.
     
    Last edited: Jan 21, 2008
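How Postfix evaluates the helo.regexp table from the post above, as an added example that is not part of the thread: a regexp: table is read top to bottom, the first matching line wins, matching is case-insensitive unless the `i` flag is given (it toggles the default off), and for check_helo_access the key is the HELO/EHLO argument as the client sent it. The function below parses the subset of the regexp: table syntax used above (`/` delimiter, optional flags, no `!` negation, no if/endif) with Python's `re`, which is equivalent to the POSIX extended syntax for these patterns, and lets you switch on the two commented-out lines to see what the poster means by blocking roaming users' software: any bare IP address in HELO would then be refused. The embedded table is the one posted above; the sample HELO names are constructed.

```python
"""Evaluate a Postfix regexp: access table against sample HELO names.
Added example; supports only the table syntax used in the posted helo.regexp."""
import re

HELO_TABLE = r"""
/^localhost$/ 550 Don't use my own hostname
/^host\.domain\.com$/ 550 Don't use my own hostname
/^127\.0\.0\.1$/ 550 Don't use my own IP address
/^\[180\.169\.9\.91]$/ 550 Don't use my own IP address
/^\[180\.169\.9\.92]$/ 550 Don't use my own IP address
#/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
#/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant
"""


def load_table(text, include_commented=False):
    """Parse lines of the form /pattern/flags action into (compiled regex, action).
    Postfix matches case-insensitively by default; the 'i' flag toggles that off.
    include_commented=True also activates the '#' lines, to try the stricter setup."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if not include_commented:
                continue
            line = line[1:].lstrip()
        if not line.startswith("/"):
            raise ValueError(f"unsupported table line: {raw!r}")
        end = 1                      # find the closing '/', honouring backslash escapes
        while end < len(line) and line[end] != "/":
            end += 2 if line[end] == "\\" else 1
        if end >= len(line):
            raise ValueError(f"unterminated pattern: {raw!r}")
        pattern, rest = line[1:end], line[end + 1:]
        m = re.match(r"([A-Za-z]*)\s+(.*)$", rest)
        if not m:
            raise ValueError(f"missing action: {raw!r}")
        flags, action = m.group(1), m.group(2)
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action))
    return rules


def lookup(rules, helo):
    """First matching rule wins, as in Postfix. None means no match, so the
    restriction list moves on to the next entry (here: permit)."""
    for rx, action in rules:
        if rx.search(helo):
            return action
    return None


SAMPLE_HELOS = [  # constructed HELO/EHLO arguments
    "localhost", "LOCALHOST", "host.domain.com", "[180.169.9.91]",
    "180.169.9.91", "mail.example.com", "[203.0.113.9]",
]

if __name__ == "__main__":
    for strict in (False, True):
        rules = load_table(HELO_TABLE, include_commented=strict)
        print("with commented lines enabled:" if strict else "as posted:")
        for helo in SAMPLE_HELOS:
            print(f"  {helo:20} -> {lookup(rules, helo)}")
```

Note that `[203.0.113.9]`, the address-literal form RFC 2821 does allow, is refused by neither version, while the bare `180.169.9.91` (not RFC compliant, but common in mail clients and webmail scripts) is refused only with the commented lines enabled, which is the trade-off the poster warns about. Before deploying a regexp table, `postmap -q "localhost" regexp:/etc/postfix/helo.regexp` gives you Postfix's own answer for a key.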
  14. greenhornet

    greenhornet New Member

    I just got another round of bounces from spam that appears to be from my server. I'm assuming that when adding the above spam changes I'll need to change all of the 'host.domain.com' entries to match my domain(s), correct? Or are there no changes that need to be made?
     
  15. greenhornet

    greenhornet New Member

    Except that the reply to in most of the spams are bogus addresses@mydomain, ie. lesizzxxy@mydomain.com.
     
  16. falko

    falko Super Moderator HowtoForge Supporter

    That's right.
     