My server is sending spam

Discussion in 'ISPConfig 3 Priority Support' started by ressel, May 6, 2013.

  1. ressel

    ressel Member

    Hello everyone,

    I can see my server is being used for sending spam, but I really can't figure out how to close their way into my server, I can se they use multiple ip's to send spam with.

    Until now they have only used 1 single customer mail addresse let's just call it webuser@companymail.tld

    To prevent them to send more spam I have from ispconfig panel blocked the email in postfix blacklist as sender.

    I have tried check for open relay with http://www.mailradar.com/openrelay/ and the result was All tested completed! No relays accepted by remote host!

    I have tried disable the customers website and make sure its wasn't mail() by going through /var/log/phpmail.log and result is: spam is not from the website.

    I have tried change password on the mail user, but spam was still going into mail queue (the customer don't even know the password atm.).

    This is my postfix main.cf have following content:
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    #SPF tjek (http://www.howtoforge.com/hardening-postfix-for-ispconfig-3)
    policy-spf_time_limit = 3600s
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = myserver.domain.tld
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = myserver.domain.tld, localhost, localhost.localdomain
    relayhost = 
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains = 
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    #smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net,
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    #smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    
    
    #helo restrictions fra http://www.howtoforge.com/hardening-postfix-for-ispconfig-3
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
    
    #strift rfc fra http://www.howtoforge.com/hardening-postfix-for-ispconfig-3
    strict_rfc821_envelopes = yes
    
    #data restrictions fra http://www.howtoforge.com/hardening-postfix-for-ispconfig-3
    smtpd_data_restrictions = reject_unauth_pipelining
    
    #smtpd delay
    smtpd_delay_reject = yes
    message_size_limit = 0
    inet_protocols = all
    
    #anti spam fra http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html
    disable_vrfy_command = yes
    
    
    
    #Mailman
    virtual_maps = hash:/var/lib/mailman/data/virtual-mailman
    owner_request_special = no
    inet_protocols = all
    
    
    authorized_submit_users = !root, static:anyone
    this is my master.cf
    Code:
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    2525	   inet  n	   -	    -	     -	      -	smtpd
    
    submission inet n       -       -       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    fifo  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       -       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay     unix  -       -       -       -       -       smtp
    	-o smtp_fallback_relay=
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix	-	n	n	-	2	pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtpd_bind_address=127.0.0.1
    
    
    policy-spf  unix  -       n       n       -       -       spawn
         user=nobody argv=/usr/bin/policyd-spf 
    after i have blocked the mail user in ispconfig I still see following in syslog
    Code:
    May  6 13:53:19 web2 postfix/smtpd[25077]: connect from unknown[***.***.128.138]
    May  6 13:53:21 web2 postfix/smtpd[25319]: warning: ***.210.111.33: address not listed for hostname 81-210-111-33.ip.netia.com.pl
    May  6 13:53:21 web2 postfix/smtpd[25319]: connect from unknown[***.210.111.33]
    May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<dpower@jhancock.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<wghrhzxi@jhbdjlvg.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<aunnfg@jhkmjh.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<ghpvbyif@jhxvvjas.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<rjjtgody@jkbgeqhb.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<vtkhdb@jkmyqu.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:22 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<josh@jlscustoms.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:22 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<ckmombyu@jnmhhyso.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:22 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<kwmnix@jnmtcf.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:22 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<k1aj@netzero.net> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:22 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<alshack@netzero.net> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:22 web2 postfix/smtpd[25326]: connect from tx2outboundsmtppool1.messaging.microsoft.com[***.55.83.131]
    May  6 13:53:22 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<md052794@netzero.net> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<angieb12@netzero.net> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<xavierfernand.santos@neuf.fr> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:23 web2 postfix/smtpd[25268]: lost connection after DATA from unknown[***.71.125.14]
    May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<salifou.savadogo@neuf.fr> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<dsin80@neuf.fr> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<contacto@neverland.com.ar> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<danny@newdisease.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<rmoore@newpi.com> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <webuser@companymail.tld>: Sender address rejected: Access denied; from=<webuser@companymail.tld> to=<legal@newstarsa.com.ar> proto=ESMTP helo=<companymail.tld>
    May  6 13:53:23 web2 postfix/smtpd[25326]: NOQUEUE: reject: RCPT from tx2outboundsmtppool1.messaging.microsoft.com[***.55.83.131]: 450 4.7.1 <TX2EHSNDR002.bigfish.com>: Helo command rejected: Host not found; from=<> to=<webuser@companymail.tld> proto=ESMTP helo=<TX2EHSNDR002.bigfish.com>
    May  6 13:53:24 web2 postfix/smtpd[25326]: disconnect from tx2outboundsmtppool1.messaging.microsoft.com[***.55.83.131]
    
    If you need more info or logs please tell me.
    How can I prevent these spammers from sending mails through my server?
     
  2. till

    till Super Moderator

    Take a look into the spam emails in your queue, you should be able to see the delivery way in the header. Mails in the queue can be viewed with postcat command.

    run

    postqueue -p

    identify one spam email and write down the ID of the mail. The ID looks similra to this "2979E2188345"

    postcat /var/spool/postfix/deferred/2/2979E2188345

    were the "/2/" directory in the path is the first number or char of the ID.
     
  3. ressel

    ressel Member

    Hello again,
    I found this, in one of the email's
    Code:
    Received: from myserver.mycompany.tld ([127.0.0.1])
    	by localhost (myserver.mycompany.tld [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id 9I4pc0fK4JSs; Sun,  5 May 2013 07:16:00 +0200 (CEST)
    Received: from companymail.tld (unknown [***.96.200.183])
    	(Authenticated sender: webuser@companymail.tld)
    	by myserver.mycompany.tld (Postfix) with ESMTPA id 9BE1E14AFE7;
    	Sun,  5 May 2013 07:15:32 +0200 (CEST)
    When the user is Authenticated sender, does this mean they are logged in to the server with username and password from my client?
     
  4. till

    till Super Moderator

    Yes. The header is added by postfix when a user is authenticated successfully with email address and password of this mailbox.
     

Share This Page