Postfix Problem (Possible Trojan/Spam)

Discussion in 'Server Operation' started by bluegrass, Jul 27, 2010.

  1. bluegrass

    bluegrass New Member

    Hi,

    I have installed Virtual Users And Domains With Postfix, Courier And MySQL (+
    SMTP-AUTH, Quota, SpamAssassin, ClamAV) in Debian Lenny for my mail server. At first, I had no problems, I can actually send and receive emails to/from the server.

    Yesterday, one of my users reported that his friend did not receive his email, and that said email was sent 3 weeks ago. So I made a test email from my server, sending it to my yahoo, gmail and hotmail accounts. For more than 24 hours already, I never received the said email.

    I checked the mail logs and this is what I saw:

    Code:
    Jul 27 09:15:23 mail postfix/qmgr[5210]: 9020E4502DF: from=<[email protected]>, size=1097, nrcpt=1 (queue active)
    Jul 27 09:15:23 mail amavis[4964]: (04964-08) Passed CLEAN, LOCAL [192.168.101.2] [192.168.101.2] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: 9It6Tl2pxI1C, Hits: -2.846, size: 639, queued_as: 9020E4502DF, 6175 ms
    Jul 27 09:19:51 mail postfix/qmgr[5210]: CF7224502E6: from=<[email protected]>, size=1165, nrcpt=3 (queue active)
    Jul 27 09:19:52 mail postfix/qmgr[5210]: 7650D4502E5: from=<[email protected]>, size=868, nrcpt=1 (queue active)
    Jul 27 09:19:54 mail postfix/qmgr[5210]: BE2EA4502DA: from=<[email protected]>, size=1144, nrcpt=2 (queue active)
    Jul 27 09:24:54 mail postfix/qmgr[5210]: 536494502EA: from=<[email protected]>, size=1097, nrcpt=1 (queue active)
    Jul 27 09:25:04 mail postfix/smtp[5415]: BE2EA4502DA: to=<[email protected]>, relay=none, delay=14587, delays=14278/190/120/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: Connection timed out)
    Jul 27 09:25:21 mail postfix/smtp[5243]: CF7224502E6: to=<[email protected]>, relay=none, delay=3398, delays=3068/297/33/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: No route to host)
    Jul 27 09:29:18 mail imapd: LOGIN, user=[email protected], ip=[::ffff:192.168.101.2], port=[2262], protocol=IMAP
    Jul 27 09:29:53 mail postfix/qmgr[5210]: 9020E4502DF: from=<[email protected]>, size=1097, nrcpt=1 (queue active)
    Jul 27 09:35:26 mail postfix/qmgr[5210]: 70EA04502EE: from=<[email protected]>, size=534, nrcpt=1 (queue active)
    Jul 27 09:35:46 mail amavis[8248]: (08248-07) Blocked SPAM, [189.6.206.136] [189.6.206.136] <[email protected]> -> <[email protected]>, quarantine: V/spam-VQnNS8RP9KZX.gz, Message-ID: <[email protected]>, mail_id: VQnNS8RP9KZX, Hits: 8.26, size: 534, 20011 ms
    Jul 27 09:35:46 mail postfix/smtp[8177]: 70EA04502EE: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=21, delays=1.2/0/0/20, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=08248-07, BOUNCE)
    Jul 27 09:35:46 mail postfix/virtual[8321]: 341814502F4: to=<[email protected]>, relay=virtual, delay=0.26, delays=0.07/0.04/0/0.15, dsn=2.0.0, status=sent (delivered to maildir)
    Jul 27 09:39:53 mail postfix/qmgr[5210]: 536494502EA: from=<[email protected]>, size=1097, nrcpt=1 (queue active)
    Jul 27 09:39:53 mail postfix/qmgr[5210]: 9115B4502E8: from=<[email protected]>, size=1108, nrcpt=1 (queue active)
    
    The given samples were log records from my own email only.

    My other problem is, it seems that my server is sending emails that are not valid:
    Code:
    Jul 27 09:42:19 mail postfix/smtp[5412]: 6ADDC4504E4: to=<[email protected]>, relay=none, delay=351009, delays=348780/2118/111/0, dsn=4.4.1, status=deferred (connect to mx2.west.saic.com[198.151.12.25]:25: Connection timed out)
    Jul 27 09:42:19 mail postfix/smtp[5303]: E0C20450386: to=<[email protected]>, relay=none, delay=353014, delays=351066/1887/60/0, dsn=4.4.1, status=deferred (connect to 1273128082.mail.outlook.com[65.54.188.109]:25: Connection timed out)
    Jul 27 09:42:19 mail postfix/smtp[5380]: 50A46440183: to=<[email protected]>, relay=none, delay=338899, delays=338155/683/61/0, dsn=4.4.1, status=deferred (connect to mail2.fcinternational.net[194.3.174.46]:25: Connection timed out)
    Jul 27 09:42:19 mail postfix/smtp[5425]: connect to mail-mx4.its.unimelb.edu.au[128.250.118.136]:25: No route to host
    Jul 27 09:42:19 mail postfix/smtp[5419]: connect to onemain-mx.earthlink.net[209.86.93.121]:25: Connection timed out
    Jul 27 09:42:19 mail postfix/smtp[5313]: D761245042A: to=<[email protected]>, relay=none, delay=351750, delays=349523/2166/61/0, dsn=4.4.1, status=deferred (connect to mx2.main.nc.us[74.207.237.203]:25: Connection timed out)
    Jul 27 09:42:19 mail postfix/smtp[5327]: EB3DD440088: to=<[email protected]>, relay=none, delay=349549, delays=347603/1915/30/0, dsn=4.4.1, status=deferred (connect to mail.ark-mortensen.dk[62.243.229.238]:25: Connection timed out)
    Jul 27 09:42:19 mail postfix/smtp[5337]: E523F450461: to=<[email protected]>, relay=none, delay=351580, delays=349632/1944/3.4/0, dsn=4.4.1, status=deferred (connect to mail.limal.dk[195.128.174.71]:25: No route to host)
    Jul 27 09:42:19 mail postfix/smtp[5399]: 21CE4440178: to=<[email protected]>, relay=none, delay=338969, delays=336738/2149/82/0, dsn=4.4.1, status=deferred (connect to fallback2.csnet.nl[194.69.30.7]:25: Connection timed out)
    Jul 27 09:42:19 mail postfix/smtp[5324]: connect to mail20.ixwebhosting.com[76.162.254.117]:25: Connection timed out
    Jul 27 09:42:19 mail postfix/smtp[5343]: connect to continuumct.com[168.143.18.237]:25: No route to host
    Jul 27 09:42:19 mail postfix/smtp[5449]: connect to bmail.go.com.jo[196.27.0.114]:25: Connection timed out
    Jul 27 09:42:20 mail postfix/smtp[5303]: E0C20450386: to=<[email protected]>, relay=none, delay=353014, delays=351066/1887/60/0, dsn=4.4.1, status=deferred (connect to 1273128082.mail.outlook.com[65.54.188.109]:25: Connection timed out)
    Jul 27 09:42:20 mail postfix/smtp[5419]: E9D9144012C: to=<[email protected]>, relay=none, delay=339709, delays=337759/1910/40/0, dsn=4.4.1, status=deferred (connect to onemain-mx.earthlink.net[209.86.93.121]:25: Connection timed out)
    Jul 27 09:42:20 mail postfix/smtp[5445]: connect to aspmx2.googlemail.com[74.125.43.27]:25: Connection timed out
    Jul 27 09:42:20 mail postfix/smtp[5270]: connect to thesunnews.com.s8b1.psmtp.com[64.18.7.13]:25: Connection timed out
    Jul 27 09:42:20 mail postfix/smtp[5270]: connect to thesunnews.com.s8b2.psmtp.com[64.18.7.14]:25: No route to host
    Jul 27 09:42:20 mail postfix/smtp[5303]: connect to front-lvs.scannet.dk[195.69.129.85]:25: No route to host
    Jul 27 09:42:20 mail postfix/smtp[5413]: D761245042A: to=<[email protected]>, relay=none, delay=351748, delays=349523/2165/61/0, dsn=4.4.1, status=deferred (connect to mail.icciran.com[216.12.205.115]:25: Connection timed out)
    Jul 27 09:42:20 mail postfix/smtp[5343]: EC909440143: to=<[email protected]>, relay=none, delay=339546, delays=337597/1927/21/0, dsn=4.4.1, status=deferred (connect to continuumct.com[168.143.18.237]:25: No route to host)
    Jul 27 09:42:20 mail postfix/smtp[5329]: EB3DD440088: to=<[email protected]>, relay=none, delay=349551, delays=347603/1920/27/0, dsn=4.4.1, status=deferred (connect to dkcphmx62.softcom.dk[213.150.52.217]:25: No route to host)
    Jul 27 09:42:20 mail postfix/smtp[5442]: connect to ASPMX.L.GOOGLE.com[72.14.213.27]:25: Connection timed out
    Jul 27 09:42:21 mail postfix/smtp[5448]: connect to mx-adinet.adinet.com.uy[200.40.30.218]:25: Connection timed out
    Jul 27 09:42:21 mail postfix/smtp[5445]: 6ADDC4504E4: to=<[email protected]>, relay=none, delay=351012, delays=348780/2111/121/0, dsn=4.4.1, status=deferred (connect to aspmx2.googlemail.com[74.125.43.27]:25: Connection timed out)
    Jul 27 09:42:21 mail postfix/smtp[5270]: 2D3C5450375: to=<[email protected]>, relay=none, delay=353285, delays=351053/2140/92/0, dsn=4.4.1, status=deferred (connect to thesunnews.com.s8b2.psmtp.com[64.18.7.14]:25: No route to host)
    Jul 27 09:42:21 mail postfix/smtp[5303]: E523F450461: to=<[email protected]>, relay=none, delay=351582, delays=349632/1949/0.73/0, dsn=4.4.1, status=deferred (connect to front-lvs.scannet.dk[195.69.129.85]:25: No route to host)
    Jul 27 09:42:21 mail postfix/smtp[5270]: connect to mailgate.cybercity.dk[212.242.43.248]:25: No route to host
    Jul 27 09:42:21 mail postfix/smtp[5323]: connect to mx.club-internet.fr[93.17.128.7]:25: Connection timed out
    Jul 27 09:42:21 mail postfix/smtp[5449]: E0C20450386: to=<[email protected]>, relay=none, delay=353016, delays=351066/1890/60/0, dsn=4.4.1, status=deferred (connect to bmail.go.com.jo[196.27.0.114]:25: Connection timed out)
    Jul 27 09:42:21 mail postfix/smtp[5362]: EB3DD440088: to=<[email protected]>, relay=none, delay=349550, delays=347603/1917/30/0, dsn=4.4.1, status=deferred (connect to msec.sdu.dk[130.225.156.16]:25: Connection timed out)
    
    I don't think that in just 1 second, there are several emails that are being sent. I have also discovered that even on an unholy hours in my local time, there are a lot of emails being sent also.

    Can somebody help me on how to fix this problem?
     
  2. matty

    matty Member

    I think you have a problem with port 25 being blocked outbound.

    edit: that's not to say you don't have a problem with spam/trojans, but I tried connecting to a bunch of servers at random from the logs you posted and had no trouble connecting to any of them.
     
    Last edited: Jul 27, 2010
  3. bluegrass

    bluegrass New Member

    I don't know, but I checked my firewall settings, the same settings was on the system, I have not done any adjustments on it, from the time I install the mail system. When I made an nmap from another server, it showed that port 25 is open.

    Code:
    Starting Nmap 4.62 ( http://nmap.org ) at 2010-07-27 13:26 PHT
    Interesting ports on 121.97.76.4.BTI.NET.PH (121.97.76.4):
    Not shown: 1707 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    25/tcp  open  smtp
    53/tcp  open  domain
    80/tcp  open  http
    110/tcp open  pop3
    143/tcp open  imap
    993/tcp open  imaps
    995/tcp open  pop3s
    ...
    
    On the URLs, yes, I can actually connect to them. But my concern is that why is it that my server seems to send so many emails to different addresses in just a matter of seconds. Is there a freeware tool to check if the system has indeed some sort of a malware?
     
  4. matty

    matty Member

    You need to check outbound. That is, can your server get out to the internet on port 25.

    Try this from your mailserver: telnet mail20.ixwebhosting.com 25.

    You should see their server respond. If the connection fails, have a look at your firewall again, but look at connections from inside to outside.

    Edit: I just realised - it could be your ISP blocking port 25. Many of them do.

    You could try rkhunter to start with. It's in the Debian package system. It's possible that you've created an open relay which is related to your postfix config rather than malware.
     
  5. bluegrass

    bluegrass New Member

    Thanks Matty,

    I'll try to install first rkhunter. Then if I'm satisfied that the problem I have about the bulk mails that is being passed by/through my server then I'll check with my service provider. Maybe they blocked port 25.
     
  6. bluegrass

    bluegrass New Member

    I was able to check with my service provider. They were able to trace some spam mails passing through my IP, that is why they blocked the SMTP service.

    Now my problem is how do I check and block these emails passing through my server. I have already tested the server using rkhunter and chkrootkit, but there were no significant alerts that would say I have open relay.

    I hate to do a fresh install/configuration of the mail server.:(
     
  7. edge

    edge Active Member Moderator

  8. bluegrass

    bluegrass New Member

    Hi, Edge.

    I tried blocking incoming traffic through Port 25, and check whether the same type of traffic I found in my logs will stop. But unfortunately it did not, so, I assume that the problem is really on my server, it sends the spam mails from within, and not as a relay server. Am I right?

    I'll check the link you sent.
     
  9. falko

    falko Super Moderator ISPConfig Developer

    Seems to be the case. Try the link that edge gave to you.
     
  10. bluegrass

    bluegrass New Member

    Well, I made a clean install of my Mail Server. Tested the tutorial on the link provided by Edge, but did not work out, I mean, the script did not capture the test mail I sent from my other Web Server.

    After I made the clean install to a separate server, and moved all emails from the previous server to the new one, I again encountered the same problems. My server was sending too many emails. In fact, a hostmaster of one site, emailed me, informing me that one of his email users have receive an email which was sent from my server. Upon thorough checking of the said email, the email originated from a different server, and was passed through my mail server via a valid email address of my service.
     
  11. bluegrass

    bluegrass New Member

    I believe, my mail server is being use as a backscatter server. Is there a way we can stop this?
     

Share This Page