Postfix sending spam and unable to stop it.

Discussion in 'Server Operation' started by davebamford, Jul 29, 2013.

  1. davebamford

    davebamford New Member

    Hi
    I am running ISPCONFIG3 on a Debian Wheezy server, and we had a Joomla website hacked, which has resulted in spam going out from the user web53@maggie.backed-up.net (maggie.backed-up.net is the mail server). I have blacklisted this user and disabled it in main.cf:
    authorized_submit_users = !web53, static:anyone

    I cannot find out how the spam is being sent, and we are being blacklisted by more and more servers. I have checked for open relay and it is OK.
    Telnet on port 25 gives:

    root@millhouse:/home/dave# telnet 94.228.42.202 25
    Trying 94.228.42.202...
    Connected to 94.228.42.202.
    Escape character is '^]'.
    220 maggie.backed-up.net ESMTP Postfix (Debian/GNU)
    ehlo localhost.localdomain
    250-maggie.backed-up.net
    250-PIPELINING
    250-SIZE
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

    Any ideas where I go from here, we have a load of users now not getting emails.

    Thanks

    Dave
     
  2. till

    till Super Moderator

    Take a look at the spam emails in the Postfix queue with the postcat command; all recent PHP versions add a header to the emails that shows the name of the script which called the mail function.
     
  3. davebamford

    davebamford New Member

    Thanks, I tried postcat on one of the emails in the queue and got:

    X-PHP-Originating-Script: 5034:k7ybaz.php(1) : eval()'d code

    Now searching for this file, but it was probably only temporary.

    It also told me:
    Postfix, from userid 5034

    How do I translate the userid?

    Thanks

    Dave
     
  4. till

    till Super Moderator

    run

    grep 5034 /etc/passwd

    to get the username and website path.
     
  5. davebamford

    davebamford New Member

    Thanks

    That pointed back at the user for the web site I thought I had deleted, but stupidly I had only deleted the sym link. Now I have really deleted it after making a copy. Hopefully this will stop it, but emails are still going out so I guess I need to flush the queue somehow.

    Regards

    Dave
     
  6. till

    till Super Moderator

    Here is a short script that I use to clean the mail queue:

    Code:
    mailq | tail -n +2 | awk 'BEGIN { RS = "" }
    # $7=sender, $8=recipient1, $9=recipient2
    { if ($7 == "www-data@somedomain.tld")
    print $1 }
    ' | tr -d '*!' | postsuper -d -
    It can be copied to the shell directly.

    Replace the email address with the sender address of the spam emails.
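    The steps till describes in posts 2, 4 and 6 (read the X-PHP-Originating-Script header from postcat, map the userid through /etc/passwd, then pick queue IDs by envelope sender for postsuper -d) as an added Python example. This is not code from the thread; the mailq, postcat and passwd samples are constructed and labelled as such, and the passwd lookup matches the uid field exactly, which plain grep does not.

```python
import re
# Constructed `mailq` output (Postfix sendmail -bp format): queue id with
# '*' = active / '!' = held, size, arrival time, envelope sender, then one
# indented line per recipient. Not real queue data.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3B2F1A0C5*    2213 Mon Jul 29 10:14:02  www-data@somedomain.tld
                                         victim1@example.org
5C9D2B1E7!    1874 Mon Jul 29 10:15:40  dave@somedomain.tld
                                         friend@example.com
7E0A3C2F9      981 Mon Jul 29 10:16:11  www-data@somedomain.tld
                                         victim2@example.org
"""

# Constructed fragment of `postcat -q <queue-id>` output for one spam message.
SAMPLE_POSTCAT = """\
sender: www-data@somedomain.tld
Received: by maggie.backed-up.net (Postfix, from userid 5034)
        id 3B2F1A0C5; Mon, 29 Jul 2013 10:14:02 +0100 (BST)
X-PHP-Originating-Script: 5034:k7ybaz.php(1) : eval()'d code
"""

# Constructed /etc/passwd lines; 5034 also appears as a gid on the first line.
SAMPLE_PASSWD = """\
web52:x:5033:5034:ISPConfig web52:/var/www/clients/client4/web52:/bin/false
web53:x:5034:5005:ISPConfig web53:/var/www/clients/client4/web53:/bin/false
"""

QUEUE_LINE = re.compile(r'^([0-9A-Za-z]+)([*!]?)\s+\d+\s+\w{3} \w{3}\s+\d+ [\d:]+\s+(\S+)$')

def queue_ids_from_sender(mailq_text, sender):
    """Queue IDs whose envelope sender equals `sender`, status marks stripped:
    the same selection as the awk/tr pipeline above, keyed on the sender column."""
    return [m.group(1) for m in map(QUEUE_LINE.match, mailq_text.splitlines())
            if m and m.group(3) == sender]

def originating_script(postcat_text):
    """(uid, script) from the X-PHP-Originating-Script header shown by postcat."""
    m = re.search(r'^X-PHP-Originating-Script:\s*(\d+):(.+)$', postcat_text, re.M)
    return (int(m.group(1)), m.group(2).strip()) if m else None

def uid_to_account(uid, passwd_text):
    """(username, home) for a numeric uid, matching the uid field exactly
    rather than grepping the whole line, which would also hit gids and paths."""
    for line in passwd_text.splitlines():
        f = line.split(':')
        if len(f) >= 7 and f[2] == str(uid):
            return f[0], f[5]
    return None
```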
     
  7. davebamford

    davebamford New Member

    Thanks for the script, I have cleaned out the queue now and things are more or less back to normal. It just shows how important it is to keep Joomla up to date.

    Regards

    Dave
    :)
     
