Spam issue

Discussion in 'ISPConfig 3 Priority Support' started by jpcyrenne, Jul 27, 2017.

  1. jpcyrenne

    jpcyrenne Member HowtoForge Supporter

    Running an updated CentOS 6.9 with an ISPConfig 3.0.5.4p8, Apache, Postfix setup (PHP 5.3.3).
    # cat /etc/redhat-release
    CentOS release 6.9 (Final)
    # php -v
    PHP 5.3.3 (cli) (built: Mar 22 2017 12:27:09)

    There is only 1 site on this VPS (an updated WP with captcha on the Contact page).

    I'm having major spamming issues (outgoing).
    1) I put the classic snippet in /etc/php.ini
    mail.add_x_header = On
    mail.log = /var/log/phpmail.log
    Even if I run a small script to send an email, I don't see anything in /var/log/maillog?
    Also tried some sendmail-wrapper solutions, with no success.

    2) It might be more serious than I think... Could the VPS be compromised?

    # netstat -anp | grep :25
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 15096/master
    tcp 0 0 167.114.35.58:25 200.66.43.190:36601 ESTABLISHED 18055/smtpd
    tcp 0 0 :::25 :::* LISTEN 15096/master
    tcp 0 1 ::1:45684 2001:558:fe21:2a::6:25 SYN_SENT 18114/smtp
    tcp 0 1 ::1:54873 2607:f8b0:400d:c08::1a:25 SYN_SENT 18116/smtp
    tcp 0 1 ::1:43693 2607:f8b0:400d:c08::1b:25 SYN_SENT 18072/smtp
    tcp 0 1 ::1:43722 2607:f8b0:400d:c08::1b:25 SYN_SENT 18077/smtp

    I'm not using IPv6; could I completely block IPv6?

    Stopped postfix, restarted it, and:
    # service postfix stop
    Shutting down postfix: [ OK ]
    [root@host ~]# netstat -anp | grep :25
    [root@host ~]# service postfix start
    Starting postfix: [ OK ]
    [root@host ~]# netstat -anp | grep :25
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 18341/master
    tcp 0 0 :::25 :::* LISTEN 18341/master
    [root@host ~]# netstat -anp | grep :25
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 18341/master
    tcp 0 0 167.114.35.58:36891 64.12.88.132:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:36879 64.12.88.132:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:46091 152.163.0.67:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:41292 64.12.88.163:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:41279 64.12.88.163:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:46077 152.163.0.67:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:36885 64.12.88.132:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:46182 64.12.88.131:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:46076 152.163.0.67:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:46067 152.163.0.67:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:60903 152.163.0.99:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:46064 152.163.0.67:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:50126 152.163.0.100:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:36888 64.12.88.132:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:36886 64.12.88.132:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:34920 64.12.91.195:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:41293 64.12.88.163:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:60922 152.163.0.99:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:50265 64.12.88.164:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:41304 64.12.88.163:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:34919 64.12.91.195:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:34921 64.12.91.195:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:50272 64.12.88.164:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:60905 152.163.0.99:25 TIME_WAIT -
    tcp 0 0 167.114.35.58:46169 64.12.88.131:25 TIME_WAIT -
    tcp 0 0 :::25 :::* LISTEN 18341/master

    Then back to
    [root@host ~]# netstat -anp | grep :25
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 10798/smtpd
    tcp 0 0 :::25 :::* LISTEN 10798/smtpd

    I have many of these in /var/log/maillog
    Jul 26 23:00:06 host postfix/smtpd[18828]: warning: unknown[179.43.144.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jul 26 23:00:06 host postfix/smtpd[18828]: disconnect from unknown[179.43.144.37]

    and...
    Jul 26 23:00:55 host postfix/smtp[27521]: 4134BE6168: to=<joelelza@yahoo.fr>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=21467, delays=21466/0.07/0.65/0.09, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages from 167.114.35.58 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
    Jul 26 23:00:55 host postfix/smtp[27542]: F06A4E6151: to=<lucaciu24@yahoo.de>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=21512, delays=21511/0.1/0.66/0.09, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages from 167.114.35.58 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
    Jul 26 23:00:55 host postfix/smtp[27559]: 2215EE6977: to=<d86kessler@yahoo.de>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=12962, delays=12961/0.12/0.64/0.09, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages from 167.114.35.58 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
    Jul 26 23:00:55 host postfix/smtp[27554]: 7DDDFE612B: to=<anthony1129@sky.com>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=21579, delays=21578/0.13/0.65/0.09, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages from 167.114.35.58 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
    Jul 26 23:00:55 host postfix/smtp[27563]: 1E775E1E70: host mx02.t-online.de[194.25.134.9] refused to talk to me: 554 IP=167.114.35.58 - A problem occurred. (Ask your postmaster for help or to contact tosa@rx.t-online.de to clarify.) (BL)
    Jul 26 23:00:55 host postfix/smtp[27563]: 1E775E1E70: to=<milad.saeed@t-online.de>, relay=mx03.t-online.de[194.25.134.73]:25, delay=88599, delays=88598/0.11/0.98/0, dsn=4.0.0, status=deferred (host mx03.t-online.de[194.25.134.73] refused to talk to me: 554 IP=167.114.35.58 - A problem occurred. (Ask your postmaster for help or to contact tosa@rx.t-online.de to clarify.) (BL))
    Jul 26 23:01:24 host postfix/smtp[27552]: connect to mailin-02.mx.aol.com[152.163.0.99]:25: Connection timed out
    Jul 26 23:01:24 host postfix/smtp[27552]: C9BD3E435F: host mailin-03.mx.aol.com[64.12.91.196] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:01:24 host postfix/smtp[27552]: C9BD3E435F: host mailin-04.mx.aol.com[152.163.0.68] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:01:24 host postfix/smtp[27552]: C9BD3E435F: to=<upnorth63@aol.com>, relay=mailin-01.mx.aol.com[64.12.88.131]:25, delay=237151, delays=237121/0.12/30/0, dsn=4.0.0, status=deferred (host mailin-01.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58)

    Something is clearly trying to exploit SMTP. IPs change...

    Doesn't seem like it's compromised. Latest RKhunter:
    System checks summary
    =====================

    File properties checks...
    Required commands check failed
    Files checked: 142
    Suspect files: 0

    Rootkit checks...
    Rootkits checked : 477
    Possible rootkits: 0

    Applications checks...
    All checks skipped

    Help, what can I do next?

    Thanks in advance,

    JP
     
  2. jpcyrenne

    jpcyrenne Member HowtoForge Supporter

    Jul 26 23:15:54 host postfix/smtp[11159]: CB3B0E6E49: host mailin-04.mx.aol.com[152.163.0.68] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11155]: F0DFEE337B: host mailin-03.mx.aol.com[64.12.88.164] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11165]: 6A9D0E338D: host mailin-03.mx.aol.com[64.12.88.164] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11161]: C57D1E338B: host mailin-03.mx.aol.com[152.163.0.100] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11164]: CD2B9E3353: host mailin-04.mx.aol.com[64.12.88.132] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11159]: CB3B0E6E49: host mailin-04.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11166]: A70FDE336E: host mailin-02.mx.aol.com[64.12.91.195] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11155]: F0DFEE337B: host mailin-04.mx.aol.com[152.163.0.100] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11165]: 6A9D0E338D: host mailin-04.mx.aol.com[152.163.0.67] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11161]: C57D1E338B: host mailin-04.mx.aol.com[64.12.88.132] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11159]: CB3B0E6E49: host mailin-02.mx.aol.com[152.163.0.68] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11166]: A70FDE336E: host mailin-01.mx.aol.com[152.163.0.99] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11164]: CD2B9E3353: host mailin-03.mx.aol.com[64.12.88.163] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:54 host postfix/smtp[11155]: F0DFEE337B: host mailin-02.mx.aol.com[152.163.0.100] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:55 host postfix/smtp[11165]: 6A9D0E338D: host mailin-01.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:55 host postfix/smtp[11161]: C57D1E338B: host mailin-04.mx.aol.com[152.163.0.100] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:55 host postfix/smtp[11159]: CB3B0E6E49: host mailin-01.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:55 host postfix/smtp[11164]: CD2B9E3353: host mailin-03.mx.aol.com[64.12.88.164] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:55 host postfix/smtp[11155]: F0DFEE337B: host mailin-01.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:55 host postfix/smtp[11167]: certificate verification failed for mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    Jul 26 23:15:55 host postfix/smtp[11168]: certificate verification failed for mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    Jul 26 23:15:55 host postfix/smtp[11169]: certificate verification failed for mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    Jul 26 23:15:55 host postfix/smtp[11159]: CB3B0E6E49: to=<dper101@aol.com>, relay=mailin-01.mx.aol.com[152.163.0.99]:25, delay=2223, delays=2223/0.05/0.54/0, dsn=4.0.0, status=deferred (host mailin-01.mx.aol.com[152.163.0.99] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58)
    Jul 26 23:15:55 host postfix/smtp[11161]: C57D1E338B: host mailin-02.mx.aol.com[64.12.91.195] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
    Jul 26 23:15:55 host postfix/smtp[11155]: F0DFEE337B: to=<pottluckpollock@aol.com>, relay=mailin-03.mx.aol.com[152.163.0.67]:25, delay=118000, delays=118000/0.05/0.57/0, dsn=4.0.0, status=deferred (host mailin-03.mx.aol.com[152.163.0.67] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58)

    MANY MORE...

    Jul 26 23:17:29 host postfix/smtpd[11205]: connect from unknown[156.67.106.245]
    Jul 26 23:17:31 host postfix/smtpd[11205]: warning: unknown[156.67.106.245]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jul 26 23:17:31 host postfix/smtpd[11205]: lost connection after AUTH from unknown[156.67.106.245]
    Jul 26 23:17:31 host postfix/smtpd[11205]: disconnect from unknown[156.67.106.245]
     
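The maillog excerpts in the two posts above mix two different things: inbound `postfix/smtpd` lines (remote clients failing SASL LOGIN, i.e. password guessing against the submission service) and outbound `postfix/smtp` lines (the server's own deliveries being deferred because remote MXs have blocklisted 167.114.35.58 or received complaints). The following shell script is an added example, not part of the thread or of ISPConfig: it separates the two, tallies them, and reads the `delay=` field to show how long the oldest deferred message has been sitting in the queue, which dates the start of the spam run. The embedded log lines are constructed, modelled on the post's lines but with documentation-range IP addresses; pass a real maillog path as the first argument to run it on the server.

```shell
#!/bin/sh
# Triage /var/log/maillog: separate inbound SASL brute-force attempts (smtpd)
# from outbound deliveries that remote MXs refuse or defer (smtp).
# Usage: sh maillog-triage.sh /var/log/maillog   (no argument: runs on the sample below)

# Constructed sample lines modelled on the ones quoted in the thread; not from a real server.
SAMPLE_LOG='Jul 26 23:00:06 host postfix/smtpd[18828]: warning: unknown[198.51.100.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 26 23:00:06 host postfix/smtpd[18828]: disconnect from unknown[198.51.100.37]
Jul 26 23:17:31 host postfix/smtpd[11205]: warning: unknown[198.51.100.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 26 23:17:40 host postfix/smtpd[11209]: warning: unknown[203.0.113.245]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 26 23:00:55 host postfix/smtp[27521]: 4134BE6168: to=<a@yahoo.fr>, relay=mx-eu.mail.am0.yahoodns.net[192.0.2.79]:25, delay=21467, delays=21466/0.07/0.65/0.09, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[192.0.2.79] said: 421 4.7.0 [TSS04] Messages from 192.0.2.58 temporarily deferred due to user complaints (in reply to MAIL FROM command))
Jul 26 23:00:55 host postfix/smtp[27563]: 1E775E1E70: to=<b@t-online.de>, relay=mx03.t-online.de[192.0.2.73]:25, delay=88599, delays=88598/0.11/0.98/0, dsn=4.0.0, status=deferred (host mx03.t-online.de[192.0.2.73] refused to talk to me: 554 IP=192.0.2.58 - A problem occurred. (BL))
Jul 26 23:01:24 host postfix/smtp[27552]: C9BD3E435F: to=<c@aol.com>, relay=mailin-01.mx.aol.com[192.0.2.131]:25, delay=237151, delays=237121/0.12/30/0, dsn=4.0.0, status=deferred (host mailin-01.mx.aol.com[192.0.2.131] refused to talk to me: 554- (RTR:BL) 554 Connecting IP: 192.0.2.58)
Jul 26 23:02:00 host postfix/smtp[27570]: AB12CD34EF: to=<d@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.5/0.1/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)'

# Inbound: failed SASL logins per client IP. Output lines: "<count> <ip>", most frequent first.
sasl_failures_by_ip() {
    awk '/postfix\/smtpd\[[0-9]+\]: warning: .*SASL [A-Z]+ authentication failed/ {
            ip = $0; sub(/.*: warning: [^[]*\[/, "", ip); sub(/\].*/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Outbound: deferred/bounced deliveries per destination relay, classed by the remote reason:
# "blocklisted" when the MX cites a blocklist ("(BL)", "RTR:BL"), "complaints" for Yahoo's
# TSS04 "user complaints" deferral, "other" otherwise. Output: "<count> <relay> <class>".
outbound_problems_by_relay() {
    awk '/postfix\/smtp\[[0-9]+\]: [0-9A-Za-z]+: to=<[^>]*>, relay=[^,]+, .*status=(deferred|bounced)/ {
            relay = $0; sub(/.*relay=/, "", relay); sub(/\[.*/, "", relay)
            tag = "other"
            if ($0 ~ /\(BL\)|RTR:BL/) tag = "blocklisted"
            else if ($0 ~ /TSS04|user complaints/) tag = "complaints"
            n[relay " " tag]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Postfix logs delay=<seconds since the message entered the queue>; the largest value among
# deferred messages tells you when the spam run started filling the queue.
oldest_deferred_delay() {
    awk '/postfix\/smtp\[[0-9]+\]: .*status=deferred/ && match($0, /delay=[0-9.]+/) {
            d = substr($0, RSTART + 6, RLENGTH - 6) + 0; if (d > max) max = d
         }
         END { print max + 0 }'
}

report() {
    data=$(cat)   # buffer stdin once so each function can re-read it
    echo "== failed SASL logins per client IP =="
    printf '%s\n' "$data" | sasl_failures_by_ip
    echo "== refused/deferred outbound deliveries (count relay class) =="
    printf '%s\n' "$data" | outbound_problems_by_relay
    echo "== oldest deferred message, seconds in queue =="
    printf '%s\n' "$data" | oldest_deferred_delay
}

if [ $# -gt 0 ] && [ -r "$1" ]; then
    report < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | report
fi
```

The two tallies answer different questions: a long tail of distinct IPs in the first table is the background password-guessing noise that every exposed submission port sees, while the second table plus a queue age of several days says the box itself has been emitting the spam for that long, whatever the source turns out to be.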
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    That's probably just a bot that tries to guess a password and not the spam source.

    Regarding your spam sending issue, check the spam mails in the queue; you should see in their headers how they got sent.

    Use the postqueue command to list the mails in the queue, then pick the ID of one of the spam messages and view its content with:

    postcat -q ID

    replace ID with the ID of the spam mail. In the header, you should see if the mail has been sent by a php script or an authenticated user.

    The most common spam sources are hacked websites and email accounts where the spammer was able to get a password. That the server itself is hacked is uncommon for spam problems.
     
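To make the check till describes repeatable over the whole queue rather than one hand-picked ID, here is an added shell script (not from the thread and not part of ISPConfig or Postfix). It reads `postcat -q` output and reports which of the header markers is present: `X-PHP-Originating-Script` (written by PHP when `mail.add_x_header = On`, as set in the first post), `(Authenticated sender: ...)` in a `Received:` header (which Postfix adds only when `smtpd_sasl_authenticated_header = yes` is set in main.cf; that setting is an assumption, it is not shown in the thread), or `(Postfix, from userid N)`, which means the mail was injected locally through the sendmail binary by that uid (48 is the apache user on a stock CentOS 6). With `--scan` it walks the live queue as root and tallies the results. The three sample messages are constructed, modelled on `postcat -q` output.

```shell
#!/bin/sh
# Classify where a queued Postfix message came from, using its `postcat -q` output.
# Prints one line:
#   php-script <uid>:<script>   X-PHP-Originating-Script header (PHP mail.add_x_header = On)
#   sasl-user <address>         "(Authenticated sender: ...)" in a Received: header; Postfix
#                               adds it only with smtpd_sasl_authenticated_header = yes (assumed)
#   local-uid <uid>             "Received: by host (Postfix, from userid N)": injected locally
#                               via the sendmail binary, e.g. uid 48 (apache on CentOS 6)
#   unknown                     none of the above in the header block
# Usage: postcat -q ID | sh queue-origin.sh      or      sh queue-origin.sh --scan
classify_queue_message() {
    awk '
        /^\*\*\* MESSAGE CONTENTS/ { inmsg = 1; next }   # envelope records end here
        inmsg && /^$/ { exit }                           # first blank line ends the headers
        inmsg && /^X-PHP-Originating-Script:/ {
            php = $0; sub(/^X-PHP-Originating-Script:[ \t]*/, "", php)
        }
        inmsg && /\(Authenticated sender: / {
            match($0, /\(Authenticated sender: [^)]*\)/)
            sasl = substr($0, RSTART + 23, RLENGTH - 24)
        }
        inmsg && /\(Postfix, from userid [0-9]+\)/ {
            match($0, /from userid [0-9]+/)
            uid = substr($0, RSTART + 12, RLENGTH - 12)
        }
        END {
            # A PHP marker is the most specific clue, so it wins over the local-uid line
            # that accompanies every sendmail-injected message.
            if (php != "")       print "php-script " php
            else if (sasl != "") print "sasl-user " sasl
            else if (uid != "")  print "local-uid " uid
            else                 print "unknown"
        }'
}

# Walk the live queue and tally the origins (run as root on the mail server).
# postqueue -p lists "<ID>[*!] <size> <date> <sender>"; * = active, ! = on hold.
scan_queue() {
    postqueue -p | awk '/^[0-9A-Za-z]+[*!]?[ \t]/ { sub(/[*!]$/, "", $1); print $1 }' |
    while read -r qid; do
        postcat -q "$qid" | classify_queue_message
    done | sort | uniq -c | sort -rn
}

# Constructed samples modelled on `postcat -q` output; not taken from the server in the thread.
SAMPLE_PHP='*** ENVELOPE RECORDS deferred/4/4134BE6168 ***
sender: web1@host.example.com
recipient: someone@example.net
*** MESSAGE CONTENTS deferred/4/4134BE6168 ***
Received: by host.example.com (Postfix, from userid 48)
 id 4134BE6168; Wed, 26 Jul 2017 17:03:08 +0200 (CEST)
To: someone@example.net
Subject: hello
X-PHP-Originating-Script: 5004:class-phpmailer.php
From: web1@host.example.com

body'
SAMPLE_SASL='*** MESSAGE CONTENTS deferred/F/F06A4E6151 ***
Received: from [203.0.113.7] (unknown [203.0.113.7])
 (Authenticated sender: info@example.com)
 by host.example.com (Postfix) with ESMTPSA id F06A4E6151
From: info@example.com

body'
SAMPLE_LOCAL='*** MESSAGE CONTENTS deferred/2/2215EE6977 ***
Received: by host.example.com (Postfix, from userid 48)
 id 2215EE6977; Wed, 26 Jul 2017 17:05:00 +0200 (CEST)
From: apache@host.example.com

body'

if [ "${1:-}" = "--scan" ]; then
    scan_queue
elif [ -t 0 ]; then
    for s in "$SAMPLE_PHP" "$SAMPLE_SASL" "$SAMPLE_LOCAL"; do
        printf '%s\n' "$s" | classify_queue_message
    done
else
    classify_queue_message
fi
```

In the `php-script` case the uid in the header is the system user the script ran as (ISPConfig's per-site web user when PHP runs as FastCGI or suPHP), which points at the site to inspect; a `sasl-user` result means a mailbox password was guessed or phished and should be reset; `local-uid 48` without a PHP marker means something on the box is calling sendmail as apache directly.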
