spam mails

Discussion in 'General' started by hadizeid, Jan 12, 2020.

  1. hadizeid

    hadizeid New Member

    Good evening everyone,

    I'm having trouble tracking down some weird spam happening on my server.
    Here is an example of what I find in the mail queue:
    61D081E01B39 7596 Sun Jan 12 18:26:56 [email protected]
    (host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.1xx.1xx&c=poli)
    [email protected]

    The domain or email [email protected] doesn't belong to my server.
    Running postcat on this specific deferred message shows the result below:
    *** ENVELOPE RECORDS /var/spool/postfix/deferred/6/61D081E01B39 ***
    message_size: 7596 642 1 0 7596 0
    message_arrival_time: Sun Jan 12 22:26:56 2020
    create_time: Sun Jan 12 22:26:56 2020
    named_attribute: log_ident=61D081E01B39
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: encoding=7bit
    named_attribute: log_client_name=localhost
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=48106
    named_attribute: log_message_origin=localhost[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost
    named_attribute: reverse_client_name=localhost
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=48106
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS /var/spool/postfix/deferred/6/61D081E01B39 ***
    Received: from localhost (localhost [127.0.0.1])
    by mhd101.myhostingdeal.com (Postfix) with ESMTP id 61D081E01B39
    for <[email protected]>; Sun, 12 Jan 2020 22:26:56 +0400 (+04)
    X-Virus-Scanned: Debian amavisd-new at mhd101.mylocalserver.com
    Received: from mhd101.mylocalserver.com ([127.0.0.1])
    by localhost (mhd101.mylocalserver.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id R77hj_jHJKIt for <[email protected]>;
    Sun, 12 Jan 2020 22:26:56 +0400 (+04)
    Received: from mhd101.mylocalserver.com (localhost [127.0.0.1])
    by mhd101.mylocalserver.com (Postfix) with ESMTP id 9D2B41E01805
    for <[email protected]>; Sun, 12 Jan 2020 22:26:55 +0400 (+04)
    Date: Sun, 12 Jan 2020 22:26:55 -0600 (CST)
    To: [email protected]
    From: USPS <[email protected]>
    Decrementing-Excitingly-Confides: 1254
    Unconventional-Fuchs: medicinally
    Wearily-Stravinsky-Read: 74
    Content-Transfer-Encoding: 7bit
    Message-ID: <[email protected]>
    Subject: USPostalService notification No.32698
    MIME-Version: 1.0
    Content-Type: text/html; charset=utf-8


    Please advise what I should do.
     
    Last edited: Jan 12, 2020
  2. Steini86

    Steini86 Active Member

    Your mailserver is sending spam/scam.
    1. Stop your mail server (postfix)
    2. Find out how the mails enter your system
    3. Fix the problem, empty the queue and restart postfix

    Is that your real server? Then it is not properly configured. There is more than one problem.

    The email seems to enter your system via JavaMail, so it is probably a webhost which was hacked.
     
  3. hadizeid

    hadizeid New Member

    Hi Steini86,
    Thanks for your input and support.
    That's exactly what I am trying to do. But I am stuck at step #2. I did realize that it is something related to JavaMail, but how could I trace which webhost it belongs to?
    Thanks
     
  4. hadizeid

    hadizeid New Member

    Is there a way to trace this JavaMail? I already did a scan using ISPProtect and found nothing as malware.
     
  5. Steini86

    Steini86 Active Member

    You could search for the website that uses JavaMail, for a start:
    find /var/www -name 'javax.mail.jar'

    If that does not find something, do a longer search in file contents
    grep -rnw '/var/www/' -e 'java.mail'
    • -r is recursive,
    • -n is line number
    • -w stands for match the whole word.
    • -e search pattern
    • -l (lower L) can be added to just show the file containing pattern

    Otherwise look for more logs. For example at the time the mail gets submitted to postfix, which sites were accessed. If the problem persists, increase log level to get more information
     
  6. Jesse Norell

    Jesse Norell Well-Known Member

    Do you have many websites which run java apps? You could depending on your environment, but those are so few in my world it would be pretty obvious/easy to check each.

    Some things to check are: httpd (apache/nginx) logs, and correlate HTTP requests with the timestamps of those emails. Or if there are a lot of emails, simply check the logs for lots of requests coming in.

    The mail appears to have been sent by an SMTP connection to localhost, probably on port 25, so you can see what processes are connecting there, eg. with
    Code:
    lsof -i @127.0.0.1:25
    You might also check ports 465 and 587 if either of those allow unauthenticated SMTP from localhost. That would show active processes, so would only help while the smtp connection itself is established, but if you found such a process you can then see what other file handles it has open to identify the site, or maybe correlate log files looking for that process id or its parent to see where it started.

    You could try to search for websites which use JavaMail, though I'm not very adept at how that would be done right offhand. A quick
    Code:
    find /var/www/clients | grep -i java | grep -i mail
    might find some candidates just based on filenames. You could try
    Code:
    grep -RFl javax.mail /var/www/clients
    and maybe find something. I imagine there is a way to find compiled java code and dump dependencies for it (same as 'ldd' for C programs) and search the output, but if I ever knew specifically how, I have forgotten long ago. :) Probably some web searches asking similar questions to yours would find some help.
     
  7. hadizeid

    hadizeid New Member

    Please can you advise how I can do this?
    I have around 75 client websites that I don't have direct control over. The majority is WordPress, but again, is there a way to determine which clients are running Java apps? Or is there a way to block Java apps on the server?
     
  8. hadizeid

    hadizeid New Member

    @till your support is much appreciated if you can.
    Thanks in advance.
     
  9. Jesse Norell

    Jesse Norell Well-Known Member

    Find the time the message was delivered (in the Received headers or fields in 'postcat' output), then look in web server log files for requests made at that time (eg. exact same second or within a few seconds prior, most likely). It's manual, but I would simply run a few grep commands to find matches for timestamps of interest.

    It has been many years since I've written or deployed anything related to Java, so more knowledgeable folks could surely have better input.

    The greps above (for eg. javax.mail) would match if the .java source itself is within the website - pure gold, if you find it. If you do not, it may be that the java source has been compiled into byte code, and that is where you would find .class files. I believe you can wrap the whole thing up in a .jar archive, so look for those, too. Also .jsp and .jws, and there may well be others, it's really out of my forte.

    It will take a while to run, but you could try:
    Code:
    find /var/www/clients -type f | xargs file | grep Java
    Heck, even try
    Code:
    grep -Rl /var/www/clients JavaMail
    And it wouldn't hurt to take a quick look at running applications, as any java app I've dealt with has always been a huge memory sucker. You might try even
    Code:
    ps auxww | grep -Ei 'java|james|tomcat|websphere'
    That depends on how they run (deployment), and as above, I'm pretty rusty. There are servers like Apache James, Tomcat, I think WebSphere, and probably plenty others. I'd guess these are unlikely, and will be pretty obvious (due to resources used) though if you find processes for 'java' or some of the others, you may be dealing with them. Then I believe you can deploy compiled bytecode right from a simple webpage, and have it run in a browser, though to send mail you would still need a server-side component to handle the connection.

    So see what you find with the above searches, if anything. And check, do you even have java installed on your server? There is the very real possibility that none of your sites are running any java apps at all. As far as I know, that determination was based solely on 'JavaMail' being present in the Message-ID? I would also presume the message was originated via a java app somehow, but it doesn't mean that anything java related will be found on your server. I don't know how likely, but as an obfuscation, any app (eg. php script) could add a Message-ID header with 'JavaMail' in it. It's possible something is running on your server and relaying a connection from a different port to localhost:25, and merely passes the message through. That would include something like a script originating a connection to a remote server (eg. a simple curl request to remote url) to get the message contents, and submitting it locally. You may have a malicious script uploaded and operating, or you may simply have a vulnerability in one of your many wordpress (or other) sites performing this. You could even have vulnerabilities in completely unrelated software which allow this (eg. old proxy-through-ftp-server connections, misconfiguration in your web server, even the old HTTPOXY vulnerability in the HTTP protocol itself did this).

    A lot of possibilities, but don't freak out, just start digging and you'll find it before long.
     
    Last edited: Jan 15, 2020
  10. hadizeid

    hadizeid New Member

    Thanks @Jesse Norell for your support.
    The result for this is:
    Code:
    root      6166  0.0  0.0  12780  1020 pts/0    S+   21:45   0:00 grep -Ei java|james|tomcat|websphere
    while this is showing: grep: javamil: no such file or directory
    while this results in:
    Code:
    /var/www/clients/client0/web28/web/wp-content/themes/pearl/includes/admin/theme_options/includes/src/index.main.js:                                                              Java source, ASCII text
    /var/www/clients/client0/web28/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/index.js:                                       Java source, ASCII text
    /var/www/clients/client0/web28/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/revslider/index.js:                             Java source, ASCII text
    /var/www/clients/client0/web25/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/index.js:                                                                                           Java source, ASCII text
    /var/www/clients/client0/web25/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/revslider/index.js:                                                                                 Java source, ASCII text
    /var/www/clients/client0/web25/web/wp-content/plugins/houzez-login-register/social/Facebook/Helpers/FacebookJavaScriptHelper.php:                                                                    PHP script, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/get-shortcode.js:                                                            Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/test/products.js:                                                            Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/test/get-query.js:                                                           Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/deprecations.js:                                                             Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/shared-attributes.js:                                                        Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/get-query.js:                                                                Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/product-on-sale/index.js:                                                   Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/product-best-sellers/index.js:                                              Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/featured-category/index.js:                                                 Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/featured-category/block.js:                                                 Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/featured-category/utils.js:                                                 Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/handpicked-products/index.js:                                               Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/widgets.js:                                                       Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/woo.js:                                                           Java source, ASCII text, with very long lines
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/folder-star.js:                                                   Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/checkbox-checked.js:                                              Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/product-preview/test/index.js:                                          Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/product-preview/index.js:                                               Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/products-control/index.js:                                              Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/grid-layout-control/index.js:                                           Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/load-more-button/index.js:                                         Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/review-list-item/index.js:                                         Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/label/test/index.js:                                               Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/label/index.js:                                                    Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/review-order-select/index.js:                                      Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/review-list/index.js:                                              Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/read-more/test/index.js:                                           Java source, ASCII text, with very long lines
    
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/test/with-searched-products.js:                                               Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/with-product.js:                                                              Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/with-searched-products.js:                                                    Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/with-category.js:                                                             Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/index.js:                                                                          Java source, ASCII text
    /var/www/clients/client6/web26/web/wp-content/plugins/quform/js/cultures/kendo.culture.jv-Java.min.js:                                    ASCII text, with very long lines, with no line terminators
    /var/www/clients/client6/web26/web/wp-content/plugins/quform/js/cultures/kendo.culture.jv-Java-ID.min.js:                                 ASCII text, with very long lines, with no line terminators
    /var/www/clients/client6/web26/web/wp-content/plugins/download-manager/libs/socialconnect/Facebook/Helpers/FacebookJavaScriptHelper.php:                        PHP script, ASCII text
    
     
  11. hadizeid

    hadizeid New Member

    do you mean in /var/log/syslog?
     
  12. Jesse Norell

    Jesse Norell Well-Known Member

    Sorry, I had that switched, try
    Code:
    grep -Rl JavaMail /var/www/clients
    That looks like mainly JavaScript files misidentified as Java source, but that is normal.

    Do try that other grep for 'JavaMail' string, but you might well not have the (presumably java) code which generates these emails on your server, which means something is merely passing the messages through. You might need to correlate messages with HTTP requests (web server logs) to find it.

    syslog would be worth checking for something tunneled through FTP (though I think those holes are generally closed "out of the box" nowadays), but no, /var/log/syslog does not have your web server logs.

    On a debian server the primary apache log to search is /var/log/apache2/other_vhosts_access.log, and that gets rotated daily (so you can search older days in the files /var/log/apache2/other_vhosts_access.log.1 and /var/log/apache2/other_vhosts_access.log.*.gz). You can see the date format in those, eg. '[17/Jan/2020:09:15:31 -0700]' .. so just grep for '17/Jan/2020:09:15' or so to match all requests during that minute. Correlate the time with when your spam messages were submitted.
     
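    One way to do the correlation described above (the submission time from the first Received header checked against Apache's other_vhosts_access.log), as an added example that is not from the thread: it assumes Debian's vhost_combined log format and runs on constructed sample lines; the hostnames, addresses and queue id in the sample are made up.

```python
"""Correlate a queued spam message's submission time with web server requests.
Added example, not from the thread; assumes Debian's other_vhosts_access.log
(vhost_combined) format and the Received header format shown in postcat output.
"""
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# vhost_combined: %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)

def submission_time(received_header):
    """Timestamp Postfix stamped on the first Received header (after ';').
    It carries a UTC offset, so it can be compared with logs in any zone.
    A trailing '(+04)' comment is stripped before parsing."""
    date_part = received_header.rsplit(';', 1)[1].strip()
    date_part = re.sub(r'\s*\([^)]*\)$', '', date_part)
    return parsedate_to_datetime(date_part)

def parse_log_line(line):
    """Parse one access-log line; returns None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['time'] = datetime.strptime(entry['time'], '%d/%b/%Y:%H:%M:%S %z')
    return entry

def requests_near(log_lines, submitted_at, before=10, after=1):
    """Requests from `before` seconds prior to `after` seconds past submission,
    oldest first. Aware datetimes make logs in another offset compare correctly."""
    lo = submitted_at - timedelta(seconds=before)
    hi = submitted_at + timedelta(seconds=after)
    hits = [e for e in map(parse_log_line, log_lines) if e and lo <= e['time'] <= hi]
    return sorted(hits, key=lambda e: e['time'])

def count_by_vhost(hits):
    """Tally candidates per vhost; the site that recurs across several spam
    submissions is the one to inspect first."""
    counts = {}
    for e in hits:
        counts[e['vhost']] = counts.get(e['vhost'], 0) + 1
    return counts

# Constructed sample data (not from the thread): a Received header shaped like
# the one in the postcat output, and made-up log lines around that second.
RECEIVED = ('Received: from localhost (localhost [127.0.0.1]) by mail.example.test '
            '(Postfix) with ESMTP id 0000DEADBEEF for <user@example.test>; '
            'Sun, 12 Jan 2020 22:26:56 +0400 (+04)')
SAMPLE_LOG = [
    'site-a.example.test:80 203.0.113.5 - - [12/Jan/2020:22:26:40 +0400] '
    '"GET /wp-login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"',
    'site-b.example.test:443 198.51.100.9 - - [12/Jan/2020:22:26:55 +0400] '
    '"POST /wp-content/plugins/example-plugin/ajax.php HTTP/1.1" 200 312 "-" "curl/7.64.0"',
    # same request logged by a vhost whose log uses UTC: 18:26:50Z == 22:26:50 +0400
    'site-b.example.test:443 198.51.100.9 - - [12/Jan/2020:18:26:50 +0000] '
    '"POST /wp-content/plugins/example-plugin/ajax.php HTTP/1.1" 200 298 "-" "curl/7.64.0"',
    'site-a.example.test:80 203.0.113.5 - - [12/Jan/2020:22:27:30 +0400] '
    '"GET /index.php HTTP/1.1" 200 8721 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == '__main__':
    hits = requests_near(SAMPLE_LOG, submission_time(RECEIVED))
    for e in hits:
        print(e['time'].isoformat(), e['vhost'], e['client'], e['request'])
    print(count_by_vhost(hits))
```

    On a real server, feed it the Received line of a queued message and the lines of other_vhosts_access.log (and the rotated .1 and .gz files for older days); a vhost that recurs across several submissions is where to look for the relaying script.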
  13. hadizeid

    hadizeid New Member

    Code:
     grep -Rl JavaMail /var/www/clients
    grep: /var/www/clients/client3/web16/log/access.log: No such file or directory
    grep: /var/www/clients/client3/web16/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client3/domain1.co/log/access.log: No such file or directory
    grep: /var/www/clients/client3/domain1.co/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client0/web24/log/access.log: No such file or directory
    grep: /var/www/clients/client0/web24/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client0/domain2.ae/log/access.log: No such file or directory
    grep: /var/www/clients/client0/domain2.ae/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client6/masterplan.domain3.com/log/access.log: No such file or directory
    grep: /var/www/clients/client6/masterplan.domain3.com/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client6/web22/log/access.log: No such file or directory
    grep: /var/www/clients/client6/web22/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client2/web3/log/access.log: No such file or directory
    grep: /var/www/clients/client2/web3/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client2/domain4.com/log/access.log: No such file or directory
    grep: /var/www/clients/client2/domain4.com/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client2/web2/log/access.log: No such file or directory
    grep: /var/www/clients/client2/web2/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client2/domain5.me/log/access.log: No such file or directory
    grep: /var/www/clients/client2/domain5.me/log/yesterday-access.log: No such file or directory
    Currently I have no mails in the queue; once I have some I will try to search in the log, see what I can find, and post it.
    Thanks for your help and support @Jesse Norell
     
  14. hadizeid

    hadizeid New Member

    Still stuck and have no clue where the spam is originating from.
    If anyone could help, that would be much appreciated.
     
  15. Jesse Norell

    Jesse Norell Well-Known Member

    So that pretty well confirms the mail is likely not generated by code found in your websites. Follow the other suggestions above to work on tracking it down.
     
