spam mails

Discussion in 'General' started by hadizeid, Jan 12, 2020.

  1. hadizeid

    hadizeid Member

    Good evening everyone,

    I'm having trouble tracking down some weird spam happening on my server.
    here is an example of what i find in mail queue:
    61D081E01B39 7596 Sun Jan 12 18:26:56 [email protected]
    (host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.1xx.1xx&c=poli)
    [email protected]

    the domain or email of [email protected] doesnt belong to my server
    Running Postcat on this specific deffered message shows the below result:
    *** ENVELOPE RECORDS /var/spool/postfix/deferred/6/61D081E01B39 ***
    message_size: 7596 642 1 0 7596 0
    message_arrival_time: Sun Jan 12 22:26:56 2020
    create_time: Sun Jan 12 22:26:56 2020
    named_attribute: log_ident=61D081E01B39
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: encoding=7bit
    named_attribute: log_client_name=localhost
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=48106
    named_attribute: log_message_origin=localhost[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost
    named_attribute: reverse_client_name=localhost
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=48106
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS /var/spool/postfix/deferred/6/61D081E01B39 ***
    Received: from localhost (localhost [127.0.0.1])
    by mhd101.myhostingdeal.com (Postfix) with ESMTP id 61D081E01B39
    for <[email protected]>; Sun, 12 Jan 2020 22:26:56 +0400 (+04)
    X-Virus-Scanned: Debian amavisd-new at mhd101.mylocalserver.com
    Received: from mhd101.mylocalserver.com ([127.0.0.1])
    by localhost (mhd101.mylocalserver.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id R77hj_jHJKIt for <[email protected]>;
    Sun, 12 Jan 2020 22:26:56 +0400 (+04)
    Received: from mhd101.mylocalserver.com (localhost [127.0.0.1])
    by mhd101.mylocalserver.com (Postfix) with ESMTP id 9D2B41E01805
    for <[email protected]>; Sun, 12 Jan 2020 22:26:55 +0400 (+04)
    Date: Sun, 12 Jan 2020 22:26:55 -0600 (CST)
    To: [email protected]
    From: USPS <[email protected]>
    Decrementing-Excitingly-Confides: 1254
    Unconventional-Fuchs: medicinally
    Wearily-Stravinsky-Read: 74
    Content-Transfer-Encoding: 7bit
    Message-ID: <[email protected]>
    Subject: USPostalService notification No.32698
    MIME-Version: 1.0
    Content-Type: text/html; charset=utf-8


    Please advise what should i do
     
    Last edited: Jan 12, 2020
  2. Steini86

    Steini86 Active Member

    Your mailserver is sending spam/scam.
    1. Stop your mail server (postfix)
    2. Find out how the mails enter your system
    3. Fix the problem, empty the queue and restart postfix

    Is that your real server? Than it is not properly configured. There is more than one problem..

    The email seems to enter your system via JavaMail, so it is probably a webhost which was hacked.
     
  3. hadizeid

    hadizeid Member

    Hi Steinni86,
    Thanks for your input and support.
    Thats exactly what I am trying to do. But I am stuck at step #2. I did realize that something related to javamail, but how i could trace it to which webhost it belongs?
    Thanks
     
  4. hadizeid

    hadizeid Member

    Is there a way to trace This JavaMail.|i already did a scan using ispprotect and found nothing as malware
     
  5. Steini86

    Steini86 Active Member

    You could search for the web, that uses java mail for a start:
    find /var/www -name 'javax.mail.jar'

    If that does not find something, do a longer search in file contents
    grep -rnw '/var/www/' -e 'java.mail'
    • -r is recursive,
    • -n is line number
    • -w stands for match the whole word.
    • - e search pattern
    • -l (lower L) can be added to just show the file containing pattern

    Otherwise look for more logs. For example at the time the mail gets submitted to postfix, which sites were accessed. If the problem persists, increase log level to get more information
     
  6. Jesse Norell

    Jesse Norell Well-Known Member

    Do you have many websites which run java apps? You could depending on your environment, but those are so few in my world it would be pretty obvious/easy to check each.

    Some things to check are: httpd (apache/nginx) logs, and correlate HTTP requests with the timestamps of those emails. Or if there are a lot of emails, simply check the logs for lots of requests coming in.

    The mail appears to have been sent by a smtp connection to localhost, probably on port 25, so you can see what processes are connecting there, eg. with
    Code:
    lsof -i @127.0.0.1:25
    You might also check port 465 and 587 if either of those allow unauthenticated SMTP from localhost. That would show active processes, so would only help while the smtp connection itself is established, but if you found such a process you can then see what other file handles it has open to identify the site, or maybe correlate log files looking for that process id or it's parent to see where it started.

    You could try to search for websites which use JavaMail, though I'm not very adept at how that would be done right offhand. A quick
    Code:
    find /var/www/clients | grep -i java | grep -i mail
    might find some candidates just based on filenames. You could try
    Code:
    grep -RFl javax.mail /var/www/clients
    and maybe find something. I imagine there is a way to find compiled java code and dump dependencies for it (same as 'ldd' for C programs) and search the output, but if I ever knew specifically how, I have forgotten long ago. :) Probably some web searches asking similar questions to yours would find some help.
     
    Steini86 likes this.
  7. hadizeid

    hadizeid Member

    Please can you advise how i can do this?
    i have around 75 websites to clients that i dont have direct control. Majority is wordpress but again is there a way to determin which clients are running Java Apps. or is there a way to bock java apps on the server?
     
  8. hadizeid

    hadizeid Member

    @till your support is much appreciated if you can.
    Thanks in advance.
     
  9. Jesse Norell

    Jesse Norell Well-Known Member

    Find the time the message was delivered (in the Received headers or fields in 'postcat' output), then look in web server log files for requests made at that time (eg. exact same second or within a few seconds prior, most likely). It's manual, but I would simply run a few grep commands to find matches for timestamps of interest.

    It has been many years since I've written or deployed anything related to Java, so more knowledgeable folks could surely have better input.

    The greps above (for eg. javax.mail) would match if the .java source itself is within the website - pure gold, if you find it. If you do not, it may be that the java source has been compiled into byte code, and that is what you would find .class files. I believe you can wrap the whole thing up in a .jar archive, so look for those, too. Also .jsp and .jws, and there may well be others, it's really out of my forte.

    It will take a while to run, but you could try:
    Code:
    find /var/www/clients -type f | xargs file | grep Java
    Heck, even try
    Code:
    grep -Rl /var/www/clients JavaMail
    And it wouldn't hurt to take a quick look at running applications, as any java app I've dealt with has always been a huge memory sucker. You might try even
    Code:
    ps auxww | grep -Ei 'java|james|tomcat|websphere'
    That depends on how they run (deployment), and as above, I'm pretty rusty. There are servers like Apache James, Tomcat, I think WebSphere, and probably plenty others. I'd guess these are unlikely, and will be pretty obvious (due to resources used) though if you find processes for 'java' or some of the others, you may be dealing with them. Then I believe you can deploy compiled bytecode right from a simple webpage, and have it run in a browser, though to send mail you would still need a server-side component to handle the connection.

    So see what you find with the above searches, if anything. And check, do you even have java installed on your server? There is the very real possibility that none of your sites are running any java apps at all. As far as I know, that determination was based solely on 'JavaMail' being present in the Message-ID? I would also presume the message was originated via a java app somehow, but it doesn't mean that anything java related will be found on your server. I don't know how likely, but as an obfuscation, any app (eg. php script) could add a Message-ID header with 'JavaMail' in it. It's possible something is running on your server and relaying a connection from a different port to localhost:25, and merely passes the message through. That would include something like a script originating a connection to a remote server (eg. a simple curl request to remote url) to get the message contents, and submitting it locally. You may have a malicious script uploaded and operating, or you may simply have a vulnerability in one of your many wordpress (or other) sites performing this. You could even have vulnerabilities in completely unrelated software which allow this (eg. old proxy-through-ftp-server connections, misconfiguration in your web server, even the old HTTPOXY vulnerability in the HTTP protocol itself did this).

    A lot of possibilities, but don't freak out, just start digging and you'll find it before long.
     
    Last edited: Jan 15, 2020
  10. hadizeid

    hadizeid Member

    Thanks @Jesse Norell for your support.
    the result for this is:
    Code:
    root      6166  0.0  0.0  12780  1020 pts/0    S+   21:45   0:00 grep -Ei java|james|tomcat|websphere
    While this is showing: grep: javamil: no such file or directory
    while is results in :
    Code:
    /var/www/clients/client0/web28/web/wp-content/themes/pearl/includes/admin/theme_options/includes/src/index.main.js:                                                              Java source, ASCII text
    /var/www/clients/client0/web28/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/index.js:                                       Java source, ASCII text
    /var/www/clients/client0/web28/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/revslider/index.js:                             Java source, ASCII text
    /var/www/clients/client0/web25/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/index.js:                                                                                           Java source, ASCII text
    /var/www/clients/client0/web25/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/revslider/index.js:                                                                                 Java source, ASCII text
    /var/www/clients/client0/web25/web/wp-content/plugins/houzez-login-register/social/Facebook/Helpers/FacebookJavaScriptHelper.php:                                                                    PHP script, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/get-shortcode.js:                                                            Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/test/products.js:                                                            Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/test/get-query.js:                                                           Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/deprecations.js:                                                             Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/shared-attributes.js:                                                        Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/get-query.js:                                                                Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/product-on-sale/index.js:                                                   Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/product-best-sellers/index.js:                                              Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/featured-category/index.js:                                                 Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/featured-category/block.js:                                                 Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/featured-category/utils.js:                                                 Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/handpicked-products/index.js:                                               Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/widgets.js:                                                       Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/woo.js:                                                           Java source, ASCII text, with very long lines
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/folder-star.js:                                                   Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/checkbox-checked.js:                                              Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/product-preview/test/index.js:                                          Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/product-preview/index.js:                                               Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/products-control/index.js:                                              Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/grid-layout-control/index.js:                                           Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/load-more-button/index.js:                                         Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/review-list-item/index.js:                                         Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/label/test/index.js:                                               Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/label/index.js:                                                    Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/review-order-select/index.js:                                      Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/review-list/index.js:                                              Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/read-more/test/index.js:                                           Java source, ASCII text, with very long lines
    
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/test/with-searched-products.js:                                               Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/with-product.js:                                                              Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/with-searched-products.js:                                                    Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/with-category.js:                                                             Java source, ASCII text
    /var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/index.js:                                                                          Java source, ASCII text
    /var/www/clients/client6/web26/web/wp-content/plugins/quform/js/cultures/kendo.culture.jv-Java.min.js:                                    ASCII text, with very long lines, with no line terminators
    /var/www/clients/client6/web26/web/wp-content/plugins/quform/js/cultures/kendo.culture.jv-Java-ID.min.js:                                 ASCII text, with very long lines, with no line terminators
    /var/www/clients/client6/web26/web/wp-content/plugins/download-manager/libs/socialconnect/Facebook/Helpers/FacebookJavaScriptHelper.php:                        PHP script, ASCII text
    
     
  11. hadizeid

    hadizeid Member

    do you mean in /var/log/syslog?
     
  12. Jesse Norell

    Jesse Norell Well-Known Member

    Sorry, I had that switched, try
    Code:
    grep -Rl JavaMail /var/www/clients
    That looks like mainly javascript files miss-identified as Java source, but is normal.

    Do try that other grep for 'JavaMail' string, but you might well not have the (presumably java) code which generates these emails on your server, which means something is merely passing the messages through. You might need to correlate messages with HTTP requests (web server logs) to find it.

    syslog would be worth checking for something tunneled through FTP (though I think those holes are generally closed "out of the box" nowadays), but no, /var/log/syslog does not have your web server logs.

    On a debian server the primary apache log to search is /var/log/apache2/other_vhosts_access.log, and that gets rotated daily (so you can search older days in the files /var/log/apache2/other_vhosts_access.log.1 and /var/log/apache2/other_vhosts_access.log.*.gz You can see the date format in those, eg. '[17/Jan/2020:09:15:31 -0700]' .. so just grep for '17/Jan/2020:09:15' or so to match all requests during that minute. Correlate the time with when your spam messages were submitted.
     
  13. hadizeid

    hadizeid Member

    Code:
     grep -Rl JavaMail /var/www/clients
    grep: /var/www/clients/client3/web16/log/access.log: No such file or directory
    grep: /var/www/clients/client3/web16/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client3/domain1.co/log/access.log: No such file or directory
    grep: /var/www/clients/client3/domain1.co/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client0/web24/log/access.log: No such file or directory
    grep: /var/www/clients/client0/web24/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client0/domain2.ae/log/access.log: No such file or directory
    grep: /var/www/clients/client0/domain2.ae/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client6/masterplan.domain3.com/log/access.log: No such file or directory
    grep: /var/www/clients/client6/masterplan.domain3.com/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client6/web22/log/access.log: No such file or directory
    grep: /var/www/clients/client6/web22/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client2/web3/log/access.log: No such file or directory
    grep: /var/www/clients/client2/web3/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client2/domain4.com/log/access.log: No such file or directory
    grep: /var/www/clients/client2/domain4.com/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client2/web2/log/access.log: No such file or directory
    grep: /var/www/clients/client2/web2/log/yesterday-access.log: No such file or directory
    grep: /var/www/clients/client2/domain5.me/log/access.log: No such file or directory
    grep: /var/www/clients/client2/domain5.me/log/yesterday-access.log: No such file or directory
    currently having no mails in queue, once have will try to search in the log and see what could i find and post it.
    Thanks for your help and support @Jesse Norell
     
  14. hadizeid

    hadizeid Member

    Still Stuck and have no clue from where spam is originating.
    if anyone could help that would be much appreciated
     
  15. Jesse Norell

    Jesse Norell Well-Known Member

    So that pretty well confirms the mail is likely not generated by code found in your websites. Follow the other suggestions above to work on tracking it down.
     
  16. hadizeid

    hadizeid Member

    So mail queue is having around 21 message similar to the below:
    Code:
    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    8CC7C1E01884 7650 Wed Jan 22 08:17:07 [email protected]
    (host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb111) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=xxx.xx.xxx.xxx&c=poli)
    [email protected]
    
    8833C1E01885 7420 Wed Jan 22 08:22:27 [email protected]
    (host mx.lb.btinternet.com[213.120.69.89] said: 421-Too many messages (1.5.7.1) on 2020/01/22 09:37:42 GMT from un-validated IP address: xxx.xx.xxx.xxx. Please add a SPF record for the domain frankusher.co.uk to your DNS or ask your service provider to do this, 421 we will be unable to deliver email until this is done due to the volume of email being sent from this IP address. An SPF record allows us to verify you and confidently deliver your email to our customers. Our Postmaster will be unable to help you. (in reply to MAIL FROM command))
    [email protected]
    
    9A8191E0180A 7880 Wed Jan 22 07:09:20 [email protected]
    (delivery temporarily suspended: host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb010) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=xxx.xx.xxx.xxx&c=poli)
    [email protected]

    using command postcat -q 8CC7C1E01884 which is for the first messagein queue show this:
    Code:
    postcat -q 8CC7C1E01884
    *** ENVELOPE RECORDS deferred/8/8CC7C1E01884 ***
    message_size:            7650             669               1               0            7650               0
    message_arrival_time: Wed Jan 22 12:17:07 2020
    create_time: Wed Jan 22 12:17:07 2020
    named_attribute: log_ident=8CC7C1E01884
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: encoding=7bit
    named_attribute: log_client_name=localhost
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=55182
    named_attribute: log_message_origin=localhost[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost
    named_attribute: reverse_client_name=localhost
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=55182
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS deferred/8/8CC7C1E01884 ***
    Received: from localhost (localhost [127.0.0.1])
            by mhd101.mymailserver.com (Postfix) with ESMTP id 8CC7C1E01884
            for <[email protected]>; Wed, 22 Jan 2020 12:17:07 +0400 (+04)
    X-Virus-Scanned: Debian amavisd-new at mhd101.myhostingdeal.com
    Received: from mhd101.mymailserver.com ([127.0.0.1])
            by localhost (mhd101.mymailserver.com [127.0.0.1]) (amavisd-new, port 10026)
            with ESMTP id 6NDevIYeFgWt for <[email protected]>;
            Wed, 22 Jan 2020 12:17:07 +0400 (+04)
    Received: from mhd101.mymailserver.com (localhost [127.0.0.1])
            by mhd101.mymailserver.com (Postfix) with ESMTP id F082B1E0180C
            for <[email protected]>; Wed, 22 Jan 2020 12:17:06 +0400 (+04)
    Withstood-Winnipesaukee: DB573DC8
    Message-ID: <[email protected]>
    Content-Type: text/html; charset=utf-8
    Scamper-Treks: 3
    Subject: United States Postal Service ticket #95256
    From: USPS <[email protected]>
    To: [email protected]
    Encamps-Britannica-Generating: 7559
    Inhibitions-Dostoevsky: schroeder
    Date: Wed, 22 Jan 2020 12:17:06 -0600 (CST)
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    
    searching in mail.log to all instances of "[email protected]" as this id is the sender of the message shows:
     
  17. hadizeid

    hadizeid Member

    Based on this looks like the message was sent on jan22 @ around 12:17
    doing a search in appache log for that date at 12:16 and 12:17 results in:
    Is there anything specific that could lead to the issue or am i still missing any location to search for more evidence.
    Any thoughts or suggestions are much appreciated as i am totally stuck now not knowing how to go further.
    Thanks for you support everyone
     
  18. Steini86

    Steini86 Active Member

    First you could hold all mails, and release them by hand to no longer send spam messages (otherwise your mail sender reputation will be worthless forever):
    Code:
    defer_transports = hold
    default_transport = hold
    Add to your php.ini setting:
    Code:
    mail.add_x_header = On
    mail.log = /var/log/phpmail.log
    This adds a "X-PHP-Originating-Script" header to the email which should give you more information about which script is sending these mails. Then look at /var/log/phpmail.log or use "postcat -q ID | grep X-PHP-Originating-Script". The output should be like "X-PHP-Originating-Script: 1012:script.php" where the number is the linux user id sending and script.php the scriptname.

    Consider to only allow your own domains as sender addresses. (Reduces spam but does not solve the problem of your compromised script)

    Can you do a "egrep 8CC7C1E01884 /var/log/mail.log"?
     
    Last edited: Jan 22, 2020
  19. Jesse Norell

    Jesse Norell Well-Known Member

    Perfect, so ignoring autodiscover.xml requests and all you had hitting your server per those logs is to the single site jumeirahluxuryliving.com. There was a normal wordpress cron run, a page read by a bot, and a lot of POST by 94.206.63.46, which I suspect is a compromised client sending your spam.

    Code:
    jumeirahluxuryliving.com:443 94.206.63.46 - - [22/Jan/2020:12:16:58 +0400] "POST / HTTP/1.1" 200 143938 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4312; Pro)"
    I am not familiar with posts by ms office right offhand to know what on the server side would be handling that, but you should be able to log the full requests and get a lot more info.

    On logging full requests, a little searching indicates you can use mod_log_forensic, mod_security, and mod_dumpio. Eg. add to the apache snippets for jumeirahluxuryliving.com:

    Code:
    <IfModule mod_log_forensic.c>
        ForensicLog logging/jumeirahluxuryliving.log
    </IfModule>
    
    Then enable mod_log_forensic:
    Code:
    mkdir /etc/apache2/logging
    chgrp www-data /etc/apache2/logging
    chmod 770 /etc/apache2/logging
    
    
    a2enmod log_forensic
    systemctl restart apache2
    
    Then wait a bit and see what you find in /etc/apache2/logging/jumeirahluxuryliving.log. Note there could be sensitive info in those requests, don't blindly post any here without looking at what you might post first.
     
  20. hadizeid

    hadizeid Member

    Code:
    egrep 8CC7C1E01884 /var/log/mail.log
    Jan 22 12:17:07 mhd101 postfix/smtpd[7416]: 8CC7C1E01884: client=localhost[127.0.0.1]
    Jan 22 12:17:07 mhd101 postfix/cleanup[7408]: 8CC7C1E01884: message-id=<[email protected]>
    Jan 22 12:17:07 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
    Jan 22 12:17:07 mhd101 amavis[2600]: (02600-03) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1]:36948 <[email protected]> -> <[email protected]>, Queue-ID: F082B1E0180C, Message-ID: <[email protected]>, mail_id: 6NDevIYeFgWt, Hits: 1.771, size: 7154, queued_as: 8CC7C1E01884, 670 ms
    Jan 22 12:17:07 mhd101 postfix/smtp[7412]: F082B1E0180C: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.78, delays=0.08/0.02/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 8CC7C1E01884)
    Jan 22 12:17:07 mhd101 postfix/smtp[7417]: 8CC7C1E01884: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb113) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli
    Jan 22 12:17:08 mhd101 postfix/smtp[7417]: 8CC7C1E01884: to=<[email protected]>, relay=mx-ha03.web.de[212.227.15.17]:25, delay=0.58, delays=0.13/0.01/0.44/0, dsn=4.0.0, status=deferred (host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
    Jan 22 12:22:42 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
    Jan 22 12:22:42 mhd101 postfix/smtp[7767]: 8CC7C1E01884: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb113) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli
    Jan 22 12:22:42 mhd101 postfix/smtp[7767]: 8CC7C1E01884: to=<[email protected]>, relay=mx-ha03.web.de[212.227.15.17]:25, delay=335, delays=335/0/0.45/0, dsn=4.0.0, status=deferred (host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb012) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
    Jan 22 12:32:42 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
    Jan 22 12:32:42 mhd101 postfix/error[8439]: 8CC7C1E01884: to=<[email protected]>, relay=none, delay=935, delays=935/0.01/0/0.02, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
    Jan 22 12:52:42 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
    Jan 22 12:52:42 mhd101 postfix/smtp[9818]: 8CC7C1E01884: host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb010) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli
    Jan 22 12:52:42 mhd101 postfix/smtp[9818]: 8CC7C1E01884: to=<[email protected]>, relay=mx-ha02.web.de[212.227.17.8]:25, delay=2135, delays=2135/0.03/0.45/0, dsn=4.0.0, status=deferred (host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb112) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
    Jan 22 13:32:42 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
    Jan 22 13:32:42 mhd101 postfix/smtp[12641]: 8CC7C1E01884: host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli
    Jan 22 13:32:43 mhd101 postfix/smtp[12641]: 8CC7C1E01884: to=<[email protected]>, relay=mx-ha02.web.de[212.227.17.8]:25, delay=4535, delays=4535/0.03/0.48/0, dsn=4.0.0, status=deferred (host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb111) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
    Jan 22 14:42:42 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
    Jan 22 14:42:43 mhd101 postfix/smtp[17721]: 8CC7C1E01884: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb113) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli
    Jan 22 14:42:43 mhd101 postfix/smtp[17721]: 8CC7C1E01884: to=<[email protected]>, relay=mx-ha03.web.de[212.227.15.17]:25, delay=8736, delays=8735/0.02/0.48/0, dsn=4.0.0, status=deferred (host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
    Jan 22 15:52:43 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
    c=poli)
    i deleted some due to post size limit

    Can you advise how to do so?
    already added this in /etc/php/7.0/apache2/php.ini but phpmail..log empty unless i missed something or doing things .

    normally i deleting the emails from queue is it still necessary to do the above?

    Thanks
     

Share This Page