Spam mitigation outgoing mail from php script scan

Discussion in 'General' started by Thaddeus, Jun 16, 2017.

  1. Thaddeus

    Thaddeus New Member HowtoForge Supporter

    After a spam outbreak from a compromised site on one of my Ispconfig servers I set out to prevent outbreaks.
    One thing I did was to lock down port 25 to mail and mailman groups and disable php mail() function. I also changed the sendmail path in php.ini to use a second postfix instance and installed cluebringer to ratelimit mail on the second postfix instance, so that legitimate mail from php scripts can still pass.

    The setup looks like this
    Code:
                                                                     cbpolicy             amavisd
                                                                          |                      |
    Mail from  php script-------> sendmail (postfix instance2 port2525) ---------------->Main postfix  --->Mailbox
                                                                                                  |
                                                                                              Clamav
    
    
    main.cf second postfix instance
    Code:
    data_directory = /var/lib/postfix-2525
    queue_directory = /var/spool/postfix-2525
    relayhost = 127.0.0.1:12525
    multi_instance_name = postfix-2525
    multi_instance_enable = yes
    smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10031
    

    master.cf second postfix instance

    Code:
    127.0.0.1:2525      inet  n       -       -       -       2       smtpd
            -o syslog_name=postfix2525
    pickup    fifo  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       -       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay     unix  -       -       -       -       -       smtp
            -o smtp_fallback_relay=
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    
    I know both out going and incoming mail is scanned, so in this setup will the mail from the php script be scanned as well or are there some changes that might required?
    Thanks
     
    Last edited: Jun 16, 2017
    SamTzu likes this.
  2. SamTzu

    SamTzu Member HowtoForge Supporter

    One fairly easy way to "control" SMTP que is with Webmin. It has a built in "System and Server Status" monitor that we use to email an alert to our SMS account (on https://www.clicksend.com.) Set the "Mail Queue Size" alert on Webmin for 100 or so and you will get email alert every time some account starts to SPAM. Have that email sent to your SMS provider (Clicksend.) Then disable SPAM account and use the script below to remove all email in the que from the spammer. (Remeber to check "Email SMS Allowed Addresses" on Clicksend settings otherwise you wont get SMS alert.) For additional security we built a relay SMTP server that only sends 100 emails in a minute. ISPconfig has the Webmin alert that pushes the email alert and you will probably only leak a few hundred SPAM mails if you react quickly while the SPAM is queued in the SMTP servers outbound que. For more additional security you can config Postfix main.cf on ISPconfig to send 100 emails per minute and only half of that on the SMTP relay server. That way ISPConfig wont collect the SPAM in it's que but SMTP relay will. Webmin is a lot easier to configure for monitoring and alerts than ZenOSS.

    Code:
    root@smtp1:~# spam-que-del.sh
    
    #!/usr/bin/perl
    #Use this script below to remove all email in the que from the spammer. Works with all Debian based systems.
    #Save this script and change it with command "chmod 755 spam-que-del.sh" (makes the script executable). Now you can run the following command
    #./spam-que-del.sh MYSPAMDOMAIN.COM which will delete all myspamdomain.com mails from the mailque.
    #./spam-que-del.sh SPAMUSER which will delete all queued messages that contain the word "spamuser" in the e-mail address.
    
    $REGEXP = shift || die "no email-adress given (regexp-style, e.g. bl.*\@gmail.com)!";
    @data = qx</usr/sbin/postqueue -p>;
    for (@data) {
      if (/^(\w+)(\*|\!)?\s/) {
         $queue_id = $1;
      }
      if($queue_id) {
        if (/$REGEXP/i) {
          $Q{$queue_id} = 1;
          $queue_id = "";
        }
      }
    }
    open(POSTSUPER,"|postsuper -d -") || die "couldn't open postsuper" ;
    foreach (keys %Q) {
      print POSTSUPER "$_\n";
    };
    close(POSTSUPER);
    
     
    Last edited: Jun 16, 2017
    ahrasis likes this.

Share This Page