Too many spam mails being sent from Server.

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Feb 21, 2017.

  1. pawan

    pawan Member HowtoForge Supporter

    There are too many spam mails being sent from the server.
    From the logs I am unable to make out where to plug the gap, which domain is affected, etc.
    Here are some of the mails which were sent to the relay server, but I couldn't make out from which vhost or script they are being sent.
    The ID in the logs for spam as a sample is "[email protected]"
    Code:
    Feb 21 07:32:19 server1 postfix/smtpd[609]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
    Feb 21 07:32:19 server1 postfix/cleanup[615]: warning: regexp map /etc/postfix/header_checks, line 39: Invalid preceding regular expression
    Feb 21 07:32:19 server1 postfix/smtpd[609]: 8C51D604BFC: client=localhost.localdomain[127.0.0.1]
    Feb 21 07:32:19 server1 postfix/cleanup[615]: 8C51D604BFC: message-id=<[email protected]>
    Feb 21 07:32:19 server1 postfix/qmgr[4548]: 77EEB6049DB: from=<[email protected]>, size=1937, nrcpt=1 (queue active)
    Feb 21 07:32:19 server1 postfix/qmgr[4548]: 77F4F604BD3: from=<[email protected]>, size=1946, nrcpt=1 (queue active)
    Feb 21 07:32:19 server1 postfix/qmgr[4548]: 77EC160017E: from=<[email protected]>, size=1940, nrcpt=1 (queue active)
    Feb 21 07:32:19 server1 postfix/qmgr[4548]: 8C51D604BFC: from=<[email protected]>, size=1913, nrcpt=1 (queue active)
    
    Feb 21 07:32:42 server1 postfix/qmgr[4548]: 0D3356049DB: from=<[email protected]>, size=2420, nrcpt=1 (queue active)
    Feb 21 07:32:42 server1 amavis[9605]: (09605-03) Passed CLEAN, ORIGINATING LOCAL [127.0.0.1] [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: nDhCmX15ener, Hits: 4.167, size: 1910, queued_as: 0D3356049DB, 10676 ms
    Feb 21 07:32:42 server1 postfix/smtp[617]: 8C51D604BFC: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=23, delays=0.08/12/0/11, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10027): 250 2.0.0 Ok: queued as 0D3356049DB)
    Feb 21 07:32:42 server1 postfix/qmgr[4548]: 8C51D604BFC: removed
    Feb 21 07:32:44 server1 postfix/smtpd[602]: connect from o1.p4.mailjet.com[178.33.221.1]
    Feb 21 07:32:45 server1 postfix/smtp[626]: 0D3356049DB: to=<[email protected]>, relay=smtp-ovhfr10.mailjet.com[5.196.43.129]:25, delay=3.1, delays=0.08/0/2.5/0.59, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A7A181B600E2)
    Feb 21 07:32:45 server1 postfix/qmgr[4548]: 0D3356049DB: removed
    Feb 21 07:32:46 server1 postfix/smtpd[602]: NOQUEUE: filter: RCPT from o1.p4.mailjet.com[178.33.221.1]: <[email protected]om>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]om> to=<[email protected]> proto=ESMTP helo=<o1.p4.mailjet.com>
    Feb 21 07:32:46 server1 postfix/smtpd[602]: NOQUEUE: filter: RCPT from o1.p4.mailjet.com[178.33.221.1]: <[email protected]om>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<[email protected]om> to=<[email protected]> proto=ESMTP helo=<o1.p4.mailjet.com>
    Feb 21 07:32:46 server1 postfix/smtpd[602]: 16D826049DB: client=o1.p4.mailjet.com[178.33.221.1]
    Feb 21 07:32:46 server1 postfix/smtpd[609]: connect from o1.p4.mailjet.com[178.33.221.1]
    Feb 21 07:32:46 server1 postfix/cleanup[608]: 16D826049DB: message-id=<[email protected]>
    Feb 21 07:32:46 server1 postfix/qmgr[4548]: 16D826049DB: from=<[email protected]om>, size=9295, nrcpt=1 (queue active)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look at the mails in the mail queue with the postcat command; in the mail headers you can most likely see which website or mail account has sent them.
     
  3. pawan

    pawan Member HowtoForge Supporter

    I have tried to run the "postcat" command in the terminal. The cursor just keeps blinking. If I hit enter again,
    I get: postcat: warning: stdin: input is not a valid queue file.

    I also tried to log the headers using phpmail.log.
    But the changes I am making in /etc/php5/apache2/php.ini and /etc/php5/cgi/php.ini (restarted Apache; not using PHP-FPM)
    are not reflected in phpinfo() for any of the websites.
    I have also tried to run the resync in the Tools menu, but that also doesn't have any effect.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Postcat works like this:

    1) List the mails in your mail queue with:

    postqueue -p

    Pick the ID of a mail (the ID is the char/number string that is displayed at the start of each email line). Then use:

    postcat -q ID

    where ID is the ID of that mail, to view its content.
     
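A worked version of the two steps above, added here as an example (mine, not from the thread and not ISPConfig code): it parses `postqueue -p` output into records, groups them by sender domain so a domain you do not host stands out, and reads a `postcat -q ID` dump for the three things that identify the submitter: the `log_client_address` envelope attribute, the first Received header, and the `X-PHP-Originating-Script` header PHP adds when `mail.add_x_header` is On. Both sample outputs are constructed in the format of those commands; addresses, uid 5161 and the script name are made up.

```python
"""Queue triage for the two steps above: parse `postqueue -p`, then read a
`postcat -q ID` dump for who handed the message to Postfix.

Added example, not from the thread or from ISPConfig. Both sample outputs
are constructed in the format of those commands; addresses, uid 5161 and
the script name are made up.
"""
import re
from collections import Counter
from email import message_from_string

# '*' = active, '!' = on hold, no mark = deferred (reason follows in parentheses)
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
54E07604CCB*    2962 Sun Feb 26 16:06:18  promo@notmydomain.example
                                         victim1@example.com

A1CC0604C9F!    2992 Sun Feb 26 16:06:19  promo@notmydomain.example
                                         victim2@example.org

3F2A1604D01     1840 Sun Feb 26 16:07:02  promo@notmydomain.example
(host mx.example.org[192.0.2.10] said: 450 4.7.1 try again later)
                                         victim3@example.org

-- 7 Kbytes in 3 Requests.
"""
QUEUE_LINE = re.compile(
    r"^(?P<id>[0-9A-Za-z]{6,})(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$")
STATUS = {"*": "active", "!": "hold", "": "deferred"}


def parse_postqueue(text):
    """One dict per queued message; 'Mail queue is empty' gives []."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := QUEUE_LINE.match(line):
            cur = {"id": m["id"], "status": STATUS[m["flag"]], "size": int(m["size"]),
                   "arrival": m["arrival"], "sender": m["sender"], "recipients": [], "reason": None}
            entries.append(cur)
        elif cur is None or not line.strip():
            cur = None                                  # header, separator or trailer
        elif line.startswith("("):
            cur["reason"] = line.strip("() ")
        elif line.startswith(" "):
            cur["recipients"].append(line.strip())
    return entries


def senders_by_domain(entries):
    """Which sender domains fill the queue; a domain you do not host stands out."""
    return Counter(e["sender"].rpartition("@")[2].lower() for e in entries)


# Constructed `postcat -q 54E07604CCB` dump, cut to the parts that matter.
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS active/54E07604CCB ***
sender: promo@notmydomain.example
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
recipient: victim1@example.com
*** MESSAGE CONTENTS active/54E07604CCB ***
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
\tby server1.example.net (Postfix) with SMTP id 54E07604CCB
\tfor <victim1@example.com>; Sun, 26 Feb 2017 16:06:18 +0530 (IST)
X-PHP-Originating-Script: 5161:class.phpmailer.php
Message-ID: <4bd2e0f4c7@server1.example.net>
From: "Promo" <promo@notmydomain.example>
To: victim1@example.com
Subject: constructed sample

(body omitted)
*** HEADER EXTRACTED active/54E07604CCB ***
*** MESSAGE FILE END ***
"""


def postcat_submitter(dump):
    """Envelope sender, the client that handed the message in, and the PHP
    uid/script if PHP stamped it (mail.add_x_header=On)."""
    env, _, rest = dump.partition("*** MESSAGE CONTENTS")
    msg = message_from_string(rest.split("\n", 1)[1].split("*** HEADER EXTRACTED")[0])
    m = re.search(r"^sender: (\S*)$", env, re.M)
    c = re.search(r"log_client_address=(\S+)", env)        # present for SMTP submissions
    info = {"sender": m.group(1) if m else None, "client": c.group(1) if c else None,
            "uid": None, "script": None, "message_id": msg.get("Message-ID")}
    if xphp := msg.get("X-PHP-Originating-Script"):          # "uid:script.php"
        uid, _, info["script"] = xphp.partition(":")
        info["uid"] = int(uid)
    if received := msg.get_all("Received"):
        first_hop = received[-1]                              # last header = first hop
        if u := re.search(r"from userid (\d+)", first_hop):   # sendmail/pickup path
            info["client"], info["uid"] = "local pickup", info["uid"] or int(u.group(1))
        elif (h := re.search(r"\[([0-9a-fA-F.:]+)\]\)", first_hop)) and not info["client"]:
            info["client"] = h.group(1)
    return info


if __name__ == "__main__":
    queue = parse_postqueue(SAMPLE_QUEUE)
    print(dict(senders_by_domain(queue)))
    print(postcat_submitter(SAMPLE_POSTCAT))
```

On the server, save the real output (`postqueue -p > q.txt; postcat -q ID > m.txt`) and call the two functions on the file contents. `parse_postqueue` returns an empty list for "Mail queue is empty", which is what pawan reports further down: when the smarthost accepts mail as fast as it is submitted, the queue is transient and mail.log is the record to work from.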
  5. pawan

    pawan Member HowtoForge Supporter

    The first command, postqueue -p,
    returns: Mail queue is empty.
    This means that at the time of checking it is empty.
    But I am getting notifications from the relay SMTP host for mails being sent in huge numbers with a sending mail address which doesn't form part of any of my domains.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you see the mails being sent when you look at the /var/log/mail.log (or /var/log/maillog on CentOS) file of the system?
     
  7. pawan

    pawan Member HowtoForge Supporter

    Yes, in mail.log there are so many mails, as per my first post.
    Only I am not able to make out from where they are originating.
     
  8. pawan

    pawan Member HowtoForge Supporter

    Hi Till, please help me eliminate this problem. There are so many spam mails going out from the system.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    There should be mails in the mail queue when you can see them in the mail.log file. Check the mail queue with the command:

    postqueue -p

    again and then check one of the mails with postcat as described above.
     
  10. pawan

    pawan Member HowtoForge Supporter

    I am still getting the result from "postqueue -p" as empty.
    Below is a portion of the mail.log file.
    Code:
    Feb 26 16:06:16 server1 postfix/smtpd[14815]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
    Feb 26 16:06:16 server1 postfix/cleanup[17880]: warning: regexp map /etc/postfix/header_checks, line 39: Invalid preceding regular expression
    Feb 26 16:06:16 server1 postfix/smtpd[14815]: A76CB604C9F: client=localhost.localdomain[127.0.0.1]
    Feb 26 16:06:16 server1 postfix/smtpd[17881]: connect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:16 server1 postfix/cleanup[17880]: A76CB604C9F: message-id=<[email protected]>
    Feb 26 16:06:16 server1 postfix/smtpd[17882]: connect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:16 server1 postfix/smtpd[17879]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
    Feb 26 16:06:16 server1 postfix/cleanup[17884]: warning: regexp map /etc/postfix/header_checks, line 39: Invalid preceding regular expression
    Feb 26 16:06:16 server1 postfix/smtpd[17879]: B7480604CA7: client=localhost.localdomain[127.0.0.1]
    Feb 26 16:06:16 server1 postfix/smtpd[17881]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
    Feb 26 16:06:16 server1 postfix/qmgr[4548]: A76CB604C9F: from=<[email protected]>, size=2448, nrcpt=1 (queue active)
    Feb 26 16:06:16 server1 postfix/smtpd[17881]: B944F604CAD: client=localhost.localdomain[127.0.0.1]
    Feb 26 16:06:16 server1 postfix/smtpd[14815]: disconnect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:16 server1 postfix/cleanup[17884]: B7480604CA7: message-id=<[email protected]>
    Feb 26 16:06:16 server1 postfix/cleanup[17880]: B944F604CAD: message-id=<[email protected]>
    Feb 26 16:06:16 server1 postfix/smtpd[17882]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
    Feb 26 16:06:16 server1 postfix/cleanup[17889]: warning: regexp map /etc/postfix/header_checks, line 39: Invalid preceding regular expression
    Feb 26 16:06:16 server1 postfix/smtpd[17882]: C9793604CC8: client=localhost.localdomain[127.0.0.1]
    Feb 26 16:06:16 server1 postfix/smtpd[17879]: disconnect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:16 server1 postfix/cleanup[17889]: C9793604CC8: message-id=<[email protected]>
    Feb 26 16:06:16 server1 postfix/qmgr[4548]: B7480604CA7: from=<[email protected]>, size=2455, nrcpt=1 (queue active)
    Feb 26 16:06:16 server1 postfix/qmgr[4548]: C9793604CC8: from=<[email protected]>, size=2475, nrcpt=1 (queue active)
    Feb 26 16:06:16 server1 postfix/qmgr[4548]: B944F604CAD: from=<[email protected]>, size=2501, nrcpt=1 (queue active)
    Feb 26 16:06:17 server1 postfix/smtpd[17881]: disconnect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:17 server1 postfix/smtpd[17882]: disconnect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:18 server1 postfix/smtpd[17895]: connect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:18 server1 postfix/smtpd[17895]: 54E07604CCB: client=localhost.localdomain[127.0.0.1]
    Feb 26 16:06:18 server1 postfix/cleanup[17884]: 54E07604CCB: message-id=<[email protected]>
    Feb 26 16:06:18 server1 postfix/smtpd[17896]: connect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:18 server1 postfix/smtpd[17896]: 65D1C604CCD: client=localhost.localdomain[127.0.0.1]
    Feb 26 16:06:18 server1 postfix/cleanup[17880]: 65D1C604CCD: message-id=<[email protected]>
    Feb 26 16:06:18 server1 postfix/qmgr[4548]: 54E07604CCB: from=<[email protected]>, size=2962, nrcpt=1 (queue active)
    Feb 26 16:06:18 server1 postfix/qmgr[4548]: 65D1C604CCD: from=<[email protected]>, size=2957, nrcpt=1 (queue active)
    Feb 26 16:06:18 server1 postfix/smtpd[17895]: disconnect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:18 server1 amavis[29322]: (29322-06) Passed CLEAN, ORIGINATING LOCAL [127.0.0.1] [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: EgCwWKO87XdT, Hits: 3.551, size: 2450, queued_as: 54E07604CCB, 1568 ms
    Feb 26 16:06:18 server1 postfix/smtp[17892]: B7480604CA7: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.7, delays=0.15/0.01/0/1.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10027): 250 2.0.0 Ok: queued as 54E07604CCB)
    Feb 26 16:06:18 server1 postfix/qmgr[4548]: B7480604CA7: removed
    Feb 26 16:06:18 server1 postfix/smtpd[17896]: disconnect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:18 server1 amavis[30759]: (30759-07) Passed CLEAN, ORIGINATING LOCAL [127.0.0.1] [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: uWXZoPrXwMaV, Hits: 3.551, size: 2443, queued_as: 65D1C604CCD, 1758 ms
    Feb 26 16:06:18 server1 postfix/smtp[17886]: A76CB604C9F: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.9, delays=0.1/0.01/0/1.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10027): 250 2.0.0 Ok: queued as 65D1C604CCD)
    Feb 26 16:06:18 server1 postfix/qmgr[4548]: A76CB604C9F: removed
    Feb 26 16:06:19 server1 postfix/smtpd[17895]: connect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:19 server1 postfix/smtpd[17895]: A1CC0604C9F: client=localhost.localdomain[127.0.0.1]
    Feb 26 16:06:19 server1 postfix/cleanup[17889]: A1CC0604C9F: message-id=<[email protected]>
    Feb 26 16:06:19 server1 amavis[29322]: (29322-07) Passed CLEAN, ORIGINATING LOCAL [127.0.0.1] [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: CEpLLoZ67Zb4, Hits: 3.551, size: 2470, queued_as: A1CC0604C9F, 1120 ms
    Feb 26 16:06:19 server1 postfix/smtp[17892]: C9793604CC8: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.9, delays=0.08/1.6/0.14/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10027): 250 2.0.0 Ok: queued as A1CC0604C9F)
    Feb 26 16:06:19 server1 postfix/qmgr[4548]: A1CC0604C9F: from=<[email protected]>, size=2992, nrcpt=1 (queue active)
    Feb 26 16:06:19 server1 postfix/qmgr[4548]: C9793604CC8: removed
    Feb 26 16:06:20 server1 postfix/smtpd[17896]: connect from localhost.localdomain[127.0.0.1]
    Feb 26 16:06:20 server1 postfix/smtpd[17896]: 72B38604CA7: client=localhost.localdomain[127.0.0.1]
    Feb 26 16:06:20 server1 postfix/cleanup[17884]: 72B38604CA7: message-id=<[email protected]>
    Feb 26 16:06:20 server1 postfix/qmgr[4548]: 72B38604CA7: from=<[email protected]>, size=3022, nrcpt=1 (queue active)
    Feb 26 16:06:20 server1 amavis[30759]: (30759-08) Passed CLEAN, ORIGINATING LOCAL [127.0.0.1] [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: jcjwwn5+7Bbl, Hits: 3.551, size: 2496, queued_as: 72B38604CA7, 1941 ms
    Feb 26 16:06:20 server1 postfix/smtp[17886]: B944F604CAD: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=3.8, delays=0.14/1.7/0/1.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10027): 250 2.0.0 Ok: queued as 72B38604CA7)
    Feb 26 16:06:20 server1 postfix/qmgr[4548]: B944F604CAD: removed
    Feb 26 16:06:23 server1 postfix/smtp[17899]: 54E07604CCB: to=<[email protected]>, relay=smtp-ovhfr10.mailjet.com[5.196.43.129]:25, delay=4.8, delays=0.09/0.06/4.1/0.56, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9E8E41CC00CF)
    Feb 26 16:06:23 server1 postfix/qmgr[4548]: 54E07604CCB: removed
    Feb 26 16:06:23 server1 postfix/smtp[17904]: A1CC0604C9F: to=<[email protected]>, relay=smtp-ovhfr8.mailjet.com[46.105.54.204]:25, delay=3.6, delays=0.04/0.03/2.9/0.54, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B96C71B6014C)
    Feb 26 16:06:23 server1 postfix/qmgr[4548]: A1CC0604C9F: removed
    Feb 26 16:06:23 server1 postfix/smtp[17901]: 65D1C604CCD: to=<[email protected]>, relay=smtp-ovhfr10.mailjet.com[5.196.43.129]:25, delay=5.2, delays=0.02/0.16/4.5/0.56, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 28BDF2E400C8)
    Feb 26 16:06:23 server1 postfix/qmgr[4548]: 65D1C604CCD: removed
    Feb 26 16:06:23 server1 postfix/smtp[17905]: 72B38604CA7: to=<[email protected]>, relay=smtp-ovhfr8.mailjet.com[46.105.54.204]:25, delay=3.3, delays=0.06/0.04/2.7/0.54, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5044E20E00EA)
    "pleasuresandpassions.com" is not a domain on my server,
    but I am getting notifications from the mailjet SMTP server that mail is being sent from this domain.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look at your processes, e.g. with the top command. Do you see any unusual load from PHP processes? If yes, then check the log of the website that belongs to the "webID" user that these PHP processes are running as. If you see a lot of POST requests in the access.log, then you have probably found the spam-sending site.

    Besides that, did you check the websites for malware, e.g. with the free ISPProtect trial version?
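The access.log half of that advice, as an added example (mine, not from the thread and not ISPConfig code): once `top` shows which webNN user is busy, run this over that site's access log (`/var/log/ispconfig/httpd/<domain>/access.log` on an ISPConfig host) to find the path receiving bursts of POST requests, and flag it if it is a PHP file under an upload or cache directory, which is where dropped mailer scripts usually live. The log lines are constructed in Apache combined format; IPs, paths and times are made up, and the directory list is a heuristic.

```python
"""Find the spam-sending site from a web server access log: a bulk mailer
dropped into a site is driven by bursts of POST requests to one PHP file,
often in a directory that should hold no PHP at all.

Added example, not from the thread or from ISPConfig. SAMPLE_LOG is
constructed in Apache combined format; IPs, paths and times are made up,
and UPLOAD_DIRS is a heuristic list of CMS upload/cache directory names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_DIRS = {"images", "cache", "tmp", "media", "logs", "uploads", "files"}


def parse_access_line(line):
    """Combined-format line -> dict, or None for anything else."""
    if not (m := LOG_RE.match(line)):
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


def suspicious_upload_php(path):
    """True for paths like /images/stories/tmp.php: a PHP file under an upload dir."""
    parts = path.lstrip("/").split("/")
    return parts[-1].endswith(".php") and bool(UPLOAD_DIRS & set(parts[:-1]))


def post_bursts(lines, window=timedelta(minutes=5), threshold=10):
    """Paths that receive at least `threshold` POSTs inside any `window`, busiest first."""
    by_path = defaultdict(list)
    for line in lines:
        if (r := parse_access_line(line)) and r["method"] == "POST":
            by_path[r["path"]].append(r)
    findings = []
    for path, reqs in by_path.items():
        reqs.sort(key=lambda r: r["ts"])
        peak = j = 0
        for i, r in enumerate(reqs):                 # sliding window over timestamps
            while r["ts"] - reqs[j]["ts"] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            findings.append({"path": path, "peak": peak, "total": len(reqs),
                             "client_ips": len({r["ip"] for r in reqs}),
                             "status_200": sum(r["status"] == 200 for r in reqs),
                             "upload_dir_php": suspicious_upload_php(path)})
    return sorted(findings, key=lambda f: -f["peak"])


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


_T0 = datetime(2017, 2, 26, 16, 5, 0, tzinfo=timezone(timedelta(hours=5, minutes=30)))
# Constructed: 12 POSTs to a dropped mailer in two minutes, normal browsing, two admin logins.
SAMPLE_LOG = (
    [_line("198.51.100.7", _T0 + timedelta(seconds=10 * i), "POST", "/images/stories/tmp.php", 200)
     for i in range(12)]
    + [_line("203.0.113.5", _T0 + timedelta(minutes=i), "GET", "/index.php?option=com_content", 200)
       for i in range(6)]
    + [_line("203.0.113.9", _T0 + timedelta(minutes=m), "POST", "/administrator/index.php", 303)
       for m in (3, 40)])

if __name__ == "__main__":
    for finding in post_bursts(SAMPLE_LOG):
        print(finding)
```

Two admin POSTs half an hour apart never reach the threshold, so only the mailer path is reported; on a real log, read the reported file with `postcat`'s counterpart on disk (`ls -la`, `stat`, `head`) before deleting it, since its modification time and owner tell you which other files were touched in the same intrusion.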
     
  12. pawan

    pawan Member HowtoForge Supporter

    Thanks Till.
    I haven't checked the websites for malware with ISPProtect.
    I will do so.
    I have already found one website with most of its files containing malicious code, and I am restoring the default files.
    However, is there a way I can protect the website from malware?
    When checking this particular website, I couldn't find any file with wrong permissions (that is, they are 755 or 644).
    It's a Joomla site.
    How is it still being hacked?
    What additional precautions should I take to prevent the hacking?
    In this particular website, not only have most of the files been modified (injected with malicious code),
    there are also files which are not part of the setup.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Install the updates of the operating system, the CMS and the CMS plugins regularly to close security holes, and scan the server regularly for malware.

    When there is a security hole in Joomla, then the site can be hacked. That's why it is so important to install the updates of the CMS systems regularly.

    Additionally, you can try mod_security, an Apache security module. But it will give you a lot of false positives when you start, which need to be whitelisted, so it is some work to configure it for each website.

    That's the common way hacked sites get modified: some files get altered and new files get added.
     
  14. pawan

    pawan Member HowtoForge Supporter

    Right Till. Looks like I need to check all the websites thoroughly.
    Since I am unable to locate the source of the spam mails,
    I am trying to use phpmail.log via the php.ini file.
    I have edited the file /etc/php5/cgi/php.ini like this:
    Code:
    mail.add_x_header = On
    mail.log = /var/log/phpmail.log
    But the values in php.ini are not getting updated when checking phpinfo for the relevant website. It is still showing as:
    Code:
    mail.add_x_header = Off
    mail.log = no value
    While looking at phpinfo, the loaded file is like this:
    Code:
    Configuration File (php.ini) Path /etc/php5/cgi
    Loaded Configuration File /var/www/conf/web161/php.ini
    I have also run the resync tool and restarted Apache, to no effect.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    You use a custom php.ini for that site. In this case, you can do the settings for this site in the custom php.ini field in ISPConfig.
     
  16. pawan

    pawan Member HowtoForge Supporter

    Yes, I know that.
    But I want that as a common setting for all the websites, about 100.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    If you use custom php.ini settings, then the custom php.ini is used and not the global one.

    You can try to edit the /etc/apache2/php.ini as well and wait some time. If I remember correctly, the latest ISPConfig versions have code to detect changes in that file and apply them to the custom files.
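For the mail.log / mail.add_x_header route pawan is trying, an added example (mine, not PHP's or ISPConfig's code) that reads PHP's mail log to rank the scripts calling mail() and maps each to its ISPConfig webNN directory, plus a check of the php.ini a site really loads (per the phpinfo output above, `/var/www/conf/webNN/php.ini`) for the two directives. The log lines are constructed in the shape I recall PHP 5 writing, `[date] mail() on [file:line]: To: ... -- Headers: ...`, with PHP 7.1 and later appending ` -- Subject: ...`; the ini snippets are constructed too, and the second one has the directive name pasted into the value, a copy error the checker flags. Paths, uids and domains are made up.

```python
"""Work from PHP's own mail log (mail.log / mail.add_x_header) to pin each
mail() call to a file and line, rank the callers, and check that the
php.ini a site really loads carries the two directives.

Added example, not from the thread, from PHP or from ISPConfig. The log
lines are constructed in the shape I recall PHP 5 writing
("[date] mail() on [file:line]: To: ... -- Headers: ..."; PHP 7.1+ appends
" -- Subject: ..."); the ini snippets are constructed too. Paths, uids and
domains are made up.
"""
import re
from collections import Counter

MAIL_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<file>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*?)(?: -- Subject: (?P<subject>.*))?$")
WEB_RE = re.compile(r"/(web\d+)/")            # ISPConfig site directory, e.g. web161
INI_RE = re.compile(r"^\s*(?P<key>mail\.add_x_header|mail\.log)\s*=\s*(?P<val>[^;]*)")


def parse_phpmail_log(text):
    """One dict per mail() call; lines that are not log entries are skipped."""
    calls = []
    for line in text.splitlines():
        if not (m := MAIL_LOG_RE.match(line)):
            continue
        web = WEB_RE.search(m["file"])
        calls.append({"ts": m["ts"], "file": m["file"], "line": int(m["line"]), "to": m["to"],
                      "headers": m["headers"], "subject": m["subject"],
                      "web": web.group(1) if web else None})
    return calls


def top_scripts(calls, n=5):
    """(file, count) pairs, busiest first: the bulk sender sits at the top."""
    return Counter(c["file"] for c in calls).most_common(n)


def mail_logging_settings(ini_text):
    """Last-wins read of the two directives plus the problems worth flagging:
    header stamping off, log unset, or a value that still contains '='
    (the directive name pasted into the value)."""
    found = {}
    for line in ini_text.splitlines():
        if m := INI_RE.match(line):
            found[m["key"]] = m["val"].strip().strip('"')
    add_x = found.get("mail.add_x_header", "").lower() in ("on", "1", "true", "yes")
    log = found.get("mail.log") or None
    problems = []
    if not add_x:
        problems.append("mail.add_x_header is not On: no X-PHP-Originating-Script header")
    if log is None:
        problems.append("mail.log is not set")
    elif "=" in log:
        problems.append(f"mail.log value {log!r} contains '=': directive typed twice?")
    return {"mail.add_x_header": add_x, "mail.log": log, "problems": problems}


# Constructed log: three calls from a dropped script in one site, one from a
# legitimate contact form in another (PHP 7.1+ style line with Subject).
SAMPLE_PHPMAIL_LOG = """\
[26-Feb-2017 16:06:16 UTC] mail() on [/var/www/clients/client1/web161/web/images/stories/tmp.php:23]: To: victim1@example.com -- Headers: From: Promo <promo@notmydomain.example>
[26-Feb-2017 16:06:16 UTC] mail() on [/var/www/clients/client1/web161/web/images/stories/tmp.php:23]: To: victim2@example.org -- Headers: From: Promo <promo@notmydomain.example>
[26-Feb-2017 16:06:18 UTC] mail() on [/var/www/clients/client1/web161/web/images/stories/tmp.php:23]: To: victim3@example.net -- Headers: From: Promo <promo@notmydomain.example>
[26-Feb-2017 16:09:40 UTC] mail() on [/var/www/clients/client2/web17/web/components/com_contact/controller.php:88]: To: owner@example.com -- Headers: From: site@example.com -- Subject: Contact form
"""
GOOD_INI = """\
; constructed site php.ini
mail.add_x_header = On
mail.log = /var/log/phpmail.log
"""
BAD_INI = """\
mail.add_x_header = On
mail.log = mail.log = /var/log/phpmail.log
"""

if __name__ == "__main__":
    calls = parse_phpmail_log(SAMPLE_PHPMAIL_LOG)
    print(top_scripts(calls))
    print(mail_logging_settings(GOOD_INI), mail_logging_settings(BAD_INI))
```

Run `mail_logging_settings` over every `/var/www/conf/web*/php.ini` on the host to see which of the ~100 sites actually picked the directives up; a site whose custom php.ini lacks them is the one whose mail() calls will be missing from the log.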
     
  18. muekno

    muekno Member HowtoForge Supporter

    As you say the mails are not from your domain; to me that looks like you have an open mail relay, which some spammers use. You should check this first, e.g. see http://www.mailradar.com/openrelay/

    Rainer
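You can also answer the open-relay question from the mail.log already posted rather than from an external scanner; here is an added example (mine, not from the thread and not ISPConfig code) that classifies each message by how it entered Postfix. A message from a domain you do not host whose first smtpd line says `client=localhost.localdomain[127.0.0.1]`, or that arrived via pickup (the sendmail path PHP's mail() uses), was handed in by a process on the server; an open relay shows an outside client address with no `sasl_username` and a recipient you do not host. The sample log is constructed to follow the shape of pawan's lines (content filter on 127.0.0.1, the `queued as NEWID` re-injection, an external smarthost); hosts, IPs, uids and domains are made up.

```python
"""Classify every message in a Postfix mail.log by its entry point.

Added example, not from the thread or from ISPConfig. SAMPLE_LOG is
constructed after the lines posted in this thread (content filter on
127.0.0.1, "queued as NEWID" re-injection, external smarthost); hosts,
IPs, uids and domains are made up.
"""
import re
from collections import Counter
from ipaddress import ip_address

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[\w/-]+)\[\d+\]: (?P<rest>.*)$")
CLIENT_RE = re.compile(r"^(?P<q>\w+): client=(?P<name>[^\[]+)\[(?P<ip>[^\]]+)\](?:.*sasl_username=(?P<user>\S+))?")
PICKUP_RE = re.compile(r"^(?P<q>\w+): uid=(?P<uid>\d+) from=<")        # local sendmail submission
FROM_RE = re.compile(r"^(?P<q>\w+): from=<(?P<sender>[^>]*)>, size=")
TO_RE = re.compile(r"^(?P<q>\w+): to=<(?P<rcpt>[^>]*)>")
# delivery to the content filter on loopback that came back under a new queue ID
REQUEUE_RE = re.compile(r"^\w+: to=<[^>]*>, relay=127\.0\.0\.1\[127\.0\.0\.1\]:\d+.*queued as (?P<new>\w+)\)$")

HOSTED = {"mysite.example", "server1.example.net"}   # constructed: domains this server hosts


def classify_client(name, ip):
    """smtpd client on loopback = a process on this box, anything else = external."""
    try:
        loop = ip_address(ip).is_loopback
    except ValueError:
        loop = False
    return "local-smtp" if loop else f"external:{name}[{ip}]"


def message_origins(log_text, hosted_domains):
    """{queue_id: info} for each message as first accepted; the copy the content
    filter hands back is folded into its parent so nothing is counted twice."""
    msgs, child_of = {}, {}
    rec = lambda q: msgs.setdefault(q, {"origin": None, "sasl": None, "sender": None, "rcpts": []})
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        prog, rest = m["prog"], m["rest"]
        if prog == "postfix/smtpd" and (c := CLIENT_RE.match(rest)):
            rec(c["q"]).update(origin=classify_client(c["name"], c["ip"]), sasl=c["user"])
        elif prog == "postfix/pickup" and (p := PICKUP_RE.match(rest)):
            rec(p["q"])["origin"] = f"local-pickup uid={p['uid']}"
        elif prog == "postfix/qmgr" and (f := FROM_RE.match(rest)):
            rec(f["q"])["sender"] = f["sender"]
        elif prog.startswith("postfix/") and (t := TO_RE.match(rest)):
            rec(t["q"])["rcpts"].append(t["rcpt"])
            if r := REQUEUE_RE.match(rest):
                child_of[r["new"]] = t["q"]
    h = {d.lower() for d in hosted_domains}
    dom = lambda addr: addr.rpartition("@")[2].lower()
    out = {}
    for q, r in msgs.items():
        if q in child_of or r["origin"] is None:
            continue
        outbound = any(dom(a) not in h for a in r["rcpts"])
        if r["sasl"]:
            cat = "authenticated-submission"      # a mail account, possibly a stolen password
        elif r["origin"].startswith("local"):
            cat = "local-submission"              # script or cron job on this server
        elif outbound:
            cat = "open-relay"                    # outsider, no auth, foreign recipient
        else:
            cat = "inbound"
        out[q] = {"origin": r["origin"], "sasl": r["sasl"], "sender": r["sender"],
                  "recipients": r["rcpts"], "outbound": outbound, "category": cat,
                  "sender_hosted": dom(r["sender"] or "") in h}
    return out


def summarize(origins):
    """Outbound messages by (category, sender domain hosted?); this thread's
    symptom is ('local-submission', False), a true open relay ('open-relay', False)."""
    return Counter((o["category"], o["sender_hosted"]) for o in origins.values() if o["outbound"])


SAMPLE_LOG = """\
Feb 26 16:06:16 server1 postfix/smtpd[17879]: B7480604CA7: client=localhost.localdomain[127.0.0.1]
Feb 26 16:06:16 server1 postfix/qmgr[4548]: B7480604CA7: from=<promo@notmydomain.example>, size=2455, nrcpt=1 (queue active)
Feb 26 16:06:18 server1 postfix/smtp[17892]: B7480604CA7: to=<victim1@example.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10027): 250 2.0.0 Ok: queued as 54E07604CCB)
Feb 26 16:06:18 server1 postfix/smtpd[17895]: 54E07604CCB: client=localhost.localdomain[127.0.0.1]
Feb 26 16:06:18 server1 postfix/qmgr[4548]: 54E07604CCB: from=<promo@notmydomain.example>, size=2962, nrcpt=1 (queue active)
Feb 26 16:06:23 server1 postfix/smtp[17899]: 54E07604CCB: to=<victim1@example.com>, relay=smarthost.example[192.0.2.25]:25, delay=4.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9E8E41CC00CF)
Feb 26 16:07:01 server1 postfix/pickup[3201]: 1A2B3604D10: uid=5161 from=<web161@server1.example.net>
Feb 26 16:07:01 server1 postfix/qmgr[4548]: 1A2B3604D10: from=<web161@server1.example.net>, size=1802, nrcpt=1 (queue active)
Feb 26 16:07:03 server1 postfix/smtp[17899]: 1A2B3604D10: to=<victim2@example.org>, relay=smarthost.example[192.0.2.25]:25, delay=2.0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4F5E61CC0101)
Feb 26 16:08:10 server1 postfix/smtpd[17910]: 7A8B9604D20: client=mail-out.example.org[198.51.100.20]
Feb 26 16:08:10 server1 postfix/qmgr[4548]: 7A8B9604D20: from=<friend@example.org>, size=9295, nrcpt=1 (queue active)
Feb 26 16:08:11 server1 postfix/pipe[17920]: 7A8B9604D20: to=<info@mysite.example>, relay=dovecot, delay=0.3, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb 26 16:08:40 server1 postfix/smtpd[17930]: 5D6E7604D40: client=unknown[203.0.113.50], sasl_method=PLAIN, sasl_username=user@mysite.example
Feb 26 16:08:40 server1 postfix/qmgr[4548]: 5D6E7604D40: from=<user@mysite.example>, size=1300, nrcpt=1 (queue active)
Feb 26 16:08:42 server1 postfix/smtp[17899]: 5D6E7604D40: to=<colleague@example.net>, relay=smarthost.example[192.0.2.25]:25, delay=1.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1C2D31CC0177)
Feb 26 16:09:00 server1 postfix/smtpd[17930]: 9C0DE604D30: client=unknown[203.0.113.77]
Feb 26 16:09:00 server1 postfix/qmgr[4548]: 9C0DE604D30: from=<promo@notmydomain.example>, size=1500, nrcpt=1 (queue active)
Feb 26 16:09:01 server1 postfix/smtp[17892]: 9C0DE604D30: to=<victim3@example.net>, relay=smarthost.example[192.0.2.25]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7E8F91CC0190)
"""

if __name__ == "__main__":
    origins = message_origins(SAMPLE_LOG, HOSTED)
    for q, o in origins.items():
        print(q, o["category"], o["origin"], o["sender"])
    print(summarize(origins))
```

Run it as `message_origins(open("/var/log/mail.log").read(), {your domains})` with the domains ISPConfig hosts plus the server's own hostname. In the log pawan posted every spam message starts with `client=localhost.localdomain[127.0.0.1]` and amavis marks it `ORIGINATING LOCAL`, which this classifier files under `local-submission`; an open relay would instead produce `open-relay` entries with outside client addresses, and `authenticated-submission` entries point at a mailbox whose password should be changed.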
     
