users getting spam emails from server

Discussion in 'Installation/Configuration' started by mattltm, Jul 2, 2013.

  1. mattltm

    mattltm Member

    Some of my users have started receiving spam emails that look like they are coming from the mail server. They are addressed from [email protected]

    Is there anything I can do to stop this?
  2. sjau

    sjau Local Meanie Moderator

    you could add headers to check where it's sent from... it's probably a some php script that's getting abused.
  3. mattltm

    mattltm Member

    Add headers?

    Do you mean check the headers on the email?

    This is the email header:

    Return-Path: <[email protected]>
    From: <[email protected]>
    To: <[email protected]>
    Subject: ***SPAM***Tax Refund New Message Alert!
    Date: Tue, 2 Jul 2013 03:32:01 +0100
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    X-Mailer: Microsoft Outlook 14.0
    Thread-Index: AQFXOcqxYQyb3TjOkfCwYK4CVpWOYQ==
    Last edited: Jul 2, 2013
  4. sjau

    sjau Local Meanie Moderator

    you can tell php to add a header that shows the script path of a php script that sent the email.
  5. mattltm

    mattltm Member

    Oh, right.

    Do you have a link where I can find out how to do that?
  6. sjau

    sjau Local Meanie Moderator

    Google knows
  7. mattltm

    mattltm Member

    Lol. That's great :rolleyes:

    For anyone else who checks this thread and wants to know without wondering what google search string to use (a lot of results are for adding additional headers using the mail() function), it's the following line in your php.ini file:

    ;Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
    mail.add_x_header = On
    Mine is set to "On" so I guess this email is not coming from a script being abused on my server as it does not contain the "X-PHP-Originating-Script" string in the header.

    Any other guesses as to where it's coming from and how to stop it?
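    As an added example (not code from the thread), a small Python checker for the attribution logic used in this post: it looks for the X-PHP-Originating-Script header that PHP adds when mail.add_x_header = On, and otherwise flags a From address in one of your own domains as a spoofed local sender. The sample messages and the LOCAL_DOMAINS set are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Sample messages constructed for this example (placeholder addresses, not the
# thread's). The first carries the header PHP adds when mail.add_x_header = On,
# in PHP's "uid:script-basename" format; the second has the shape the thread
# describes: a spoofed local sender and no PHP header at all.
FROM_LOCAL_SCRIPT = """Return-Path: <www-data@mail.example.com>
From: <postmaster@mail.example.com>
To: <user@example.com>
Subject: Newsletter
X-PHP-Originating-Script: 33:contact-form.php
Message-ID: <1@mail.example.com>

hello
"""

SPOOFED_EXTERNAL = """Return-Path: <postmaster@mail.example.com>
From: <postmaster@mail.example.com>
To: <user@example.com>
Subject: ***SPAM***Tax Refund New Message Alert!
X-Mailer: Microsoft Outlook 14.0
Message-ID: <2@mail.example.com>

click here
"""

LOCAL_DOMAINS = {"mail.example.com"}  # assumption: domains this server hosts


def originating_script(raw):
    """Return (uid, script) from X-PHP-Originating-Script, or None if absent."""
    msg = email.message_from_string(raw, policy=policy.default)
    value = msg.get("X-PHP-Originating-Script")
    if not value:
        return None
    uid, _, script = str(value).strip().partition(":")
    return int(uid), script


def classify(raw):
    """'local-php-script' if PHP mail() on this host sent it, 'spoofed-local-sender'
    if From claims a hosted domain but no PHP header is present, else 'other'."""
    if originating_script(raw) is not None:
        return "local-php-script"
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return "spoofed-local-sender" if domain in LOCAL_DOMAINS else "other"
```

    Note that mail.add_x_header only covers mail() going out through the local sendmail; a script that speaks SMTP directly (a mailer library with SMTP transport, for instance) adds no such header, so "spoofed-local-sender" means "not sent via PHP mail() here", not "not from this host".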
  8. sjau

    sjau Local Meanie Moderator

  9. mattltm

    mattltm Member

    Good guess.

    I have no idea how it's happening but it is getting some users very confused as they think it's coming from me!
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Apache mod_security is a good way to protect outdated cms systems from being abused as it tests each http request against a set of generic exploit rules.
  11. mattltm

    mattltm Member

    The only cms that is running on this server is a WordPress install (all up to date with no funky plugins!) but the email headers show that the emails are not coming from a script on the server.

    I have run the following postfix config to see if it helps:

    postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, check_recipient_access mysql:/etc/postfix/, reject_unauth_destination'
    and added:

    under System >> Config >> Mail >> Real-time Blackhole List
