Virus sending spam from the server

Discussion in 'Installation/Configuration' started by Pyanepsion, Aug 14, 2019.

  1. Pyanepsion

    Pyanepsion Member

    Hello,
    • Debian 9.9
    • ISPConfig Version: 3.1.14p2 single
    • Nginx
    The server host has blocked outgoing traffic on port 25 because their Anti-Spam protection has detected a significant spam from one of the IPs.
    Indeed, my server seems contaminated because it sends a lot of spam.
    How to do?

    mail.err
    There are many lines
    then even more
    Mail Queue
    There is a horrendous amount of connections.
     
    Last edited: Aug 15, 2019
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the email headers of one of the spam emails with the postcat command.

    postcat -q ID

    ID has to be replaced with the queue ID of one of the spam emails.

    There are two likely reasons:

    a) A website has been hacked e.g. because it was not up to date and is sending spam now.
    b) One of the mail accounts is misused to send email (weak password or password used for multiple services)
     
    Pyanepsion likes this.
  3. Pyanepsion

    Pyanepsion Member

    I checked all email addresses. One of them is at fault, because its password is weak.
    This offending e-mail address receives notification of receipt. The titles of the messages suggest that this is prostitution. It is mainly in Swedish, Italian and German.

    postcat -q indicates that it is a jpg image.

    The password was indeed very simple. I changed it with a very strong password.
    As soon as I unlocked the IP, the sending of spam started again immediately to be immediately blocked by the host of the server with anyway 103 spam that have had time to be sent in a few seconds.

    So I deactivated the SMTP and activated the gray list.
    It took a few fractions of a second before the server was blocked again.

    Do I have to delete this email address altogether?

    The consequences are a lot of temporary blockages of email (too many connection), but also Wordpress sites with error 500.
    ispconfig-malware-02.png
    and
    ispconfig-malware-03.png
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    If you have addressed the source of the spam (by changing the password), you need to clear old mail from your mail queue, or everything sent prior to that will still be processed/delivered.

    You can run "postsuper -h ALL" to put all mail in the hold queue, then it's safe to start up postfix and process new mail again. After you clean the queued spam, run "postsuper -H ALL" to put everything (all the remaining messages that didn't get removed in your cleanup) back into active queue. With an abused sender account, cleanup is often as simple as "mailq | grep '[email protected]' | cut -f1 -d'!' | postsuper -d -", though you might want to make sure you've got the right messages before blindly running that (eg. try just "mailq | grep '[email protected]' | less" to see what it's about to whack).
     
    Pyanepsion likes this.
  5. Pyanepsion

    Pyanepsion Member

Share This Page