Good afternoon. I ask for help to solve this problem: one of the servers we have running ISPConfig 3 has started sending spam; I think someone used some site with a contact form to do so. But I am not even able to fix or prevent the sending of spam. I attached some extracts from the log:

Code:
Apr 22 16:24:11 nbsd1 postfix/smtpd[11036]: connect from localhost[127.0.0.1]
Apr 22 16:24:11 nbsd1 postfix/smtpd[11036]: 8512394066C: client=localhost[127.0.0.1]
Apr 22 16:24:11 nbsd1 postfix/cleanup[10807]: 8512394066C: message-id=<[email protected] <[email protected]>
Apr 22 16:24:11 nbsd1 postfix/qmgr[3390]: 8512394066C: from=<[email protected]>, size=3758, nrcpt=20 (queue active)
Apr 22 16:24:11 nbsd1 amavis[3487]: (03487-16) Passed CLEAN {RelayedOpenRelay}, [78.154.10.35]:3157 [78.154.10.35] <[email protected]> -> <[email protected]>,<[email protected]m>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<sw[email protected]>,<[email protected]>,<jordsands[email protected]>,<[email protected]>,<kkennedy@randomhouse.com>,<[email protected]>,<lisa[email protected]>,<esilverman@tridentmediagroup.com>,<[email protected]>,<[email protected]>,<nathanferst@verizon.net>,<[email protected]>,<speccop@yahoo.com>,<[email protected]>, Queue-ID: BB4F7940670, Message-ID: <[email protected]>, mail_id: EiCK_MM940Yv, Hits: -0.205, size: 3353, queued_as: 8512394066C, 1907 ms

As you can see, the connection originates from localhost.
These are my postfix settings:

Code:
root@nbsd1:~# postconf -n
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = nbsd1.nanobytes.es, localhost, localhost.localdomain
myhostname = nbsd1.nanobytes.es
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = maildrop
virtual_uid_maps = static:5000

Please help, I'm stuck. Thanks a lot.
Please see here on how to inspect a message with postcat: http://www.howtoforge.com/forums/showthread.php?t=65194 If the message has been sent by a website, then you will find details in the postcat output like the sending PHP script and the detailed message headers.
Hi, this is the output of one of them:

Code:
root@nbsd1:~# postcat /var/spool/postfix/deferred/2/24562940617
*** ENVELOPE RECORDS /var/spool/postfix/deferred/2/24562940617 ***
message_size: 3713 2306 20 0 3713
message_arrival_time: Tue Apr 22 20:11:03 2014
create_time: Tue Apr 22 20:11:03 2014
named_attribute: log_ident=24562940617
named_attribute: rewrite_context=local
sender: [email protected]
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=41314
named_attribute: log_message_origin=localhost[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost
named_attribute: reverse_client_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: client_port=41314
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
*** MESSAGE CONTENTS /var/spool/postfix/deferred/2/24562940617 ***
Received: from localhost (localhost [127.0.0.1])
	by nbsd1.nanobytes.es (Postfix) with ESMTP id 24562940617;
	Tue, 22 Apr 2014 20:11:03 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at nbsd1.nanobytes.es
Received: from nbsd1.nanobytes.es ([127.0.0.1])
	by localhost (nbsd1.nanobytes.es [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id YiepaQO2YaoJ; Tue, 22 Apr 2014 20:11:01 +0200 (CEST)
Received: from aceprensa.com (130-204-133-223.2074264292.ddns.cablebg.net [130.204.133.223])
	(Authenticated sender: [email protected])
	by nbsd1.nanobytes.es (Postfix) with ESMTPA id CADF194054C;
	Tue, 22 Apr 2014 20:10:57 +0200 (CEST)
Message-ID: <[email protected] <[email protected]>
From: [email protected] <[email protected]>
To: "=?ISO-8859-1?Q?jcoulter=40rocketmail.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?gipen=40juno.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?canrod99=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?alwahid=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?steigauf22=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?tvolz=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?slymonee=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?shirlenerunsfast=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?krenjames=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?mjm81us=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?deon20072003=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?buba=5Fgaga=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?monychen=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?nenatwilliams=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?ianderson541=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?beverlybratcher=40sbcglobal.net?=" <[email protected]>,
	"=?ISO-8859-1?Q?native=5Fpride4me=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?heatherashton=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?dayowl13=40yahoo.com?=" <[email protected]>,
	"=?ISO-8859-1?Q?tyrone56us=40yahoo.com?=" <[email protected]>
Subject: Fw:
Date: Mon, 22 Apr 2014 07:10:57 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_95EC_3A50E808.60B12A36"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3522.110

This is a multi-part message in MIME format.

------=_NextPart_000_95EC_3A50E808.60B12A36
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi! People say it works: http://blog.bdesign.eu/gh/like.php
=20
[email protected]
------=_NextPart_000_95EC_3A50E808.60B12A36
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD>
<BODY dir=3Dltr>
<DIV dir=3Dltr>
<DIV style=3D"FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV><FONT face=3DArial><STRONG></STRONG></FONT> </DIV>
<DIV><FONT size=3D4>Hi! P<SPAN lang=3Den id=3Dresult_box =
class=3Dshort_text><SPAN=20
class=3Dhps>eople<EM> </EM>say</SPAN> <SPAN class=3Dhps>it=20
works:</SPAN></SPAN></FONT> <A href=3D"http://blog.bdesign.eu/gh/like.php"><FONT=20
face=3DArial>http://blog.bdesign.eu/gh/like.php</FONT></A></DIV>
<DIV><FONT face=3D"Times New Roman"><STRONG> =
</STRONG></FONT><FONT=20
face=3DCalibri> <EM> </EM></FONT></DIV>
<DIV><FONT size=3D4>[email protected]</FONT></DIV></DIV></DIV></BODY></HTML>

------=_NextPart_000_95EC_3A50E808.60B12A36--
Thread-Index: ARqEIUFDFTd2cXQxMjZ1dW5wc3Rmdg==
*** HEADER EXTRACTED /var/spool/postfix/deferred/2/24562940617 ***
named_attribute: encoding=7bit
*** MESSAGE FILE END /var/spool/postfix/deferred/2/24562940617 ***
I checked the deferred mails (I have sent a log but it is pending approval); the message source is the local machine.

Code:
message_size: 2858 1230 8 0 2858
message_arrival_time: Tue Apr 22 20:39:27 2014
create_time: Tue Apr 22 20:39:27 2014
named_attribute: log_ident=0B68E94055B
named_attribute: rewrite_context=local
sender: [email protected]
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=45125
named_attribute: log_message_origin=localhost[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost
named_attribute: reverse_client_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: client_port=45125
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
The message source is not the local machine; the messages are from IP 130.204.133.223 and the sender authenticated with the correct password of the account [email protected]. The relevant lines are these:

Code:
Received: from aceprensa.com (130-204-133-223.2074264292.ddns.cablebg.net [130.204.133.223])
	(Authenticated sender: [email protected])

To stop the spam sending, change the password of that email account. There are several reasons how this could have happened: if you are sure that the email address owner was not sending the spam, then it might be that he has a virus or trojan on his PC that stole the email password, or he used the password in an internet cafe or over an unencrypted connection and his password was stolen this way.
Hi. I'm stuck with postfix again. This time postfix is sending a lot of spam; I've checked the content of the mails with postcat. This time there is no authenticated user. Here is the postcat of 1 mail. All mail comes from the same sender domain. Please help.

Code:
root@nbsd1:~# postcat /var/spool/postfix/deferred/D/D250694083C
*** ENVELOPE RECORDS /var/spool/postfix/deferred/D/D250694083C ***
message_size: 1233 663 1 0 1233
message_arrival_time: Sat Jul 19 00:51:16 2014
create_time: Sat Jul 19 00:51:16 2014
named_attribute: log_ident=D250694083C
named_attribute: rewrite_context=local
sender: [email protected]
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=49327
named_attribute: log_message_origin=localhost[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost
named_attribute: reverse_client_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: client_port=49327
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
*** MESSAGE CONTENTS /var/spool/postfix/deferred/D/D250694083C ***
Received: from localhost (localhost [127.0.0.1])
	by nbsd1.nanobytes.es (Postfix) with ESMTP id D250694083C
	for <[email protected]>; Sat, 19 Jul 2014 00:51:16 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at nbsd1.nanobytes.es
Received: from nbsd1.nanobytes.es ([185.2.150.158])
	by localhost (nbsd1.nanobytes.es [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id QVCwdAr4A7bh for <[email protected]>;
	Sat, 19 Jul 2014 00:51:12 +0200 (CEST)
Received: by nbsd1.nanobytes.es (Postfix, from userid 5069)
	id 6059294095E; Sat, 19 Jul 2014 00:50:50 +0200 (CEST)
To: [email protected]
Subject: Fw: Wow , Two amateur twinks kissed and anal messes on picnic
X-PHP-Originating-Script: 5069:general.php
From: "Susana Snider" <[email protected]>
Reply-To:"Susana Snider" <[email protected]>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>
Date: Sat, 19 Jul 2014 00:50:50 +0200 (CEST)

<div><a href="http://brmc.by/templates/bizuniverse/html/mod_login/view.html">Two amateur twinks kissed and anal messes on picnic</a></div>
*** HEADER EXTRACTED /var/spool/postfix/deferred/D/D250694083C ***
named_attribute: encoding=8bit
*** MESSAGE FILE END /var/spool/postfix/deferred/D/D250694083C ***
The spam is sent through a hacked website. The script that sends the spam is "general.php", see header:

Code:
X-PHP-Originating-Script: 5069:general.php

Normally you would see the sending website in the from address (e.g. from [email protected]). As that's not the case here, I guess this site uses mod_php and not the recommended combination php-fcgi + suexec or php-fpm + suexec.
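The two diagnoses given in this thread, a stolen mailbox password (visible as "Authenticated sender" in the first-hop Received header) and a PHP script on a local web site (visible as X-PHP-Originating-Script together with "from userid N"), can be read off the headers that postcat prints mechanically. The following is an added example and not code from the thread, ISPConfig or Postfix; the hostnames and addresses in its two sample header blocks are constructed.

```python
import email
import re

# Added example, not from the thread: decide where a queued message entered Postfix
# from the headers that `postcat` prints under "*** MESSAGE CONTENTS ***".
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
USERID_RE = re.compile(r"\(Postfix, from userid (\d+)\)")


def classify_origin(raw_message: str) -> dict:
    msg = email.message_from_string(raw_message)
    # Each hop prepends its Received header, so the last one is the first hop.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    for hop in reversed(hops):
        auth = AUTH_RE.search(hop)
        if auth:  # SMTP AUTH submission: a mailbox password is in the wrong hands
            ips = IPV4_RE.findall(hop)
            return {"origin": "authenticated-submission", "account": auth.group(1),
                    "client_ip": ips[0] if ips else None,
                    "action": "reset this mailbox password"}
    php = msg.get("X-PHP-Originating-Script")
    if php:  # mail() from a local web site; the uid tells you which site
        uid, script = php.strip().split(":", 1)
        pickup_uid = next((m.group(1) for m in map(USERID_RE.search, hops) if m), None)
        return {"origin": "local-php-script", "uid": int(uid), "script": script,
                "uid_matches_pickup": pickup_uid == uid,
                "action": "audit the site running as this uid"}
    return {"origin": "local-unknown", "action": "check the first-hop Received header"}


# Constructed samples modelled on the two postcat dumps in the thread.
SAMPLE_AUTH = """\
Received: from localhost (localhost [127.0.0.1])
  by mx.example.net (Postfix) with ESMTP id AAAA0001; Tue, 22 Apr 2014 20:11:03 +0200
Received: from client.example.org (client.example.org [203.0.113.45])
  (Authenticated sender: compromised@example.com)
  by mx.example.net (Postfix) with ESMTPA id BBBB0002; Tue, 22 Apr 2014 20:10:57 +0200
Subject: Fw:

"""
SAMPLE_PHP = """\
Received: from localhost (localhost [127.0.0.1])
  by mx.example.net (Postfix) with ESMTP id CCCC0003; Sat, 19 Jul 2014 00:51:16 +0200
Received: by mx.example.net (Postfix, from userid 5069)
  id DDDD0004; Sat, 19 Jul 2014 00:50:50 +0200 (CEST)
X-PHP-Originating-Script: 5069:general.php
From: "Sender" <nobody@example.net>

"""
```

Feed it the text between "*** MESSAGE CONTENTS ***" and the first blank line of a postcat dump; a result of "local-unknown" means neither marker is present and the first-hop Received line has to be read by hand.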
Hello there, could it not be a zombie on the machine? http://en.wikipedia.org/wiki/Zombie_%28computer_science%29 I had a case, and I found the problem. Mz74