I keep having Spamhaus blocking my site. I get bouncebacks:

<[email protected]> (expanded from <[email protected]>): host hotmail-com.olc.protection.outlook.com[104.47.18.161] said: 550 5.7.1 Service unavailable, Client host [174.64.32.157] blocked using Spamhaus. To request removal from this list see https://www.spamhaus.org/query/ip/174.64.32.157 (AS3130). [AM7EUR06FT036.eop-eur06.prod.protection.outlook.com] (in reply to MAIL FROM command)

Now when I go to the link it tells me I'm sending a weird HELO when connecting. When I do what it asks to check (email [email protected]) I get back a perfectly clean HELO ns10.cdbsystems.com - nothing weird or wrong.

I grep for 179-113-136-78.user.vivozaap.com.br and my log contains:

Now there is no [email protected] on my server, so where is this originating? rkhunter finds nothing of course. What can I do to eliminate this spamming? So far Spamhaus is the ONLY one complaining, but I want to get rid of this of course! Is it that Postfix is being tricked into sending a bogus receipt and spamming that way?

Some relevant lines from /etc/postfix/main.cf:

Thanks for your help! cdb.
Start with this to get context and rule out the usual suspects: https://forum.howtoforge.com/threads/please-read-before-posting.58408/ Have you verified your server is not an open relay? Please provide diff for /etc/postfix/main.cf showing what changes you have made.
Yes, server is NOT an open relay. Used a couple of the online sites to verify. And I've changed NOTHING in main.cf in probably 2 years! This problem only just started happening a couple of days ago. Running CentOS 8, PHP 7.x.
Where is the htf_report.txt? Then you should check the host for malware. For example https://www.ispconfig.org/add-ons/, the ISPProtect Malware Scanner. I understand first use can be free of charge.
Been using ISPProtect for years. Have not seen it report anything recently significant. Recent result: nothing clearly suspicious, and all of these have been on the system for a LONG time, not just a few days.
What was in those files? Nothing prevents a malware from staying two years just hiding. If they are PHP files, read them. If CMS files, compare contents to known good files.
Here is the htf_report.txt. Anything look odd? The program at 8008 is my remote help technician; it's fine. cdb.
Host has two failed services. My Debian hosts do not have those services, so I do not know what they are for. Maybe not related to the spam problem but worth fixing. Host is not running the latest ISPConfig. Why is the webserver an unknown process? I cannot see other odd issues.
Neither of the failed services is important; one is not supported on this platform, and not related to spam! Have not updated ISPConfig in a bit, but surely not related to spam! Not sure why httpd is listed as an unknown service? But what is causing the spam? Why do the funny URLs have that message in maillog? My maillog has in it:

Aug 3 08:02:10 ns10 postfix/qmgr[2349]: 13215305C20CE9: removed
Aug 3 08:02:12 ns10 postfix/smtpd[3185806]: warning: hostname 191-209-57-13.user.vivozap.com.br does not resolve to address 191.209.57.13: Name or service not known
Aug 3 08:02:12 ns10 postfix/smtpd[3185806]: connect from unknown[191.209.57.13]
Aug 3 08:02:13 ns10 postfix/smtpd[3185806]: NOQUEUE: filter: RCPT from unknown[191.209.57.13]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<191-209-57-13.user.vivozap.com.br>
Aug 3 08:02:13 ns10 postfix/smtpd[3185806]: NOQUEUE: reject: RCPT from unknown[191.209.57.13]: 550 5.1.0 <[email protected]>: Sender address rejected: User unknown in virtual mailbox table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<191-209-57-13.user.vivozap.com.br>
Aug 3 08:02:13 ns10 postfix/smtpd[3185806]: lost connection after DATA from unknown[191.209.57.13]
Aug 3 08:02:13 ns10 postfix/smtpd[3185806]: disconnect from unknown[191.209.57.13] ehlo=1 mail=1 rcpt=0/1 data=0/1 commands=2/4

(Hopefully not too long a snip.) The 191-209-57-13 is clearly bogus, and the ESMTP helo command? Can't I block things that trigger this kind of item? Does this not send OUT a packet with the bogus helo=<191-209-57-13.user.vivozap.com.br>? How can I prevent these??? And are these not actually me sending OUT faulty receipts??? Help!
That message was not sent. It got rejected because of its sender address. If there are messages in the mail queue, examine the contents of those; maybe it gives clues for finding what sends them. Some info on how to do this is in my e-mail tutorial, link in my signature. Is the IP number always the same? Block that IP from accessing your host.
It seems to be sending email to a nonexistent mailbox on my server. It WOULD get a bounceback, right??? 'no such user' and THAT would get counted as spam, no? When it has one of the offending HELO strings??? I've blocked port 25 apart from my mail server... surely it has to be coming from my server somehow - but how? The most recent complaint from Spamhaus includes these HELO lines:

174.64.32.157 2022-08-06 22:45:00 staticline-31-183-197-4.toya.net.pl
174.64.32.157 2022-08-06 17:40:00 ppp-94-66-136-211.home.otenet.gr
174.64.32.157 2022-08-03 16:15:00 host-45-232-144-165.static.federacionnet.com.ar

But I don't find these lines in maillog anywhere:

[root@ns10 log]# grep ppp-94-66 maillog*
[root@ns10 log]# grep staticline-31-183-197-4.toya maillog*
[root@ns10 log]# grep staticline-31-183-197 maillog*
[root@ns10 log]# grep ppp-94-66-136-211 maillog*

I've also wrapped sendmail (per the suggestion, to see if a PHP script is sending emails) and my /var/tmp/mail.send file only includes:

[root@ns10 log]# cat /var/tmp/mail.send
X-Additional-Header: /usr/local/ispconfig/server
X-Additional-Header: /usr/local/ispconfig/server
X-Additional-Header: /usr/local/ispconfig/server

So it does not appear any rogue PHP is sending the emails. So what the HECK is going on? And how do I get out of the Spamhaus doghaus? <small pun>
ENLIGHTENMENT. Looks like I had a spambot on a customer computer inside the local net. Geez! Putting in a rule in the router blocking all outgoing port 25, apart from that originating at my server, seems to have stopped it! Now - how to find out what computer on the internal network was generating the spam??
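An added example (not from the thread or any of its posters) of one way to answer that last question: if the router rule that blocks outbound port 25 also logs what it sees, the infected LAN host is simply the one with the most logged attempts. The iptables rules, the mail server address 192.168.1.10 and the log lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: rank internal hosts by outbound port-25 attempts seen at the
# gateway, so the spambot stands out. Assumed router rules (FORWARD chain):
#
#   iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "SMTP-OUT: "
#   iptables -A FORWARD -p tcp --dport 25 -s 192.168.1.10 -j ACCEPT
#   iptables -A FORWARD -p tcp --dport 25 -j DROP
#
# The LOG rule comes first so every attempt, allowed or dropped, is recorded.

MAIL_SERVER="192.168.1.10"   # assumed address of the legitimate mail server

# Constructed sample of the kernel log lines the LOG rule above would produce.
SAMPLE_LOG='Aug  7 10:01:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=104.47.18.161 PROTO=TCP SPT=51234 DPT=25 SYN
Aug  7 10:01:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=64.12.88.132 PROTO=TCP SPT=51235 DPT=25 SYN
Aug  7 10:01:05 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=17.57.155.5 PROTO=TCP SPT=40001 DPT=587 SYN
Aug  7 10:01:09 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=40.99.10.1 PROTO=TCP SPT=51236 DPT=25 SYN
Aug  7 10:01:10 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=40.99.10.1 PROTO=TCP SPT=33000 DPT=25 SYN'

# Read log lines on stdin; print "count source-ip", busiest first, skipping
# the mail server (its traffic is expected) and anything not aimed at port 25.
smtp_talkers() {
    grep -E 'DPT=25( |$)' | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' \
      | grep -vx "$MAIL_SERVER" | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# The busiest non-mail-server host: the first machine to pull off the LAN.
top_suspect() {
    printf '%s\n' "$SAMPLE_LOG" | smtp_talkers | head -n 1 | awk '{print $2}'
}

# On a real gateway, feed the actual log instead of the sample:
#   grep 'SMTP-OUT:' /var/log/kern.log | smtp_talkers
```

With the sample above, the script reports 192.168.1.57 with three attempts; the port 587 connection and the mail server's own delivery are ignored.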