Mail server attempting to send out 1000s of SPAM emails

Discussion in 'Installation/Configuration' started by punto, Jan 7, 2009.

  1. punto

    punto New Member

    Hi All,

    I am running 2.2.27, CENTOS 5.2. Been running for over 2 years without a hiccup. Woke up this morning to 20,000 emails in my work inbox (separate domain to ISPCONFIG - I receive all emails for root)

    Checked mail logs on mail server and they are full of emails being generated by the local machine and they are trying to be relayed out to any and all mailservers. I have already received a warning from Yahoo about excessive traffic.

    Here is a grab from the maillogs

    Jan 7 10:01:48 web postfix/qmgr[3442]: D16EC2028D00: to=<[email protected]>, relay=none, delay=15492, delays=15158/333/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to c.mx.mail.yahoo.com[216.39.53.2]: Connection timed out)

    and this

    web postfix/smtp[4749]: 356182029285: to=<[email protected]>, relay=e.mx.mail.yahoo.com[216.39.53.1]:25, delay=4108, delays=3795/0.07/313/0, dsn=4.7.0, status=deferred (host e.mx.mail.yahoo.com[216.39.53.1] refused to talk to me: 421 4.7.0 [TS01] Messages from 203.89.212.187 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

    I have run a test for rootkits and viruses (RKHUNTER) and it came up clean. Checked it with an OPEN RELAY test and it passed all tests. I have made no modifications to the perfect setup and as I said it has been running flawlessly for 2 years.

    Please help, I am not sure where to look next... let me know if you need any more information.

    Kind Regards
    Matt
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The most common scenarios are:

    1) One of your email accounts has too simple a password. You can try to check this in the mail log and see if the spam mails have been sent by an authenticated user.

    2) One of your websites runs a vulnerable cms or contact form script which is misused to send the spam.
     
  3. punto

    punto New Member

    Till,

    Thanks for showing me where to look. All I am seeing in the logs are lines like this:

    Jan 7 20:57:10 web postfix/qmgr[3538]: 83F1B20291AC: to=<[email protected]>, relay=none, delay=46688, delays=46638/50/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ironx.multdia.com.br[200.166.104.28]: Connection refused)


    and this

    Jan 7 20:57:37 web postfix/smtp[29005]: B42BA2028B3E: to=<[email protected]>, relay=unix.barroco.com.br[200.214.148.133]:25, conn_use=13, delay=61232, delays=61159/72/0.37/0.74, dsn=4.0.0, status=deferred (host unix.barroco.com.br[200.214.148.133] said: 451 ACCESS DENIED! YOU ARE IN MY SPAM BLACKLIST! (in reply to RCPT TO command))


    Does that give any clue to if it is an authenticated user?

    I had a hunch it may have been a web form - if I stop httpd and this stops the SPAM that would then point to that scenario?

    EDIT: I stopped HTTPD but the emails are still coming. Do I need to check each website for a vulnerable contact script? Goodness we have more than 50 sites on the server :(

    Kind Regards
    Matt
     
    Last edited: Jan 7, 2009
  4. punto

    punto New Member

    Well this problem is persisting :(
    The mail logs haven't helped me determine if it is an authenticated user - I don't think it is. So, I am slowly going through each website to try and find a rogue script or the like.

    One thing I have noticed is that all the emails are trying to be delivered to 2 or 3 domains only. Can you please tell me what I need to add to my Postfix configuration file to prevent my mail server from trying to send to specific domains?

    For example one of the domains is barroco.com.br, so any emails that are being sent to this domain should not be allowed. It is only a workaround but at least it will cut down the SPAM and buy me a little time while I try and pinpoint the problem.

    Many thanks
    Matt
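
Matt's workaround request above (stop the queue hammering two or three recipient domains) can be handled from the shell. The following is an added example, not code from anyone in the thread: a POSIX sh function that reads `mailq` output and prints the queue IDs of messages with a recipient in a given domain, in the form `postsuper -d -` accepts. It assumes the standard Postfix `mailq` layout described in the comments, and the queue listing used as sample data is constructed (queue IDs and addresses are invented).

```shell
#!/bin/sh
# Added example (not from the thread): list Postfix queue IDs of messages
# addressed to one recipient domain, for use with "postsuper -d -".
#
# Assumed "mailq" / "postqueue -p" layout (standard Postfix):
#   -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------   (header)
#   <queue id>[*|!] <size> <arrival time> <sender>                      (one per message)
#   (deferral reason)                                                    (optional, column 0)
#                                            <recipient>                (indented, one per line)
#   -- N Kbytes in M Requests.                                           (summary)
# "*" marks an active and "!" a held message; neither is part of the ID.

# Usage: mailq | queue_ids_for_domain barroco.com.br | postsuper -d -
queue_ids_for_domain() {
    awk -v dom="$1" '
        BEGIN { dom = tolower(dom) }
        # First line of a message: remember its queue ID, reset the "printed" flag.
        /^[0-9A-Za-z]+[*!]? / { qid = $1; gsub(/[*!]/, "", qid); printed = 0; next }
        # Indented line that is not a "(reason)" line: a recipient address.
        /^[ \t]+[^( \t]/ && qid != "" && !printed {
            n = split($1, parts, "@")
            if (n == 2 && tolower(parts[2]) == dom) { print qid; printed = 1 }
        }'
}

# Constructed sample queue listing (not output from the thread's server).
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E6F     5184 Wed Jan  7 09:27:32  apache@web.example.invalid
(connect to mx.barroco.com.br[192.0.2.25]:25: Connection refused)
                                         fulano@barroco.com.br

2B3C4D5E6F70*    4096 Wed Jan  7 09:30:11  apache@web.example.invalid
                                         someone@example.org
                                         sicrano@BARROCO.com.br

3C4D5E6F7081      812 Wed Jan  7 09:31:40  root@web.example.invalid
                                         postmaster@example.net

-- 10 Kbytes in 3 Requests.'

# Runs the function over the sample; expected: 1A2B3C4D5E6F and 2B3C4D5E6F70
# (the second matches on a mixed-case domain; the third message is untouched).
demo_blocked_queue_ids() {
    printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_for_domain barroco.com.br
}
```

Dropping the queue clears what has already been generated; to stop new messages for the domain from being attempted, a Postfix `transport_maps` entry such as `barroco.com.br  discard:held during spam incident` (followed by `postmap` on the map file and `postfix reload`) disposes of them locally instead of connecting to the remote MX. `discard:` rather than `error:` avoids sending a bounce for every message back to the local sender address. Both are stopgaps, as Matt says, until the script generating the mail is found.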
     
  5. stevieb_

    stevieb_ New Member

    have you not got a line similar to

    Jan 8 09:08:48 ridcully postfix/smtpd[1835]: E8D1418200B2: client=host86-128-92-29.range86-128.btcentralplus.com[86.128.92.29], sasl_method=PLAIN, sasl_username=web1_forthe

    before the mails are sent?
    that shows someone has authenticated :D


    but it does echo a lot like the old mail.cgi script flaw :| I don't know if that helps any?

    Stevieb
     
  6. punto

    punto New Member

    Stevie, thanks for the advice mate :)
    I have had a good look at the logs and it doesn't seem to be from an authenticated user - nothing evident that precedes the email being sent.

    Guess that means it is a script playing up - need to keep looking.

    Thanks for your help
    Matt
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try to look into the mail files with the postcat command if some of them are still in the deferred mailqueue. Sometimes the mails contain hints (e.g. email addresses) in the header from the original mail script that was misused to send them.
     
  8. punto

    punto New Member

    Thanks Till, postcat gives a lot of information when I run it against the messages in the deferred queue. Can you please have a look at this and help me decipher it? I can't see anything that relates to a customer website, but there is a lot of guff in there. Below is the output from postcat on one of the messages that are trying to be sent as SPAM.

    Is there a configuration error on my mail server? Can I block either domains or IPs through postfix or the ehlo connection? I see the from sender and the to address but I can't see how they are generating the message??

    Any help much appreciated

    Thanks
    Matt

    *** ENVELOPE RECORDS deferred/0/0CD50202952A ***
    message_size: 5184 592 1 0
    message_arrival_time: Wed Jan 7 09:27:32 2009
    create_time: Wed Jan 7 09:27:32 2009
    named_attribute: rewrite_context=local
    named_attribute: [email protected]
    sender: [email protected]
    named_attribute: log_client_name=web.berginct.com
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_message_origin=web.berginct.com[127.0.0.1]
    named_attribute: log_helo_name=web.berginct.com
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=web.berginct.com
    named_attribute: reverse_client_name=web.berginct.com
    named_attribute: client_address=127.0.0.1
    named_attribute: helo_name=web.berginct.com
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS deferred/0/0CD50202952A ***
    Received: from web.berginct.com (web.berginct.com [127.0.0.1])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by web.berginct.com (Postfix) with ESMTP id 0CD50202952A
    for <[email protected]>; Wed, 7 Jan 2009 09:27:32 +1100 (EST)
    Received: (from apache@localhost)
    by web.berginct.com (8.13.8/8.13.8/Submit) id n06MRV2J006088;
    Wed, 7 Jan 2009 09:27:31 +1100
    Date: Tue Jan 6 21:57:28 EST 2009
    From: Caixa Economica Federal <[email protected]>
    To: [email protected]
    Subject: Correcao para o Cadastramento de Computadores
    X-Mailer: UmailNG .NET (powered by Microsoft Windows 2003)
    Mime-Version: 1.0
    content-type: text/html
    Reply-To: "[email protected]" <"adraiana82@"@gmail.com>
    X-OriginalArrivalTime: Tue 06 Jan 2009 09:57:29 PM EST -0.762217 seconds
    Message-Id: <[email protected]>

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
    <STYLE>.hmmessage P {
    PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px
    }
    BODY.hmmessage {
    FONT-SIZE: 10pt; FONT-FAMILY: Verdana
    }
    </STYLE>

    <META content="MSHTML 6.00.2900.3492" name=GENERATOR></HEAD>
    <BODY class=hmmessage bgColor=#ffffff>
    <DIV><FONT face=Arial></FONT><BR>
    <STYLE>
    .ExternalClass .EC_style2
    {font-size:10px;font-family:Verdana, Arial, Helvetica, sans-serif;}
    .ExternalClass
    {;}
    .ExternalClass .EC_style4
    {font-size:10px;}
    .ExternalClass .EC_style5
    {font-size:12px;}
    .ExternalClass .EC_style6
    {font-size:12px;font-family:Verdana, Arial, Helvetica, sans-serif;}
    .ExternalClass .EC_style7
    {font-size:12px;}
    </STYLE>
    </DIV>
    <TABLE borderColor=#022986 height=436 width=755 align=center border=0>
    <TBODY>
    <TR>
    <TD width=780 bgColor=#022986><IMG height=57 hspace=0
    src="http://www.caixa.gov.br/_newimages/icaixa/header_caixa.jpg" width=140
    border=0><IMG height=57 hspace=0
    src="http://www.caixa.gov.br/_newimages/icaixa/O_banco_que_acredita.jpg"
    width=141 border=0></TD></TR>
    <TR>
    <TD height=364>
    <DIV align=center>
    <DIV class=EC_EC_EC_ExternalClass id=EC_EC_EC_MsgContainer
    style="WIDTH: 765px; HEIGHT: 388px">
    <P align=left><SPAN class=EC_style4><SPAN class=EC_style5><SPAN
    class=EC_style7><SPAN class=EC_style5><STRONG><FONT
    size=3></FONT></STRONG></SPAN></SPAN></SPAN></SPAN>
    <P align=left>&nbsp;
    <P align=left><SPAN class=EC_style4><SPAN class=EC_style5><SPAN
    class=EC_style7><SPAN class=EC_style5><STRONG><FONT
    size=3><img src="http://cleese.lima-city.de/images/meioqj3.jpg"></FONT></STRONG></SPAN></SPAN></SPAN></SPAN>
    <P align=left><SPAN class=EC_style4><SPAN class=EC_style5><SPAN
    class=EC_style7><SPAN class=EC_style5><STRONG><FONT
    size=3></FONT></STRONG></SPAN></SPAN></SPAN></SPAN>
    <p align="left">&nbsp;</p>
    <p align="left"><strong><font size="2">Prezado Cliente,</font></strong></p>
    <p>&nbsp;</p>
    <p align="left"><font size="2">Foi lan&ccedil;ada uma nova corre&ccedil;&atilde;o para o Cadastramento
    de Computadores, esta corrige uma falha de n&iacute;vel cr&iacute;tico
    do sistema de identifica&ccedil;&atilde;o do cliente, que pode ocasionar
    perdas de dados e problemas no acesso.</font></p>
    <p align="left">&nbsp;</p>
    <p align="left"><font size="2">A atualiza&ccedil;&atilde;o &eacute; simples e r&aacute;pida, basta
    clicar no link abaixo e em seguida completar todos os dados que pedir&atilde;o
    para efetuar uma atualiza&ccedil;&atilde;o completa.</font></p>
    <p align="left">&nbsp;</p>
    <p align="left"><font size="2"><a href="http://200.165.72.234/webmail/logs/atualizacao.php?download=www.caixa.gov.br/download/atualizacao/seguranca/20349582095802210481328409128035971094701324870193257891247013294701357813274891327489127358971238947132094712095718932479138257918327410923742571492871489151344.php?seguranca=index">http://www.caixa.gov.br/segurança/download/atualização/</a></font></p>
    <p align="left">&nbsp;</p>
    <p align="left"><font size="2"><strong>Aten&ccedil;&atilde;o:</strong> Todos os usu&aacute;rios devem se cadastrar e
    atualizar o Cadastramento de Computadores. Caso a corre&ccedil;&atilde;o
    n&atilde;o seja realizada, seu computador ser&aacute; <strong>bloqueado
    e o desbloqueio s&oacute; poder&aacute; ser realizado nas ag&ecirc;ncias
    da CAIXA.</strong></font></p>
    <p align="left">&nbsp;</p>
    <p align="left"><font size="2"><strong>Em caso de d&uacute;vidas, ligue
    para o Help Desk CAIXA 0800 726 0104</strong></font><br>
    </p>
    <p align="left">&nbsp;</p>
    <p align="left">&nbsp; </p>
    <p align="left"><img src="http://cleese.lima-city.de/images/fimqj3.jpg"><br>
    </p>
    </DIV></DIV></TD></TR></TBODY></TABLE>
    </BODY></HTML>


    *** HEADER EXTRACTED deferred/0/0CD50202952A ***
    *** MESSAGE FILE END deferred/0/0CD50202952A ***
     
  9. stevieb_

    stevieb_ New Member

    Received: (from apache@localhost)
    by web.berginct.com (8.13.8/8.13.8/Submit) id n06MRV2J006088;

    Till will correct me if I am wrong but,

    that suggests to me more and more that it's a webmail form, running through a loop from a database/csv file.

    Stevieb
     
  10. punto

    punto New Member

    This is now becoming unsettling :confused: I just received this email, that was sent to undisclosed recipients and the content was

    "this is a spam email to show how easy it is to bypass your logins"

    ...what is that meant to mean???

    Here are the headers of the email, taken from Outlook.

    Microsoft Mail Internet Headers Version 2.0
    X-PMWin-Spam: Gauge=IIIIIIII, Probability=8, Report='__MIME_VERSION 0, __CT 0, __CT_TEXT_PLAIN 0, __CTE 0, __HAS_MSGID 0, __SANE_MSGID 0, NO_REAL_NAME 0, __SUBJ_MISSING 0, EMPTY_BODY 0.1, BODY_SIZE_10_99 0, __MIME_TEXT_ONLY 0, BODY_SIZE_5000_LESS 0, SMALL_BODY 0, BODY_SIZE_1000_LESS 0, SUBJ_MISSING 0'
    X-PMWin-SpamScore: 8
    X-PMWin-Version: 3.0.1.0, Antispam-Engine: 2.6.1, Antispam-Data: 2009.1.10.14322, Antivirus-Engine: 2.82.1, Antivirus-Data: 4.37E
    Received: from web.berginct.com ([203.89.212.187]) by berginct.com with Microsoft SMTPSVC(6.0.3790.3959); Sat, 10 Jan 2009 12:55:19 +1100
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit
    Received: by web.berginct.com (Postfix) id 6E17C2028002; Sat, 10 Jan 2009 12:55:19 +1100 (EST)
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
    Delivered-To: [email protected]
    Received: from localhost.localdomain (host86-141-201-247.range86-141.btcentralplus.com [86.141.201.247]) by web.berginct.com (Postfix) with SMTP id 832952028001 for <apache@localhost>; Sat, 10 Jan 2009 12:55:18 +1100 (EST)
    Message-ID: <[email protected]>
    Date: Sat, 10 Jan 2009 12:55:18 +1100 (EST)
    From: <[email protected]>
    To: <undisclosed-recipients:>
    Return-Path: <[email protected]>
    X-OriginalArrivalTime: 10 Jan 2009 01:55:19.0627 (UTC) FILETIME=[7DCA49B0:01C972C6]


    Has someone hijacked the apache user?
    Do I need to start taking down websites until I find the culprit?

    Thanks
    Matt
     
  11. stevieb_

    stevieb_ New Member

    £$%£$%
    that's where it went :|
    I was testing something out on my host but was cutting and pasting :|
    you have the same "hole" I've got via smtp logins, whereas you can send emails through from apache@localhost .....
    I don't know how you managed to get it though, unless I still had your URL in the "copy" when I ssh'd in .. it was late but I was wondering why it had sent, yet never arrived anywhere on my system ... I sent 5 through. I received 3 .. so there are 2 floating about somewhere :\ 1 you have.

    I can tell you the issue but can't give you a solution atm. When I have found it I'll let you know :/
     
    Last edited: Jan 10, 2009
  12. punto

    punto New Member

    I actually did get two! So that accounts for the two you're missing :D

    How do you generate the emails to my system?

    You have the same hole....hmmm....maybe Falko or Till can shed some light on it and how we can patch it. What distro are you running?

    Thanks Stevie

    Matt
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    No. Emails sent by the apache user mean that you have a vulnerable email script or cms system installed.

    No, not necessarily. It just means that you both have a vulnerable script or cms system on your server.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try to replace the sendmail wrapper program which is used by php to send mail with some kind of custom wrapper script to filter and examine emails before they get forwarded to the email system.
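
Till's suggestion works because php.ini's `sendmail_path` names the program that PHP's `mail()` pipes each message into, so a script placed there sees every message before the MTA does. The wrapper below is an added example written for this page; it is not the thread's, not the iezzi.ch script, and not PHP or Postfix code. It logs who submitted each message and from which directory, then forwards the message unchanged to the real sendmail binary so delivery is unaffected. The install paths, the `PHP_MAIL_LOG`/`REAL_SENDMAIL` override variables, the log format and the demo message are this example's own assumptions; which environment variables are visible depends on how PHP is run, as the comments note.

```shell
#!/bin/sh
# Added example (not from the thread): a logging stand-in for the sendmail
# binary that PHP's mail() calls. Records who submitted the message and from
# where, then hands the message unchanged to the real sendmail.
#
# Install (assumed paths): copy to /usr/local/bin/php-sendmail-wrapper.sh and
# set in php.ini:   sendmail_path = /usr/local/bin/php-sendmail-wrapper.sh -t -i
#
# What can be logged depends on how PHP runs: $PWD is the directory of the
# running script (PHP changes into it before executing the script, in a
# standard configuration). SCRIPT_FILENAME and REMOTE_ADDR are present in the
# environment only under CGI-style setups such as suPHP (assumption; absent
# under mod_php), hence the "unknown" fallbacks.

php_mail_wrapper() {
    logfile="${PHP_MAIL_LOG:-/var/log/php-mail.log}"
    real_sendmail="${REAL_SENDMAIL:-/usr/sbin/sendmail}"

    tmp=$(mktemp) || return 1
    cat > "$tmp"                        # the complete message arrives on stdin

    # Pull a few headers from the message; sed quits at the first blank line
    # so that nothing in the body is mistaken for a header.
    from=$(sed -n '/^$/q; s/^[Ff][Rr][Oo][Mm]: *//p' "$tmp" | head -n 1)
    to=$(sed -n '/^$/q; s/^[Tt][Oo]: *//p' "$tmp" | head -n 1)
    subject=$(sed -n '/^$/q; s/^[Ss][Uu][Bb][Jj][Ee][Cc][Tt]: *//p' "$tmp" | head -n 1)

    printf '%s uid=%s pwd=%s script=%s remote=%s from=%s to=%s subject=%s args=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$(id -un)" "$PWD" \
        "${SCRIPT_FILENAME:-unknown}" "${REMOTE_ADDR:-unknown}" \
        "$from" "$to" "$subject" "$*" >> "$logfile"

    # Forward the untouched message; keep sendmail's exit status for PHP.
    if "$real_sendmail" "$@" < "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Constructed test message (not a real submission). The trailing "From:" line
# sits in the body and must not be logged as the sender.
SAMPLE_PHP_MESSAGE='From: webform@site.example.invalid
To: victim@example.org
Subject: Correcao para o Cadastramento
Content-Type: text/html

<html>body</html>
From: this line is in the body and must not be logged as a header'

# Exercise the wrapper without touching the real sendmail or the system log:
# returns the log line that would have been written. REAL_SENDMAIL=true turns
# the forwarding step into a no-op that still reports success.
demo_wrapper_log_line() {
    log=$(mktemp) || return 1
    PHP_MAIL_LOG="$log"
    REAL_SENDMAIL=true
    printf '%s\n' "$SAMPLE_PHP_MESSAGE" | php_mail_wrapper -t -i || return 1
    cat "$log"
    rm -f "$log"
}

# Only act as sendmail when invoked under the installed name; sourcing this
# file merely defines the functions.
case "${0##*/}" in
    php-sendmail-wrapper.sh) php_mail_wrapper "$@" ;;
esac
```

With the wrapper in place, the next burst of spam leaves one log line per message whose `pwd=` (and, under suPHP, `script=`) names the site directory the abused form lives in, which is what Matt needs to avoid checking 50 sites by hand. Bernholdt's note further down about suPHP's path check applies here too: a wrapper that reads files must keep them where suPHP allows.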
     
  15. bernholdt

    bernholdt Member

    Well I have actually been looking for ages to find a solution to log the PHP mail function, and this led me to the right track.

    I found a wrapper on http://www.iezzi.ch/archives/217 Haven't tried it out yet but am definitely gonna try it out when I come home tonight.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Thanks for the link!
     
  17. bernholdt

    bernholdt Member

    A little update on this script
    It works perfectly, it logs all mails sent with PHP. All you have to do is remember to manually create a folder in /var/www/ called common and put a php file called php_set_envs.php there containing
    It doesn't need to be PHP enabled or anything.
     
  18. punto

    punto New Member

    Thanks for the link - will be a useful tool to track where the email was originating from!

    Matt
     
  19. bernholdt

    bernholdt Member

    For some reason this won't work with su_php installed; it says common is not within the allowed path of /var/www/web*/
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to put all files in the website root.
     
