Mail server attempting to send out 1000s of SPAM emails

Discussion in 'Installation/Configuration' started by punto, Jan 7, 2009.

  1. punto

    punto New Member

    Hi All,

    I am running 2.2.27, CENTOS 5.2. Been running for over 2 years without a hiccup. Woke up this morning to 20,000 emails in my work inbox (separate domain to ISPCONFIG - I receive all emails for root)

    Checked mail logs on mail server and they are full of emails being generated by the local machine and they are trying to be relayed out to any and all mailservers. I have already received a warning from Yahoo about excessive traffic.

    Here is a grab from the maillogs

    Jan 7 10:01:48 web postfix/qmgr[3442]: D16EC2028D00: to=<[email protected]>, relay=none, delay=15492, delays=15158/333/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to[]: Connection timed out)

    and this

    web postfix/smtp[4749]: 356182029285: to=<[email protected]>,[]:25, delay=4108, delays=3795/0.07/313/0, dsn=4.7.0, status=deferred (host[] refused to talk to me: 421 4.7.0 [TS01] Messages from temporarily deferred due to user complaints -; see

    I have run a test for rootkits and viruses (RKHUNTER) and it came up clean. Checked it with an OPEN RELAY test and is passed all tests. I have made no modifications to the perfect setup and as I said it has been running flawlessy for 2 years.

    Please help, I am not sure where to look next... let me know if you need any more information.

    Kind Regards
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The most common scenarios are:

    1) One of your email accounts has a too simple password. You can try to check this in the mail log and see if the spam mails have been sent by an authenticated user.

    2) One of your websites runs a vulnerable cms or contact form script which is misused to send the spam.
  3. punto

    punto New Member


    Thanks for showing me where to look. All I am seeing in the logs are lines like this:

    Jan 7 20:57:10 web postfix/qmgr[3538]: 83F1B20291AC: to=<[email protected]>, relay=none, delay=46688, delays=4
    6638/50/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to[200.166.1
    04.28]: Connection refused)

    and this

    Jan 7 20:57:37 web postfix/smtp[29005]: B42BA2028B3E: to=<[email protected]>,[200.
    214.148.133]:25, conn_use=13, delay=61232, delays=61159/72/0.37/0.74, dsn=4.0.0, status=deferred (host unix.barroc[] said: 451 ACCESS DENIED! YOU ARE IN MY SPAM BLACKLIST! (in reply to RCPT TO command))

    Does that give any clue to if it is an authenticated user?

    I had a hunch it may have been a web form - if I stop httpd and this stops the SPAM that would then point to that scenario?

    EDIT: I stopped HTTPD but the emails are still coming. Do I need to check each website for a vulnerable contact script? Goodness we have more than 50 sites on the server :(

    Kind Regards
    Last edited: Jan 7, 2009
  4. punto

    punto New Member

    Well this problem is persisting :(
    The mail logs haven't helped me determine if it is an authenticated user - I don't think it is. So, I am slowly going through each website to try and find a rogue script or the like.

    One thing I have noticed is that all the emails are trying to be delivered to 2 or 3 domains only. Can you please tell me what I need to add to my Postfix configuration file to prevent my mail server from trying to send to specific domains?

    For example one of the domains is, so any emails they are trying to be sent to this domain should not be allowed. It is only a workaround but at least it will cut down the SPAM and buy me a little time while I try and pin point the problem.

    Many thanks
  5. stevieb_

    stevieb_ New Member

    have you not got a line similar to

    Jan 8 09:08:48 ridcully postfix/smtpd[1835]: E8D1418200B2:[], sasl_method=PLAIN, sasl_username=web1_forthe

    before the mails are sent?
    that shows someone has authenticated :D

    but it does echo a lot like the old mail.cgi script flaw :| i dont know if that helps any?

  6. punto

    punto New Member

    Stevie, thanks for the advice mate :)
    I have had a good look at the logs and doesnt seem to be from an authenticated user - nothing evident that precedes the email being sent.

    Guess that means it is a script playing up - need to keep looking.

    Thanks for your help
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try to look into the mail files with the postcat command if some of them are still in the deferred mailqueue. Sometimes the mails contain hints (e.g. email addresses) in the header from the original mail script that was misused to send them.
  8. punto

    punto New Member

    Thanks Till, postcat gives alot of information when I run it against the messages in the deffered queue. Can you please have a look at this and help me decipher it? I can't see anything that relates to a customer website, but there is alot of guff in there. Below is the output from postcat on one of the messages that are trying to be sent as SPAM.

    Is there a configuration error on my mail server? Can I block either domains or IPs through postfix or the ehlo connection? I see the from sender and the to address but I can't see how they are generating the message??

    Any help much appreciated


    *** ENVELOPE RECORDS deferred/0/0CD50202952A ***
    message_size: 5184 592 1 0
    message_arrival_time: Wed Jan 7 09:27:32 2009
    create_time: Wed Jan 7 09:27:32 2009
    named_attribute: rewrite_context=local
    named_attribute: [email protected]
    sender: [email protected]
    named_attribute: log_client_address=
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_address=
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS deferred/0/0CD50202952A ***
    Received: from ( [])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by (Postfix) with ESMTP id 0CD50202952A
    for <[email protected]>; Wed, 7 Jan 2009 09:27:32 +1100 (EST)
    Received: (from [email protected])
    by (8.13.8/8.13.8/Submit) id n06MRV2J006088;
    Wed, 7 Jan 2009 09:27:31 +1100
    Date: Tue Jan 6 21:57:28 EST 2009
    From: Caixa Economica Federal <[email protected]>
    To: [email protected]
    Subject: Correcao para o Cadastramento de Computadores
    X-Mailer: UmailNG .NET (powered by Microsoft Windows 2003)
    Mime-Version: 1.0
    content-type: text/html
    Reply-To: "[email protected]" <"[email protected]">
    X-OriginalArrivalTime: Tue 06 Jan 2009 09:57:29 PM EST -0.762217 seconds
    Message-Id: <[email protected]>

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
    <STYLE>.hmmessage P {
    BODY.hmmessage {
    FONT-SIZE: 10pt; FONT-FAMILY: Verdana

    <META content="MSHTML 6.00.2900.3492" name=GENERATOR></HEAD>
    <BODY class=hmmessage bgColor=#ffffff>
    <DIV><FONT face=Arial></FONT><BR>
    .ExternalClass .EC_style2
    {font-size:10px;font-family:Verdana, Arial, Helvetica, sans-serif;}
    .ExternalClass .EC_style4
    .ExternalClass .EC_style5
    .ExternalClass .EC_style6
    {font-size:12px;font-family:Verdana, Arial, Helvetica, sans-serif;}
    .ExternalClass .EC_style7
    <TABLE borderColor=#022986 height=436 width=755 align=center border=0>
    <TD width=780 bgColor=#022986><IMG height=57 hspace=0
    src="" width=140
    border=0><IMG height=57 hspace=0
    width=141 border=0></TD></TR>
    <TD height=364>
    <DIV align=center>
    <DIV class=EC_EC_EC_ExternalClass id=EC_EC_EC_MsgContainer
    style="WIDTH: 765px; HEIGHT: 388px">
    <P align=left><SPAN class=EC_style4><SPAN class=EC_style5><SPAN
    class=EC_style7><SPAN class=EC_style5><STRONG><FONT
    <P align=left>&nbsp;
    <P align=left><SPAN class=EC_style4><SPAN class=EC_style5><SPAN
    class=EC_style7><SPAN class=EC_style5><STRONG><FONT
    size=3><img src=""></FONT></STRONG></SPAN></SPAN></SPAN></SPAN>
    <P align=left><SPAN class=EC_style4><SPAN class=EC_style5><SPAN
    class=EC_style7><SPAN class=EC_style5><STRONG><FONT
    <p align="left">&nbsp;</p>
    <p align="left"><strong><font size="2">Prezado Cliente,</font></strong></p>
    <p align="left"><font size="2">Foi lan&ccedil;ada uma nova corre&ccedil;&atilde;o para o Cadastramento
    de Computadores, esta corrige uma falha de n&iacute;vel cr&iacute;tico
    do sistema de identifica&ccedil;&atilde;o do cliente, que pode ocasionar
    perdas de dados e problemas no acesso.</font></p>
    <p align="left">&nbsp;</p>
    <p align="left"><font size="2">A atualiza&ccedil;&atilde;o &eacute; simples e r&aacute;pida, basta
    clicar no link abaixo e em seguida completar todos os dados que pedir&atilde;o
    para efetuar uma atualiza&ccedil;&atilde;o completa.</font></p>
    <p align="left">&nbsp;</p>
    <p align="left"><font size="2"><a href="">ça/download/atualização/</a></font></p>
    <p align="left">&nbsp;</p>
    <p align="left"><font size="2"><strong>Aten&ccedil;&atilde;o:</strong> Todos os usu&aacute;rios devem se cadastrar e
    atualizar o Cadastramento de Computadores. Caso a corre&ccedil;&atilde;o
    n&atilde;o seja realizada, seu computador ser&aacute; <strong>bloqueado
    e o desbloqueio s&oacute; poder&aacute; ser realizado nas ag&ecirc;ncias
    da CAIXA.</strong></font></p>
    <p align="left">&nbsp;</p>
    <p align="left"><font size="2"><strong>Em caso de d&uacute;vidas, ligue
    para o Help Desk CAIXA 0800 726 0104</strong></font><br>
    <p align="left">&nbsp;</p>
    <p align="left">&nbsp; </p>
    <p align="left"><img src=""><br>

    *** HEADER EXTRACTED deferred/0/0CD50202952A ***
    *** MESSAGE FILE END deferred/0/0CD50202952A ***
  9. stevieb_

    stevieb_ New Member

    Received: (from [email protected])
    by (8.13.8/8.13.8/Submit) id n06MRV2J006088;

    Till will correct me if I am wrong but,

    that suggests to me more and more that its a webmail form, running through a loop from a database/csv file.

  10. punto

    punto New Member

    This is now becoming unsettling :confused: I just received this email, that was sent to undisclosed recipients and the content was

    "this is a spam email to show how easy it is to bypass your logins"

    ...what is that meant to mean???

    Here are the headers of the email, taken from Outlook.

    Microsoft Mail Internet Headers Version 2.0
    X-PMWin-SpamScore: 8
    X-PMWin-Version:, Antispam-Engine: 2.6.1, Antispam-Data: 2009.1.10.14322, Antivirus-Engine: 2.82.1, Antivirus-Data: 4.37E
    Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.3959); Sat, 10 Jan 2009 12:55:19 +1100
    MIME-Version: 1.0
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit
    Received: by (Postfix) id 6E17C2028002; Sat, 10 Jan 2009 12:55:19 +1100 (EST)
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
    Delivered-To: [email protected]
    Received: from localhost.localdomain ( []) by (Postfix) with SMTP id 832952028001 for <[email protected]>; Sat, 10 Jan 2009 12:55:18 +1100 (EST)
    Message-ID: <[email protected]>
    Date: Sat, 10 Jan 2009 12:55:18 +1100 (EST)
    From: <[email protected]>
    To: <undisclosed-recipients:>
    Return-Path: <[email protected]>
    X-OriginalArrivalTime: 10 Jan 2009 01:55:19.0627 (UTC) FILETIME=[7DCA49B0:01C972C6]

    Has someone hijacked the apache user?
    Do I need to start taking down websites until I find the culprit?

  11. stevieb_

    stevieb_ New Member

    thats where it went :|
    i was testing something out on my host but was cutting and pasting :|
    you have the same "hole" ive got via smtp logins, whereas you can send emails through from [email protected] .....
    i dont know how you managed to get it though, unless i still had your url in the "copy" when i ssh'd in .. was late but i was wondering why it had sent. yet never arrived anywhere on my system ... i sent 5 through. i received 3 .. so there are 2 floating about somewhere :\ 1 you have.

    i can tell you the issue but cant give you a solution atm hen i have found it ill let you know :/
    Last edited: Jan 10, 2009
  12. punto

    punto New Member

    I actually did get two! So that accounts for the two your missing :D

    How do you generate the emails to my system?

    You have the same hole....hmmm....maybe Falko or Till can shed some light on it and how we can patch it. What distro are you running?

    Thanks Stevie

  13. till

    till Super Moderator Staff Member ISPConfig Developer

    No. Emails sent by the apache user mean that you have a vulnerable email script or cms system installed.

    No, not nescessarily. It just means that you both have a vulnerable script or cms system on your server.
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try to replace the sendmail wrapper program which is used by php to send mail with some kind of custom wrapper script to filter and examine emails before they get frwarded to the email system.
  15. bernholdt

    bernholdt Member

    Well i have actually beel looking for ages to find a solution to log phpmail function, and this lead me to the right track.

    I found a wrapper on Havent tried it out yet but am defently gonna try it out when i come home tonight.
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Thanks for the link!
  17. bernholdt

    bernholdt Member

    A little update on this script
    It works perfectly it logs all mails send with php. All you have to do is remember to manually create a folder in /var/www/ called common and put a php file called php_set_envs.php containing
    it dont need to be php anabled or annything.
  18. punto

    punto New Member

    Thanks for the link - will be a useful tool to track where the email was originating from!

  19. bernholdt

    bernholdt Member

    For some reason this wont work wit su_php installed it sais common is not within allowed path of /var/www/web*/
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to put all files in the website root.

Share This Page