The system is Debian Wheezy, ispc3 V3.0.5.4p5. The mail system has several domains installed but only one actually in use. All the other domains have their MX records pointing to the ISP's mail server. Today the ISP reported that spam was being sent from the server. One of the ~/maildir/new boxes now contains hundreds of Non Delivered Messages with the local address. The corresponding mailbox on the ISP's server has hundreds of Non Delivered Messages but with the spam recipient's address. I have run Rkhunter but there was nothing unusual. I have now disabled all the mailboxes using ispc3. I have changed the passwords for root and the only user account. As the performance was being compromised I have stopped postfix. If I restart it, it commences pumping out the spam. I have searched all the websites but I cannot see any mailto or cgi formmail that point to that mail domain or box. Any ideas?
Are you running any websites? You can remove all mails from the queue with postsuper -D ALL - be careful: this will remove ALL mails. To find out who is sending spam, run postcat with one of the IDs shown by mailq. You may find additional information here: https://www.howtoforge.com/communit...g-spam-ispconfig3-debian-7.70470/#post-331775
You can also enable php.ini logging of all forms being sent out. We always keep tabs on that and can easily find an outdated WordPress site that some script is running in the background. Using .htaccess or BulletProof addons and/or websecurity will disable most/all scripts running. It is almost a must; you can get detailed log(s) such as:

    [02-Jul-2015 06:18:19 UTC] mail() on [/var/www/clients/client1/webXX/web/wp-includes/class-phpmailer.php:603]: To: [email protected] Headers: Date: Thu, 2 Jul 2015 06:18:19 +0000 Return-Path: <[email protected]> From: The Client <email@address> Message-ID: <[email protected]> X-Priority: 3 X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/) MIME-Version: 1.0 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit

Good luck,
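As an added example, not part of any post in this thread: a small Python script that parses lines in the format PHP's mail.log directive writes (as quoted in the post above) and counts mail() calls per originating script, so the script pumping out spam stands out. The sample log lines, site paths and addresses are constructed, and the "PHP file under wp-content/uploads" heuristic is an assumption, not something the post states.

```python
import re
from collections import Counter

# Constructed sample of PHP mail.log lines in the format shown above.
# Paths and addresses are made up for illustration.
SAMPLE_LOG = """\
[02-Jul-2015 06:18:19 UTC] mail() on [/var/www/clients/client1/web3/web/wp-includes/class-phpmailer.php:603]: To: a@example.net Headers: From: The Client <info@example.org>
[02-Jul-2015 06:18:20 UTC] mail() on [/var/www/clients/client1/web3/web/wp-includes/class-phpmailer.php:603]: To: b@example.net Headers: From: The Client <info@example.org>
[02-Jul-2015 06:18:21 UTC] mail() on [/var/www/clients/client1/web3/web/wp-content/uploads/cache.php:12]: To: c@example.net Headers: From: x <x@example.org>
[02-Jul-2015 06:18:22 UTC] mail() on [/var/www/clients/client1/web3/web/wp-content/uploads/cache.php:12]: To: d@example.net Headers: From: x <x@example.org>
[02-Jul-2015 06:18:23 UTC] mail() on [/var/www/clients/client1/web3/web/wp-content/uploads/cache.php:12]: To: e@example.net Headers: From: x <x@example.org>
[02-Jul-2015 07:00:00 UTC] mail() on [/var/www/clients/client2/web5/web/contact.php:40]: To: owner@example.org Headers: From: Form <noreply@example.org>
"""

# "[timestamp] mail() on [/path/script.php:LINE]: To: recipient ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>[^\]]+?):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+)"
)

def parse_mail_log(text):
    """Yield one dict (ts, script, line, to) per well-formed mail() log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()

def count_by_script(text):
    """Number of mail() calls per originating script path (line number dropped)."""
    return Counter(e["script"] for e in parse_mail_log(text))

def suspicious_scripts(text, threshold=3):
    """Scripts sending at/above the threshold, or (assumed heuristic) any PHP
    file living under a writable wp-content/uploads directory."""
    counts = count_by_script(text)
    return sorted(s for s, n in counts.items()
                  if n >= threshold or "/wp-content/uploads/" in s)

if __name__ == "__main__":
    for script, n in count_by_script(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {script}")
    print("suspicious:", suspicious_scripts(SAMPLE_LOG))
```

Point it at the real mail.log path you configured in php.ini instead of SAMPLE_LOG, and raise the threshold to fit the site's normal form volume.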
Looks like they got in through a mail link in a website. While searching through the sites I discovered a mass of permission "inconsistencies", presumably as a result of the change of OS from Suse to Debian. So I have decided to reinstall. Not quite the 45 minutes claimed in a post advising somebody else to migrate from Suse, but all went reasonably well until I got to pure-ftpd. Can't log in using TLS. Looks like a Filezilla issue. Anyway, I've got the sites working so I'll fix the rest when I get back from holiday. Thanks for the help.
New versions of Filezilla default to using TLS with FTP. You can change that in Filezilla Site Manager to plain FTP. To get FTP working with TLS on your site, set the FTP server passive port range and open those ports in the ISPConfig firewall. I learned this a week ago from this forum when my question was answered.