Guys, I really need some help with this and I'm very much a noob. I followed the out-of-the-box instructions to get my ISPConfig server up and running. I am getting dozens of bounced spam emails that are either being sent through my server or spoofed through my domain. How can I stop this? HELP
This does not generally mean that your server got hacked, as anyone may use your domain as the sender address, which does not necessarily mean that the emails have been sent from your server. Please post an excerpt of your mail log and the content of the file /etc/postfix/main.cf.
Also make sure that you have a correct SPF record setup for the domain to only use that server for outgoing email.
Another tip: check your mail.log files and try to find out via which user the spam is being sent. Also go to http://www.mxtoolbox.com/blacklists.aspx and check whether your server has been blacklisted in the meantime. To check if you have an open relay, you can use the site http://www.abuse.net/relay.html. If you have an insecure contact form on one of your websites, you will probably see that spam has been sent via a system user. If you use a default ISPConfig server, this is the Apache user. On Debian this is www-data, but it can be different on other Linux distributions. If you use ISPConfig with suPHP enabled, insecure contact forms are easier to locate, because in that case the spam has been sent via the webadmin of that website and not via the Apache user.
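One way to do the log check described above, as an added example (not code from ISPConfig or from anyone in this thread): mail that a PHP form injects through /usr/sbin/sendmail shows up in the log as postfix/pickup lines carrying the Unix uid of the submitting process, whereas mail accepted over SMTP shows up as postfix/smtpd client= lines. Joining each of those with the qmgr line for the same queue id gives per-uid and per-client-IP message and recipient totals, so a script mass-mailing as www-data stands out. The log lines, uids, queue ids, hostnames and the 100-recipient threshold are all constructed for the example.

```python
"""Attribute queued mail in a Postfix log to a local uid (pickup) or a remote
SMTP client (smtpd).  Added example; sample log lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample in the format of a Postfix mail.log.  uid 33 is www-data on
# Debian (the Apache user), 10010 stands in for an ISPConfig web user; all
# queue ids, hostnames and addresses are made up.
SAMPLE_LOG = """\
Jan 17 00:15:06 isp postfix/pickup[8169]: 04FC53E033A: uid=10010 from=<web11_>
Jan 17 00:15:06 isp postfix/qmgr[8170]: 04FC53E033A: from=<web11_@isp.example.net>, size=386, nrcpt=1 (queue active)
Jan 17 00:16:01 isp postfix/pickup[8169]: 1A2B3C4D5E6: uid=33 from=<www-data>
Jan 17 00:16:01 isp postfix/qmgr[8170]: 1A2B3C4D5E6: from=<sales@example.net>, size=2048, nrcpt=250 (queue active)
Jan 17 00:16:40 isp postfix/pickup[8169]: 2B3C4D5E6F7: uid=33 from=<www-data>
Jan 17 00:16:40 isp postfix/qmgr[8170]: 2B3C4D5E6F7: from=<sales@example.net>, size=2051, nrcpt=250 (queue active)
Jan 17 00:19:15 isp postfix/smtpd[8564]: 87CD23E02F1: client=unknown[203.0.113.9]
Jan 17 00:19:16 isp postfix/qmgr[8170]: 87CD23E02F1: from=<bob@example.com>, size=1260, nrcpt=1 (queue active)
"""

# pickup: mail injected locally via the sendmail command (e.g. by a web form)
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
# smtpd: mail accepted over SMTP from a remote client
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
# qmgr: envelope sender and recipient count once the message is queued
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>, size=\d+, nrcpt=(?P<n>\d+)")


def attribute(lines):
    """Return (local, remote): per-uid and per-client-IP message/recipient totals.
    The origin of a queue id is learned from its pickup or smtpd line and applied
    when the matching qmgr line arrives."""
    origin = {}  # queue id -> ("uid", "33") or ("ip", "203.0.113.9")
    local = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": Counter()})
    remote = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for line in lines:
        if m := PICKUP_RE.search(line):
            origin[m["qid"]] = ("uid", m["uid"])
        elif m := CLIENT_RE.search(line):
            origin[m["qid"]] = ("ip", m["ip"])
        elif m := QMGR_RE.search(line):
            kind, key = origin.get(m["qid"], ("unknown", "?"))
            bucket = local[key] if kind == "uid" else remote[key]
            bucket["messages"] += 1
            bucket["recipients"] += int(m["n"])
            if kind == "uid":
                bucket["senders"][m["from"]] += 1
    return dict(local), dict(remote)


def suspicious_local_uids(local, max_recipients=100):
    """Local uids that queued more recipients than a person plausibly would.
    The threshold is an assumption for the example; tune it to normal traffic."""
    return sorted(uid for uid, s in local.items() if s["recipients"] > max_recipients)


if __name__ == "__main__":
    local, remote = attribute(SAMPLE_LOG.splitlines())
    for uid, s in sorted(local.items()):
        print(f"uid {uid}: {s['messages']} messages, {s['recipients']} recipients, "
              f"senders={dict(s['senders'])}")
    for ip, s in sorted(remote.items()):
        print(f"client {ip}: {s['messages']} messages, {s['recipients']} recipients")
    print("local uids worth a closer look:", suspicious_local_uids(local))
```

Run it against a real log with `attribute(open('/var/log/mail.log'))`; a uid that maps to the web server user (`getent passwd 33`) and is queueing hundreds of recipients points at a script on a hosted site rather than at backscatter from forged sender addresses, which never produces pickup lines at all.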
Yes, but to go from zero to roughly 75 bounced emails in an hour it is an indication that SOMETHING changed and I have become a target. Successful or otherwise. What's the location of my mail log and I'll post?
Please have a look at your directory /var/log/. You can follow the activities within your log file with the command: tail -f /var/log/mail.log (press Ctrl+C to exit your session).
main.cf contents

Here's the /etc/postfix/main.cf content. I have removed my domain references and replaced them with xxx. I'm also working on getting the mail log when I figure out where it is.

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = isp.xxx.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = isp.xxx.net, localhost.xxx.net, , localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_una$
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
virtual_maps = hash:/etc/postfix/virtusertable
mydestination = /etc/postfix/local-host-names
mail log

Here is an excerpt from my mail log. I tried to go back to when the problem was at its worst yesterday, but it appears the log doesn't retain information that long. The number of bounced spam messages has slowed quite a bit in the past 24 hours.

Code:
Jan 17 00:14:59 isp postfix/smtpd[8464]: connect from ftp.dbldistributing.com[208.51.73.51]
Jan 17 00:15:00 isp postfix/smtpd[8464]: 32EA73E02F1: client=ftp.dbldistributing.com[208.51.73.51]
Jan 17 00:15:00 isp postfix/cleanup[8469]: 32EA73E02F1: message-id=<[email protected]>
Jan 17 00:15:02 isp postfix/qmgr[8170]: 32EA73E02F1: from=<[email protected]>, size=100369, nrcpt=1 (queue active)
Jan 17 00:15:02 isp postfix/smtpd[8464]: disconnect from ftp.dbldistributing.com[208.51.73.51]
Jan 17 00:15:06 isp postfix/pickup[8169]: 04FC53E033A: uid=10010 from=<web11_>
Jan 17 00:15:06 isp postfix/cleanup[8469]: 04FC53E033A: message-id=<[email protected]>
Jan 17 00:15:06 isp postfix/qmgr[8170]: 04FC53E033A: from=<[email protected]>, size=386, nrcpt=1 (queue active)
Jan 17 00:15:07 isp postfix/local[8491]: 04FC53E033A: to=<[email protected]>, relay=local, delay=1.1, delays=0.05/0.01/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:15:07 isp postfix/qmgr[8170]: 04FC53E033A: removed
Jan 17 00:15:17 isp postfix/local[8470]: 32EA73E02F1: to=<[email protected]>, orig_to=<[email protected]>, relay=local, delay=18, delays=2.6/0.01/0/15, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:15:17 isp postfix/qmgr[8170]: 32EA73E02F1: removed
Jan 17 00:15:49 isp postfix/smtpd[8464]: connect from unknown[62.117.127.3]
Jan 17 00:15:49 isp postfix/smtpd[8464]: 6544B3E02F1: client=unknown[62.117.127.3]
Jan 17 00:15:49 isp postfix/cleanup[8469]: 6544B3E02F1: message-id=<000701c858d0$06620afc$d433d496@csblewno>
Jan 17 00:15:49 isp postfix/qmgr[8170]: 6544B3E02F1: from=<[email protected]>, size=880, nrcpt=1 (queue active)
Jan 17 00:15:49 isp postfix/local[8491]: warning: required alias not found: postmaster
Jan 17 00:15:49 isp postfix/local[8491]: 6544B3E02F1: to=<[email protected]>, relay=local, delay=0.37, delays=0.37/0/0/0, dsn=2.0.0, status=sent (discarded)
Jan 17 00:15:49 isp postfix/qmgr[8170]: 6544B3E02F1: removed
Jan 17 00:15:49 isp postfix/smtpd[8464]: disconnect from unknown[62.117.127.3]
Jan 17 00:17:49 isp postfix/smtpd[8546]: connect from unknown[58.187.120.65]
Jan 17 00:19:13 isp postfix/smtpd[8564]: connect from unknown[123.253.132.236]
Jan 17 00:19:15 isp postfix/smtpd[8564]: 87CD23E02F1: client=unknown[123.253.132.236]
Jan 17 00:19:16 isp postfix/cleanup[8566]: 87CD23E02F1: message-id=<[email protected]>
Jan 17 00:19:16 isp postfix/qmgr[8170]: 87CD23E02F1: from=<[email protected]>, size=1260, nrcpt=1 (queue active)
Jan 17 00:19:17 isp postfix/smtpd[8564]: disconnect from unknown[123.253.132.236]
Jan 17 00:19:21 isp postfix/local[8569]: 87CD23E02F1: to=<[email protected]>, orig_to=<[email protected]>, relay=local, delay=5.9, delays=0.79/0.01/0/5.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:19:21 isp postfix/qmgr[8170]: 87CD23E02F1: removed
Jan 17 00:21:35 isp postfix/smtpd[8599]: warning: 201.209.4.30: hostname 201-209-4-30.genericrev.cantv.net verification failed: Name or service not known
Jan 17 00:21:35 isp postfix/smtpd[8599]: connect from unknown[201.209.4.30]
Jan 17 00:21:36 isp postfix/smtpd[8599]: 0F0043E030C: client=unknown[201.209.4.30]
Jan 17 00:21:36 isp postfix/cleanup[8601]: 0F0043E030C: message-id=<[email protected]>
Jan 17 00:21:36 isp postfix/qmgr[8170]: 0F0043E030C: from=<[email protected]>, size=1248, nrcpt=1 (queue active)
Jan 17 00:21:36 isp postfix/smtpd[8599]: disconnect from unknown[201.209.4.30]
If spammers are using your domain in the sender address, then there's nothing you can do about it. They can send their spam from other servers, but the bounces go to your server.
Yes but I'm not certain that's all they are doing. Are you? It appeared from the logs that they attained one of the ISPconfig account names (ie: web2_bob) and were sending with that. That is not something that would typically be visible to someone that just tried spoofing an email address (ie: [email protected]).
Just my brief thoughts on this:

Firstly, you can find older log files in the same directory as the maillog, but with different suffixes - on my system the relevant files are in /var/log:

Code:
[root@mail ~]# ls -al /var/log/mail*
-rw------- 1 root root 835677 Jan 19 17:18 /var/log/maillog
-rw------- 1 root root 182263 Jan 13 04:06 /var/log/maillog.1
-rw------- 1 root root 184045 Jan  6 04:06 /var/log/maillog.2
-rw------- 1 root root 155908 Dec 30 04:06 /var/log/maillog.3
-rw------- 1 root root  98734 Dec 23 04:06 /var/log/maillog.4

You will see from the dates that the log rotates every few days when it gets beyond a certain size, and the old one gets archived (as /var/log/maillog.x); the bigger 'x' is, the older the file. On my system, it only keeps 4 copies.

Also, with reference to your worries about spam, I would say that you are very likely to see ISPConfig usernames in the log files, simply because the incoming e-mail addresses at some point get rewritten to that. Just because you're seeing those usernames doesn't necessarily mean anything's wrong - you would see those even if you received a normal mail.

What generally happens in these cases is that a third party sends out SPAM mail using an address on one of your domains as the sending address. This kind of sender forgery is unfortunately very common, and the mere fact that the domain is even registered is often enough for spammers to have a go. Of course the vast majority of this spam is sent to non-existent addresses, or gets bounced by a spam filter, so your mailserver, as the one genuinely responsible for handling mail for the domain, gets hit with the bounces. This is sometimes called "backscatter", and simply handling the volume can present problems for any system administrator.

I think the important things are to check that you really are not an open relay (i.e. anyone can send using your SMTP server) - Hans provided a good link to a site which tests that - and also to make sure you haven't got any misbehaving CGI/PHP programs running on your server. Common examples of these would be feedback forms on websites - they usually provide a mechanism for sending e-mail to an address configured in the form's hidden fields, which can often be used maliciously for spamming. Older versions of formmail.pl had this problem, but it's been fixed in newer versions. Any custom written scripts might have this problem of course! The golden rule really should be never send e-mail to an address given in a web form...

Hope all that is some sort of help!

Neil
Antispam solution / add in postfix main.cf, stops 90% of all spam

Code:
myhostname = host.domain.com
myorigin = host.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = host.domain.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command =
mailbox_size_limit = 0
recipient_delimiter = +
#inet_interfaces = all
inet_interfaces = host.domain.com localhost
inet_protocols = ipv4
message_size_limit = 10485760
notify_classes = resource, software
bounce_size_limit = 1024
invalid_hostname_reject_code = 554
access_map_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
non_fqdn_reject_code = 554
unknown_sender_reject_code = 554
unverified_sender_reject_code = 554
unverified_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
multi_recipient_bounce_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
disable_vrfy_command = yes
smtpd_restriction_classes = verify_sender
verify_sender = reject_unverified_sender, permit

## in order of processing: restrictions/anti-spam
smtpd_client_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client list.dsbl.org,
# reject_unknown_client

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    regexp:/etc/postfix/helo.regexp,
    permit

smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains,
    permit_tls_all_clientcerts,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    reject_unknown_sender_domain

smtpd_delay_reject = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    check_sender_access hash:/etc/postfix/verify_sender.map,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client bogusmx.rfc-ignorant.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
# reject_rbl_client cbl.anti-spam.org.cn,
# reject_rbl_client blackholes.five-ten-sg.com,
# reject_rbl_client dnsbl.ahbl.org,
# reject_rbl_client dnsbl.njabl.org,
# reject_rbl_client multi.surbl.org,
# reject_rbl_client bl.spamcop.net,
# reject_rbl_client cbl.abuseat.org,
# reject_rbl_client ix.dnsbl.manitu.net,
# reject_rbl_client l1.apews.org,
# reject_rbl_client l2.apews.org,
# reject_rbl_client t1.dnsbl.net.au,
# reject_rbl_client combined.rbl.msrbl.net,
# reject_rbl_client rabl.nuclearelephant.com,
# reject_rbl_client dnsbl.sorbs.net,
# reject_rhsbl_sender rhsbl.sorbs.net,
    reject_non_fqdn_recipient,
    reject_unauth_destination

smtpd_data_restrictions = reject_unauth_pipelining, permit

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# Left commented out: Postfix uses the last definition of a parameter, so this
# stock one-liner would otherwise replace the anti-spam list above.
#smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/
### see also local.cf from spamassassin; add a header if the user authenticated over smtp
smtpd_sasl_authenticated_header = yes
virtual_maps = hash:/etc/postfix/virtusertable
mydestination = /etc/postfix/local-host-names

Extra files:

/etc/postfix/helo.regexp

Code:
/^localhost$/                 550 Don't use my own hostname
/^host\.domain\.com$/         550 Don't use my own hostname
/^127\.0\.0\.1$/              550 Don't use my own IP address
/^\[180\.169\.9\.91]$/        550 Don't use my own IP address
/^\[180\.169\.9\.92]$/        550 Don't use my own IP address
#/^[0-9.]+$/                  550 Your software is not RFC 2821 compliant
#/^[0-9]+(\.[0-9]+){3}$/      550 Your software is not RFC 2821 compliant

/etc/postfix/verify_sender.map

Code:
## reverse-check the email addresses.
## Example: domain.extension   verify_sender
earthlink.net   verify_sender
hotmail.com     verify_sender
lycos.com       verify_sender
msn.com         verify_sender
netscape.com    verify_sender
netscape.net    verify_sender
yahoo.com       verify_sender
gmail.com       verify_sender
gmail.nl        verify_sender
live.com        verify_sender
charter.net     verify_sender

And don't forget to run postmap on verify_sender.map!!! And reload Postfix ( /etc/init.d/postfix reload ).

I'm running this setup on my company's server. Without zen.spamhaus I get about 1600 spam mails a day; with it, about 160. Adding the URIBL + verify_sender + rfc-ignorant saves again 5-8% of spam, so just 2% comes into my network, and then it goes into the antispam server. I get only 1 spam message a week for about 100 users. Good luck.

The remarked (commented-out) lines you had better leave remarked; these can block webmail of roaming users.
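Two things are easy to get wrong when pasting a list like the one above into main.cf: Postfix keeps only the last definition of a parameter, so a stock one-line smtpd_recipient_restrictions left at the bottom silently cancels the long list higher up, and a misspelled parameter name (for instance "smtpd_sender_restricitons") is simply ignored. Postfix itself reports the second case as an "unused parameter" warning in the mail log at startup. The following lint is an added example, not Postfix's or ISPConfig's own tooling; it implements Postfix's logical-line rules ('#' at column 0 is a comment, a line starting with whitespace continues the previous logical line) and checks a constructed excerpt. KNOWN_PARAMETERS is a short list of names taken from this thread, not Postfix's full parameter table, so treat its "unknown" output as hints.

```python
"""Lint a Postfix main.cf for duplicate definitions (last one wins) and for
parameter names that look like typos.  Added example; the excerpt is constructed."""
import difflib

# Constructed excerpt modelled on the configuration posted above, including the
# two pitfalls: a typo'd parameter name and a duplicated parameter.
SAMPLE_MAIN_CF = """\
# constructed excerpt
myhostname = host.domain.com
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_rbl_client zen.spamhaus.org,
# reject_rbl_client bl.spamcop.net,
    reject_non_fqdn_recipient,
    reject_unauth_destination
smtpd_sender_restricitons = permit_mynetworks, reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
"""

# Subset of parameter names seen in this thread (assumption: not the full table).
KNOWN_PARAMETERS = {
    "myhostname", "myorigin", "mydestination", "mynetworks", "relayhost",
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
    "smtpd_data_restrictions", "smtpd_sasl_auth_enable", "smtpd_helo_required",
}


def parse_main_cf(text):
    """Return [(name, value, line_no)] per logical line, in file order.
    Comment lines ('#' in column 0) are dropped even in the middle of a
    continued value; empty lines end the current logical line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#") or not raw.strip():
            continue
        if raw[0] in " \t" and entries:          # continuation of previous line
            name, value, start = entries[-1]
            entries[-1] = (name, (value + " " + raw.strip()).strip(), start)
            continue
        if "=" not in raw:
            raise ValueError(f"line {no}: not a parameter assignment: {raw!r}")
        name, value = raw.split("=", 1)
        entries.append((name.strip(), value.strip(), no))
    return entries


def effective(entries):
    """The configuration as Postfix resolves it: the last definition wins."""
    return {name: value for name, value, _ in entries}


def overridden(entries):
    """[(name, [shadowed line numbers], winning line number)] for every
    parameter that is defined more than once."""
    lines = {}
    for name, _, no in entries:
        lines.setdefault(name, []).append(no)
    return [(n, ls[:-1], ls[-1]) for n, ls in lines.items() if len(ls) > 1]


def unknown_parameters(entries):
    """[(name, line_no, closest known name or None)] for names not in
    KNOWN_PARAMETERS; the hint makes a one-letter typo obvious."""
    out = []
    for name, _, no in entries:
        if name not in KNOWN_PARAMETERS:
            hint = difflib.get_close_matches(name, KNOWN_PARAMETERS, n=1)
            out.append((name, no, hint[0] if hint else None))
    return out


if __name__ == "__main__":
    entries = parse_main_cf(SAMPLE_MAIN_CF)
    for name, shadowed, winner in overridden(entries):
        print(f"{name}: line(s) {shadowed} are overridden by line {winner}")
    for name, no, hint in unknown_parameters(entries):
        print(f"line {no}: unknown parameter {name!r}" + (f" (did you mean {hint!r}?)" if hint else ""))
    print("effective smtpd_recipient_restrictions =",
          effective(entries)["smtpd_recipient_restrictions"])
```

On a live system the authoritative check is `postconf -n`, which prints the values Postfix will actually use after the last-definition rule has been applied; if the long restriction list does not appear there, a later duplicate has replaced it.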
I just got another round of bounces from spam that appears to be from my server. I'm assuming that by adding the above spam changes I'll need to change all of the 'host.domain.com' entries to match my domain(s), correct? Or are there no changes that need to be made?