Hi, My server recently been temporarily shut down by my ISP because it seem it is sending a lot of spam and I can't find the source. The mail.log shows nothing wrong. I have created a script to log the phpmail and there's also nothing wrong. I always keep an ssh "tail -f /var/www/mail.log" open to see the activity and it all looks normal. The server was built based on "The Perfect Server - Ubuntu 12.04 LTS (nginx, BIND, Dovecot, ISPConfig 3)" and some customizations for varnish, memcached, spdy and pagespeed. Not an open relay. Mailqueue (postqueue -p) is empty all the time. I'm using SSL and DKIM for clients that have email accounts, don't know if it can help. I searched the web a lot and this forum too, but still can't find what is causing this. There was A LOT of this in my mail.warn and I blocked this IP yesterday so I'm waiting the current day log on senderbase.org Code: Jul 8 18:37:47 orion postfix/smtpd[3188]: warning: unknown[185.40.4.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Jul 8 18:38:28 orion postfix/smtpd[3188]: warning: hostname hosted-by.hostgrad.ru does not resolve to address 185.40.4.32: Name or service not known PLEASE! I would really appreciate your help on this. Tell me if you need anything else. In advance: Thank you for your help and time! I'm putting the main.cf , master.cf and postconf -d|grep mynetworks in a follow up because of the 10000 caracters limit.
Here is the Postfix main.cf (I changed the domain to domainrewritten.com) : Code: # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix # TLS parameters #smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem #smtpd_tls_key_file = /etc/ssl/private/postfix.pem smtpd_tls_cert_file = /etc/nginx/conf/ssl/orion/orion-ssl-bundle.crt smtpd_tls_key_file = /etc/nginx/conf/ssl/orion/orion.key smtpd_use_tls = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. myhostname = domainrewritten.com alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases myorigin = /etc/mailname mydestination = domainrewritten.com, localhost, localhost.localdomain relayhost = mynetworks = 127.0.0.0/8 [::1]/128 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all html_directory = /usr/share/doc/postfix/html virtual_alias_domains = virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_mailbox_base = /var/vmail virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 inet_protocols = all smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_hostname, reject_invalid_hostname, reject_rbl_client, zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf smtpd_tls_security_level = may transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 virtual_transport = dovecot header_checks = regexp:/etc/postfix/header_checks mime_header_checks = regexp:/etc/postfix/mime_header_checks nested_header_checks = regexp:/etc/postfix/nested_header_checks body_checks = regexp:/etc/postfix/body_checks owner_request_special = no dovecot_destination_recipient_limit = 1 smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth content_filter = amavis:[127.0.0.1]:10024 receive_override_options = no_address_mappings message_size_limit = 0 milter_protocol = 2 milter_default_action = accept smtpd_milters = inet:localhost:12301 non_smtpd_milters = inet:localhost:12301 import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C RESOLV_MULTI=on maximal_queue_lifetime = 1h
And here is the Postfix master.cf: Code: # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - - - - smtpd #smtp inet n - - - 1 postscreen #smtpd pass - - - - - smtpd #dnsblog unix - - - - 0 dnsblog #tlsproxy unix - - - - 0 tlsproxy submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING #628 inet n - - - - qmqpd pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - - - - smtp relay unix - - - - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender} # # ==================================================================== # # Recent Cyrus versions can use the existing "lmtp" master.cf entry. # # Specify in cyrus.conf: # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 # # Specify in main.cf one or more of the following: # mailbox_transport = lmtp:inet:localhost # virtual_transport = lmtp:inet:localhost # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # Old example of delivery via Cyrus. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} dovecot unix - n n - - pipe flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
And finally, here is the "postconf -d|grep mynetworks" result: Code: mynetworks = 127.0.0.0/8 127.0.0.2/32 192.241.115.194/32 192.241.115.195/32 192.241.115.196/32 192.241.115.197/32 192.241.115.206/32 192.241.115.207/32 [::1]/128 mynetworks_style = subnet parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps postscreen_access_list = permit_mynetworks proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks} smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
Here the result of "netstat -ntap" command: I've change the IPs of the VPS to 111.111.111.111 - 111.111.111.116 and my IP to 55.55.55.55. I'm not sure what to look at in this big list. Part 1/3 Code: Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:9012 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9013 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1862/pure-ftpd (SER tcp 0 0 111.111.111.116:53 0.0.0.0:* LISTEN 800/named tcp 0 0 111.111.111.115:53 0.0.0.0:* LISTEN 800/named tcp 0 0 111.111.111.114:53 0.0.0.0:* LISTEN 800/named tcp 0 0 111.111.111.113:53 0.0.0.0:* LISTEN 800/named tcp 0 0 111.111.111.112:53 0.0.0.0:* LISTEN 800/named tcp 0 0 111.111.111.111:53 0.0.0.0:* LISTEN 800/named tcp 0 0 127.0.0.2:53 0.0.0.0:* LISTEN 800/named tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 800/named tcp 0 0 127.0.0.1:9014 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 644/sshd tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 14083/master tcp 0 0 127.0.0.1:9017 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 800/named tcp 0 0 127.0.0.1:9018 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9019 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 11458/nginx tcp 0 0 127.0.0.1:9021 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9022 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN 741/dovecot tcp 0 0 127.0.0.1:9023 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9024 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9025 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 741/dovecot tcp 0 0 127.0.0.1:9026 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:6082 0.0.0.0:* LISTEN 11506/varnishd tcp 0 0 127.0.0.1:9027 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 741/dovecot tcp 0 0 127.0.0.1:9028 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9029 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9030 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9031 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9032 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 0.0.0.0:8008 0.0.0.0:* LISTEN 11458/nginx ...
Part 2/3 Code: tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 941/amavisd (master tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 14083/master tcp 0 0 127.0.0.1:9033 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9034 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 14083/master tcp 0 0 127.0.0.1:9035 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 11586/memcached tcp 0 0 127.0.0.1:9036 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9037 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:12301 0.0.0.0:* LISTEN 1740/opendkim tcp 0 0 127.0.0.1:9038 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 741/dovecot tcp 0 0 127.0.0.1:9039 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 945/spamd.pid tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 741/dovecot tcp 0 0 127.0.0.1:9040 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11507/varnishd tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 11458/nginx tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 14083/master tcp 0 0 127.0.0.1:9041 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9042 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9010 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9043 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 127.0.0.1:9011 0.0.0.0:* LISTEN 11562/php-fpm.conf) tcp 0 0 111.111.111.111:80 55.55.55.55:51890 TIME_WAIT - tcp 0 0 127.0.0.1:40473 127.0.0.1:11211 ESTABLISHED 11666/php-fpm: pool tcp 0 0 127.0.0.1:42577 127.0.0.1:11211 ESTABLISHED 11462/nginx: worker tcp 0 0 127.0.0.1:34725 127.0.0.1:11211 ESTABLISHED 11662/php-fpm: pool tcp 0 0 111.111.111.111:993 55.55.55.55:51112 ESTABLISHED 9180/imap-login tcp 0 0 111.111.111.111:80 55.55.55.55:51893 TIME_WAIT - tcp 0 0 127.0.0.1:47501 127.0.0.1:3306 ESTABLISHED 15000/amavisd (ch14 tcp 0 0 127.0.0.1:11211 127.0.0.1:40473 ESTABLISHED 11586/memcached tcp 0 0 111.111.111.111:80 55.55.55.55:51892 TIME_WAIT - tcp 0 0 111.111.111.111:993 55.55.55.55:50978 ESTABLISHED 9149/imap-login tcp 0 0 127.0.0.1:11211 127.0.0.1:36302 ESTABLISHED 11586/memcached tcp 0 0 127.0.0.1:34690 127.0.0.1:11211 ESTABLISHED 11659/php-fpm: pool tcp 0 0 127.0.0.1:11211 127.0.0.1:54818 ESTABLISHED 11586/memcached tcp 0 0 127.0.0.1:36302 127.0.0.1:11211 ESTABLISHED 11672/php-fpm: pool tcp 0 0 127.0.0.1:11211 127.0.0.1:54442 ESTABLISHED 11586/memcached tcp 0 0 111.111.111.111:993 55.55.55.55:51010 ESTABLISHED 9170/imap-login tcp 0 0 111.111.111.111:993 55.55.55.55:64038 ESTABLISHED 10553/imap-login tcp 0 0 127.0.0.1:8008 127.0.0.1:41822 ESTABLISHED 11461/nginx: worker tcp 0 0 111.111.111.111:993 55.55.55.55:50974 ESTABLISHED 9147/imap-login tcp 0 0 127.0.0.1:35752 127.0.0.1:11211 ESTABLISHED 11667/php-fpm: pool tcp 0 0 127.0.0.1:11211 127.0.0.1:46969 ESTABLISHED 11586/memcached tcp 0 0 111.111.111.111:993 55.55.55.55:51028 ESTABLISHED 9172/imap-login tcp 0 0 127.0.0.1:8008 127.0.0.1:41892 ESTABLISHED 11461/nginx: worker tcp 0 0 127.0.0.1:35634 127.0.0.1:11211 ESTABLISHED 11669/php-fpm: pool tcp 0 0 127.0.0.1:34691 127.0.0.1:11211 ESTABLISHED 11660/php-fpm: pool tcp 0 8304 111.111.111.111:22 55.55.55.55:51898 ESTABLISHED 10647/1 tcp 0 0 127.0.0.1:8008 127.0.0.1:41896 ESTABLISHED 11461/nginx: worker tcp 0 0 127.0.0.1:11211 127.0.0.1:38621 ESTABLISHED 11586/memcached tcp 0 0 111.111.111.111:57383 50.31.164.146:443 TIME_WAIT - tcp 0 0 111.111.111.111:993 142.169.78.168:22499 ESTABLISHED 9088/imap-login tcp 0 0 127.0.0.1:39290 127.0.0.1:11211 ESTABLISHED 11664/php-fpm: pool tcp 0 0 111.111.111.113:143 174.89.228.175:1406 ESTABLISHED 9381/imap-login tcp 0 0 111.111.111.111:80 70.28.30.241:1511 ESTABLISHED 11507/varnishd tcp 0 0 127.0.0.1:41892 127.0.0.1:8008 ESTABLISHED 11507/varnishd tcp 0 0 127.0.0.1:43948 127.0.0.1:3306 ESTABLISHED 14691/amavisd (ch16 tcp 0 0 127.0.0.1:54442 127.0.0.1:11211 ESTABLISHED 11461/nginx: worker tcp 0 0 127.0.0.1:34679 127.0.0.1:11211 ESTABLISHED 11658/php-fpm: pool ...
Part 3/3 Code: tcp 0 0 111.111.111.113:993 54.200.133.165:47501 ESTABLISHED 1397/imap-login tcp 0 0 127.0.0.1:41896 127.0.0.1:8008 ESTABLISHED 11507/varnishd tcp 0 0 127.0.0.1:41818 127.0.0.1:8008 ESTABLISHED 11507/varnishd tcp 0 0 127.0.0.1:48026 127.0.0.1:11211 ESTABLISHED 11459/nginx: worker tcp 0 0 127.0.0.1:41822 127.0.0.1:8008 ESTABLISHED 11507/varnishd tcp 0 0 127.0.0.1:34701 127.0.0.1:11211 ESTABLISHED 11661/php-fpm: pool tcp 0 0 111.111.111.111:80 55.55.55.55:51891 TIME_WAIT - tcp 0 0 111.111.111.113:993 54.200.133.165:46011 ESTABLISHED 9658/imap-login tcp 0 0 111.111.111.111:80 55.55.55.55:51895 TIME_WAIT - tcp 0 0 127.0.0.1:11211 127.0.0.1:35752 ESTABLISHED 11586/memcached tcp 0 0 111.111.111.111:80 70.28.30.241:1512 ESTABLISHED 11507/varnishd tcp 0 0 127.0.0.1:11211 127.0.0.1:35634 ESTABLISHED 11586/memcached tcp 0 0 127.0.0.1:11211 127.0.0.1:34679 ESTABLISHED 11586/memcached tcp 0 0 127.0.0.1:11211 127.0.0.1:48026 ESTABLISHED 11586/memcached tcp 0 0 127.0.0.1:8008 127.0.0.1:41894 ESTABLISHED 11461/nginx: worker tcp 0 0 111.111.111.111:993 55.55.55.55:64039 ESTABLISHED 10555/imap-login tcp 0 0 127.0.0.1:41285 127.0.0.1:8008 TIME_WAIT - tcp 0 0 111.111.111.111:993 55.55.55.55:50977 ESTABLISHED 9148/imap-login tcp 0 0 111.111.111.113:143 174.89.228.175:1456 ESTABLISHED 9390/imap-login tcp 0 0 127.0.0.1:11211 127.0.0.1:39290 ESTABLISHED 11586/memcached tcp 0 0 111.111.111.111:80 70.28.30.241:1513 ESTABLISHED 11507/varnishd tcp 0 0 127.0.0.1:11211 127.0.0.1:39885 ESTABLISHED 11586/memcached tcp 0 0 111.111.111.111:80 70.28.30.241:1510 ESTABLISHED 11507/varnishd tcp 0 0 111.111.111.111:443 46.20.45.18:60836 TIME_WAIT - tcp 0 0 127.0.0.1:11211 127.0.0.1:34725 ESTABLISHED 11586/memcached tcp 0 0 111.111.111.111:993 55.55.55.55:50975 ESTABLISHED 9151/imap-login tcp 0 0 127.0.0.1:41895 127.0.0.1:8008 ESTABLISHED 11507/varnishd tcp 0 0 111.111.111.113:143 174.89.228.175:1458 ESTABLISHED 9394/imap-login tcp 0 0 111.111.111.111:993 55.55.55.55:64040 ESTABLISHED 10558/imap-login tcp 0 0 127.0.0.1:38621 127.0.0.1:11211 ESTABLISHED 11668/php-fpm: pool tcp 0 0 111.111.111.111:80 70.28.30.241:1508 ESTABLISHED 11507/varnishd tcp 0 0 111.111.111.113:993 24.200.139.144:45172 ESTABLISHED 10328/imap-login tcp 0 0 127.0.0.1:35012 127.0.0.1:11211 ESTABLISHED 11663/php-fpm: pool tcp 0 0 127.0.0.1:39885 127.0.0.1:11211 ESTABLISHED 11665/php-fpm: pool tcp 0 0 111.111.111.111:993 55.55.55.55:51111 ESTABLISHED 9179/imap-login tcp 0 0 111.111.111.111:55801 50.31.164.148:443 TIME_WAIT - tcp 0 0 111.111.111.113:143 174.89.228.175:1457 ESTABLISHED 9392/imap-login tcp 0 0 127.0.0.1:38707 127.0.0.1:11211 ESTABLISHED 11670/php-fpm: pool tcp 0 0 127.0.0.1:11211 127.0.0.1:34691 ESTABLISHED 11586/memcached tcp 0 0 127.0.0.1:41894 127.0.0.1:8008 ESTABLISHED 11507/varnishd tcp 0 0 111.111.111.113:143 205.151.64.16:61708 ESTABLISHED 9341/imap-login tcp 0 0 111.111.111.111:80 141.101.105.31:64866 TIME_WAIT - tcp 0 0 111.111.111.111:22 55.55.55.55:59613 ESTABLISHED 8474/3 tcp 0 0 127.0.0.1:11211 127.0.0.1:35012 ESTABLISHED 11586/memcached tcp 0 0 127.0.0.1:11211 127.0.0.1:34690 ESTABLISHED 11586/memcached tcp 0 0 127.0.0.1:46969 127.0.0.1:11211 ESTABLISHED 11671/php-fpm: pool tcp 0 0 127.0.0.1:11211 127.0.0.1:42577 ESTABLISHED 11586/memcached tcp 0 69 111.111.111.111:993 55.55.55.55:51121 ESTABLISHED 9181/imap-login tcp 0 0 127.0.0.1:11211 127.0.0.1:34701 ESTABLISHED 11586/memcached tcp 0 0 127.0.0.1:8008 127.0.0.1:41818 ESTABLISHED 11461/nginx: worker tcp 0 0 111.111.111.111:993 55.55.55.55:51591 ESTABLISHED 9948/imap-login tcp 0 0 127.0.0.1:54818 127.0.0.1:11211 ESTABLISHED 11460/nginx: worker tcp 0 0 111.111.111.111:80 70.28.30.241:1509 ESTABLISHED 11507/varnishd tcp 0 0 127.0.0.1:8008 127.0.0.1:41895 ESTABLISHED 11461/nginx: worker tcp 0 0 111.111.111.111:80 55.55.55.55:51894 TIME_WAIT - tcp 0 0 111.111.111.113:143 24.200.139.144:34953 ESTABLISHED 10331/imap tcp 0 0 127.0.0.1:11211 127.0.0.1:38707 ESTABLISHED 11586/memcached tcp 0 0 111.111.111.111:993 55.55.55.55:50976 ESTABLISHED 9150/imap-login tcp6 0 0 :::21 :::* LISTEN 1862/pure-ftpd (SER tcp6 0 0 :::53 :::* LISTEN 800/named tcp6 0 0 :::22 :::* LISTEN 644/sshd tcp6 0 0 :::25 :::* LISTEN 14083/master tcp6 0 0 ::1:953 :::* LISTEN 800/named tcp6 0 0 :::4190 :::* LISTEN 741/dovecot tcp6 0 0 :::993 :::* LISTEN 741/dovecot tcp6 0 0 ::1:6082 :::* LISTEN 11506/varnishd tcp6 0 0 :::995 :::* LISTEN 741/dovecot tcp6 0 0 :::3306 :::* LISTEN 809/mysqld tcp6 0 0 :::587 :::* LISTEN 14083/master tcp6 0 0 :::110 :::* LISTEN 741/dovecot tcp6 0 0 :::143 :::* LISTEN 741/dovecot tcp6 0 0 :::80 :::* LISTEN 11507/varnishd tcp6 0 0 :::465 :::* LISTEN 14083/master tcp6 0 0 127.0.0.1:3306 127.0.0.1:43948 ESTABLISHED 809/mysqld tcp6 0 0 127.0.0.1:3306 127.0.0.1:47501 ESTABLISHED 809/mysqld
I runned rkhunter, chkrootkit and maldet on /var/www/ directory and nothing was found. I have to say that i disabled the string length option in maldet because it was putting a lot of wordpress files in quarantine and screw the website. After some google research, it seems there were false positive: rkhunter = Checking loaded kernel modules [ Warning ] chkrootkit = Checking `bindshell'... INFECTED (PORTS: 465) master Could a script or web form exploit send a lot of mail without being logged in the php "mail.log = /var/log/phpmail.log" ?
Thats a known false positive, so you can ignore that. To find out if your server is sending spam, take a look at the mailqueue with: postqueue -p any suspicious mails there or a large amount of mails in the queue? If yes, then inspect these mails with the postcat command.
Hi, First, thank's for the help. It is REALLY appreciated. elmacus: Yes, I'm looking at senderbase everyday since the first shut down. Like I said earlier, I was waiting for the new senderbase report since I've made some change on the Postfix config, but today I see that the number of spam sent is just growing. 2015-07-07 = 2.5 2015-07-08 = 2.8 2015-07-09 = 2.9 Till: I did the postqueue -p a couple of times but it always show empty queue. Is it possible that mail is sent without letting any traces in the logs?
Yes, thats possible but it is very rare as this would mean that the mail is not send trough your mailsystem, instead an attacker would have to send the mails directly with its own smtp software from your server. Do you see any unusual activity on your server e.g. a high load or do you see suspicious outgoing connections to port 25 on other servers (check e.g. with netstat command)?
The server load is not high. htop shows Load average: 0.05 0.12 0.16 It sometime goes a little higher but I can replicate the same augmentation when browsing on a hosted wordpress website with a lot of mysql request (online catalog of around 5000 products). netstat -pnlt | grep ':25' shows: Code: tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1860/master tcp6 0 0 :::25 :::* LISTEN 1860/master ps -ef | grep 1860 shows: Code: root 1860 1 0 00:29 ? 00:00:00 /usr/lib/postfix/master postfix 1865 1860 0 00:29 ? 00:00:00 qmgr -l -t fifo -u postfix 2328 1860 0 00:30 ? 00:00:00 tlsmgr -l -t unix -u -c postfix 15721 1860 0 08:49 ? 00:00:00 pickup -l -t fifo -u -c postfix 16712 1860 0 09:23 ? 00:00:00 anvil -l -t unix -u -c root 16986 15750 0 09:34 pts/0 00:00:00 grep --color=auto 1860 Not sure if that last command is correct... Anything suspicious?
No, thats all ok. Is the server behind a router together with other servers, s that maybe another node has sent spam that has the same external IP?
It's a OpenVZ SSD Cached Linux VPS from ServerMania. But I don't think other nodes got the same IP. I have setup an SSL mail server so I highly recommend my users to setup their account through ports 993,995 and 465. Should I completely block port 25 or is it used by phpmail/web forms?
I was inspecting old form from an old html only website hosted on the server and I think it's poorly coded. What do you think? I chanded the URL to website.com Code: <FORM METHOD="POST" ACTION="http://scripts.iwebgroup.com/cgi-bin/formmail.pl" ENCTYPE="x-www-form-urlencoded"> <div align="left"> <table width="700" border="0" align="center" cellpadding="0" cellspacing="0"> <tr> <td> <center> <p> </p> <p align="center"> <input type="hidden" name="recipient" value="[email protected]"> <input type="hidden" name="subject" value="Contactez-nous"> <input type="hidden" name="redirect" value="http://www.website.com/merci.html"> <input type="hidden" name="required" value="Nom,Prenom,Ville,Courriel,Commentaires"> <input type="hidden" name="missing_fields_redirect" value="http://www.website.com/erreur.html"> </p> <p align="center"><font face="Arial, Times New Roman, Tahoma" size="3">Si vous avez des questions ou des commentaires, n'hésitez pas à nous contacter.</font> <BR> <FONT COLOR="#b9210b" SIZE="-1" FACE="Verdana">Tous les champs accompagnés d'une étoile (*) sont obligatoires</FONT> <FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">.</FONT> </p> <TABLE BORDER="0" CELLSPACING="2" CELLPADDING="2" WIDTH="100%"> <TR> <TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Nom :</FONT> </TD> <TD WIDTH="394"> <INPUT NAME="Nom" TYPE="text" id="Nom" SIZE="40" MAXLENGTH="40"> <B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B> </TD> </TR> <TR> <TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Prénom :</FONT> </TD> <TD WIDTH="394"> <INPUT NAME="Prenom" TYPE="text" id="Prenom" SIZE="40" MAXLENGTH="40"> <B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B> </TD> </TR> <TR> <TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Adresse :</FONT> </TD> <TD WIDTH="394"> <INPUT NAME="Adresse" TYPE="text" id="Adresse" SIZE="40" MAXLENGTH="80"> <B></B> </TD> </TR> <TR> <TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Ville :</FONT> </TD> <TD WIDTH="394"> <INPUT NAME="Ville" TYPE="text" id="Ville" SIZE="40" MAXLENGTH="40"> <B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B> </TD> </TR> <TR> <TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Téléphone :</FONT> </TD> <TD WIDTH="394"> <INPUT NAME="Code_regional" TYPE="text" id="Code_regional" SIZE="5" MAXLENGTH="5"> <INPUT NAME="Telephone" TYPE="text" id="Telephone" SIZE="15" MAXLENGTH="15"> <B></B> </TD> </TR> <TR> <TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Courriel :</FONT> </TD> <TD WIDTH="394"> <INPUT NAME="Courriel" TYPE="text" id="Courriel" SIZE="40" MAXLENGTH="40"> <B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B> </TD> </TR> <TR> <TD COLSPAN="2"> <P> </P> <P> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Vos commentaires ou questions :<B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT> </B> </FONT> </P> <P> <TEXTAREA NAME="Commentaires" COLS="65" ROWS="8" id="Commentaires"></TEXTAREA> </TD> </TR> <TR> <TD COLSPAN="2" ALIGN="CENTER" HEIGHT="81"> <p> <BR> <INPUT name="submit" TYPE="submit" id="submit" VALUE="Soumettre"> <INPUT NAME="nom2" TYPE="reset" VALUE="Effacer"> </p> <p> </p> <p align="center"> </p> <p align="center"> </p> </TD> </TR> </TABLE> </center> </td> </tr> </table> <!-- fin du code à insérer --> </div> </FORM>
I really hope my last post didn't not made you facepalm to death If it was the problem, I'm really sorry not to have thought about it first, but that old ugly website never came to my mind. I deleted the page were the suspicious form was and the last day senderbase log shows 0. I'll keep an eye on these reports since looking at the history also show some days with 0. I can also say that the load seems to have dropped a little. Today, the CPU started to freak out and load went up to around 0.4 - 0.6 so I looked at the logs. nginx access.log shows a A LOT of these and similar requests (I'm NOT hosting these domains): Code: 127.0.0.1 - - [11/Jul/2015:18:13:26 -0400] "GET http://img01.taobaocdn.com/bao/uploaded/i1/788371593/T2FVeiXgRbXXXXXXXX_!!788371593.jpg_460x460.jpg HTTP/1.1" 404 31 "http://item.taobao.com/item.htm?id=16921075269" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0" 127.0.0.1 - - [11/Jul/2015:18:13:46 -0400] "GET http://d6.yihaodianimg.com/V00/M01/45/54/CgQDsVSOty-AcZnzAAT0rKLfGCE44800_360x360.jpg HTTP/1.1" 404 31 "http://item.yhd.com/item/42166607" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0" 127.0.0.1 - - [11/Jul/2015:18:13:50 -0400] "GET http://gd1.alicdn.com/bao/uploaded/http://gd1.alicdn.com/bao/uploaded/i1/TB1FUbeIXXXXXaYXFXXXXXXXXXX_!!0-item_pic.jpg_400x400.jpg_.webp HTTP/1.1" 302 5 "http://item.taobao.com/item.htm?id=520531436835" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0" 127.0.0.1 - - [11/Jul/2015:18:13:28 -0400] "GET http://img04.taobaocdn.com/bao/uploaded/i4/112776785/T2KQa2XnRbXXXXXXXX_!!112776785.jpg_460x460.jpg HTTP/1.1" 404 31 "http://item.taobao.com/item.htm?id=37875871485" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0" 127.0.0.1 - - [11/Jul/2015:18:49:39 -0400] "GET http://www.baidu.com/ HTTP/1.1" 302 5 "www.baidu.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WebSaver; .NET CLR 2.0.50727)" And this too from a hosted domain: Code: 127.0.0.1 - - [11/Jul/2015:18:14:10 -0400] "GET http://real-hosted-domain.com/wp-signup.php?new=gd1.alicdn.com HTTP/1.1" 200 11463 "http://item.taobao.com/item.htm?id=37645037149" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0" 127.0.0.1 - - [11/Jul/2015:18:49:02 -0400] "GET /wp-content/plugins/contact-form-7/includes/js/scripts.js HTTP/1.0" 200 11200 "http://real-hosted-domain.com/wp-signup.php?new=www.baidu.com" "NgxNativeFetcher mod_pagespeed/1.7.30.3-3721" While "tail -f /var/log/nginx/access.log" I was looking at the fail2ban log and decided to block these IP that were mostly from China and surroundings with "iptables -A INPUT -s IP-ADDRESS -j DROP". The requests started to drop and the CPU calmed down. And me too. I didn't find anything about these weird requests. Can you tell me what that is? Thank you!
I did not changed the IP. It was really 127.0.0.1. I'm using Varnish though and the Nginx build is really basic. No --with-http_realip_module. Code: root@orion:~# nginx -V nginx version: nginx/1.5.11 built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --user=www-data --group=www-data --with-http_ssl_me --with-mail --add-module=/root/ngx_pagespeed-1.7.30.3-beta --add-module=/root/ngx_cache_purge-2.1 What I can say now is that it's been 2 days senderbase reports 0 and that my New Relic server monitor clearly show a more relax setup.
