outgoing spam, unable to identify source

Discussion in 'Installation/Configuration' started by csabo, Sep 22, 2014.

  1. csabo

    csabo New Member

    Hello,
    We get bursts of outgoing messages that, when viewed with mailq, are certainly spam (the recipients are bogus, a lot of failed deliveries). I'm unable to tell what the source of this mail is, except I'm fairly certain it's not coming from the websites being hosted (I've blocked the www user from being able to send mail). Below is what I've already checked:

    1.) auth.log only contains cron, ftp and ssh entries

    2.) mail.log and mail.info show the messages, and show connections from IPs in other countries (that are clearly not our customers), but no mention of authentication.

    3.) fail2ban has been enabled for sasl and postfix

    4.) from main.cf:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination


    I'm honestly at a loss as to how to stop this; I'm not sure if there's some loophole for unauthenticated mail to go out, or whether an account was compromised. Any help would be awesome.


    --------------------------------------------------------------------------------------------------------
    For the sake of completeness, here's the output of the common issues PHP script:

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    IP-address(es) (as per ifconfig): ***.***.***.***, ***.***.***.***, ***.***.***.***, ***.***.***.***, ***.***.***.***, ***.***.***.***, ***.***.***.***
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.0.5.3


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 5.4.4-14+deb7u14
    [INFO] php-cgi (used for cgi php in default vhost!) is version 5.4.4-14+deb7u14

    ##### PORT CHECK #####

    [WARN] Port 8080 (ISPConfig) seems NOT to be listening

    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 14562)
    [INFO] I found the following mail server(s):
    Postfix (PID 5431)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 5479)
    [INFO] I found the following imap server(s):
    Dovecot (PID 5479)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 23424)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [localhost]:9191 (32380/php-fpm:)
    [anywhere]:59783 (2039/rpc.statd)
    [localhost]:10024 (7782/amavisd-new)
    [localhost]:10025 (5431/master)
    [localhost]:9130 (37247/php-fpm:)
    [anywhere]:587 (5431/master)
    [localhost]:9164 (15824/php-fpm:)
    [localhost]:9133 (64769/php-fpm.conf))
    [localhost]:9197 (64769/php-fpm.conf))
    [localhost]:9165 (64769/php-fpm.conf))
    [anywhere]:110 (5479/dovecot)
    [anywhere]:143 (5479/dovecot)
    [localhost]:9039 (64769/php-fpm.conf))
    [localhost]:783 (3018/spamd.pid)
    [anywhere]:111 (2006/rpcbind)
    [localhost]:9104 (64769/php-fpm.conf))
    [anywhere]:10000 (4472/perl)
    [anywhere]:465 (5431/master)
    [localhost]:9043 (14929/php-fpm:)
    [localhost]:9108 (14365/php-fpm:)
    [localhost]:9044 (41879/php-fpm:)
    [anywhere]:21 (23424/pure-ftpd)
    ***.***.***.***:53 (29314/named)
    ***.***.***.***:53 (29314/named)
    ***.***.***.***:53 (29314/named)
    ***.***.***.***:53 (29314/named)
    ***.***.***.***:53 (29314/named)
    ***.***.***.***:53 (29314/named)
    ***.***.***.***:53 (29314/named)
    [localhost]:53 (29314/named)
    [anywhere]:22 (2972/sshd)
    [anywhere]:25 (5431/master)
    [localhost]:953 (29314/named)
    [localhost]:9081 (64769/php-fpm.conf))
    [localhost]:9177 (41898/php-fpm:)
    [localhost]:9018 (64769/php-fpm.conf))
    [localhost]:9087 (64769/php-fpm.conf))
    [localhost]:9183 (64769/php-fpm.conf))
    [anywhere]:993 (5479/dovecot)
    [localhost]:9026 (64769/php-fpm.conf))
    [anywhere]:10050 (2415/zabbix_agentd)
    [anywhere]:995 (5479/dovecot)
    *:*:*:*::*:3306 (5979/mysqld)
    *:*:*:*::*:587 (5431/master)
    [localhost]:110 (5479/dovecot)
    *:*:*:*::*:37102 (2039/rpc.statd)
    [localhost]:143 (5479/dovecot)
    [localhost]:111 (2006/rpcbind)
    *:*:*:*::*:80 (14562/apache2)
    *:*:*:*::*:465 (5431/master)
    *:*:*:*::*:8081 (14562/apache2)
    *:*:*:*::*:21 (23424/pure-ftpd)
    *:*:*:*::*:53 (29314/named)
    *:*:*:*::*:22 (2972/sshd)
    *:*:*:*::*:25 (5431/master)
    *:*:*:*::*:953 (29314/named)
    *:*:*:*::*:4443 (14562/apache2)
    *:*:*:*::*:443 (14562/apache2)
    *:*:*:*::*:993 (5479/dovecot)
    [localhost]:10050 (2415/zabbix_agentd)
    *:*:*:*::*:995 (5479/dovecot)

    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-dovecot-pop3imap tcp -- [anywhere]/0 [anywhere]/0 multiport dports 110,995,143,993
    fail2ban-pureftpd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 21
    fail2ban-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25
    fail2ban-postfix tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465
    fail2ban-ssh tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22
    DROP all -- ***.***.***.*** [anywhere]/0
    DROP all -- ***.***.***.*** [anywhere]/0
    DROP all -- ***.***.***.*** [anywhere]/0
    DROP all -- ***.***.***.*** [anywhere]/0
    DROP all -- ***.***.***.*** [anywhere]/0

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain fail2ban-dovecot-pop3imap (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-postfix (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-pureftpd (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-sasl (1 references)
    target prot opt source destination
    DROP all -- ***.***.***.*** [anywhere]/0
    DROP all -- ***.***.***.*** [anywhere]/0
    DROP all -- ***.***.***.*** [anywhere]/0
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0
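Point 2 of the post above (connections from foreign IPs, but "no mention of authentication") is easier to settle by joining the lines that share one queue ID in mail.log: smtpd logs the client and, when SASL was used, the sasl_username; pickup logs the local uid that injected the message; qmgr logs the envelope sender and the recipient count. The script below is an added example, not code from the thread or from ISPConfig. Its log lines are constructed (documentation IP ranges, placeholder account names and queue IDs), and the thresholds in flag_accounts are arbitrary assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed sample of Debian-style mail.log lines (not from the thread). Queue IDs,
# account names and hosts are placeholders; the IPs are documentation ranges.
SAMPLE_LOG = """\
Sep 22 10:01:02 mx postfix/smtpd[12345]: A1B2C3D4E5: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Sep 22 10:01:02 mx postfix/qmgr[5431]: A1B2C3D4E5: from=<alice@example.com>, size=2310, nrcpt=48 (queue active)
Sep 22 10:01:09 mx postfix/smtpd[12349]: B2C3D4E5F6: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=alice@example.com
Sep 22 10:01:09 mx postfix/qmgr[5431]: B2C3D4E5F6: from=<alice@example.com>, size=2298, nrcpt=50 (queue active)
Sep 22 10:02:15 mx postfix/smtpd[12350]: C3D4E5F6A7: client=mail.partner.example[192.0.2.10]
Sep 22 10:02:15 mx postfix/qmgr[5431]: C3D4E5F6A7: from=<bob@partner.example>, size=8012, nrcpt=1 (queue active)
Sep 22 10:03:40 mx postfix/pickup[5440]: D4E5F6A7B8: uid=33 from=<www-data>
Sep 22 10:03:40 mx postfix/qmgr[5431]: D4E5F6A7B8: from=<www-data@mx.example>, size=1100, nrcpt=1 (queue active)
Sep 22 10:04:01 mx postfix/qmgr[5431]: E5F6A7B8C9: from=<>, size=3400, nrcpt=1 (queue active)
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
CLIENT_RE = re.compile(r"client=([^\[\s,]+)\[([^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=([^\s,]+)")
PICKUP_RE = re.compile(r"uid=(\d+) from=<([^>]*)>")
QMGR_RE = re.compile(r"from=<([^>]*)>, size=(\d+), nrcpt=(\d+)")


def parse_mail_log(text):
    """Join the smtpd/pickup/qmgr lines of each queue ID into one record."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"entry": None, "client_ip": None, "sasl_username": None,
                                    "uid": None, "sender": None, "nrcpt": 0})
        if daemon == "smtpd":
            cm = CLIENT_RE.search(rest)
            if cm:
                rec["entry"], rec["client_ip"] = "smtpd", cm.group(2)
            sm = SASL_RE.search(rest)
            if sm:
                rec["sasl_username"] = sm.group(1)
        elif daemon == "pickup":
            pm = PICKUP_RE.search(rest)
            if pm:
                rec["entry"], rec["uid"] = "pickup", int(pm.group(1))
        elif daemon == "qmgr":
            qm = QMGR_RE.search(rest)
            if qm:
                rec["sender"], rec["nrcpt"] = qm.group(1), int(qm.group(3))
    return msgs


def classify(rec):
    """Name the submission path: bounce, SASL account, local uid, or unauthenticated client."""
    if rec["sender"] == "":              # empty envelope sender: a bounce, not the original message
        return "bounce"
    if rec["sasl_username"]:
        return "sasl:" + rec["sasl_username"]
    if rec["entry"] == "pickup":         # injected locally via sendmail(1); uid 33 is www-data on Debian
        return "local-uid:%d" % rec["uid"]
    if rec["entry"] == "smtpd":
        return "unauth-client:" + rec["client_ip"]
    return "unknown"


def summarize(text):
    """Messages, recipient count and client IPs per submission path."""
    totals = defaultdict(lambda: {"messages": 0, "recipients": 0, "client_ips": set()})
    for rec in parse_mail_log(text).values():
        t = totals[classify(rec)]
        t["messages"] += 1
        t["recipients"] += rec["nrcpt"]
        if rec["client_ip"]:
            t["client_ips"].add(rec["client_ip"])
    return dict(totals)


def flag_accounts(totals, max_recipients=40, max_ips=1):
    """SASL accounts that look compromised: many recipients, or logins from several client IPs.
    The thresholds are assumptions, not Postfix defaults."""
    return sorted(k for k, t in totals.items()
                  if k.startswith("sasl:")
                  and (t["recipients"] > max_recipients or len(t["client_ips"]) > max_ips))


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for path, t in sorted(totals.items()):
        print("%-32s msgs=%d rcpts=%d ips=%s" % (path, t["messages"], t["recipients"], sorted(t["client_ips"])))
    print("suspicious:", flag_accounts(totals))
```

Run it against the real file with `summarize(open("/var/log/mail.log").read())`. An account that submits through SASL from several unrelated client addresses with dozens of recipients per message is the usual signature of a stolen mailbox password; a large `unauth-client:` bucket instead means mail is getting in without authentication and the restrictions deserve another look; a `local-uid:33` bucket means a website is injecting mail despite the www block.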
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to check the mail headers of the mails in the mail queue with postcat. That's the only way to find the source.
     
  3. csabo

    csabo New Member

    Till,
    Thanks for the heads up. The sender field is blank in the postcat -vq output.

    I do see "Regular_text: From: MAILER-DAEMON@..." in the message contents.

    Is that of any significance?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    These are the messages that came back. Please try to find a message that got stuck when it was sent out, e.g. due to a blacklisting of your server, and not a MAILER-DAEMON message.
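The two answers above amount to one procedure: dump each queued message with `postcat -q <queue-id>`, skip the bounces (empty envelope sender, `From: MAILER-DAEMON`), and read the envelope records and the topmost `Received:` header of the rest, which record how the message entered this server. The parser below is an added example, not code from the thread or from ISPConfig. Its input is a constructed stand-in for concatenated postcat output; the `named_attribute:` names it looks for (`sasl_username`, `log_client_address`) are the ones printed by the Postfix versions I have seen and should be checked against your own postcat output.

```python
import re

# Constructed stand-in for `postcat -q` output of three queued messages (not from the
# thread): a SASL-authenticated submission, a message injected locally by uid 33, and an
# empty-sender bounce. Queue IDs, addresses and hosts are placeholders.
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS deferred/A/A1B2C3D4E5 ***
message_size:            2310             299               1               0            2310
message_arrival_time: Mon Sep 22 10:01:02 2014
named_attribute: log_ident=A1B2C3D4E5
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=alice@example.com
named_attribute: log_client_name=unknown
named_attribute: log_client_address=203.0.113.5
named_attribute: log_message_origin=unknown[203.0.113.5]
sender: alice@example.com
*** MESSAGE CONTENTS deferred/A/A1B2C3D4E5 ***
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby mx.example (Postfix) with ESMTPA id A1B2C3D4E5
\tfor <victim@example.net>; Mon, 22 Sep 2014 10:01:02 +0200 (CEST)
From: "Alice" <alice@example.com>
To: victim@example.net
Subject: constructed sample

body
*** HEADER EXTRACTED deferred/A/A1B2C3D4E5 ***
original_recipient: victim@example.net
recipient: victim@example.net
*** MESSAGE FILE END deferred/A/A1B2C3D4E5 ***
*** ENVELOPE RECORDS deferred/D/D4E5F6A7B8 ***
message_size:            1100             180               1               0            1100
named_attribute: log_ident=D4E5F6A7B8
named_attribute: rewrite_context=local
named_attribute: log_message_origin=local
sender: www-data@mx.example
*** MESSAGE CONTENTS deferred/D/D4E5F6A7B8 ***
Received: by mx.example (Postfix, from userid 33)
\tid D4E5F6A7B8; Mon, 22 Sep 2014 10:03:40 +0200 (CEST)
From: shop@mx.example
To: nobody@example.org
Subject: constructed sample

body
*** HEADER EXTRACTED deferred/D/D4E5F6A7B8 ***
recipient: nobody@example.org
*** MESSAGE FILE END deferred/D/D4E5F6A7B8 ***
*** ENVELOPE RECORDS deferred/E/E5F6A7B8C9 ***
message_size:            3400             400               1               0            3400
named_attribute: log_ident=E5F6A7B8C9
sender:
*** MESSAGE CONTENTS deferred/E/E5F6A7B8C9 ***
Received: by mx.example (Postfix)
\tid E5F6A7B8C9; Mon, 22 Sep 2014 10:04:01 +0200 (CEST)
From: MAILER-DAEMON@mx.example (Mail Delivery System)
To: alice@example.com
Subject: Undelivered Mail Returned to Sender

body
*** HEADER EXTRACTED deferred/E/E5F6A7B8C9 ***
recipient: alice@example.com
*** MESSAGE FILE END deferred/E/E5F6A7B8C9 ***
"""

SECTION_RE = re.compile(r"^\*\*\* (ENVELOPE RECORDS|MESSAGE CONTENTS|HEADER EXTRACTED|MESSAGE FILE END) (\S+) \*\*\*$")
USERID_RE = re.compile(r"\(Postfix, from userid (\d+)\)")


def parse_postcat(text):
    """Split concatenated postcat output into one record per queue file."""
    records, cur, section = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            if section == "ENVELOPE RECORDS":
                cur = {"queue_file": m.group(2), "sender": None, "attrs": {}, "headers": [], "recipients": []}
                records.append(cur)
            continue
        if cur is None:
            continue
        if section == "ENVELOPE RECORDS":
            if line.startswith("sender:"):
                cur["sender"] = line[len("sender:"):].strip()
            elif line.startswith("named_attribute:"):
                key, _, value = line[len("named_attribute:"):].strip().partition("=")
                cur["attrs"][key] = value
        elif section == "MESSAGE CONTENTS":
            if line == "":                      # blank line ends the header block; the body is not needed
                section = "BODY"
            elif line[:1] in " \t" and cur["headers"]:
                cur["headers"][-1] += " " + line.strip()   # unfold continuation lines
            else:
                cur["headers"].append(line)
        elif section == "HEADER EXTRACTED" and line.startswith("recipient:"):
            cur["recipients"].append(line[len("recipient:"):].strip())
    return records


def origin(rec):
    """How the message entered this server: envelope attributes first, topmost Received: as fallback."""
    if rec["sender"] == "":                     # null envelope sender: a bounce, skip it
        return "bounce"
    attrs = rec["attrs"]
    if attrs.get("sasl_username"):
        return "sasl:%s via %s" % (attrs["sasl_username"], attrs.get("log_client_address", "?"))
    top = next((h for h in rec["headers"] if h.lower().startswith("received:")), "")
    m = USERID_RE.search(top)
    if m:                                       # injected locally through sendmail(1) by that uid
        return "local-uid:%s" % m.group(1)
    if attrs.get("log_client_address"):
        return "unauth-client:%s" % attrs["log_client_address"]
    return "unknown"


def triage(text):
    """(queue file, origin, recipients) for every non-bounce message in the dump."""
    return [(r["queue_file"], origin(r), r["recipients"])
            for r in parse_postcat(text) if origin(r) != "bounce"]


if __name__ == "__main__":
    for queue_file, how, rcpts in triage(SAMPLE_POSTCAT):
        print(queue_file, how, ",".join(rcpts))
```

To feed it a real queue, collect the IDs from mailq and concatenate the dumps, assuming the default short (upper-case hex) queue IDs: `mailq | awk '/^[0-9A-F]+[*!]?[[:space:]]/ {sub(/[*!]$/, "", $1); print $1}' | xargs -n1 postcat -q > /tmp/queue.txt`, then `triage(open("/tmp/queue.txt").read())`. The bounces the poster found in post 3 drop out on the empty `sender:` line, and what is left names either the SASL account and client address that submitted the mail, the local uid that injected it, or an unauthenticated client.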
     
