Problems with SPAM

Discussion in 'Server Operation' started by Christovampaynes, Mar 12, 2016.

  1. Hello guys,

    I come a few days being listed in the Spamhaus CBL. CBL list reports that I have a virus on the network and that is sending emails as "localhost.localdomain". I found no viruses on workstations or any traffic destined for port 25 passing through the server.

    In search of data in the logs, I found a source, but not the cause. It is pretending to be a "spammer" trying to connect to my server.

    I need some help to find the form that is being used and how to fix.

    I have this log as rejected:

    Mar 11 10:33:15 mailgw01 postfix/smtpd[4885]: NOQUEUE: reject: RCPT from unknown[190.167.108.170]: 450 4.7.1 <170.108.167.190.d.dyn.codetel.net.do>: Helo command rejected: Host not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<170.108.167.190.d.dyn.codetel.net.do>


    Mar 11 10:06:12 mailgw01 postfix/smtpd[31614]: NOQUEUE: reject: RCPT from unknown[72.252.249.42]: 554 5.7.1 Service unavailable; Client host [72.252.249.42] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?72.252.249.42; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[72.252.249.42]>


    Mar 11 10:06:41 mailgw01 postfix/smtpd[31634]: NOQUEUE: reject: RCPT from unknown[112.196.29.187]: 554 5.7.1 Service unavailable; Client host [112.196.29.187] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?112.196.29.187; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[112.196.29.187]>



    And I have this successfully log: Have you changed the password, but it happens again.


    Mar 11 13:19:24 mailgw01 postfix/smtpd[28172]: connect from unknown[49.14.14.17]
    Mar 11 13:19:25 mailgw01 imapd: Failed to connect to socket /tmp/fam--
    Mar 11 13:19:27 mailgw01 postfix/smtpd[28172]: warning: restriction `check_policy_service' after `permit' is ignored
    Mar 11 13:19:27 mailgw01 postfix/smtpd[28172]: B49CE7F06AF: client=unknown[49.14.14.17]
    Mar 11 13:19:29 mailgw01 postfix/cleanup[25479]: B49CE7F06AF: message-id=<[email protected]>
    Mar 11 13:19:29 mailgw01 postfix/qmgr[19869]: B49CE7F06AF: from=<[email protected]>, size=5208, nrcpt=1 (queue active)
    Mar 11 13:19:29 mailgw01 postfix/pickup[26717]: 368347F06B1: uid=130 from=<[email protected]>
    Mar 11 13:19:29 mailgw01 postfix/pipe[28466]: B49CE7F06AF: to=<[email protected]>, orig_to=<[email protected]>, relay=filter, delay=1.8, delays=1.8/0/0/0.03, dsn=2.0.0, status=sent (delivered via filter service)
    Mar 11 13:19:29 mailgw01 postfix/qmgr[19869]: B49CE7F06AF: removed
    Mar 11 13:19:29 mailgw01 postfix/cleanup[27082]: 368347F06B1: message-id=<[email protected]>
    Mar 11 13:19:29 mailgw01 postfix/qmgr[19869]: 368347F06B1: from=<[email protected]>, size=5325, nrcpt=1 (queue active)
    Mar 11 13:19:29 mailgw01 postfix/virtual[27248]: 368347F06B1: to=<[email protected]>, relay=virtual, delay=0.07, delays=0.06/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
    Mar 11 13:19:29 mailgw01 postfix/qmgr[19869]: 368347F06B1: removed
    Mar 11 13:19:29 mailgw01 postfix/smtpd[28172]: disconnect from unknown[49.14.14.17]

    Thanks!
     
  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Code:
    Mar 11 13:19:27 mailgw01 postfix/smtpd[28172]: warning: restriction `check_policy_service' after `permit' is ignored
    
    looks like a messed up main.cf, please post main.cf / master.cf

    Do you have any websites hosted on your system which uses scripting languages? cgi/python/php.... ? That could also be a source if something got infected.
     
  3. thanks for the answer.
    This server has sites hosted on it. Sites in PHP. I did a scan on it, but have not found changes accordingly.

    main.cf.
    body_checks = regexp:/etc/postfix/body_checks
    header_checks = regexp:/etc/postfix/header_checks
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    append_dot_mydomain = no
    readme_directory = no
    sender_bcc_maps = hash:/etc/postfix/sender_bcc
    recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    debug_peer_level = 2
    debug_peer_list = domainclient.com.br

    myhostname = mail.domainclient.com.br
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = mail.domainclient.com.br
    mydestination = mail.domainclient.com.br, domainclient.com.br
    relayhost =
    mynetworks = 127.0.0.0/8, 192.168.0.0/16, hash:/var/lib/pop-before-smtp/hosts, IP EXTERNAL1, IPEXTERNAL2,
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    home_mailbox = Maildir/


    alias_maps = mysql:/etc/postfix/mysql-aliases.cf
    transport_maps = mysql:/etc/postfix/mysql-transport.cf
    virtual_maps = mysql:/etc/postfix/mysql-aliases.cf
    virtual_alias_maps = mysql:/etc/postfix/mysql-aliases.cf
    virtual_mailbox_base = /var/mail/virtual
    virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
    virtual_mailbox_limit = 51200000
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual-uid.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual-gid.cf

    smtpd_recipient_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/whitelist-ips,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    permit

    check_policy_service unix:private/spfcheck,
    #check_policy_service inet:127.0.0.1:60000

    # reject_rbl_client relays.ordb.org,
    # reject_rbl_client list.dsbl.org,
    # reject_rbl_client sbl-xbl.spamhaus.org

    smtpd_client_restrictions =
    permit_mynetworks,

    header_checks = regexp:/etc/postfix/header_checks
    message_size_limit = 36214400

    #local_recipient_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
    local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname

    ================================================ SMTPD AUTH
    smtpd_sasl_auth_enable = no

    bounce_queue_lifetime = 1d
    maximal_queue_lifetime = 1d

    master.cf

    #
    # Postfix master process configuration file. For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    # ==========================================================================

    #smtp inet n - - - - smtpd
    # -o content_filter=amavis-scan:[127.0.0.1]:10024
    # -o receive_override_options=no_address_mappings
    smtp inet n - - - - smtpd
    -o content_filter=filter:dummy

    submission inet n - n - - smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_sasl_application_name=smtpd
    -o broken_sasl_auth_clients=yes
    -o smtpd_reject_unlisted_sender=yes
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

    #smtps inet n - - - - smtpd
    # -o smtpd_tls_wrappermode=yes
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    #628 inet n - - - - qmqpd
    pickup fifo n - - 60 1 pickup
    cleanup unix n - - - 0 cleanup
    qmgr fifo n - n 300 1 qmgr
    #qmgr fifo n - - 300 1 oqmgr
    tlsmgr unix - - - 1000? 1 tlsmgr
    rewrite unix - - - - - trivial-rewrite
    bounce unix - - - - 0 bounce
    defer unix - - - - 0 bounce
    trace unix - - - - 0 bounce
    verify unix - - - - 1 verify
    flush unix n - - 1000? 0 flush
    proxymap unix - - n - - proxymap
    proxywrite unix - - n - 1 proxymap
    smtp unix - - - - - smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay unix - - - - - smtp
    -o smtp_fallback_relay=
    # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq unix n - - - - showq
    error unix - - - - - error
    retry unix - - - - - error
    discard unix - - - - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - - - - lmtp
    anvil unix - - - - 1 anvil
    scache unix - - - - 1 scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent. See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail unix - n n - - pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp unix - n n - - pipe
    flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n n - 2 pipe
    flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman unix - n n - - pipe
    flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
    ${nexthop} ${user}
    amavis-scan unix - - n - 5 lmtp
    -o disable_dns_lookups=yes
    -o lmtp_send_xforward_command=yes
    -o lmtp_data_done_timeout=1200
    localhost:10026 inet n - n - 5 smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o myhostname=mailgw01.domainclient.com.br

    filter unix - n n - 10 pipe
    flags=Rq user=filter null_sender=
    argv=/etc/postfix/filter -f ${sender} -- ${recipient}
     
  4. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    First thing I don't see is
    Code:
    smtpd_sender_restrictions = reject_unknown_sender_domain 
    default behaviour is to allow everything.

    Your SPF check is never done because its after a permit
    Code:
    check_policy_service unix:pivate/spfcheck
    permit
    
    permit is the default action in the end anyway.


    Edit: do you have a file /etc/mailname ? What's in it?
     
    Last edited: Mar 12, 2016
  5. It could be something?

    smtpd_sender_restrictions =
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/block,
    # Rejeita senders que não podem ser identificados
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_authenticated_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unlisted_sender,
    reject_unauth_pipelining


    About SPF check, which must be improved to make it work?
     
  6. I need to carry out this change?

    smtpd_recipient_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/whitelist-ips,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    check_policy_service unix:private/spfcheck,
    permit
     
  7. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Looks good so far if I'm not missing anything.
     
  8. I have these other settings in another email server. I will add. What do you think?

    smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_helo_access regexp:/etc/postfix/regras_ehlo,
    reject_invalid_hostname,
    reject_unauth_pipelining
    reject_non_fqdn_hostname


    smtpd_client_restrictions =
    reject_invalid_hostname,
    reject_unverified_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining


    On my initial post, the problem was happening due to not having the set smtpd_sender_restrictions?
    Can you explain the reason for this?
     
  9. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Yes, you can add those restrictions, of course.
    Well I'm not 100% sure if my usggestion will solve your issue since I did not look at all of your configuration / can only assume what you're doing at body and header checks and so on.
    ( Btw. it would be nice to put stuff in BB-Code tags like code or quote to increase readability.
    You're also mixing up seperations.
    Code:
    something = a,b,c
    something = a b c
    something = a
      b
      c
    
    are all doing the same ( don't miss the whitespaces at the 3rd example ). It's just about some style :)


    However I found a good explaination for my suggestion and other things on centos wiki.
    Seems I did miss some useful stuff

    Among this I've only seen issues regarding having mails sent with localhost.localdomain extension when postfix automatically appends
    dot mydomain ( mails without domain can come from cronjobs running and so on ) which is turned off in your config.

    Even if not, you did set your myhostname / myorigin to a valid hostname, so assumptions wether you have localhost.localdomain in your /etc/hosts or /etc/mailname probably can be ignored.

    So I tried looking for what's missing, and this has been missing, so I hope it will fix your issue.
     
    Last edited: Mar 12, 2016
    Christovampaynes likes this.
  10. I will keep indented.
    I had seen this link.

    In /etc/hosts and /etc/mailname own the FQDN.

    I will apply the changes and monitor.
    Thanks for the help.
    Hugs.
     
    ztk.me likes this.
  11. Hello guys.
    Made changes to main.cf and firewall. Still, every morning I am listed in the blacklist of http://www.abuseat.org/ - CBL. My relay is closed.
    I find nothing in the logs. Any tips on how to identify this list?
    I was looking for quickly and some forum have reported the possibility of viruses on workstations. It could be something?

    Follow the rules of FW.


     
  12. florian030

    florian030 Well-Known Member HowtoForge Supporter

    If you IP is listed on a blacklist, your server sends spam or send spam in the last days. You should scan your websites for malware (http://ispprotect.com/) and make sure, that your mailserver is not an open relay(http://mxtoolbox.com/)
     
    Christovampaynes likes this.
  13. update:
    On the possibility of some Malware.
    I've used chkrootkit, rkhunter and Lynis. But I found nothing.
     
  14. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    None of that tools are made for detecting infected wordpress plugin page beeing abused to send spam for example.
     
  15. DDArt

    DDArt Member

    Have you gone through their proper channel to request and be unlisted? There is process and steps to take in order to have your request from what I recall and explanation of what happen and steps you took to fix it.
     
  16. Hello,
    Discover a few days it was due to a compromised account. I mentioned in the first post.
    Thank you all for your help
    Hugs.
     
  17. DDArt

    DDArt Member

    You didn't mention if you went through their request for removal on their site and block list you might on. If you are on multiple lists you might need to request multiple times multiple locations. Some Auto remove you after X amount of days of no spam but no guarantee. I'm glad you found the problem, maybe someone would chime in and see if they have the munin and monit services running and if it shows the mail or traffic of emails and if you see a huge spike you know something is going on.
     
    Last edited: Mar 31, 2016
    Christovampaynes likes this.
  18. Excuse me. I did not say removal of the blacklist, every day. I spoke only of the account that has been compromised password.
    I will follow the idea of Monit. Thanks again.
     
  19. DDArt

    DDArt Member

    For email actually it is the Mailgraph.
    They have a howto here for Ubuntu and Debian works as well.
    -Link: https://www.howtoforge.com/tutorial/postfix-monitoring-with-mailgraph-on-ubuntu-14-04/
     

Share This Page