Server sending spam!

Discussion in 'Installation/Configuration' started by mattltm, Jan 14, 2016.

  1. mattltm

    mattltm Member

    5 days ago my ISPConfig server started to send spam.
    Here's an extract from the mail.info log:

    Jan 14 22:21:09 viking postfix/smtpd[8352]: connect from LIDESTRI-FO.ear2.SanJose1.Level3.net[4.16.44.54]
    Jan 14 22:21:12 viking postfix/smtpd[8352]: warning: LIDESTRI-FO.ear2.SanJose1.Level3.net[4.16.44.54]: SASL Login authentication failed: UGFzc3dvcmQ6
    Jan 14 22:21:12 viking postfix/smtpd[8352]: lost connection after AUTH from LIDESTRI-FO.ear2.SanJose1.Level3.net[4.16.44.54]
    Jan 14 22:21:12 viking postfix/smtpd[8352]: disconnect from LIDESTRI-FO.ear2.SanJose1.Level3.net[4.16.44.54]
    Jan 14 22:21:14 viking postfix/qmgr[5750]: 32946EA5A: from=<[email protected]>, size=2178, nrcpt=1 (queue active)
    Jan 14 22:21:14 viking postfix/qmgr[5750]: 79B69EA0E: from=<[email protected]>, size=2232, nrcpt=1 (queue active)
    <!--LOTS MORE LIKE THIS -->
    Jan 14 22:21:14 viking postfix/qmgr[5750]: 802B3E8FE: from=<[email protected]>, size=2214, nrcpt=1 (queue active)
    Jan 14 22:21:14 viking postfix/smtp[11764]: 79B69EA0E: host ip2in.temple.edu[155.247.166.38] refused to talk to me: 554-ip2in.temple.edu 554 Your email was Rejected. IP Address: xxx.xxx.xxx.xxx has a NEGATIVE SenderBase Reputation. We do not accept email from any MTA with a negative reputation. Contact your ISP and have them visit http://www.senderbase.org to learn how to resolve this issue.

    I've taken a look at the mail queue and ran:

    postcat /var/spool/postfix/deferred/X/XXXXXXXXXXXX

    on one of the messages. This is the returned message:

    *** ENVELOPE RECORDS /var/spool/postfix/deferred/5/56083E9FE ***
    message_size: 2191 680 1 0 2191
    message_arrival_time: Tue Jan 12 06:58:21 2016
    create_time: Tue Jan 12 06:58:21 2016
    named_attribute: log_ident=56083E9FE
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: encoding=7bit
    named_attribute: log_client_name=localhost.localdomain
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=45790
    named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost.localdomain
    named_attribute: reverse_client_name=localhost.localdomain
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=45790
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS /var/spool/postfix/deferred/5/56083E9FE ***
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by viking.serverdomin.com (Postfix) with ESMTP id 56083E9FE
    for <[email protected]>; Tue, 12 Jan 2016 06:58:21 +0000 (UTC)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.co.uk;
    h=x-mailer:date:date:message-id:subject:subject:mime-version
    :content-transfer-encoding:content-type:content-type:from:from;
    s=default; t=1452581901; x=1454396302; bh=XQLLnRAO+1CKmSQOaUFyk
    OfyFkTN8iR6ltukE12kU38=; b=7qRpvSF94YCuD27L76P1vE5XsNe4jqeX7WRxf
    k16jYZD6b/k85gmuMEIxoU8eGkMOAYmianiL+nznMgK6ZoL1qp+wj+IZA32WMG2F
    oEZb12AoTawVwJtXv8aSksLXBzIk1aJfp4qXCYzsCN5qVnN23kzw0+JYvHHylP+X
    /pAbWHRS6/5ksA0myJsKaON1wjybdIC2s95uAKi0Gv1+0DuqYqPjQNC40Gma3pAf
    tdQPK8KHRs88iOzTAJ8Z8ber64U0MwlwwDJfXKmVGDmcNQcsaT1iOK81wovaERhN
    Ut6zLttaL7dHAEjQxUEOYv0eAt0ZaQdDF+9+3cENbTcIOpKo4tpSh2SN4k5FLAIs
    WBHYAzkbh3SOd/jf6Fn060ZAkRXViqi+TssZ/n0nHURn67Nnx+1iNbip4lLchazf
    8tU5SeJEF+jU8QlsokkVYs8Dq2wErHcMwCs32F0krcWyGrxDtvRiQYFKi4DO2svB
    g771H9WioZcyXKablW+IGAbuUzYKpBG/iFsr3xNh21ILdnj1FqnR9bK+GU72WRui
    ZV2Q5wPVWVCSPt5elMHsvTwJ16J5nCC4zqQNGzh7ktxiKSGIMc12iBcceEs4yHck
    +dQ8Zk/lxSZTlP8F4/MziHJvZHyZl12qHCjjXvm8I/8ky5MJvrZUuaehh+iA0+lY
    pueo5I=
    X-Virus-Scanned: Debian amavisd-new at viking.serverdomain.com
    Received: from viking.serverdomain.com ([127.0.0.1])
    by localhost (viking.serverdomain.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id bsclRkCG0W69 for <[email protected]>;
    Tue, 12 Jan 2016 06:58:21 +0000 (UTC)
    Received: from mydomain.co.uk (unknown [117.193.118.161])
    (Authenticated sender: [email protected])
    by viking.serverdomain.com (Postfix) with ESMTPA id 83742E9FC
    for <[email protected]>; Tue, 12 Jan 2016 06:58:19 +0000 (UTC)
    From: "Tammie Calingasan" <[email protected]>
    Content-Type: text/plain;
    charset=us-ascii
    Content-Transfer-Encoding: quoted-printable
    Mime-Version: 1.0 (1.0)
    Subject: hi Anthony
    Message-Id: <[email protected]>
    Date: Tue, 12 Jan 2016 07:58:18 +0100
    To: "Anthony" <[email protected]>
    X-Mailer: iPhone Mail (10A525)

    Salutations Anthony

    http://hinhgai.net/husband.php?hope=3D1qv0d4yu5pc9s



    Tammie Calingasan
    *** HEADER EXTRACTED /var/spool/postfix/deferred/5/56083E9FE ***
    named_attribute: encoding=7bit
    *** MESSAGE FILE END /var/spool/postfix/deferred/5/56083E9FE ***

    So it looks like someone/thing is authenticating with the [email protected] account and sending email from spoofed non-existent user accounts.

    I've disabled SMTP for mydomain.co.uk and changed the mail account passwords but the emails just keep on coming!

    Where should I look next to hunt this down?
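
Two awk one-liners for triaging a mail.info log like the one above (added here as an example, not from the original post): one counts submissions per authenticated SASL user and client, which is where a stolen password shows up, the other counts failed SASL logins per client. Postfix logs a successful authenticated submission as `client=..., sasl_method=..., sasl_username=...`; the log lines below are constructed, with the addresses taken from the thread.

```shell
# Constructed sample of Postfix mail.info lines (not from the thread): one client
# submitting many messages with one stolen SASL login, one client failing logins.
SAMPLE_LOG='Jan 14 22:20:01 viking postfix/smtpd[8001]: 1A2B3E9F0: client=unknown[117.193.118.161], sasl_method=LOGIN, sasl_username=user@mydomain.co.uk
Jan 14 22:20:02 viking postfix/smtpd[8001]: 1A2B3E9F1: client=unknown[117.193.118.161], sasl_method=LOGIN, sasl_username=user@mydomain.co.uk
Jan 14 22:20:03 viking postfix/smtpd[8001]: 1A2B3E9F2: client=unknown[117.193.118.161], sasl_method=LOGIN, sasl_username=user@mydomain.co.uk
Jan 14 22:20:05 viking postfix/smtpd[8002]: 1A2B3E9F3: client=mail.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@mydomain.co.uk
Jan 14 22:21:12 viking postfix/smtpd[8352]: warning: LIDESTRI-FO.ear2.SanJose1.Level3.net[4.16.44.54]: SASL Login authentication failed: UGFzc3dvcmQ6
Jan 14 22:21:13 viking postfix/smtpd[8352]: warning: LIDESTRI-FO.ear2.SanJose1.Level3.net[4.16.44.54]: SASL Login authentication failed: UGFzc3dvcmQ6'

# Messages submitted per (SASL user, client): a stolen login shows up as one
# user sending from an unfamiliar client far more often than anyone else.
# Reads log lines on stdin; output is "count user client", busiest first.
sasl_senders() {
  awk '/sasl_username=/ {
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^client=/)        { c = $i; sub(/^client=/, "", c); sub(/,$/, "", c) }
           if ($i ~ /^sasl_username=/) { u = $i; sub(/^sasl_username=/, "", u); sub(/,$/, "", u) }
         }
         n[u " " c]++
       }
       END { for (k in n) print n[k], k }' | sort -rn
}

# Failed SASL logins per client (password guessing). Assumes IPv4 clients,
# i.e. a "name[a.b.c.d]:" token after "warning:".
failed_auths() {
  awk '/SASL .*authentication failed/ {
         if (match($0, /[^ ]+\[[0-9]+\.[0-9.]+\]:/)) {
           c = substr($0, RSTART, RLENGTH - 1); n[c]++
         }
       }
       END { for (k in n) print n[k], k }' | sort -rn
}

# Live use on the server: sasl_senders < /var/log/mail.info
printf '%s\n' "$SAMPLE_LOG" | sasl_senders
printf '%s\n' "$SAMPLE_LOG" | failed_auths
```

The client in the top line of `sasl_senders` is the one to compare against the `Received: ... (Authenticated sender: ...)` header in the queued message; if it is not a client the account owner would use, the password is in someone else's hands.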
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The emails are indeed sent by [email protected] according to the mail headers. Try to restart postfix, dovecot, courier-authdaemon, saslauthd (only the ones that exist on your server) after you changed the password of this account. It might be that the old password is cached when the server is under a high load. And delete the spam mails in the mailqueue.
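
For the "delete the spam mails in the mailqueue" step, a small helper (added here as an example, not code from Till or ISPConfig) that picks the queue IDs of every queued message with a given envelope sender out of `postqueue -p` output, ready to pipe into `postsuper -d -`. The queue listing below is constructed; the queue IDs are the ones from the log above.

```shell
# Constructed sample of "postqueue -p" output (not from the thread); "*" marks
# an active message, "!" would mark one on hold.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
32946EA5A     2178 Thu Jan 14 22:21:14  user@mydomain.co.uk
                                         victim@example.net

79B69EA0E*    2232 Thu Jan 14 22:21:14  user@mydomain.co.uk
(host ip2in.temple.edu[155.247.166.38] refused to talk to me: 554 Your email was Rejected.)
                                         someone@example.edu

AB12CD34E     1800 Thu Jan 14 22:21:20  bob@mydomain.co.uk
                                         friend@example.org

-- 6 Kbytes in 3 Requests.'

# Print the queue IDs of every message whose envelope sender is exactly $1.
# A record starts with the queue ID; fields 3-6 are the arrival time, so the
# sender is field 7. Status markers (*, !) are stripped so postsuper accepts the ID.
queue_ids_for_sender() {
  awk -v s="$1" '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $7 == s {
         id = $1; sub(/[*!]$/, "", id); print id
       }'
}

# Live use, after the password change and service restart:
#   postqueue -p | queue_ids_for_sender user@mydomain.co.uk | postsuper -d -
# Look at the list first; postsuper -d cannot be undone.
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_for_sender user@mydomain.co.uk
```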
     
  3. mattltm

    mattltm Member

    Thanks Till.

    I restarted the server and it's been fine for 24 hours.

    Am I correct in thinking that a user's iPhone has been compromised? Or could the X-Mailer be forged? It would be good if I could narrow it down to the device.
     
  4. P.Habdak

    P.Habdak New Member

    User iPhone seems to be very unsafe for username ..
     
  5. mattltm

    mattltm Member

    There is no username called "iPhone". It's the X-Mailer header that is claiming the email is being sent via iPhone Mail.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    It is unlikely that the device of a user is used to send the spam. Normally they just steal the mail account password from the device (mobile phone, windows pc or whatever) and then hand it over to a botnet that uses the login details to send spam. So in my opinion it's just a faked header and nothing that can be used to track down the device.
     
  7. nicram0

    nicram0 New Member

    Hi
    I had a similar issue. Some users were sending thousands of mails and my server was banned by many RBL servers :/
     