SPAM sent, is it from Roundcube?

Discussion in 'ISPConfig 3 Priority Support' started by Taleman, Sep 14, 2020.

  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    My server is sending spam. This snippet postcat shows for a mail in mailq:
    Code:
    regular_text: Date: Mon, 14 Sep 2020 03:53:24 -0700
    regular_text: From: Lucian Dumitrescu <[email protected]>
    regular_text: To: undisclosed-recipients:;
    regular_text: Subject: Inquiry_Autoitalia 567892
    regular_text: Message-ID: <[email protected]>
    regular_text: X-Sender: [email protected]
    regular_text: User-Agent: Roundcube Webmail/1.2.3
    pointer_record:         1118311
    regular_text: X-Spam: Yes
    
    Is it Roundcube that sends the e-mail? It does not say which account is the sender, if that is the case. Or is it the website that is cracked to send spam? I have not managed to force the user to update that WordPress site, so I am considering shutting it down until it is updated.
    Another thing: how come my e-mail server sends e-mail where the sender domain is not on my server? pflogsumm shows in "Senders by message count" 12 messages by user@some-completely-alien-domain. Can I make Rspamd or something block sending messages like those?
    ISPConfig 3.1.15p3 on Debian GNU/Linux 9.13 (stretch).
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Might be Roundcube but might also be a faked user agent. If it's sent through Roundcube, then you should see matching POST requests in the global web server access.log for each mail for Roundcube. Besides that, there should be more mail headers, or is that all?
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    There were 14000 lines in that postcat output, I posted the part I was most curious about. I can send the complete output in a private message if desired.
    I use Debian 9, where the latest version available is installed:
    Code:
    # LANG=C apt policy roundcube
    roundcube:
      Installed: 1.2.3+dfsg.1-4+deb9u7
      Candidate: 1.2.3+dfsg.1-4+deb9u7
      Version table:
     *** 1.2.3+dfsg.1-4+deb9u7 500
            500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
            100 /var/lib/dpkg/status
         1.2.3+dfsg.1-4+deb9u6 500
            500 http://debian.mirrors.ovh.net/debian stretch/main amd64 Packages
    
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Looking at the database, the roundcube database table identities has a user added today with e-mail address [email protected]. That is the sender in the spam messages I have seen today. So some cracking has been happening.
    Is it a problem if I just remove that identity in phpMyAdmin?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Not sure if that table is connected with other tables. I would make a backup of the database and then remove it.
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I assume these website access log lines are from when the cracker created that extra identity in Roundcube:
    Code:
    193.176.87.250 - - [14/Sep/2020:12:37:16 +0300] "POST /webmail/?_task=settings&_action=refresh HTTP/1.1" 200 1858 "http://www.customerdomain.fi/webmail/?_task=settings&_action=identities" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:38:17 +0300] "POST /webmail/?_task=settings&_action=refresh HTTP/1.1" 200 1858 "http://www.customerdomain.fi/webmail/?_task=settings&_action=identities" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:16 +0300] "POST /webmail/?_task=settings&_action=refresh HTTP/1.1" 200 1858 "http://www.customerdomain.fi/webmail/?_task=settings&_action=identities" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:46 +0300] "POST /webmail/ HTTP/1.1" 200 4863 "http://www.customerdomain.fi/webmail/?_task=settings&_action=edit-identity&_iid=87&_framed=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:56 +0300] "GET /webmail/?_task=mail&_mbox=INBOX HTTP/1.1" 200 10537 "http://www.customerdomain.fi/webmail/?_task=settings&_action=identities" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:57 +0300] "GET /webmail/?_task=mail&_action=getunread&_page=1&_remote=1&_unlock=0&_=1600076396085 HTTP/1.1" 200 793 "http://www.customerdomain.fi/webmail/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:57 +0300] "GET /webmail/?_task=mail&_action=list&_refresh=1&_mbox=INBOX&_remote=1&_unlock=loading1600076396255&_=1600076396084 HTTP/1.1" 200 3605 "http://www.customerdomain.fi/webmail/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:59 +0300] "GET /webmail/?_task=mail&_action=list&_refresh=1&_mbox=Trash&_page=1&_remote=1&_unlock=loading1600076398361&_=1600076396086 HTTP/1.1" 200 3301 "http://www.customerdomain.fi/webmail/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:40:02 +0300] "GET /webmail/?_task=mail&_mbox=Trash&_action=compose HTTP/1.1" 302 612 "http://www.customerdomain.fi/webmail/?_task=mail&_mbox=Trash" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
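The access log lines above show the practical problem with attributing Roundcube activity from the web server log: Roundcube sends the real `_action` (save-identity, send) in the POST body, so the save shows up as a bare `POST /webmail/` and only the Referer tells you it came from the edit-identity page. The script below is an added example (not from this thread, ISPConfig or Roundcube) that classifies such requests from a combined-format access log and groups them by client IP; it assumes Roundcube is served under `/webmail/` as here, and the sample log is constructed from the shape of the lines posted.

```shell
#!/bin/sh
# Added example, not from the thread or from Roundcube: classify Roundcube
# requests in a combined-format access log and group them by client IP.
# Roundcube posts the real _action (save-identity, send) in the request
# body, so a save is logged as just "POST /webmail/"; the Referer is what
# tells you which page it came from. Assumes Roundcube is served under
# /webmail/ as in the thread. The sample log below is constructed.

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
193.176.87.250 - - [14/Sep/2020:12:39:16 +0300] "POST /webmail/?_task=settings&_action=refresh HTTP/1.1" 200 1858 "http://www.customerdomain.fi/webmail/?_task=settings&_action=identities" "Mozilla/5.0"
193.176.87.250 - - [14/Sep/2020:12:39:46 +0300] "POST /webmail/ HTTP/1.1" 200 4863 "http://www.customerdomain.fi/webmail/?_task=settings&_action=edit-identity&_iid=87&_framed=1" "Mozilla/5.0"
193.176.87.250 - - [14/Sep/2020:12:40:02 +0300] "GET /webmail/?_task=mail&_mbox=Trash&_action=compose HTTP/1.1" 302 612 "http://www.customerdomain.fi/webmail/?_task=mail&_mbox=Trash" "Mozilla/5.0"
193.176.87.250 - - [14/Sep/2020:12:41:10 +0300] "POST /webmail/?_task=mail&_unlock=loading1600076470000&_lang=en_US HTTP/1.1" 200 1041 "http://www.customerdomain.fi/webmail/?_task=mail&_action=compose&_id=1234567" "Mozilla/5.0"
10.0.0.5 - - [14/Sep/2020:09:01:00 +0300] "GET /webmail/?_task=mail&_mbox=INBOX HTTP/1.1" 200 10537 "-" "Mozilla/5.0"
EOF

# Print "ip timestamp event" for every request that saves an identity,
# opens the composer, or submits a message.
rc_events() {
    awk -F'"' '
    {
        split($1, pre, " "); ip = pre[1]; ts = pre[4]; sub(/^\[/, "", ts)
        split($2, req, " "); method = req[1]; url = req[2]
        ref = $4; ev = ""
        if (method == "POST" && ref ~ /_action=edit-identity/) ev = "identity-saved"
        else if (method == "POST" && ref ~ /_action=compose/)  ev = "message-sent"
        else if (url ~ /_action=compose/)                      ev = "compose-opened"
        if (ev != "") print ip, ts, ev
    }' "$1"
}

# Count events per IP; one client that both edits identities and sends
# mail is the pattern seen in this thread.
rc_summary() {
    rc_events "$1" | awk '{ n[$1 " " $3]++ } END { for (k in n) print n[k], k }' | sort -rn
}

rc_summary "$SAMPLE"
```

Run it against the site's real access log with `rc_summary /var/log/ispconfig/httpd/<site>/access.log` (path is an assumption; use whatever the vhost logs to). A legitimate user editing their own signature also produces `identity-saved`, so the discriminator is the source IP and the identity-edit followed within seconds by compose and send, not the event on its own.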
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What I do not understand is how nothing in the logs shows which e-mail account is used for sending. I think I can see which website is used, but that user has several mailboxes. And the identity the cracker created in Roundcube (I removed that identity with phpMyAdmin after taking a backup of the roundcube db; so far I have not seen any side effects).
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    You might find something in the mail.log file: when the spam sender authenticates at Roundcube, then Roundcube authenticates him via IMAP. Besides that, Roundcube might provide logs as well, and the identity that you find in Roundcube might be linked to an account in Roundcube via some kind of ID.
     
  10. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Note the "Reject sender and login mismatch" setting in Server Config won't work for this until 3.2 (or recent 3.1dev), as it actually used reject_authenticated_sender_login_mismatch.

    If you set mail.add_x_header = On in your php.ini, mail sent with php's mail() function will include the script filename. I don't know if Roundcube uses that at all, or only SMTP (where it wouldn't help). But if e.g. a bug in Roundcube is being exploited to send mail, rather than an account being abused, it might prove useful.

    Ensure you have Roundcube set to send via authenticated SMTP, and the mail server should add a Received header showing what account authenticated to send the message. (Also the mail log will show the sender as @till mentioned.)
     
  11. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I found the sending mailbox account reading /var/lib/roundcube/logs/sendmail. I should have read that log first, but did not find it until now.
     
    Last edited: Sep 15, 2020
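Till's and Jesse's posts above name the two places where the sending account is recorded once Roundcube authenticates to Postfix: the `sasl_username=` on the smtpd line in mail.log, and Roundcube's own sendmail log that Taleman eventually found. The script below is an added example (not from this thread, ISPConfig or Roundcube) that pulls the per-login counts out of both, and additionally joins each SASL login to the envelope sender from the qmgr line so that the "sender and login mismatch" Jesse mentions is visible in the log even where Postfix is not yet enforcing it. Both log samples are constructed; the Roundcube line format is approximated as `User <login> [<ip>]; Message for <rcpt>; <msgid>`, so check one real line from /var/lib/roundcube/logs/sendmail before trusting the parser on production data.

```shell
#!/bin/sh
# Added example, not from the thread or from ISPConfig: work out which
# authenticated account is behind queued spam, from two constructed logs:
# Postfix mail.log (smtpd logs sasl_username= for a queue id, qmgr logs the
# envelope from=) and Roundcube's sendmail log, whose line format is
# approximated here as "User <login> [<ip>]; Message for <rcpt>; <msgid>".

MAILLOG=$(mktemp)
cat > "$MAILLOG" <<'EOF'
Sep 14 12:41:10 mail postfix/smtpd[21334]: 4C1D2A0F3E: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=info@customerdomain.fi
Sep 14 12:41:10 mail postfix/qmgr[1187]: 4C1D2A0F3E: from=<lucian@some-completely-alien-domain.example>, size=2210, nrcpt=50 (queue active)
Sep 14 12:43:02 mail postfix/smtpd[21334]: 5D2E3B1F4A: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=info@customerdomain.fi
Sep 14 12:43:02 mail postfix/qmgr[1187]: 5D2E3B1F4A: from=<lucian@some-completely-alien-domain.example>, size=2190, nrcpt=50 (queue active)
Sep 14 13:05:11 mail postfix/smtpd[21401]: 6E3F4C2A5B: client=host.example.net[203.0.113.9], sasl_method=PLAIN, sasl_username=anna@customerdomain.fi
Sep 14 13:05:11 mail postfix/qmgr[1187]: 6E3F4C2A5B: from=<anna@customerdomain.fi>, size=812, nrcpt=1 (queue active)
Sep 14 13:06:00 mail postfix/qmgr[1187]: 7F4A5D3B6C: from=<root@mail.customerdomain.fi>, size=400, nrcpt=1 (queue active)
EOF

RCLOG=$(mktemp)
cat > "$RCLOG" <<'EOF'
[14-Sep-2020 12:41:10 +0300]: User info@customerdomain.fi [193.176.87.250]; Message for a@example.org,b@example.org; <1@customerdomain.fi>
[14-Sep-2020 12:43:02 +0300]: User info@customerdomain.fi [193.176.87.250]; Message for c@example.org; <2@customerdomain.fi>
[14-Sep-2020 13:05:11 +0300]: User anna@customerdomain.fi [203.0.113.9]; Message for d@example.org; <3@customerdomain.fi>
EOF

# Per SASL login: "login total mismatches". A mismatch is an envelope
# sender that differs from the login, which is stricter than Postfix's
# reject_authenticated_sender_login_mismatch (that allows every address
# mapped to the login in smtpd_sender_login_maps).
sasl_senders() {
    awk '
    /postfix\/smtpd\[[0-9]+\]: [0-9A-Za-z]+: client=/ && /sasl_username=/ {
        qid = $6; sub(/:$/, "", qid)
        u = $0; sub(/.*sasl_username=/, "", u); sub(/[ ,].*/, "", u)
        login[qid] = u
    }
    /postfix\/qmgr\[[0-9]+\]: [0-9A-Za-z]+: from=</ {
        qid = $6; sub(/:$/, "", qid)
        if (!(qid in login)) next          # local submission, no SASL login
        f = $0; sub(/.*from=</, "", f); sub(/>.*/, "", f)
        total[login[qid]]++
        if (f != login[qid]) mismatch[login[qid]]++
    }
    END { for (u in total) printf "%s %d %d\n", u, total[u], mismatch[u] + 0 }' "$1" | sort -k2 -rn
}

# Per Roundcube login and client IP: "count login ip".
roundcube_senders() {
    awk 'match($0, /User [^ ]+ \[[^ ]+\]/) {
        s = substr($0, RSTART + 5, RLENGTH - 5)   # "login [ip]"
        sub(/ \[/, " ", s); sub(/\]$/, "", s)
        n[s]++
    } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

sasl_senders "$MAILLOG"
roundcube_senders "$RCLOG"
```

On a real server run `sasl_senders /var/log/mail.log` and `roundcube_senders /var/lib/roundcube/logs/sendmail`. The mail.log half only works once Roundcube authenticates to Postfix; with the unauthenticated port-25 setup quoted later in this thread there is no `sasl_username=` line to join on, and the Roundcube log is the only place the login is recorded.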
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I checked my /etc/roundcube/config.inc.php. It has
    Code:
    // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
    // deprecated SSL over SMTP (aka SMTPS))
    $config['smtp_port'] = 25;
    
    // SMTP username (if required) if you use %u as the username Roundcube
    // will use the current username for login
    $config['smtp_user'] = '';
    
    // SMTP password (if required) if you use %p as the password Roundcube
    // will use the current user's password for login
    $config['smtp_pass'] = '';
    
    I tried to find in Roundcube wiki what those settings mean, but did not find it. Does roundcube not authenticate at all when smtp_user is set to empty?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, as far as I know. But you can also use placeholders there: %u for the currently logged in user and %p in the password field. We had a thread here in the priority forum in the past weeks where Thom posted his example config, if I remember correctly.
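As an added illustration (not Thom's config, nor anything shipped by ISPConfig or Debian), the two Roundcube SMTP settings side by side: the posted one, and the authenticated one using the `%u`/`%p` placeholders till refers to. Paths and values beyond those quoted from config.inc.php above are assumptions.

```php
<?php
// Added example, not from the thread: the Roundcube SMTP block as posted,
// followed by the authenticated form. Only one of the two belongs in
// /etc/roundcube/config.inc.php; the later assignment wins in PHP.

// AS POSTED: Roundcube hands mail to Postfix on port 25 with no login.
// Postfix then sees only a connection from localhost, so mail.log carries no
// sasl_username= and the Received: header names no account; a login/sender
// mismatch check cannot apply because there is no login to compare with.
$config['smtp_server'] = 'localhost';
$config['smtp_port']   = 25;
$config['smtp_user']   = '';
$config['smtp_pass']   = '';

// AUTHENTICATED: submit on 587 with STARTTLS (the tls:// prefix), re-using
// the webmail login. %u and %p are Roundcube placeholders for the current
// user's IMAP username and password. Postfix now logs sasl_username= per
// message and can apply reject_authenticated_sender_login_mismatch.
$config['smtp_server'] = 'tls://localhost';
$config['smtp_port']   = 587;
$config['smtp_user']   = '%u';
$config['smtp_pass']   = '%p';
```

Two caveats. With `tls://`, Roundcube verifies the Postfix certificate, so use the hostname the certificate was issued for instead of `localhost` (or adjust `smtp_conn_options`) if the submission connection fails after the change. And on the Postfix side, the sender check Jesse refers to is `reject_authenticated_sender_login_mismatch` in `smtpd_sender_restrictions` backed by a `smtpd_sender_login_maps` lookup; per his post, ISPConfig 3.1's "Reject sender and login mismatch" option does not wire this up correctly before 3.2, so verify with `postconf -n` what is actually in effect rather than trusting the checkbox.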
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer
