As of today, all of a sudden, I've started receiving an awful lot of "fax message" email spam, redirecting me to some get_message.php page on a hacked remote server. Now I'm fairly sure the problem has arisen because the originating email address is one on my server and, as I understand it, there's no security preventing an email account on a given domain from sending mail to that domain... What surprises me is that it's started all of a sudden - I'm getting an email every minute or so!

My postfix / dovecot installation is that of the ISPconfig guide, running Ubuntu 12.04 LTS. Everything has been fine since I set it up (and I regularly apply security patches), so I'm curious why this has started all of a sudden. I've done some reading up on SASL, but to be honest, I'm not too sure where to start fixing this.

Here's a snippet of my /var/log/mail.log.

Code:
Nov 25 14:23:37 myserver postfix/smtpd[28566]: connect from unknown[184.68.44.206]
Nov 25 14:23:40 myserver postfix/smtpd[28566]: 29276D2F7: client=unknown[184.68.44.206]
Nov 25 14:23:40 myserver postfix/cleanup[28568]: 29276D2F7: message-id=<[email protected]>
Nov 25 14:23:40 myserver postfix/qmgr[3454]: 29276D2F7: from=<[email protected]>, size=999, nrcpt=1 (queue active)
Nov 25 14:23:40 myserver dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX'
Nov 25 14:23:40 myserver postfix/pipe[28569]: 29276D2F7: to=<[email protected]>, relay=dovecot, delay=0.62, delays=0.57/0.03/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 25 14:23:40 myserver postfix/qmgr[3454]: 29276D2F7: removed
Nov 25 14:23:40 myserver postfix/smtpd[28566]: disconnect from unknown[184.68.44.206]

Any idea where to start? Thanks in advance.
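The log above shows the pattern behind this kind of spam: an unknown external client hands Postfix a message whose envelope sender is an address on the server's own domain, no SASL login is recorded on the client= line, and Postfix happily delivers it locally. A quick way to measure how much of the mail.log looks like that is to correlate the smtpd client= line, the qmgr from= line and the to= lines by queue ID and flag messages where the sender domain is local but the client neither authenticated nor came from a trusted network. The script below is an added example for this thread, not code from the original post or from ISPConfig; the domain example.com, the IP addresses, the trusted-client list and the sample log lines are constructed placeholders modeled on the posted snippet.

```python
import re
from collections import defaultdict

# Assumed: the domain(s) this server hosts (placeholder, not from the original post).
LOCAL_DOMAINS = {"example.com"}
# Assumed: clients Postfix already trusts via mynetworks (e.g. a local webmail host).
TRUSTED_CLIENTS = {"127.0.0.1", "::1"}

# Constructed sample log, modeled on the original post. Three messages:
#  29276D2F7 - external client, local sender address, no SASL login (the spam pattern)
#  3A1B2C3D4 - same local sender domain, but SASL-authenticated submission (legitimate)
#  5E6F7A8B9 - injected locally via pickup (no smtpd client line at all)
SAMPLE_LOG = """\
Nov 25 14:23:37 myserver postfix/smtpd[28566]: connect from unknown[203.0.113.10]
Nov 25 14:23:40 myserver postfix/smtpd[28566]: 29276D2F7: client=unknown[203.0.113.10]
Nov 25 14:23:40 myserver postfix/qmgr[3454]: 29276D2F7: from=<fax@example.com>, size=999, nrcpt=1 (queue active)
Nov 25 14:23:40 myserver postfix/pipe[28569]: 29276D2F7: to=<alice@example.com>, relay=dovecot, delay=0.62, delays=0.57/0.03/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 25 14:23:40 myserver postfix/qmgr[3454]: 29276D2F7: removed
Nov 25 14:23:40 myserver postfix/smtpd[28566]: disconnect from unknown[203.0.113.10]
Nov 25 14:30:01 myserver postfix/smtpd[28570]: 3A1B2C3D4: client=mail.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 25 14:30:01 myserver postfix/qmgr[3454]: 3A1B2C3D4: from=<alice@example.com>, size=1200, nrcpt=1 (queue active)
Nov 25 14:30:02 myserver postfix/smtp[28571]: 3A1B2C3D4: to=<bob@example.org>, relay=mx.example.org[192.0.2.5]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 OK)
Nov 25 14:31:10 myserver postfix/pickup[1234]: 5E6F7A8B9: uid=33 from=<www-data>
Nov 25 14:31:10 myserver postfix/qmgr[3454]: 5E6F7A8B9: from=<www-data@example.com>, size=700, nrcpt=1 (queue active)
Nov 25 14:31:10 myserver postfix/pipe[28572]: 5E6F7A8B9: to=<alice@example.com>, relay=dovecot, delay=0.1, delays=0.05/0.01/0/0.04, dsn=2.0.0, status=sent (delivered via dovecot service)
"""

# smtpd logs the client once per message; SASL details are appended on the same line.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<host>[^\s,\[]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
SASL_RE = re.compile(r"sasl_username=(\S+)")
FROM_RE = re.compile(r": (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r": (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>")


def parse_postfix_log(text):
    """Group the relevant smtpd/qmgr/delivery lines by Postfix queue ID."""
    msgs = defaultdict(lambda: {"client_host": None, "client_ip": None,
                                "sasl_username": None, "sender": None, "recipients": []})
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            rec = msgs[m["qid"]]
            rec["client_host"], rec["client_ip"] = m["host"], m["ip"]
            s = SASL_RE.search(m["rest"])
            if s:
                rec["sasl_username"] = s.group(1).rstrip(",")
            continue
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]
            continue
        m = TO_RE.search(line)
        if m:
            msgs[m["qid"]]["recipients"].append(m["rcpt"])
    return dict(msgs)


def spoofed_local_senders(text, local_domains=LOCAL_DOMAINS, trusted_clients=TRUSTED_CLIENTS):
    """Return (queue_id, client_ip, sender, recipients) for messages that claim a local
    sender address but arrived from an untrusted client without SASL authentication."""
    hits = []
    for qid, rec in parse_postfix_log(text).items():
        sender = rec["sender"] or ""
        domain = sender.rpartition("@")[2].lower()
        if domain not in local_domains:
            continue
        if rec["sasl_username"]:            # authenticated submission: legitimate user
            continue
        if rec["client_ip"] is None:        # no smtpd client line (pickup/local injection)
            continue                        # not spoofing over SMTP; check the script instead
        if rec["client_ip"] in trusted_clients:
            continue
        hits.append((qid, rec["client_ip"], sender, rec["recipients"]))
    return hits


if __name__ == "__main__":
    for qid, ip, sender, rcpts in spoofed_local_senders(SAMPLE_LOG):
        print(f"{qid}: {ip} sent as <{sender}> to {rcpts} without authentication")
```

Run it against a real /var/log/mail.log with the actual hosted domains in LOCAL_DOMAINS and the mynetworks addresses in TRUSTED_CLIENTS. Messages it flags are exactly the ones an envelope-sender restriction would have stopped: Postfix does nothing about this by default, but adding reject_unauthenticated_sender_login_mismatch (or reject_sender_login_mismatch) with smtpd_sender_login_maps to smtpd_sender_restrictions makes Postfix refuse MAIL FROM addresses in your own domains unless the session authenticated as their owner. Note the caveat in the code: mail injected locally (the pickup line) never has a client= entry, so a compromised PHP script on the same box will not show up here; that case is what inspecting the queued message headers is for.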
Aha. Looks like it's not just me. http://blog.dynamoo.com/2014/11/myfax-message-from-unknown-spam-leads.html
Take a look at the mail queue with postqueue -p. If you see some spam mails in the queue, inspect their content with the postcat command. When the mails are sent over an authenticated account, then you see the authenticated header and can change the password. If the mails are sent with a php script, then you should see a php header with the name of the script.
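The two headers referred to above are "Received: ... (Authenticated sender: user@domain) by ..." (which Postfix adds when smtpd_sasl_authenticated_header = yes) and "X-PHP-Originating-Script: uid:script.php" (which PHP's mail() adds when mail.add_x_header = On in php.ini; if that setting is off, the only hint may be an "X-Mailer: PHP/..." line). When the queue is busy, reading every postcat -q output by hand is slow, so the script below classifies a message's headers automatically. It is an added example for this thread, not code from the original post, from Postfix or from ISPConfig; the header samples are constructed and the hostnames and addresses in them are placeholders.

```python
import re
from email.parser import HeaderParser

# Postfix (with smtpd_sasl_authenticated_header = yes) records the SASL login name
# inside the Received: header it generates for the submitting session.
AUTH_SENDER_RE = re.compile(r"\(Authenticated sender:\s*([^)]+)\)")


def classify_origin(raw_headers):
    """Decide how a queued message entered the system from its header block
    (the text printed by `postcat -q <QUEUEID>` before the body).

    Returns a dict with the authenticated login (if any), the PHP script name
    (if any) and a verdict: compromised_account, php_script or
    unauthenticated_or_unknown (the spoofed-sender case, handled by SMTP restrictions).
    """
    msg = HeaderParser().parsestr(raw_headers)
    result = {"authenticated_sender": None, "php_script": None,
              "verdict": "unauthenticated_or_unknown"}

    for received in msg.get_all("Received", []):
        m = AUTH_SENDER_RE.search(received)
        if m:
            result["authenticated_sender"] = m.group(1).strip()
            break

    php = msg.get("X-PHP-Originating-Script")
    if php:
        result["php_script"] = php.strip()

    if result["authenticated_sender"]:
        result["verdict"] = "compromised_account"   # change that user's password
    elif result["php_script"] or (msg.get("X-Mailer", "").startswith("PHP/")):
        result["verdict"] = "php_script"            # find and clean the script
    return result


# Constructed samples (placeholder hosts/addresses), one per case.
SAMPLE_AUTH = """\
Received: from webmail.example.com (webmail.example.com [203.0.113.5]) (Authenticated sender: bob@example.com) by myserver (Postfix) with ESMTPA id 29276D2F7 for <alice@example.com>; Tue, 25 Nov 2014 14:23:40 +0000
From: "Fax" <bob@example.com>
To: alice@example.com
Subject: Fax Message

"""

SAMPLE_PHP = """\
Received: by myserver (Postfix, from userid 33) id 5E6F7A8B9; Tue, 25 Nov 2014 14:31:10 +0000
X-PHP-Originating-Script: 33:get_message.php
From: fax@example.com
To: alice@example.com
Subject: Fax Message

"""

SAMPLE_SPOOFED = """\
Received: from unknown (unknown [203.0.113.10]) by myserver (Postfix) with ESMTP id 29276D2F7 for <alice@example.com>; Tue, 25 Nov 2014 14:23:40 +0000
From: fax@example.com
To: alice@example.com
Subject: Fax Message

"""


if __name__ == "__main__":
    for label, sample in (("auth", SAMPLE_AUTH), ("php", SAMPLE_PHP), ("spoofed", SAMPLE_SPOOFED)):
        print(label, classify_origin(sample))
```

To use it on a live queue, run postqueue -p to list queue IDs, then feed each message's headers in, for example with `postcat -q QUEUEID | sed '/^$/q' | python3 triage.py` after adding a small stdin reader; the three verdicts map directly onto the three remedies above (reset the account password, remove the script, or tighten smtpd_sender_restrictions). Keep in mind that the Received: line is only written by Postfix when smtpd_sasl_authenticated_header is enabled, so an "unauthenticated_or_unknown" verdict should be cross-checked against the sasl_username= entries in mail.log before concluding no account was involved.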
Thanks Till. I don't have any in the queue at the moment, and they have pretty much stopped now as of an hour ago. Interestingly, there were at least a dozen originating servers and whilst a few of them were flagged on spamhaus, a lot were still OK. But I'm not getting any more right now... I'll bear the postqueue in mind if/when more come in.