Sudden spam appearing

Discussion in 'Server Operation' started by tfboy, Nov 25, 2014.

  1. tfboy

    tfboy Member

    As of today, all of a sudden, I've started receiving an awful lot of "fax message" email spam, redirecting me to some get_message.php page on a hacked remote server.

    Now I'm fairly sure the problem has arisen because the originating email address is one on my server and as I understand it, there's no security preventing an email account on a given domain to send mail to that domain...

    What surprises me is that it's started all of a sudden - I'm getting an email every minute or so!

    My postfix / dovecot installation is that of the ISPconfig guide, running Ubuntu 12.0.4 LTS. Everything has been fine since I set it up (and I regularly apply security patches), so curious why this has started all of a sudden.

    I've done some reading up on SASL, but to be honest, I'm not too sure where to start fixing this.

    Here's a snippet of my /var/log/mail.log.
    Nov 25 14:23:37 myserver postfix/smtpd[28566]: connect from unknown[]
    Nov 25 14:23:40 myserver postfix/smtpd[28566]: 29276D2F7: client=unknown[]
    Nov 25 14:23:40 myserver postfix/cleanup[28568]: 29276D2F7: message-id=<[email protected]>
    Nov 25 14:23:40 myserver postfix/qmgr[3454]: 29276D2F7: from=<[email protected]>, size=999, nrcpt=1 (queue active)
    Nov 25 14:23:40 myserver dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX'
    Nov 25 14:23:40 myserver postfix/pipe[28569]: 29276D2F7: to=<[email protected]>, relay=dovecot, delay=0.62, delays=0.57/0.03/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
    Nov 25 14:23:40 myserver postfix/qmgr[3454]: 29276D2F7: removed
    Nov 25 14:23:40 myserver postfix/smtpd[28566]: disconnect from unknown[]
    Any idea where to start?
    Thanks in advance.
  2. tfboy

    tfboy Member

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    take a look at the mail que with

    postqueue -p

    if you see there some spam mails in the queue, inspect their content with postcat command. When the mails ares end over an authenticated account, then you see the authenticated header and can change the password. If the mails are send with a php script, then you should see a php header with the name of the script.
  4. tfboy

    tfboy Member

    Thanks Till.
    I don't have any in the queue at the moment, and they have pretty much stopped now as of an hour ago.
    Interestingly, there were at least a dozen originating servers and whilst a few of them were flagged on spamhaus, a lot were still OK. But I'm not getting any more right now...

    I'll bear the postqueue in mind if/when more come in.

Share This Page