Hi Mark, thanks for helping me out. Just an update about my mail server problem. I noticed that my www-data is the one sending out A LOT of stuff which I think is spam. Dunno why it's doing that. I remembered before that someone was able to hijack our servers by installing Medusa. I immediately removed it, but I think it was too late because that was the time that all this mess started to happen... being blacklisted, server sending spam, etc. If I reinstall again, can you tell me what are the "security" things that I need to ensure in my new installation so it won't happen again? Thanks in advance.
If you follow the how-to you have a good base installation. After that you can install fail2ban, rkhunter and set up a cronjob to scan your drive with clamav on a daily/weekly basis.
I have reinstalled postfix, installed fail2ban, rkhunter, and amavisd-new. I am about to change the public IP of my server, but I'm afraid that I haven't solved the problem and don't know how to prevent it from happening again. My current IP is still blacklisted so I can't test if my new setup is working. My question is, since I have determined that [email protected] is sending spam, how can I fix this? Can I block it from sending mails or filter any outgoing mail that might be spam?
If your server is still sending out spam with [email protected] .. then your machine is still compromised and you need to find out who/what is sending those mails .. it must be a process that is run through apache (www-data). Get your IP unbanned (most lists have an unban option), then switch IP, test and hf
That is my problem, I'm unable to determine who/what is sending those mails, except for the fact that it's using my www-data to send spam. Do you have any ideas where to look and how to fix it? Thanks again for your help.
With "ps flax" you can see running processes .. www-data = UID 33. It could be that there is a cgi/php script running that sends those mails .. you have to dig deeper to find the problem. If all else fails, PM me, I can take a look at your machine if you want.
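A small script that puts the "ps flax" / UID 33 check from the post above into practice: it filters ps output down to the web-server user and flags processes that look like a script or mailer, which is the usual shape of an abused contact form or web shell. This is an added example, not the thread's own commands; the sample ps output is constructed, and the UID 33 default and the sendmail/php/perl/python pattern are assumptions you should adjust for your box.

```sh
#!/bin/sh
# Added example (not from the thread). Find processes owned by the web-server
# user and flag the ones that look like spam senders.

WWW_UID=33   # www-data on Debian/Ubuntu; check with: id -u www-data

# Constructed sample of "ps flax" output (same column layout as procps):
# F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
SAMPLE_PS='F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0   812     1  20   0  71296  3800 -      Ss   ?          0:00 /usr/sbin/apache2 -k start
5    33   910   812  20   0  71700  4100 -      S    ?          0:00  \_ /usr/sbin/apache2 -k start
0    33  2231   910  20   0  18420  2200 -      S    ?          0:03      \_ /usr/bin/php /var/www/html/uploads/x.php
0    33  2240  2231  20   0  12000  1500 -      S    ?          0:00          \_ /usr/sbin/sendmail -t -i'

# procs_for_uid UID < ps_output
# Prints "PID<TAB>COMMAND" for every row whose UID column (field 2) matches.
# COMMAND is everything from field 13 on, so tree markers like "\_" are kept.
procs_for_uid() {
    awk -v uid="$1" 'NR > 1 && $2 == uid {
        cmd = $13; for (i = 14; i <= NF; i++) cmd = cmd " " $i
        print $3 "\t" cmd
    }'
}

# suspect_pids UID < ps_output
# Of those rows, print the PIDs whose command is a mailer or a script
# interpreter (assumed pattern; extend it for your site's stack).
suspect_pids() {
    procs_for_uid "$1" | awk -F '\t' '$2 ~ /sendmail|php|perl|python/ { print $1 }'
}

# Run the same check against the live host (needs procps "ps").
check_host() {
    ps flax | suspect_pids "$WWW_UID"
}

# Demo on the constructed sample; pass --live to inspect the real machine.
if [ "${1:-}" = "--live" ]; then
    check_host
else
    printf '%s\n' "$SAMPLE_PS" | suspect_pids "$WWW_UID"
fi
```

Each flagged PID can then be followed up with "ls -l /proc/PID/cwd" and "cat /proc/PID/cmdline" to see which file under the web root is doing the sending.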
I have read one post here that is similar to my issue. It says that it could be a faulty contact form on our website. So what I did is remove that component from our site and now monitor what happens next. I requested a configuration change to our DNS from our ISP, to be pointed to the new IP address that we will use. Crossing my fingers* Thanks again Mark
Yep, a contact form is also a possibility. You can add a CAPTCHA code to the form to prevent bots from abusing your form. gl!