My mail server is sending a lot of spam using my domain

5,867

Solution 1

I found the solution

The first big step towards a definitive solution came when the apache2 service was stopped: the sending of the spam mails stopped too, which means the mails were being sent from a PHP script.

The next step was to add the following lines to php.ini:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

This page helped me: https://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/

Assign the /var/log/phpmail.log file to the user and group www-data:

chgrp -R www-data /var/log/phpmail.log
chown -R www-data /var/log/phpmail.log

When the apache2 service was restarted the spam returned, but this time it was recorded in the file /var/log/phpmail.log.

Stop the apache2 service and look in /var/log/phpmail.log for the spam-causing scripts. They were PHP files that were marked as php.suspected in a WordPress folder on the Apache server (/var/www/). I deleted all those files and, since I was not using that WordPress folder, gave it the 440 permission so that it stays read-only.

After restarting the apache2 service the spam disappeared for good.
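Once php.ini has mail.log set, the log names the script and line behind every mail() call. The following is an added example (not part of the original answer or the linked blog post) that parses such a log and ranks the calling scripts, with the number of distinct recipients and From: addresses each one used, so a mass-mailing script stands out from a legitimate contact form. It assumes the line format PHP 5.3 and later write (`[timestamp] mail() on [/path/script.php:LINE]: To: ... -- Headers: ...`); the sample log lines, paths and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Line shape PHP writes when php.ini has mail.log set (assumed format, PHP 5.3+):
# [ts] mail() on [/path/script.php:LINE]: To: rcpt -- Headers: ... [-- Subject: ...]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+)(?: -- Headers: (?P<headers>.*))?$"
)
# First e-mail address following a From: header (PHP flattens CRLFs to spaces in the log).
FROM_RE = re.compile(r"From:\s*(?:[^<]*?<)?([\w.+-]+@[\w.-]+)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one mail.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"])
    fm = FROM_RE.search(rec.get("headers") or "")
    rec["from"] = fm.group(1).lower() if fm else ""
    return rec


def summarize(lines):
    """Aggregate mail() calls per calling script: call count, recipients, From: addresses."""
    stats = defaultdict(lambda: {"count": 0, "recipients": set(), "senders": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["script"]]
        entry["count"] += 1
        entry["recipients"].add(rec["to"].lower())
        if rec["from"]:
            entry["senders"].add(rec["from"])
    return dict(stats)


def rank(lines):
    """Scripts ordered by number of mail() calls, busiest first."""
    return sorted(summarize(lines).items(), key=lambda kv: (-kv[1]["count"], kv[0]))


# Constructed sample log; paths and addresses are made up for this example.
SAMPLE_LOG = """\
[29-Jan-2017 16:33:22 UTC] mail() on [/var/www/html/wp-content/uploads/2016/11/class.php:88]: To: user1@example.net -- Headers: From: Info <noreply@mydomain.com> X-Mailer: PHP/5.4.45
[29-Jan-2017 16:33:22 UTC] mail() on [/var/www/html/wp-content/uploads/2016/11/class.php:88]: To: user2@example.org -- Headers: From: Info <noreply@mydomain.com> X-Mailer: PHP/5.4.45
[29-Jan-2017 16:33:23 UTC] mail() on [/var/www/html/wp-content/uploads/2016/11/class.php:88]: To: user3@example.com -- Headers: From: Sales <sales@mydomain.com>
[29-Jan-2017 16:34:01 UTC] mail() on [/var/www/html/contact.php:41]: To: admin@mydomain.com -- Headers: From: webform@mydomain.com
this line is not a mail() entry
"""

if __name__ == "__main__":
    # With a real server, read /var/log/phpmail.log instead of SAMPLE_LOG.
    for script, s in rank(SAMPLE_LOG.splitlines()):
        print(f"{s['count']:5d}  {script}  rcpts={len(s['recipients'])}  from={sorted(s['senders'])}")
```

A script living under wp-content/uploads/ that calls mail() hundreds of times with rotating From: addresses is exactly the pattern the answer found; a contact form appears once per submission with a fixed sender. The same log can also be cross-checked against the X-PHP-Originating-Script header that mail.add_x_header = On puts into each message.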

Solution 2

Well, if www-data is sending SPAM this means that your web server has been compromised.

You should immediately stop your web server and check it for unwanted scripts and backdoors used to send SPAM.

You could use maldet (https://www.rfxn.com/projects/linux-malware-detect/) to find suspicious files.

Or use this approach: https://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/

If you want to be really safe, check your database too or make a fresh installation.


Author: Emilio Galarraga

Updated on September 18, 2022

Comments

  • Emilio Galarraga
    Emilio Galarraga almost 2 years

    A lot of spam is being sent through my mail server. The spam is using aliases that don't belong to the registered users. The mailq command output shows messages like these:

    487A1600698C2 1901 Fri Jan 27 09:35:15 [email protected] (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages from www.xxx.yyy.zzz temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)) [email protected]

    491A4600698AE 1265 Fri Jan 27 09:36:43 [email protected] (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.36] while sending RCPT TO) [email protected]

    4888D600698B9 1280 Fri Jan 27 09:34:58 [email protected] (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.36] while sending RCPT TO) [email protected]

    As you can see, even the user www-data is sending spam. I ran the command postsuper -d ALL to delete all queued emails, but this also includes the valid ones.

    I use /etc/postfix/sender_access to blacklist all aliases or unauthorized senders; actually, the file has over 8000 entries.

    This is the output of the postconf -n command:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    disable_vrfy_command = no
    inet_interfaces = all
    mailbox_size_limit = 0
    mydestination = mail, localhost.localdomain, localhost
    myhostname = mail.mydomain.com
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 172.16.16.0/24
    readme_directory = no
    recipient_delimiter = +
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = mydomain.com Microsoft Exchange Server 2003
    smtpd_client_restrictions = reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org,
    smtpd_data_restrictions = reject_multi_recipient_bounce,reject_unauth_pipelining
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,reject_non_fqdn_helo_hostname
    smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/sender_access, permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = hash:/etc/postfix/sender_access,check_sender_access hash:/etc/postfix/sender_access,permit_mynetworks, reject_sender_login_mismatch,reject_unknown_sender_domain,reject_non_fqdn_sender,permit_sasl_authenticated
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    virtual_alias_maps = ldap:/etc/postfix/ldap-alias-maps.cf
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /
    virtual_mailbox_domains = mydomain.com
    virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox-maps.cf
    virtual_minimum_uid = 100
    virtual_uid_maps = static:5000

    I need help to stop this spam, please.

    A sample of /var/log/mail.log:

    Jan 29 16:33:22 mail postfix/pickup[1960]: 312676037EE39: uid=33 from=<www-data>
    Jan 29 16:33:22 mail postfix/cleanup[64497]: 312676037EE39: message-id=<[email protected]>
    Jan 29 16:33:22 mail postfix/qmgr[60188]: 312676037EE39: from=<[email protected]>, size=783, nrcpt=1 (queue active)
    Jan 29 16:33:22 mail dovecot: imap-login: Login: user=<validuser>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2213, secured, session=<MjoQnEFH3AB/AAAB>
    Jan 29 16:33:22 mail dovecot: imap(validuser): Disconnected: Logged out in=93 out=837
    Jan 29 16:33:22 mail postfix/pickup[1960]: 4DBEB6037EE3A: uid=33 from=<www-data>
    Jan 29 16:33:22 mail postfix/cleanup[61997]: 4DBEB6037EE3A: message-id=<[email protected]>
    Jan 29 16:33:22 mail postfix/qmgr[60188]: 4DBEB6037EE3A: from=<[email protected]>, size=844, nrcpt=1 (queue active)
    

    I'm using Debian 7. I installed maldet and ran the command maldet -m /usr/local/, and it returns:

    Linux Malware Detect v1.5
                (C) 2002-2016, R-fx Networks <[email protected]>
                (C) 2016, Ryan MacDonald <[email protected]>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(13019): {mon} existing inotify process detected (try -k): 53745
    

    But I don't know how to use this information to detect a malicious script.

    • kasperd
      kasperd over 7 years
    • Michael Hampton
      Michael Hampton over 7 years
      Look up the message IDs in your mail logs to find out more information, such as where the messages came from.
    • Emilio Galarraga
      Emilio Galarraga over 7 years
      A sample of /var/log/mail.log
    • Michael Hampton
      Michael Hampton over 7 years
      Right, those messages originated with your web application, so it looks like it's been compromised.
  • Tim
    Tim over 7 years
    This is not an answer. Please edit your question to include this information.
  • Aaron Hudon
    Aaron Hudon over 6 years
    Looks like an answer to me and has some additional debugging steps.
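The comments above suggest looking up the queue IDs from mailq in /var/log/mail.log to see where each message entered Postfix. The following is an added example (not written by any of the posters) that does that correlation: it joins the pickup, smtpd and qmgr lines on the queue ID, counts messages per submission path, and lists the messages handed in locally by the web-server uid. It assumes the log line shapes visible in the question's excerpt (uid=33 is www-data on Debian); the sample log lines, queue IDs, hosts and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Postfix log shapes used here (as in the question's /var/log/mail.log excerpt):
#   postfix/pickup[pid]: QID: uid=N from=<localuser>              (local submission, e.g. PHP mail())
#   postfix/smtpd[pid]:  QID: client=host[ip], sasl_username=...   (network submission)
#   postfix/qmgr[pid]:   QID: from=<envelope-sender>, size=N, nrcpt=M (queue active)
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<client>[^,\s]+)")
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)


def correlate(lines):
    """Join pickup/smtpd/qmgr lines on the queue ID into one record per message."""
    msgs = defaultdict(dict)
    for line in lines:
        m = PICKUP_RE.search(line)
        if m:
            msgs[m["qid"]].update(origin="local", uid=int(m["uid"]), user=m["user"])
            continue
        m = SMTPD_RE.search(line)
        if m:
            msgs[m["qid"]].update(origin="smtpd", client=m["client"])
            continue
        m = QMGR_RE.search(line)
        if m:
            msgs[m["qid"]].update(sender=m["sender"], size=int(m["size"]), nrcpt=int(m["nrcpt"]))
    return dict(msgs)


def by_origin(msgs):
    """Count messages per submission path: ("local", uid, user) or ("smtpd", client)."""
    counts = Counter()
    for info in msgs.values():
        if info.get("origin") == "local":
            counts[("local", info["uid"], info["user"])] += 1
        elif info.get("origin") == "smtpd":
            counts[("smtpd", info["client"])] += 1
    return counts


def web_submissions(msgs, web_uid=33):
    """Queue IDs and envelope senders of mail handed to Postfix by the web-server uid
    (33 is www-data on Debian, matching the uid=33 from=<www-data> lines in the question)."""
    return sorted((qid, info.get("sender", ""))
                  for qid, info in msgs.items()
                  if info.get("origin") == "local" and info.get("uid") == web_uid)


# Constructed sample log modelled on the question's excerpt; IDs, hosts and addresses are made up.
SAMPLE_MAIL_LOG = """\
Jan 29 16:33:22 mail postfix/pickup[1960]: 312676037EE39: uid=33 from=<www-data>
Jan 29 16:33:22 mail postfix/cleanup[64497]: 312676037EE39: message-id=<20170129163322.312676037EE39@mail.mydomain.com>
Jan 29 16:33:22 mail postfix/qmgr[60188]: 312676037EE39: from=<bogus-alias@mydomain.com>, size=783, nrcpt=1 (queue active)
Jan 29 16:33:22 mail dovecot: imap-login: Login: user=<validuser>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Jan 29 16:33:22 mail postfix/pickup[1960]: 4DBEB6037EE3A: uid=33 from=<www-data>
Jan 29 16:33:22 mail postfix/qmgr[60188]: 4DBEB6037EE3A: from=<other-alias@mydomain.com>, size=844, nrcpt=1 (queue active)
Jan 29 16:35:10 mail postfix/pickup[1960]: 5A1B26037EE3B: uid=0 from=<root>
Jan 29 16:35:10 mail postfix/qmgr[60188]: 5A1B26037EE3B: from=<root@mail.mydomain.com>, size=512, nrcpt=1 (queue active)
Jan 29 16:36:00 mail postfix/smtpd[7001]: 6B2C36037EE3C: client=mail.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=validuser
Jan 29 16:36:00 mail postfix/qmgr[60188]: 6B2C36037EE3C: from=<validuser@mydomain.com>, size=2048, nrcpt=1 (queue active)
"""

if __name__ == "__main__":
    # With a real server, read /var/log/mail.log instead of SAMPLE_MAIL_LOG.
    msgs = correlate(SAMPLE_MAIL_LOG.splitlines())
    for key, n in by_origin(msgs).most_common():
        print(n, key)
    for qid, sender in web_submissions(msgs):
        print("web-server submission:", qid, sender)
```

Messages that arrive through pickup from uid 33 never pass smtpd_sender_restrictions or SASL, which is why the sender_access blacklist and reject_sender_login_mismatch in the posted postconf output do not stop them; the envelope sender on the qmgr line is whatever the script chose. Counting by origin makes that distinction visible before deciding what to delete from the queue.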