A lot of spam is being sent from my server using real e-mail addresses, which I find strange, as normally random fake addresses are used. Also, I would normally find an X-PHP-Originating-Script header in these e-mails, and in this case there is none. The X-Mailer value is not always the same. Here is what I have tried so far:
- I ran Linux Malware Detect, ClamScan, ISPP Scan and Rkhunter multiple times on the whole system: negative.
- I changed the passwords of the e-mail accounts, the root password of the database and the admin password of ISPConfig, without any change.
- Fail2ban is also running, and it seems to detect and ban the IPs associated with these e-mail sendings, but if I take a look at the log, there are a lot of mentions of IPs "already banned", so I'm not 100% sure it is working as it should. I could sometimes see the same IPs while running "netstat" watching port 25, so I guess they have something to do with this, but I don't know what to do.
Information about my system: Debian 6, ISPConfig 3, PHP/MySQL hosting server; Postfix + ClamAV + Amavis
Sample of spam E-mail headers:
Received: from MYHOST (localhost.localdomain [127.0.0.1])
by MYHOST (Postfix) with ESMTP id 68BBA2016422;
Thu, 23 Nov 2017 14:59:41 -0500 (EST)
Received: from 62.112.5.169 (unknown [175.223.31.212])
by MYHOST (Postfix) with ESMTP id 9F04D2016473;
Thu, 23 Nov 2017 14:59:00 -0500 (EST)
From: PayPal Update Center <support662@accounts.net>
Subject: Regarding your information
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.6429
X-Mailer: Microsoft Outlook Express 6.00.2600.6429
Message-ID: <6BE2EBA74C8F3BFC4015DDFA0986CAFC@bk5h6y0SW3h.com>
Content-Type: multipart/mixed; boundary="_NextPart_000_0077_87BE7816.3B325A4E"
Date: Thu, 23 Nov 2017 14:59:00 -0500 (EST)
postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_add_missing_headers = yes
always_bcc = mailarchive@localhost
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = scan:[127.0.0.1]:10025
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = ks4000003.ip-198-245-60.net, localhost, localhost.localdomain
myhostname = ks4000003.ip-198-245-60.net
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_destination_concurrency_limit = 5
smtp_destination_rate_delay = 1s
smtp_extra_recipient_limit = 20
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = no
smtpd_error_sleep_time = 0
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_whitelist, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_sender_access regexp:/etc/postfix/sender_access.regexp hash:/etc/postfix/sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, reject_unknown_recipient_domain, reject_unauth_destination, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client truncate.gbudb.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_client_access cidr:/etc/postfix/internal_clients_filter, permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf, hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
If I shut down Postfix and watch the Apache log, I can see things like this:
[Tue Nov 28 08:06:23 2017] [error] [client 168.1.128.35] Directory index forbidden by Options directive: /var/www/apps/
[Tue Nov 28 08:56:30 2017] [error] [client 66.249.64.210] File does not exist: /var/www/robots.txt
[Tue Nov 28 09:06:10 2017] [error] [client 169.53.184.5] Directory index forbidden by Options directive: /var/www/apps/
[Tue Nov 28 09:11:25 2017] [error] [client 66.249.64.31] File does not exist: /var/www/robots.txt
[Tue Nov 28 09:11:25 2017] [error] [client 66.249.64.4] File does not exist: /var/www/.well-known
[Tue Nov 28 09:44:14 2017] [error] [client 66.249.64.26] File does not exist: /var/www/robots.txt
[Tue Nov 28 09:44:14 2017] [error] [client 66.249.64.26] File does not exist: /var/www/.well-known
[Tue Nov 28 09:45:13 2017] [error] [client 66.249.64.26] File does not exist: /var/www/.well-known
[Tue Nov 28 09:52:50 2017] [error] [client 172.104.115.143] File does not exist: /var/www/favicon.ico
[Tue Nov 28 10:00:13 2017] [error] [client 212.83.150.38] File does not exist: /var/www/a2billing
[Tue Nov 28 10:01:25 2017] [error] [client 212.83.150.38] File does not exist: /var/www/a2billing
[Tue Nov 28 10:07:28 2017] [error] [client 139.162.87.250] Directory index forbidden by Options directive: /var/www/apps/
I find it strange that random IPs are trying to get to /var/www/apps and so on, as these are not directories that are normally reachable.
And here is an example of the path the suspicious script uses to send spam:
Nov 30 09:44:10 ks4000003 postfix/smtpd[5035]: warning: hostname 201-46-61-66.wireless.dynamic.sbr1.ce.faster.net.br does not resolve to address 201.46.61.66: Name or service not known
Nov 30 09:44:10 ks4000003 postfix/smtpd[5035]: connect from unknown[201.46.61.66]
Nov 30 09:44:14 ks4000003 postfix/smtpd[5035]: Anonymous TLS connection established from unknown[201.46.61.66]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 30 09:44:18 ks4000003 postfix/smtpd[5035]: warning: unknown[201.46.61.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 30 09:44:20 ks4000003 postfix/smtpd[5035]: warning: unknown[201.46.61.66]: SASL PLAIN authentication failed:
Nov 30 09:44:21 ks4000003 postfix/smtpd[5035]: NOQUEUE: reject: RCPT from unknown[201.46.61.66]: 554 5.7.1 <sundberg.randy@yahoo.com>: Recipient address rejected: Access denied; from=<info@guylabbe.ca> to=<sundberg.randy@yahoo.com> proto=ESMTP helo=<[201.46.61.66]>
Nov 30 09:44:21 ks4000003 postfix/smtpd[5035]: disconnect from unknown[201.46.61.66]
Any help will be appreciated, as I am getting pretty desperate about this. There must be a simple thing I can do about this.
Best Answer
That would happen if the mail was sent from a vulnerable PHP script, as it may have been before. However, it seems that this mail is not originating from your server but uses your server as a relay.
Here, the 62.112.5.169 is an obfuscated HELO hostname, and the mail is actually sent from 175.223.28.0/22, belonging to Korea Telecom.
From your configuration it's really hard to say what kind of limitations you actually have, because, for example, your check_client_access collects data from several sources and formats (regular expression, BerkeleyDB and even MySQL). You could e.g. have a loose regular expression that actually allows mail from these clients, effectively making your mail server an open relay.
I would start by removing the most complicated sources from your configuration. Then I'd test them all separately using postmap -q to be sure that they actually do what you suppose they are doing.
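Two points in the answer above lend themselves to a small helper: reading the real client address out of a Received header (the bracketed address, not the client-chosen HELO string), and pulling every check_*_access table out of the postconf -n output so each one can be queried with postmap -q. The following Python is an added example, not code from the question or the answer; the header line and the two restriction parameters are copied from the page, and the function names are my own.

```python
import re

# Constructed sample input, taken from the spam header and postconf -n shown above.
RECEIVED = "Received: from 62.112.5.169 (unknown [175.223.31.212])"
POSTCONF = """\
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/rbl_whitelist, check_sender_access regexp:/etc/postfix/sender_access.regexp hash:/etc/postfix/sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, reject_unauth_destination, permit
"""

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
)

def split_received(line):
    """Return (helo, rdns, ip). The HELO name is supplied by the client and is
    untrusted; the bracketed address is what Postfix saw on the TCP connection."""
    m = RECEIVED_RE.match(line)
    return None if m is None else (m.group("helo"), m.group("rdns"), m.group("ip"))

def access_maps(postconf_text):
    """Map each check_*_access restriction to its lookup tables, in the order
    Postfix consults them. One check_ keyword may list several type:path tables."""
    result = {}
    for line in postconf_text.splitlines():
        if "=" not in line:
            continue
        param, value = (s.strip() for s in line.split("=", 1))
        if not (param.startswith("smtpd_") and param.endswith("_restrictions")):
            continue
        for item in value.split(","):
            tokens = item.split()
            if tokens and tokens[0].startswith("check_") and tokens[0].endswith("_access"):
                result.setdefault(tokens[0], []).extend(tokens[1:])
    return result

def regexp_tables(maps):
    """Pattern-matched tables (regexp:, pcre:) are the ones a loose rule can turn
    into an accidental OK, so review and test these first."""
    return sorted(t for ts in maps.values() for t in ts
                  if t.startswith(("regexp:", "pcre:")))

def postmap_checks(maps, client_ip, sender):
    """Shell commands to query each table for one client/sender, as the answer
    suggests. Postfix also tries parent domains and address prefixes; this shows
    only the exact-key lookup."""
    keys = {"check_client_access": client_ip, "check_sender_access": sender}
    return [f"postmap -q {keys[k]} {t}" for k, ts in maps.items() if k in keys for t in ts]

if __name__ == "__main__":
    print(split_received(RECEIVED))
    maps = access_maps(POSTCONF)
    print(regexp_tables(maps))
    print("\n".join(postmap_checks(maps, "175.223.31.212", "support662@accounts.net")))
```

Run the printed postmap -q commands on the mail server; any table that answers OK or permit for the client address or sender is the one letting the relay through.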