
My Config: Ubuntu 10.04 Postfix 2.7.0 Dovecot 1.2.9 ISPConfig 3.0.4.2

I've got the problem that an unknown / invalid user, e.g. dexter_rollins@xxxx>, sends mails to different emails.

Every 5 - 7 min it's sending 10 emails with random senders and recipients, but the senders' domain is managed by this server.

If I stop Apache it stops. Is there a solution for finding the error or misconfigured form, or is it possible to fix it with postfix?

mail.log shows this:

Jan 24 22:00:30 xxxx postfix/qmgr[5489]: 342E47F580BA: from=, size=1826, nrcpt=1 (queue active)
Jan 24 22:00:30 xxxx postfix/qmgr[5489]: 3E9D77F58060: from=, size=1708, nrcpt=1 (queue active)
Jan 24 22:00:30 xxxx postfix/qmgr[5489]: B482A179F8854: from=, size=1863, nrcpt=1 (queue active)
Jan 24 22:00:30 xxxx postfix/qmgr[5489]: 198117F58090: from=, size=1801, nrcpt=1 (queue active)
Jan 24 22:00:30 xxxx postfix/qmgr[5489]: 580787F58091: from=, size=1810, nrcpt=1 (queue active)

Jan 25 03:12:07 xxxx postfix/qmgr[20249]: 4BF9F179F85DE: from=<>, size=4497, nrcpt=1 (queue active)
Jan 25 03:12:07 xxxx postfix/bounce[21727]: 60926179F85DF: sender non-delivery notification: 4BF9F179F85DE
Jan 25 03:12:07 xxxx postfix/qmgr[20249]: 60926179F85DF: removed
Jan 25 03:12:07 xxxx postfix/pipe[21681]: 4BF9F179F85DE: to=, relay=dovecot, delay=0.02, delays=0.01/0/0/0.01, dsn=5.1.1, status=bounced (user unknown)
Jan 25 03:12:07 v postfix/qmgr[20249]: 4BF9F179F85DE: removed

apache2ctl -t -D DUMP_MODULES

Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 fcgid_module (shared)
 include_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 status_module (shared)
 suexec_module (shared)
 suphp_module (shared)
 unique_id_module (shared)
Syntax OK

httpd.conf is empty

apache2.conf: apache2conf

default vhost: default vhost

/etc/apache2/mods-available/

actions.load alias.load asis.load auth_basic.load auth_digest.load authn_alias.load authn_anon.load authn_dbd.load
authn_dbm.load authn_default.load authn_file.load authnz_ldap.load authz_dbm.load authz_default.load authz_groupfile.load
authz_host.load authz_owner.load authz_user.load autoindex.load cache.load cern_meta.load cgid.load cgi.load
charset_lite.load dav_fs.load dav.load dav_lock.load dbd.load deflate.load dir.load disk_cache.load
dump_io.load env.load expires.load ext_filter.load fcgid.load file_cache.load filter.load headers.load
ident.load imagemap.load include.load info.load ldap.load log_forensic.load mem_cache.load mime.load
mime_magic.load mod-security.load negotiation.load php5.load proxy_ajp.load proxy_balancer.load proxy_connect.load proxy_ftp.load
proxy_http.load proxy.load proxy_scgi.load reqtimeout.load rewrite.load ruby.load setenvif.load speling.load
ssl.load status.load substitute.load suexec.load suphp.load unique_id.load userdir.load usertrack.load
version.load vhost_alias.load

/etc/apache2/mods-enabled

actions.load alias.load auth_basic.load auth_digest.load authn_file.load authz_default.load authz_groupfile.load
authz_host.load authz_user.load autoindex.load cgi.load deflate.load dir.load env.load
expires.load fcgid.load include.load mime.load negotiation.load php5.load reqtimeout.load
rewrite.load setenvif.load ssl.load status.load suexec.load suphp.load unique_id.load

I've got this error message, too:

Return-Path:
X-Original-To: py.brancom@SPAMTRAP.INVALID
Received: from www.mydomaim.de (mail.mydomain.de [xxx.xxx.xxx.xxx]) by mx.selfip.biz (Spamtrap) with ESMTP for py.brancom@SPAMTRAP.INVALID; Sat, 04 Feb 2012 00:52:21 +0100 (CET)
Date: Sat, 4 Feb 2012 00:52:20 +0100
To: py.brancom@SPAMTRAP.INVALID
From: "Levitra Sales"
Subject: Hi, get 64% better prices, quod hand carpalin
Message-ID: <006201c45adb$abad5f76$6165497e@levitra.sales@mail2mitch.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"

HopelessN00b

Max
  • [Administration panels are off topic](http://serverfault.com/help/on-topic). [Even the presence of an administration panel on a system,](http://meta.serverfault.com/q/6538/118258) because they [take over the systems in strange and non-standard ways, making it difficult or even impossible for actual system administrators to manage the servers normally](http://meta.serverfault.com/a/3924/118258), and tend to indicate low-quality questions from *users* with insufficient knowledge for this site. – HopelessN00b Mar 08 '15 at 21:33

2 Answers

If the behavior stops when apache is stopped, then it's likely that your apache configuration allows for some sort of proxying, which is being abused by the spammer to send mail through your machine.

Start with this: http://wiki.apache.org/httpd/ProxyAbuse

Also, check your httpd log files, and look for suspicious entries, specifically ones that do not reference the URLs that you actually host.

malcolmpdx
  • Thanks for the reply. The apache proxy module is not loaded. access.log: xx.xx.xx.xx - - [22/Jan/2012:03:09:42 +0100] "GET http://174.xx.xx.xx/judge.php HTTP/1.1" 404 526 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" Telnet: HTTP/1.1 408 Request Time-out. apache2/error.log looks normal – Max Jan 25 '12 at 10:23
  • edit: I found this entry in the access.log: 65.xx.xx.xx - - [22/Jan/2012:05:12:43 +0100] "POST http://65.xx.xx.xx:25/ HTTP/1.0" 200 297 "-" "-" – Max Jan 25 '12 at 12:00
  • It's that second one, with the POST 65.xx.xx.xx:25 that would appear to be the trigger. The 200 status code indicates that it worked, as far as apache is concerned, and so I still suspect that you have some sort of proxy installed. Check the httpd.conf, any included configs, anything in conf.d, and any .htaccess files for any mention of proxy. Also are you running mod_php or mod_perl? Maybe a full dump of your configs would be in order. – malcolmpdx Jan 25 '12 at 17:07
  • For the moment thanks a lot. I posted the apache2 and the default vhost settings. Do you need more logs? – Max Feb 04 '12 at 12:57
  • I would also want to see /etc/apache2/mods-enabled/*.load and /etc/apache2/mods-enabled/*.conf, and /etc/apache2/httpd.conf – malcolmpdx Feb 05 '12 at 16:21

Check for suspicious or altered files in your virtualhost.

Check for active suspicious processes (ps aux).

Check httpd access.log entries with date/time immediately before the postfix accepting mail for delivery notification.

Giovanni Toraldo
  • I checked the access.logs of the websites and found malicious code in a wordpress install – Max Feb 11 '12 at 17:47
  • Are you using an outdated Wordpress? If yes, update it to the latest version. Are you using outdated plugins? If yes, update them to the latest version and if they are unmaintained for years switch to alternative plugins with similar functions but maintained. Since you cannot be sure to have completely cleaned your site, it's highly advisable to recreate from scratch the Wordpress install (re-downloading core and plugins), changing wp-config.php to point to the old database and then move your wp-content directory to the new install. – Giovanni Toraldo Feb 12 '12 at 07:09
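Both answers come down to the same triage step: line up the moment postfix queues a message with the web requests that arrived just before it, and look for requests that do not belong to the sites you host. The script below is an added example (not code from either answer) that does that correlation over constructed sample lines in the question's log formats; it assumes mail.log and access.log are in the same local timezone and takes the syslog year as a parameter because syslog lines omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the question) in the same formats it shows.
MAIL_LOG = """\
Jan 25 03:12:07 xxxx postfix/qmgr[20249]: 4BF9F179F85DE: from=<>, size=4497, nrcpt=1 (queue active)
Jan 25 03:12:07 xxxx postfix/qmgr[20249]: 4BF9F179F85DE: removed
"""
ACCESS_LOG = """\
198.51.100.7 - - [25/Jan/2012:02:00:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jan/2012:03:12:05 +0100] "POST /wp-content/uploads/img.php HTTP/1.0" 200 297 "-" "-"
203.0.113.9 - - [25/Jan/2012:03:12:06 +0100] "POST http://203.0.113.9:25/ HTTP/1.0" 200 297 "-" "-"
"""

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: (\w+): .*\(queue active\)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_mail_log(text, year):
    """Return (timestamp, queue_id) for each message postfix moved to the active queue."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:  # syslog has no year, so the caller supplies it
            out.append((datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)))
    return out

def parse_access_log(text):
    """Return one dict per combined-format request line; the UTC offset is dropped, local time kept."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
            out.append({"ip": m.group(1), "ts": ts, "method": m.group(3),
                        "target": m.group(4), "status": int(m.group(5))})
    return out

def suspicion_reasons(req):
    """Flag proxy-style absolute-URI request lines (the ProxyAbuse pattern from the first
    answer) and POSTs to PHP files under the uploads tree, where injected mailers are often dropped."""
    reasons = []
    if re.match(r"^[a-z]+://", req["target"]):
        reasons.append("absolute-URI request line (proxy-style)")
    if req["method"] == "POST" and re.search(r"/wp-content/uploads/.*\.php", req["target"]):
        reasons.append("POST to PHP under wp-content/uploads")
    return reasons

def correlate(mail_events, requests, window=timedelta(seconds=60)):
    """For each queued message, list the requests that landed within `window` before it was queued."""
    hits = {}
    for ts, qid in mail_events:
        near = [r for r in requests if ts - window <= r["ts"] <= ts]
        hits[qid] = [(r["ip"], r["method"], r["target"], suspicion_reasons(r)) for r in near]
    return hits
```

On a real box, read the two files into MAIL_LOG and ACCESS_LOG and print `correlate(...)`; any queue id whose window contains a flagged request points at the vhost and script to inspect first.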