
We are in huge trouble :( .. Our Mac server is sending spam. Our IP is already blacklisted on about a dozen servers (checked with http://mxtoolbox.com/). We have other computers in the same network, including PCs. What I have already done and discovered:

  1. I found spam emails in the "Server Admin app"->Mail->Maintenance->Mail Queue (attached image).
  2. I managed to get one of those emails from the /var/spool/postfix/ folder. Here is the link - a simple HTML file (http://www.sendspace.com/file/wbyjov).
  3. I searched for malware with ClamXav on the server - with no result.
  4. I re-checked the PC computers with antivirus - with no result.

Also, does the fact that these emails appear in the "Mail Queue" mean that the Mac OS server sends them by itself? Or is it possible that another computer in the same network sends them?

Thank you in advance for your answers!!!!

* Added two screenshots of server logs: SMTP logs and IMAP logs *

* Added a screenshot of Access logs. I know for sure that the "fitkit.medicine" account shouldn't be used at this time at all. Does it mean that some malware hacked several accounts on the server? *


Dmitry

2 Answers


Spam messages in the postfix message queue could mean a number of things:

  • Your mail server is acting as an open relay. An open relay means that your server is accepting messages from any client on the Internet and relaying them onward. Open relays are quickly picked up by spammers and quickly blacklisted. To see if your mail server is acting as an open relay, you could use this site:

    http://www.unlocktheinbox.com/openrelaytest/

    For a discussion on OS X server and open relays, also see:

    https://discussions.apple.com/message/8036841#8036841

    Looking at the message from the postfix message queue, I see that the client address (the IP address of the SMTP client that submitted the email message for delivery) is in the 31.129.xxx.xxx IP range. If this IP range belongs to you, it's something within your network.

  • There is a machine within your network that's been compromised and is now acting as a botnet client for spam. In this case, you'll need to determine which PC it is that's sending all these messages, and shut that machine down. Because the IP address of the client is a public IP, I'm guessing this is not the case.

  • Someone has hacked an account on your mail server (if you require SMTP authentication) and is using that account to send messages. From the message you've attached, I see that the spam bot is using authentication (sasl_username=test, sasl_method=LOGIN). Is there a chance you have a "test" account with no password on this server? If so, set a password on it or disable the account.

Hari
  • Thanks for awesome response! (1) Just checked the first variant with open relay - and the web site says "Test Results: Good news! Server is NOT an open relay!". And, "31.129.xxx.xxx" - isn't our IP at all – Dmitry Sep 26 '13 at 16:33
  • (2) This is the problem - how to find it? In the LOGs I searched for IP like 192.168.1.* (our network mask) but with no help – Dmitry Sep 26 '13 at 16:34
  • (3) wow, good catch, I didn't notice that. I really have a user with the name "test". I already removed it. Do you think it may help if I just change all the passwords for all users? – Dmitry Sep 26 '13 at 16:35
  • One thing: I just noticed this line in the Access logs: "Login: user=, method=CRAM-MD5, rip=192.168.1.1". I know for sure that this account cannot be used now. Does it mean that some malware from the local network hacked several accounts on the server? – Dmitry Sep 26 '13 at 16:44
  • The mail log shows both SMTP messages and IMAP/POP3 messages. "postfix" messages log email sent via your server. "dovecot" messages are logs of people with accounts on your server fetching email from the server. The spam problem is SMTP-related. "Login: user=" is a dovecot message: someone likely still has that account configured on their mail client. You should now clear the mail queue. That's explained here: https://discussions.apple.com/thread/2684493?start=0&tstart=0 Be aware that clearing the queue will delete all messages, including legitimate ones! – Hari Sep 26 '13 at 17:14
  • Oh, I just noticed that you can also delete individual messages using the OS X server mail console, so you could also do that for the spam instead of nuking all messages. And yes, asking all users to change their passwords is a good idea when an account has been compromised. It's also a good time to audit all the accounts you have on the server and delete any unused accounts. – Hari Sep 26 '13 at 17:22
  • Changed passwords. Removed all the messages (40k+ !!!). Cleared all logs. Will be looking at it tomorrow. Hope it will help. But your answer is worth marking as correct anyway! Thanks! – Dmitry Sep 26 '13 at 19:17
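The triage Hari's answer and comments describe (find which SASL account is submitting the spam, from which client IPs, and tell postfix/smtpd submission lines apart from dovecot mailbox logins) can be scripted over the mail log. The following is an added example, not code from the original thread or from OS X Server; the sample log lines are constructed in the format of the excerpts shown on the page, the queue IDs, hostnames and 31.129.x.x addresses are placeholders, and the LAN range 192.168.1.0/24 and the "more than one external IP" threshold are assumptions you should adjust for your own network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not real data): three spam submissions by the "test"
# account from public addresses, one normal LAN submission, and one dovecot
# IMAP login of the kind the question calls an "Access log" line.
SAMPLE_LOG = """\
Sep 26 14:02:11 mailsrv postfix/smtpd[4101]: 3F2A1B2C3D: client=unknown[31.129.10.20], sasl_method=LOGIN, sasl_username=test
Sep 26 14:02:12 mailsrv postfix/smtpd[4101]: 4A3B2C1D0E: client=unknown[31.129.10.21], sasl_method=LOGIN, sasl_username=test
Sep 26 14:02:13 mailsrv postfix/smtpd[4102]: 5B4C3D2E1F: client=unknown[31.129.77.5], sasl_method=LOGIN, sasl_username=test
Sep 26 14:03:40 mailsrv postfix/smtpd[4103]: 6C5D4E3F20: client=pc07.office.example[192.168.1.57], sasl_method=PLAIN, sasl_username=alice
Sep 26 14:05:00 mailsrv dovecot[880]: imap-login: Login: user=<fitkit.medicine>, method=CRAM-MD5, rip=192.168.1.1, lip=192.168.1.10
Sep 26 14:06:30 mailsrv postfix/smtpd[4104]: 7D6E5F4031: client=unknown[31.129.200.9], sasl_method=LOGIN, sasl_username=test
"""

# Assumption: the organisation's LAN is 192.168.1.0/24 (as mentioned in the thread).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# postfix/smtpd "client=" line with SASL details, as quoted in Hari's answer.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^,]+), sasl_username=(?P<user>\S+)"
)
# dovecot login line ("rip" is the remote IP of the mail client fetching mail).
DOVECOT_RE = re.compile(
    r"dovecot\[\d+\]: \S+: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>[^,]+), rip=(?P<ip>[^,]+),"
)


def is_local(ip):
    """True if the address belongs to one of the LAN ranges we trust."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def triage(log_text, max_external_ips=1):
    """Split the log into SMTP submissions (postfix) and mailbox logins (dovecot).

    Returns (smtp, imap): smtp maps sasl_username -> message count, client IPs,
    non-LAN client IPs and a 'suspicious' flag set when the account submitted
    mail from more than max_external_ips distinct non-LAN addresses; imap is a
    list of dovecot logins with the client IP and whether it came from the LAN.
    """
    smtp = defaultdict(lambda: {"messages": 0, "client_ips": set(), "external_ips": set()})
    imap = []
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            entry = smtp[m["user"]]
            entry["messages"] += 1
            entry["client_ips"].add(m["ip"])
            if not is_local(m["ip"]):
                entry["external_ips"].add(m["ip"])
            continue
        m = DOVECOT_RE.search(line)
        if m:
            imap.append({"user": m["user"], "method": m["method"],
                         "ip": m["ip"], "local": is_local(m["ip"])})
    for entry in smtp.values():
        entry["suspicious"] = len(entry["external_ips"]) > max_external_ips
    return dict(smtp), imap


def suspicious_accounts(log_text, max_external_ips=1):
    """Names of SASL accounts that look hijacked, sorted for stable output."""
    smtp, _ = triage(log_text, max_external_ips)
    return sorted(u for u, e in smtp.items() if e["suspicious"])


if __name__ == "__main__":
    smtp, imap = triage(SAMPLE_LOG)
    for user, e in sorted(smtp.items()):
        flag = "SUSPICIOUS" if e["suspicious"] else "ok"
        print(f"{user:12} {e['messages']:4} msgs from {sorted(e['client_ips'])} [{flag}]")
    for login in imap:
        print(f"dovecot login {login['user']} via {login['method']} from {login['ip']} (LAN: {login['local']})")
```

Run it against your real mail log by replacing SAMPLE_LOG with the file contents; the path to that log on your version of OS X Server is the one Apple's documentation gives, not something this example knows. An account that shows up as suspicious is the one whose password to change (or which to disable) first, and the dovecot lines tell you only who is fetching mail, which is the distinction Hari draws between the two kinds of log message.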

OSX Server has a real mail server built in. You should be able to see in the logs from which clients the mails are sent to the server. Here is the Apple KB that says where the logs are located.

https://support.apple.com/kb/PH8771

The obvious answer is that if you don't use the mail server, turn it off.

chewbakka
  • I attached screenshots of the logs. Unfortunately nothing helpful there :( Also, we need this server - I can't just turn it off... – Dmitry Sep 26 '13 at 16:30