
I have a huge problem with my Debian Stretch installation. Out of the blue, one client email address started sending huge amounts of spam.

My server uses a standard configuration. I installed it with ISPConfig, Postfix, Dovecot, Amavisd, SpamAssassin and ClamAV, following the 'Perfect server' tutorial from https://www.howtoforge.com/tutorial/perfect-server-debian-9-stretch-apache-bind-dovecot-ispconfig-3-1/.

I host a lot of email domains and mailboxes and a lot of websites, most of which I'm forced to run on old versions of PHP (5.3.3 is the oldest one). All of the spam is being sent from only one address and, from what I can see, it originates on my localhost. I immediately changed the password for the account and disabled SMTP, but it keeps sending spam like nothing happened.

I tried a recursive maldet scan of /; it detected a few potentially malicious PHP scripts in /var/www, but after deleting them spam is still being sent, so it didn't help.

Enough talking, here are logs and config.

/etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = /usr/share/doc/postfix
compatibility_level = 2
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = nibbler.manena.cz
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = nibbler.manena.cz, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtu$
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_$
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_do$
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_n$
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_acces$
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 10
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
smtpd_helo_required     = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

/var/log/mail.info | grep [one of the SPAM mail IDs]

Mar 14 06:26:38 nibbler postfix/smtpd[4982]: 23D6036D28F: client=localhost[127.0.0.1]
Mar 14 06:26:38 nibbler postfix/cleanup[9381]: 23D6036D28F: message-id=<1BA29DE2-21F4-ED35-7166-8D523B9A7F2E@client.com>
Mar 14 06:26:38 nibbler postfix/qmgr[25904]: 23D6036D28F: from=<client@client.com>, size=1958, nrcpt=23 (queue active)
Mar 14 06:26:38 nibbler amavis[9276]: (09276-16) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [178.156.44.57]:3446 [178.156.44.57] <client@client.com> -> <aalliijan@acusphere.com>,<ctbmwboy1@aol.com>,<mcarthur4258@aol.com>,<ennett@cogentqc.com>,<haymanls@comcast.net>,<lois.lawrence@comcast.net>,<johnnyponco@cox.net>,<sfriend6@cox.net>,<joncox@coxcapital.com>,<domd06@gmail.com>,<rakrecak@gmail.com>,<scobel.vandree@hamburg.de>,<grayturnock@hotmail.co.uk>,<rick.feldman@hotmail.com>,<sly_a_pup_s-57@qaxp.com>,<paul@reunionfriendly.com>,<rarnitz@tampabay.rr.com>,<stephen_pharaoh@yahoo.co.uk>,<dcidaho@yahoo.com>,<dropshotin@yahoo.com>,<jhill141@yahoo.com>,<mcoppage@yahoo.com>,<vision2020ab@yahoo.com>, Queue-ID: BB16D36D28E, Message-ID: <1BA29DE2-21F4-ED35-7166-8D523B9A7F2E@client.com>, mail_id: I8YkwYIYG_PS, Hits: -0.999, size: 908, queued_as: 23D6036D28F, dkim_new=default:client.com, 370 ms
Mar 14 06:26:38 nibbler postfix/smtp[8926]: BB16D36D28E: to=<aalliijan@acusphere.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=5.6, delays=5.2/0/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 23D6036D28F)
Mar 14 06:26:38 nibbler postfix/smtp[8926]: BB16D36D28E: to=<ctbmwboy1@aol.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=5.6, delays=5.2/0/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 23D6036D28F)
(...)

Do you have any idea what to do now? Any suggestion is very appreciated.

Get Schwifty
  • Had a similar issue, only it was a compromised password/account and changing the password fixed it. Could be something on the client's own local computer sending from their machine via your outgoing server? – ivanivan Mar 14 '18 at 19:44
  • Highly unlikely since I changed the password and disabled SMTP. It's probably a local issue. – Get Schwifty Mar 14 '18 at 19:45
  • Tried connecting via telnet to SMTP? If you can do this without authentication then the server is set as relay open host, if not then it is a compromised authentication client. – Onyx Mar 14 '18 at 20:29
  • Via Telnet I'm able to set *MAIL FROM:* without any authentication. But when I try to set *RCPT TO:* it fails with *454 4.7.1 Relay access denied*. I'm able to send email without authentication only to my locally hosted domains. – Get Schwifty Mar 14 '18 at 20:40
  • Check if the user has any web forms on their site. These can often be compromised if they are unprotected. Another possibility may be a PHP shell - look for scripts running from /tmp. – Simon Greenwood Mar 14 '18 at 21:13
  • Probably not anything online, I killed all processes of php and Apache, but spam is still being sent. I don't see any processes from /tmp in *ps aux*. – Get Schwifty Mar 14 '18 at 21:29
  • I just noticed two things. If I type *service postfix* and press *[TAB]*, Debian shows two services: *postfix* and *postfix@-*, is this normal? And second thing - when browsing through the mail logs I noticed that after almost every mail sent I get a warning that I'm overriding an already set entry in main.cf. That's ok, I know I'm doing that. The thing which seems off with this is that this line appears in the log all the time, almost like postfix is being restarted/reloaded after each mail sent. Or is this also normal? – Get Schwifty Mar 14 '18 at 21:33
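A point worth checking against the logs quoted in the question, as an added example that is not part of the question or of ISPConfig's own tooling: the grep above follows queue ID 23D6036D28F, which is the leg where amavis hands the scanned message back to Postfix on 127.0.0.1, so that leg always shows client=localhost. The amavis line names the original submission as Queue-ID BB16D36D28E with ORIGINATING LOCAL [178.156.44.57], and it is the smtpd line for that first queue ID (with or without a sasl_username) or a pickup line (sendmail(1)/PHP mail() on the box) that tells you whether the spam was submitted remotely with credentials or injected locally. The script below correlates the two legs through the amavis queued_as field and classifies each original message. The two smtpd/qmgr lines for BB16D36D28E and the pickup lines for AAAA0000001 are constructed to illustrate the shapes involved; the amavis and 23D6036D28F lines are copied from the question.

```python
"""Correlate Postfix and amavis log lines to find where each outbound message
really entered the queue.  Added example; not code from the question or ISPConfig."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: lines 1-2 and 6-7 are made up to show the submission and
# pickup legs; lines 3-5 are the lines quoted in the question (recipient list shortened).
SAMPLE_LOG = """\
Mar 14 06:26:33 nibbler postfix/submission/smtpd[8812]: BB16D36D28E: client=unknown[178.156.44.57], sasl_method=LOGIN, sasl_username=client@client.com
Mar 14 06:26:33 nibbler postfix/qmgr[25904]: BB16D36D28E: from=<client@client.com>, size=908, nrcpt=23 (queue active)
Mar 14 06:26:38 nibbler postfix/smtpd[4982]: 23D6036D28F: client=localhost[127.0.0.1]
Mar 14 06:26:38 nibbler postfix/qmgr[25904]: 23D6036D28F: from=<client@client.com>, size=1958, nrcpt=23 (queue active)
Mar 14 06:26:38 nibbler amavis[9276]: (09276-16) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [178.156.44.57]:3446 [178.156.44.57] <client@client.com> -> <aalliijan@acusphere.com>,<ctbmwboy1@aol.com>, Queue-ID: BB16D36D28E, Message-ID: <1BA29DE2-21F4-ED35-7166-8D523B9A7F2E@client.com>, mail_id: I8YkwYIYG_PS, Hits: -0.999, size: 908, queued_as: 23D6036D28F, dkim_new=default:client.com, 370 ms
Mar 14 06:27:01 nibbler postfix/pickup[1234]: AAAA0000001: uid=33 from=<www-data>
Mar 14 06:27:01 nibbler postfix/qmgr[25904]: AAAA0000001: from=<www-data@nibbler.manena.cz>, size=512, nrcpt=1 (queue active)
"""

# smtpd connection line: queue id, client IP and, when present, the SASL login used.
SMTPD_RE = re.compile(
    r"postfix/(?:\S+/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=\S*?\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>[^,\s]+))?"
)
# pickup line: mail handed to Postfix by a local process via sendmail(1), with its uid.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<[^>]*>")
# qmgr line: envelope sender and recipient count.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<from>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
# amavis verdict: links the original queue id to the id it was re-queued under after scanning.
AMAVIS_RE = re.compile(r"amavis\[\d+\]: .*?Queue-ID: (?P<orig>[0-9A-Za-z]+), .*?queued_as: (?P<new>[0-9A-Za-z]+)")


def classify(rec):
    """Name the entry path of a message from the fields collected for its first queue id."""
    if rec.get("pickup_uid") is not None:
        return "local-pickup"  # sendmail(1)/mail() on the server itself, e.g. a web script
    ip = rec.get("client_ip")
    local = ip is not None and ip_address(ip).is_loopback
    if rec.get("sasl_username"):
        return "authenticated-local" if local else "authenticated-remote"
    return "unauthenticated-local" if local else "unauthenticated-remote"


def summarize(log_text):
    """Return one record per original submission, folding in post-filter queue ids."""
    recs = defaultdict(dict)
    reinjected_from = {}  # post-filter queue id -> queue id of the original submission
    for line in log_text.splitlines():
        if (m := SMTPD_RE.search(line)):
            recs[m["qid"]].update(client_ip=m["ip"], sasl_username=m["user"])
        elif (m := PICKUP_RE.search(line)):
            recs[m["qid"]].update(pickup_uid=int(m["uid"]))
        elif (m := QMGR_RE.search(line)):
            recs[m["qid"]].update(sender=m["from"], nrcpt=int(m["nrcpt"]))
        elif (m := AMAVIS_RE.search(line)):
            reinjected_from[m["new"]] = m["orig"]
    results = []
    for qid, rec in recs.items():
        if qid in reinjected_from:
            continue  # content filter handing the message back; attributed to the origin
        results.append({
            "queue_id": qid,
            "client_ip": rec.get("client_ip"),
            "sasl_username": rec.get("sasl_username"),
            "pickup_uid": rec.get("pickup_uid"),
            "sender": rec.get("sender"),
            "nrcpt": rec.get("nrcpt", 0),
            "reinjected_as": sorted(new for new, orig in reinjected_from.items() if orig == qid),
            "category": classify(rec),
        })
    return results


def recipients_by_origin(results):
    """Total recipients per (entry path, identity), so the loudest source stands out."""
    totals = defaultdict(int)
    for r in results:
        identity = r["sasl_username"] or (
            f"uid={r['pickup_uid']}" if r["pickup_uid"] is not None else r["client_ip"])
        totals[(r["category"], identity)] += r["nrcpt"]
    return dict(totals)


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f"{r['queue_id']} {r['category']:24} ip={r['client_ip']} "
              f"sasl={r['sasl_username']} uid={r['pickup_uid']} nrcpt={r['nrcpt']} "
              f"-> {','.join(r['reinjected_as']) or '-'}")
    for key, total in recipients_by_origin(summarize(SAMPLE_LOG)).items():
        print(key, total)
```

Run it against the real /var/log/mail.info instead of SAMPLE_LOG (for example `summarize(open("/var/log/mail.info").read())`): an "authenticated-remote" result for the affected address means the credentials are still being used from outside despite the password change (in which case the Dovecot auth logs for that username and a check that the new password actually propagated are the next step), while "local-pickup" with a web server uid points at a script on the box and identifies the uid to look for in `ps` and in the web roots.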
