1 (edited by ag 2013-05-28 15:33:48)

Topic: My server sends SPAM - help!!!

==== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Debian 6
- Related log if you're reporting an issue:
====

Please, I need quick help: since yesterday my server has been sending a lot of SPAM. How can I block it?

I read somewhere to turn on SASL, but how can I do that?

Header of the SPAM message:

Return-Path: <www-data@mydomain.com>
Received: from localhost (mydomain.com [127.0.0.1])
    by mydomain.com (Postfix) with ESMTP id D00DB621F41
    for <sweet747@wowway.com>; Tue, 28 May 2013 09:28:31 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mydomain.com
Received: from mydomain.com([127.0.0.1])
    by localhost (mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id zGkClHEtJW94 for <sweet747@wowway.com>;
    Tue, 28 May 2013 09:28:29 +0200 (CEST)
Received: by mydomain.com (Postfix, from userid 33)
    id D4881621F43; Tue, 28 May 2013 09:28:19 +0200 (CEST)
To: sweet747@wowway.com
Subject: Shipping Info
X-PHP-Originating-Script: 1009:7c32.php(1) : eval()'d code
From: "First-Class Mail Service" <support@sendpostalmail.com>
X-Mailer: lightbulbruffiansof6
Reply-To: "First-Class Mail Service" <support@sendpostalmail.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------136972609951A45C931D21A"
Message-Id: <20130528072819.D4881621F43@mydomain.com>
Date: Tue, 28 May 2013 09:28:19 +0200 (CEST)

------------136972609951A45C931D21A
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit


2 (edited by camel1cz 2013-05-28 17:11:14)

Re: My server sends SPAM - help!!!

From what I see, you run some website/s on the same server as you run iRedMail, and somewhere you have a badly configured/infected PHP script. This script is sending those emails via the local iRedMail server.

I would suggest investigating your webserver logs and/or the DocumentRoots of all locally hosted web domains, finding the script sending the spam and fixing it or removing it from your DocumentRoot.

If your server sends a lot of spam, it should be easy to see the corresponding hits in the apache access.log.

This is a kind of hint: first of all, look for a PHP script named as noted in the email:

X-PHP-Originating-Script: 1009:7c32.php(1) : eval()'d code
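The triage described above, as an added example that is not part of the original post: one helper lists PHP files under a document root that pair eval() with a decoder (the shape behind an "eval()'d code" header), the other counts access.log hits on a script name per client IP. The document root, log lines and file contents are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). Paths, IPs and file contents below
# are constructed sample data so the script runs offline.

# List PHP files under a document root whose source combines eval() with a
# decoder (base64_decode, gzinflate, str_rot13). This is a lead for manual
# review, not proof of compromise.
suspect_php_files() {
    find "$1" -type f -name '*.php' -exec grep -lE 'eval[[:space:]]*\(' {} + 2>/dev/null \
        | while IFS= read -r f; do
            if grep -qE 'base64_decode|gzinflate|str_rot13' "$f"; then
                printf '%s\n' "$f"
            fi
        done
}

# Count requests whose path matches $2 in the Apache combined-format log $1,
# grouped by client IP (field 1 is the IP, field 7 the request path).
hits_for_script() {
    awk -v s="$2" '$7 ~ s { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" \
        | sort -rn
}

# --- constructed sample data ---
tmp=$(mktemp -d)
mkdir -p "$tmp/www/css" "$tmp/www/modules"
printf '<?php echo "hello"; ?>\n' > "$tmp/www/modules/page.php"
# Stand-in for an injected script: decoder + eval shape only, no payload.
printf '<?php $p = "..."; eval(base64_decode($p)); ?>\n' > "$tmp/www/css/7c32.php"
cat > "$tmp/access.log" <<'EOF'
203.0.113.5 - - [28/May/2013:09:28:10 +0200] "POST /css/7c32.php HTTP/1.1" 200 12 "-" "-"
203.0.113.5 - - [28/May/2013:09:28:18 +0200] "POST /css/7c32.php HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [28/May/2013:09:30:00 +0200] "GET /modules/page.php HTTP/1.1" 200 512 "-" "Mozilla"
EOF

suspect_php_files "$tmp/www"                   # prints .../www/css/7c32.php
hits_for_script "$tmp/access.log" '7c32[.]php'  # prints "2 203.0.113.5"
```

On a real server, point suspect_php_files at each vhost's DocumentRoot and hits_for_script at its access.log; a PHP file sitting in a css or images directory is already suspicious on its own.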

3

Re: My server sends SPAM - help!!!

Yes, I finally tracked it and you are right, but not every mail has this code in its header:

X-PHP-Originating-Script: 1009:7c32.php(1) : eval()'d code

Some irresponsible user had his password saved in TotalCommander, and this script was in the CSS of his Drupal blog.

I have changed the name of the public_html folder for a test and the undelivered mail stopped coming.

I hope that this 12-14 hour spam sending would not have a negative impact and my IP won't get on blacklists...

Was this script only sending mails, or could it mess with other stuff? But it could not get outside this FTP account, right?

4

Re: My server sends SPAM - help!!!

ag wrote:

I hope that this 12-14 hour spam sending would not have a negative impact and my IP won't get on blacklists...

The only thing you can do now is to check the blacklists and, in case you get listed, immediately request delisting with the reason "compromised account/problem fixed".

ag wrote:

Was this script only sending mails, or could it mess with other stuff? But it could not get outside this FTP account, right?

Directly, only files accessible via this FTP account were affected, but theoretically the attacker could upload a PHP script that also modifies other files. But this seems to be "only" a dumb spam bot...

For better security when running PHP, consider adding disable_functions (to disable dangerous and usually not useful functions like exec, eval, ...) and open_basedir (to restrict access for file-manipulating functions like fwrite to the listed folders only. Just note that you also have to add the paths of PHP shared libraries like Zend Framework and PEAR, as this directive restricts include/require as well) in your virtual host configs/php.ini.

Good luck with your problem!

5

Re: My server sends SPAM - help!!!

A temporary solution: don't allow the Apache daemon user to send out email, then try to figure out which PHP application has this weakness.

Set Postfix parameter in main.cf like below:

authorized_submit_users = root, !static:all

NOTES:

*) It allows the root user to send out email on localhost and denies other system users.
*) If you want to allow more system users to send out email on localhost, just append them to the parameter.
*) Restarting Postfix service is required.

6

Re: My server sends SPAM - help!!!

Thanks for replies.

I have one more question, when I type

mailq

I still have some spam emails pending to send, how can I remove them?

7

Re: My server sends SPAM - help!!!

Have a look at postsuper(1); the -d switch will be of interest to you.

An example of a one-liner deleting emails from/to specific addresses is e.g. here.
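The postsuper(1) approach from the reply above, as an added example that is not part of the original post: a function that reads mailq output and prints the queue IDs of messages from a given sender, so you can review the list before feeding it to postsuper -d. The mailq output in the block is constructed sample data (the sender www-data@mydomain.com comes from the thread; the other addresses are made up).

```shell
#!/bin/sh
# Added example (not from the thread). The mailq text below is constructed.

# Print queue IDs of queued messages whose sender equals $1, reading mailq
# output on stdin. mailq prints one blank-line separated block per message,
# so awk with RS="" sees each message as one record: field 1 is the queue ID
# (with a trailing "*" for active or "!" for held messages), field 7 is the
# sender address. tail drops the column header line.
queue_ids_for_sender() {
    tail -n +2 | awk -v s="$1" 'BEGIN { RS = "" }
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $7 == s { sub(/[*!]$/, "", $1); print $1 }'
}

# Live use on the mail server: review first, then delete.
#   mailq | queue_ids_for_sender www-data@mydomain.com
#   mailq | queue_ids_for_sender www-data@mydomain.com | postsuper -d -
purge_sender() {
    mailq | queue_ids_for_sender "$1" | postsuper -d -
}

# --- constructed mailq output for an offline dry run ---
sample_mailq='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
D4881621F43     1234 Tue May 28 09:28:19  www-data@mydomain.com
                                         sweet747@wowway.com

A1B2C3D4E5*     2222 Tue May 28 09:30:00  alice@mydomain.com
                                         bob@example.com

-- 3 Kbytes in 2 Requests.'

printf '%s\n' "$sample_mailq" | queue_ids_for_sender www-data@mydomain.com  # prints D4881621F43
```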

8

Re: My server sends SPAM - help!!!

Thanks for the quick answer :)