Unusual Spam Problem Anyone an idea

  • Hi Everyone,


    We currently have a larger spam issue on one of our servers. I think that some customer-hosted CMS is compromised and is sending spam e-mails out.
    Unlike any other spam issue I've ever seen, this time it is NOT sent via PHP's mail() feature. (I log that and there's nothing there.)


    In the postfix log, I can see that the mails are delivered from the server's own IP address (and, of course, allowed, since the local IP is in mynetworks).
    The headers of the spam examples that got reported to me give absolutely no hint on the root cause (e.g. which customer etc.). Envelope data, from fields, recipients
    are all unknown (not from our customers) and seem to be fake.


    Does anyone have an idea on how to track this further? Could it be a PHP script delivering the mails via localhost:25 by having some SMTP client implemented in PHP? How would it
    be possible to monitor that?


    I would be very happy for any hint that could help me get more insight and solve this problem.


    Best regards


    C

    I-MSCP 1.3.9 on Debian Linux 8

  • Good morning,


    Welcome to the i-MSCP forum, I see no one has welcomed you yet.


    Please always report according to Reporting rules - Reminder
    This way we can actually try to reproduce any problem, in this case we can check what plugins you use (Spamassassin or such?)


    Please also post a (redacted?) version of your mail log.
    Please also check your mailq (command mailq), then you can try to find the mails in your /var/spool/ folders.

  • Hi,


    Understood. I'll try to provide you with all the information possible:


    System:
    - Debian GNU/Linux 8 (Jessie)
    - I-MSCP 1.3.0 (Stable) with PHP5-FPM, ProFTPD, Postfix, Dovecot
    - SpamAssassin Plugin Version 1.1.0 (From: 2016-06-25)


    The problem is that the server is sending lots and lots of e-mails that are clearly spam, and we cannot find any cause. There are multiple sites on that server, using PHP and CGI applications.
    We log any mail that is sent through the PHP "mail()" mechanism, but these mails are not appearing there. All mails are seen as coming from the local machine.


    One example out of mailq (this one is the bounce):


    Code
    21A9865EDED 3191 Wed Sep 7 20:00:29 MAILER-DAEMON (connect to mx999.math.arizona.edu[128.196.224.2]:25: Connection timed out) [email protected]


    Log-Lines related to that E-Mail:


    Code
    Sep 7 20:00:27 srv08 postfix/smtpd[24039]: 62FAE65B268: client=srv08.[our-hostname].de[our-ipv4-addr]
    Sep 7 20:00:27 srv08 postfix/cleanup[23382]: 62FAE65B268: message-id=<20160907214712.29570.qmail@srv08.[our-hostname].de>
    Sep 7 20:00:29 srv08 postfix/qmgr[19408]: 62FAE65B268: from=<[email protected]>, size=990, nrcpt=1 (queue active)
    Sep 7 20:00:29 srv08 postfix/smtp[24620]: 62FAE65B268: to=<[email protected]>, relay=none, delay=1.6, delays=1.6/0/0/0, dsn=5.4.6, status=bounced (mail for hgf.fr loops back to myself)
    Sep 7 20:00:29 srv08 postfix/bounce[24621]: 62FAE65B268: sender non-delivery notification: 21A9865EDED
    Sep 7 20:00:29 srv08 postfix/qmgr[19408]: 62FAE65B268: removed


    The recipient address and the target address do not belong to any of our domains/e-mail addresses. The mail headers of the e-mail don't contain any information. In the logfiles, we can only see that it is originating from the local machine and delivered to the postfix daemon via SMTP. (Maybe with a CGI/PHP SMTP client?)


    Example Mail-Headers:


    I-MSCP 1.3.9 on Debian Linux 8


  • Here's another e-mail header of an e-mail that is not a mailer-daemon one:


    Code
    ------------=_57CCA388.6BD51A33
    Content-Type: message/rfc822; x-spam-type=original
    Content-Description: original message before SpamAssassin
    Content-Disposition: attachment
    Content-Transfer-Encoding: 8bit

    X-Envelope-From: <[email protected]>
    X-Envelope-To: <[email protected]>
    Received: from srv08.[our-hostname].de (srv08.[our-hostname].de [our-ipv4-address])
        by srv08.[our-hostname].de(Postfix 2.11.3/8.13.0) with SMTP id unknown
        Mon, 05 Sep 2016 00:43:15 +0200
        (envelope-from <[email protected]>
    Received: from abbeyalimio by srv08.[our-hostname].de with local (Exim 4.22)
        id igx43g-tvBEtz-w1
        for [email protected]; Mon, 05 Sep 2016 10:02:37 +0200
    To: "isiah1216.lj" <[email protected]>
    Subject: A meeting with a married girl, 717-895-0158 how about that!
    Message-Id: <igx43g-tvBEtz-w1@srv08.[our-hostname].de>
    From: "Bella Ramos" <[email protected]>
    Date: Mon, 05 Sep 2016 10:02:37 +0200
    Mime-Version: 1.0
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: quoted-printable

    *** HEADER EXTRACTED deferred/2/223E865D4F7 ***


    It says the e-mail would be coming from some "exim" on the local machine. But there is clearly no exim installed and/or running. I also checked the machine. There are no exim files. So I guess that information is fake.
    Also, no suspicious processes are running. I can hardly find any viable information on this.


    mail.log lines of that e-mail:


    Code
    Sep 5 00:43:15 srv08 postfix/smtpd[994]: AF55765A6D8: client=srv08.[our-hostname].de[our-ipv4-address]
    Sep 5 00:43:15 srv08 postfix/cleanup[465]: AF55765A6D8: message-id=<igx43g-tvBEtz-w1@srv08.[our-hostname].de>
    Sep 5 00:43:21 srv08 postfix/qmgr[17569]: AF55765A6D8: from=<[email protected]>, size=5624, nrcpt=1 (queue active)
    Sep 5 00:43:21 srv08 postfix/smtp[1061]: AF55765A6D8: to=<[email protected]>, relay=none, delay=5.3, delays=5.3/0/0/0, dsn=5.4.6, status=bounced (mail for gmail.commail.com loops back to myself)
    Sep 5 00:43:21 srv08 postfix/bounce[1038]: AF55765A6D8: sender non-delivery notification: 223E865D4F7
    Sep 5 00:43:21 srv08 postfix/qmgr[17569]: AF55765A6D8: removed


    Anyone got an idea based on this?

    I-MSCP 1.3.9 on Debian Linux 8
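    The first post asks how to monitor for a script that speaks SMTP to localhost:25 itself, and the mail.log lines above show what that looks like: smtpd reports client= as the server's own hostname and address. The script below is an added example, not from the thread or the i-MSCP project; it runs over a constructed mail.log excerpt modelled on the posted lines (hostname srv08.example.de and address 203.0.113.10 stand in for the redacted values) and lists every queue id that came in over SMTP from the host's own address, with its message-id and envelope sender, while ignoring messages handed in locally through sendmail/pickup.

```shell
#!/bin/sh
# Added example: find messages that reached Postfix over SMTP from the host's
# own address. srv08.example.de / 203.0.113.10 are constructed stand-ins for the
# redacted [our-hostname] / [our-ipv4-address] values in the thread.
OWN_IP="203.0.113.10"

# Constructed mail.log excerpt modelled on the lines posted in the thread.
# The third message (pickup, uid=...) was handed in locally via sendmail, the
# path that PHP mail() uses and that the poster's mail() logging already covers.
write_sample() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
Sep  5 00:43:15 srv08 postfix/smtpd[994]: AF55765A6D8: client=srv08.example.de[203.0.113.10]
Sep  5 00:43:15 srv08 postfix/cleanup[465]: AF55765A6D8: message-id=<igx43g-tvBEtz-w1@srv08.example.de>
Sep  5 00:43:21 srv08 postfix/qmgr[17569]: AF55765A6D8: from=<bella.ramos@example.net>, size=5624, nrcpt=1 (queue active)
Sep  5 00:50:00 srv08 postfix/smtpd[995]: B1234567890: client=mail.customer.example[198.51.100.7]
Sep  5 00:50:00 srv08 postfix/cleanup[465]: B1234567890: message-id=<abc123@mail.customer.example>
Sep  5 00:50:01 srv08 postfix/qmgr[17569]: B1234567890: from=<user@customer.example>, size=1000, nrcpt=1 (queue active)
Sep  5 00:51:00 srv08 postfix/pickup[100]: C9999999999: uid=33 from=<www-data@srv08.example.de>
Sep  5 00:51:00 srv08 postfix/cleanup[465]: C9999999999: message-id=<xyz789@srv08.example.de>
Sep  5 00:51:01 srv08 postfix/qmgr[17569]: C9999999999: from=<www-data@srv08.example.de>, size=800, nrcpt=1 (queue active)
EOF
    echo "$f"
}

# local_smtp_submissions LOGFILE OWN_IP
# Prints "queue-id message-id envelope-from" for every message whose smtpd
# client was OWN_IP, i.e. something on this host opened its own SMTP session
# to port 25 instead of going through sendmail/pickup.
local_smtp_submissions() {
    awk -v own="$2" '
        { q = $6; sub(/:$/, "", q) }                       # queue id is field 6
        index($5, "postfix/smtpd[") && index($0, "[" own "]") { local[q] = 1 }
        index($5, "postfix/cleanup[") && (split($0, a, "message-id=") > 1) { mid[q] = a[2] }
        index($5, "postfix/qmgr[") && match($0, /from=<[^>]*>/) {
            from[q] = substr($0, RSTART + 6, RLENGTH - 7)   # strip "from=<" and ">"
        }
        END { for (q in local) print q, mid[q], from[q] }
    ' "$1" | sort
}

f=$(write_sample)
local_smtp_submissions "$f" "$OWN_IP"
rm -f "$f"
```

    On the real server, run it against /var/log/mail.log with the server's own IPv4 address; to get from a queue id to the process that submitted it, correlate the smtpd timestamp with connections to port 25 seen by ss -tnp or by an auditd rule on connect().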

  • Could you give me access to that server for checking?


  • Could you give me access to that server for checking?

    Yes. That would be super great if you could take a look at this. I added your SSH key to the server and sent you the server data via private forum message.

    I-MSCP 1.3.9 on Debian Linux 8

  • @Koren


    I'll have a look this evening.
