Unusual Spam Problem Anyone an idea

**Koren** · Sep 8th 2016

Hi Everyone,

We currently have a larger spam issue on one of our servers. I think, that some customer hosted CMS is compromised and is sending spam e-mails out.
Unlike any other spam issue, i've ever seen, this time it is NOT sent via php's mail() feature. (I log that and there's nothing there).

In the postfix log, I can see, the mails are delivered by the server's own ip address (and, of course allowing it, since the local ip is in mynetworks).
The header's of the spam examples, that got reported to me, gives absolutely no hint on the root cause. (e.g. which customer etc). Envelope data, from fields, recipients
are all unknown (not from our customers) and seem to be fake.

Does anyone got an idea, on how to track this further ? Could it be a php script, delivering the mails via localhost:25 by having some smtp client implemented in php ? How would it
be possible to monitor that ?

I would be very happy for any hint, that could help me to get more insight and solve that problem.

Best regards

C

**theemstra** · Sep 8th 2016

Good morning,

Welcome to the i-MSCP forum, I see no one has welcomed you yet.

Please always report according to Reporting rules - Reminder
This way we can actually try to reproduce any problem, in this case we can check what plugins you use (Spamassassin or such?)

Please also post a (redacted?) version of your mail log.
Please also check your mailq (command mailq), then you can try to find the mails in your /var/spool/ folders.

**Koren** · Sep 8th 2016

Hi,

Understood. I try to provide you with all the information possible:

System:
- Debian GNU/Linux 8 (Jessie)
- I-MSCP 1.3.0 (Stable) with PHP5-FPM, ProFTPD, Postfix, Dovecot
- SpamAssassin Plugin Version 1.1.0 (From: 2016-06-25)

The Problem is, that the server is sending lots and lots of e-mails, that clearly are spam and we cannot find any cause. There are multiple sites on that server, using php and cgi applications.
We log any mail, that is sent through the php "mail()" mechanism, but that mails are not appearing there. All mails are seen as coming from the local machine.

One example out of mailq (that is from the bounce, since that is from the bounce:

Code

21A9865EDED 3191 Wed Sep 7 20:00:29 MAILER-DAEMON (connect to mx999.math.arizona.edu[128.196.224.2]:25: Connection timed out) redacted@swc.math.arizona.edu

Log-Lines related to that E-Mail:

Code

Sep 7 20:00:27 srv08 postfix/smtpd[24039]: 62FAE65B268: client=srv08.[our-hostname].de[our-ipv4-addr]Sep 7 20:00:27 srv08 postfix/cleanup[23382]: 62FAE65B268: message-id=<20160907214712.29570.qmail@srv08.[our-hostname].de>Sep 7 20:00:29 srv08 postfix/qmgr[19408]: 62FAE65B268: from=<redacted@swc.math.arizona.edu>, size=990, nrcpt=1 (queue active)Sep 7 20:00:29 srv08 postfix/smtp[24620]: 62FAE65B268: to=<1254@hgf.fr>, relay=none, delay=1.6, delays=1.6/0/0/0, dsn=5.4.6, status=bounced (mail for hgf.fr loops back to myself)Sep 7 20:00:29 srv08 postfix/bounce[24621]: 62FAE65B268: sender non-delivery notification: 21A9865EDEDSep 7 20:00:29 srv08 postfix/qmgr[19408]: 62FAE65B268: removed

The recipient address and the target address does not belong to any of our domains/e-mail addresses. The mail headers of the e-mail doesnt contain any information. In the logfiles, we can only see, that it is originating from the local machine and delivered to the postfix daemon via smtp. (Baybe with cgi/php smtp client?)

Example Mail-Headers:

Code

regular_text: --62FAE65B268.1473271229/srv08.[our-hostname].de
regular_text: Content-Type: message/rfc822
regular_text: Content-Transfer-Encoding: 8bit
regular_text:
regular_text: Return-Path: <charlottmeavet@swc.math.arizona.edu>
regular_text: Received: from srv08.[our-hostname].de (srv08.[our-hostname].de [our-ipv4-addr])
regular_text: by srv08.[our-hostname].de (Postfix) with SMTP id 62FAE65B268
regular_text: for <1254@hgf.fr>; Wed, 7 Sep 2016 20:00:27 +0200 (CEST)
regular_text: Received: (qmail 29570 invoked by uid 49356); 07 Sep 2016 21:47:12 -0000
regular_text: Date: 07 Sep 2016 21:47:12 -0000
regular_text: Message-ID: <20160907214712.29570.qmail@srv08.[our-hostname].de>
regular_text: From: "Redacted" <redacted@swc.math.arizona.edu>
regular_text: To: "1254" <redacted@hgf.fr>
regular_text: Subject: [REDACTED]
regular_text: Mime-Version: 1.0
regular_text: Content-Type: text/html
regular_text: Content-Transfer-Encoding: 8bit
regular_text: X-Spam-Status: No, score=3.8 required=5.0 tests=DATE_IN_FUTURE_03_06,
regular_text: HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,URI_WPADMIN
regular_text: autolearn=no autolearn_force=no version=3.4.0
regular_text: X-Spam-Level: ***
regular_text: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on srv08.[our-hostname].de
regular_text:
regular_text: --62FAE65B268.1473271229/srv08.[our-hostname].de--
pointer_record: 0
*** HEADER EXTRACTED deferred/2/21A9865EDED ***

Display More

**Koren** · Sep 8th 2016

Heres another E-Mail header of an e-mail that is not a mailer-daemon one:

Code

regular_text: ------------=_57CCA388.6BD51A33regular_text: Content-Type: message/rfc822; x-spam-type=original regular_text: Content-Description: original message before SpamAssassinregular_text: Content-Disposition: attachmentregular_text: Content-Transfer-Encoding: 8bitregular_text:regular_text: X-Envelope-From: <abbeyalimio@hmspermedion.com>regular_text: X-Envelope-To: <isiah1216.lj@gmail.commail.com>regular_text: Received: from srv08.[our-hostname].de (srv08.[our-hostname].de [our-ipv4-address])regular_text: by srv08.[our-hostname].de(Postfix 2.11.3/8.13.0) with SMTP id unknownregular_text: Mon, 05 Sep 2016 00:43:15 +0200regular_text: (envelope-from <abbeyalimio@hmspermedion.com>regular_text: Received: from abbeyalimio by srv08.[our-hostname].de with local (Exim 4.22)regular_text: id igx43g-tvBEtz-w1regular_text: for isiah1216.lj@gmail.commail.com; Mon, 05 Sep 2016 10:02:37 +0200 regular_text: To: "isiah1216.lj" <isiah1216.lj@gmail.commail.com>regular_text: Subject: A meeting with a married girl, 717-895-0158 how about that!regular_text: Message-Id: <igx43g-tvBEtz-w1@srv08.[our-hostname].de>regular_text: From: "Bella Ramos" <abbeyalimio@hmspermedion.com>regular_text: Date: Mon, 05 Sep 2016 10:02:37 +0200regular_text: Mime-Version: 1.0regular_text: Content-Type: text/html; charset=us-ascii regular_text: Content-Transfer-Encoding: quoted-printableregular_text:*** HEADER EXTRACTED deferred/2/223E865D4F7 ***

It says, the e-mail would be coming from some "exim" on the local machine. But there clearly is no exim installed and/or running. Also checked the machine. There are no exim files. So I guess, that information is fake.
Also no suspicious processes are running. I can hardly find any viable information on this.

mail.log lines of that e-mail:

Code

Sep 5 00:43:15 srv08 postfix/smtpd[994]: AF55765A6D8: client=srv08.[our-hostname].de[our-ipv4-address]
Sep 5 00:43:15 srv08 postfix/cleanup[465]: AF55765A6D8: message-id=<igx43g-tvBEtz-w1@srv08.[our-hostname].de>
Sep 5 00:43:21 srv08 postfix/qmgr[17569]: AF55765A6D8: from=<abbeyalimio@hmspermedion.com>, size=5624, nrcpt=1 (queue active)
Sep 5 00:43:21 srv08 postfix/smtp[1061]: AF55765A6D8: to=<isiah1216.lj@gmail.commail.com>, relay=none, delay=5.3, delays=5.3/0/0/0, dsn=5.4.6, status=bounced (mail for gmail.commail.com l\
oops back to myself)
Sep 5 00:43:21 srv08 postfix/bounce[1038]: AF55765A6D8: sender non-delivery notification: 223E865D4F7
Sep 5 00:43:21 srv08 postfix/qmgr[17569]: AF55765A6D8: removed

Anyone got an idea based on this ?

**Nuxwin** · Sep 8th 2016

Could you give me an access to that server for checking?

**Koren** · Sep 8th 2016

Quote from Nuxwin

Could you give me an access to that server for checking?

Yes. That would be super great, if you could take look at this. I added your SSH key to the server and sent you the server-data via private forum message.

**Nuxwin** · Sep 8th 2016

@Koren

I'll have a look this evening.

Unusual Spam Problem Anyone an idea

Share

Daily visitors