[Postfix] Spam attack on my server: how to stop it?

  • Hi,


    On one of my servers, I have a spam problem.
    Here is the /var/log/mail.log file:


    Code
    Aug 8 13:51:27 servername postfix/smtp[5004]: 5FAF9227B5: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.67.27]:25, delay=1, delays=0.03/0.4/0.03/0.56, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.67.27] said: 550-5.7.1 [207.73.100.36 12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. lk7si2833406wic.68 - gsmtp (in reply to end of DATA command))
    Aug 8 13:51:27 servername postfix/cleanup[4788]: 646E32278E: message-id=<[email protected]>
    Aug 8 13:51:27 servername postfix/smtp[4974]: 62BCB227AA: to=<[email protected]>, relay=spool.mail.gandi.net[217.70.184.6]:25, conn_use=3, delay=0.01, delays=0/0/0/0, dsn=5.7.1, status=bounced (host spool.mail.gandi.net[217.70.184.6] said: 550 5.7.1 <[email protected]>: Recipient address rejected: bounce limit for domaine2.org (in reply to RCPT TO command))
    Aug 8 13:51:27 servername postfix/qmgr[27088]: 62BCB227AA: removed
    Aug 8 13:51:27 servername postfix/bounce[4780]: 5FAF9227B5: sender non-delivery notification: 646E32278E
    Aug 8 13:51:27 servername postfix/qmgr[27088]: 646E32278E: from=<>, size=3388, nrcpt=1 (queue active)
    Aug 8 13:51:27 servername postfix/smtp[5012]: 75DBE6FF17: host mta7.am0.yahoodns.net[98.138.112.37] said: 421 4.7.0 [TS01] Messages from 207.73.100.36 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html (in reply to MAIL FROM command)
    Aug 8 13:51:27 servername postfix/smtp[5012]: 75DBE6FF17: lost connection with mta7.am0.yahoodns.net[98.138.112.37] while sending RCPT TO
    Aug 8 13:51:27 servername postfix/qmgr[27088]: 5FAF9227B5: removed
    Aug 8 13:51:27 servername postfix/smtp[5006]: 5DA85223A1: to=<[email protected]>, relay=mx.mailbox.orange-business.com[194.2.0.80]:25, conn_use=5, delay=0.03, delays=0/0.02/0/0.01, dsn=5.1.1, status=bounced (host mx.mailbox.orange-business.com[194.2.0.80] said: 550 5.1.1 <[email protected]>... User unknown (in reply to RCPT TO command))
    Aug 8 13:51:27 servername postfix/qmgr[27088]: 5DA85223A1: removed
    Aug 8 13:51:27 servername postfix/smtp[4950]: 62118223B4: to=<[email protected]>, relay=mx.mailbox.orange-business.com[194.2.0.80]:25, delay=0.04, delays=0.01/0.01/0.01/0.01, dsn=5.1.1, status=bounced (host mx.mailbox.orange-business.com[194.2.0.80] said: 550 5.1.1 <[email protected]>... User unknown (in reply to RCPT TO command))


    It looks like a robot is using my server as a spam relay.


    postqueue -p:

    Code
    86D8332E9A 758 Fri Aug 8 13:14:46 [email protected]
                                      [email protected]
               654 Fri Aug 8 13:13:44 [email protected]
                                      [email protected]
               703 Fri Aug 8 13:09:20 [email protected]
                                      [email protected]
               630 Fri Aug 8 13:12:43 [email protected]
                                      [email protected]
               561 Fri Aug 8 13:14:07 [email protected]
                                      [email protected]
               655 Fri Aug 8 13:13:10 [email protected]
                                      [email protected]


    domain2.com exists on my server, but not the user [email protected]


    ps aux | grep "postfix":


    My server is a little bit older and it's running a legacy version of i-MSCP (ispCP 1.0.3 OMEGA build: 20091224 Codename: Priamos).
    Please don't laugh about it: it's not so easy to migrate this kind of server with lots of customers on it (I am also looking for a way to do this easily ;) ).
    So maybe there is a security hole in it, but my question is how can I stop this spam attack.
    And I came here to post my question because several members of the original ispCP team moved here and there is no chance to get an answer over there :(


    Thanks a lot for your help.

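The bounces in the log above carry queue IDs but say nothing about who handed the message to Postfix. On a shared-hosting box the local submission is logged separately by pickup(8) as `QUEUEID: uid=NNNN from=<...>`, so the two can be joined on the queue ID. The script below is an added example, not part of the thread or of i-MSCP: it counts, per submitting Unix uid, the deliveries that remote MXs refused on policy grounds (DSN 5.7.x / 4.7.x). The log lines it parses are constructed in Postfix's format; on the real server it would read `/var/log/mail.log` instead.

```shell
#!/bin/sh
# Added example, not from the forum thread. Correlate spam rejections logged by
# smtp(8) with the pickup(8) record of the local submission, so each rejected
# queue ID points back at the Unix uid (and so the webspace) that injected it.
# Real use:  spam_submitters < /var/log/mail.log
# The log below is a constructed sample in Postfix's format (example.* hosts,
# documentation IP ranges) so the script runs offline.

sample_log() {
cat <<'EOF'
Aug  8 13:14:46 servername postfix/pickup[27087]: A1B2C3D4E5: uid=1005 from=<vu1005>
Aug  8 13:14:46 servername postfix/pickup[27087]: B2C3D4E5F6: uid=1012 from=<vu1012>
Aug  8 13:14:47 servername postfix/pickup[27087]: C3D4E5F6A7: uid=1005 from=<vu1005>
Aug  8 13:14:48 servername postfix/smtpd[27090]: D4E5F6A7B8: client=mail.example.org[192.0.2.10]
Aug  8 13:51:27 servername postfix/smtp[5004]: A1B2C3D4E5: to=<a@example.com>, relay=mx.example.com[198.51.100.5]:25, dsn=5.7.1, status=bounced (host mx.example.com[198.51.100.5] said: 550-5.7.1 Our system has detected that this message is likely unsolicited mail (in reply to end of DATA command))
Aug  8 13:51:27 servername postfix/smtp[5012]: C3D4E5F6A7: host mx.example.net[198.51.100.9] said: 421 4.7.0 Messages from 203.0.113.5 temporarily deferred due to user complaints (in reply to MAIL FROM command)
Aug  8 13:51:28 servername postfix/smtp[5006]: B2C3D4E5F6: to=<b@example.net>, relay=mx.example.net[198.51.100.9]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)
Aug  8 13:51:29 servername postfix/smtp[5006]: D4E5F6A7B8: to=<c@example.com>, relay=mx.example.com[198.51.100.5]:25, dsn=5.7.1, status=bounced (host mx.example.com[198.51.100.5] said: 550 5.7.1 Message rejected as spam (in reply to end of DATA command))
EOF
}

# Reads mail.log on stdin; prints "count uid=NNNN" lines, most frequent first.
# Rejected messages with no pickup record were either submitted over SMTP
# (smtpd) or their pickup line has already been rotated away.
spam_submitters() {
  awk '
    # pickup(8) logs every local sendmail(1)/PHP mail() submission with its uid
    $5 ~ /^postfix\/pickup\[/ && match($0, /uid=[0-9]+/) {
        id = $6; sub(/:$/, "", id)
        uid[id] = substr($0, RSTART, RLENGTH)
        next
    }
    # smtp(8) attempts refused for policy/content reasons: DSN 5.7.x or 4.7.x
    # (the "user unknown" 5.1.1 bounces in the thread are deliberately not counted)
    $5 ~ /^postfix\/smtp\[/ && /(dsn=[45]\.7\.[0-9]|said: [45][0-9][0-9][- ][45]\.7\.[0-9])/ {
        id = $6; sub(/:$/, "", id)
        key = (id in uid) ? uid[id] : "no-pickup-record"
        hits[key]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -rn
}

sample_log | spam_submitters
```

On an ispCP/i-MSCP host each customer's PHP runs under its own uid, so the top line names the webspace to suspend; a large `no-pickup-record` bucket instead means the mail came in over SMTP (an open relay or a stolen mailbox password), which is a different problem from a compromised web script.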
  • Here is my /etc/postfix/main.cf : http://p.mufff.in/?f3692398a23…xzWb3Zehk1VJ60nYHCRLPDoY=


    And my /etc/postfix/master.cf : http://p.mufff.in/?c65c71a398b…Rab07H4vgUMoDKYMrITFzeQI=



    ~# ps aux | grep nc

    Code
    root 60 0.0 0.0 0 0 ? S 13:06 0:00 [async/mgr]
    root 232 0.0 0.0 0 0 ? S 13:06 0:00 [sync_supers]
    www-data 16799 0.0 0.0 0 0 ? Z 15:27 0:00 [apache2] <defunct>
    postfix 17438 0.0 0.1 5528 1808 ? S 15:28 0:00 bounce -z -n defer -t unix -u -c
    postfix 17500 0.0 0.1 5528 1808 ? S 15:28 0:00 bounce -z -n defer -t unix -u -c
    postfix 18445 0.0 0.1 5528 1804 ? S 15:29 0:00 bounce -z -n defer -t unix -u -c
    postfix 18570 0.0 0.1 5528 1872 ? S 15:29 0:00 bounce -z -t unix -u -c
    postfix 18589 0.0 0.1 5528 1876 ? S 15:29 0:00 bounce -z -t unix -u -c
    postfix 18628 0.0 0.1 5528 1832 ? S 15:29 0:00 bounce -z -t unix -u -c
    root 18635 0.0 0.0 3036 792 pts/0 S+ 15:29 0:00 grep nc
  • It is of course nothing i-MSCP related.


    However, check the mail headers of the queued mails to identify the sender/webspace owner.
    If you have the correct owner - disable the webspace.
    Check for PHP scripts or something and remove them.

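Checking the headers of the queued mails, as suggested above, can be scripted: `postcat -q QUEUEID` dumps a queued message, and two headers identify the origin. Postfix writes `Received: by host (Postfix, from userid N)` for every local submission, and PHP adds `X-PHP-Originating-Script: uid:script.php` when `mail.add_x_header` is enabled in php.ini (PHP 5.3 and later; on an older installation only the userid line is available). The script below is an added example, not the thread's or i-MSCP's code. The queue dump it parses is a constructed sample shaped like postcat output; on the real server the first comment shows how to feed it the actual queue.

```shell
#!/bin/sh
# Added example, not from the forum thread: tally the origins of queued mail
# from a concatenated `postcat -q` dump. Real use, fed from the queue listing
# (strips the '*' / '!' status markers that postqueue appends to a queue ID):
#   postqueue -p | awk '/^[0-9A-F]/ { sub(/[*!]$/, "", $1); print $1 }' \
#     | xargs -n 1 postcat -q | summarise_origins
# The dump below is a constructed sample so the functions run offline.

sample_dump() {
cat <<'EOF'
*** ENVELOPE RECORDS deferred/A/A1B2C3D4E5 ***
sender: vu1005@servername
*** MESSAGE CONTENTS deferred/A/A1B2C3D4E5 ***
Received: by servername (Postfix, from userid 1005)
        id A1B2C3D4E5; Fri,  8 Aug 2014 13:14:46 +0200 (CEST)
To: a@example.com
Subject: You have won
X-PHP-Originating-Script: 1005:mailer.php
*** MESSAGE FILE END deferred/A/A1B2C3D4E5 ***
*** ENVELOPE RECORDS deferred/C/C3D4E5F6A7 ***
sender: vu1005@servername
*** MESSAGE CONTENTS deferred/C/C3D4E5F6A7 ***
Received: by servername (Postfix, from userid 1005)
        id C3D4E5F6A7; Fri,  8 Aug 2014 13:14:47 +0200 (CEST)
To: b@example.net
X-PHP-Originating-Script: 1005:mailer.php
*** MESSAGE FILE END deferred/C/C3D4E5F6A7 ***
*** ENVELOPE RECORDS deferred/E/E5F6A7B8C9 ***
sender: vu1005@servername
*** MESSAGE CONTENTS deferred/E/E5F6A7B8C9 ***
Received: by servername (Postfix, from userid 1005)
        id E5F6A7B8C9; Fri,  8 Aug 2014 13:14:49 +0200 (CEST)
To: c@example.org
X-PHP-Originating-Script: 1005:mailer.php
*** MESSAGE FILE END deferred/E/E5F6A7B8C9 ***
*** ENVELOPE RECORDS deferred/B/B2C3D4E5F6 ***
sender: vu1012@servername
*** MESSAGE CONTENTS deferred/B/B2C3D4E5F6 ***
Received: by servername (Postfix, from userid 1012)
        id B2C3D4E5F6; Fri,  8 Aug 2014 13:14:46 +0200 (CEST)
To: shop@example.net
X-PHP-Originating-Script: 1012:contact.php
*** MESSAGE FILE END deferred/B/B2C3D4E5F6 ***
*** ENVELOPE RECORDS deferred/D/D4E5F6A7B8 ***
sender: www-data@servername
*** MESSAGE CONTENTS deferred/D/D4E5F6A7B8 ***
Received: by servername (Postfix, from userid 33)
        id D4E5F6A7B8; Fri,  8 Aug 2014 13:14:48 +0200 (CEST)
To: d@example.com
*** MESSAGE FILE END deferred/D/D4E5F6A7B8 ***
EOF
}

# Reads a postcat dump on stdin; prints "count kind value" lines, most
# frequent first, where kind is script (X-PHP-Originating-Script, uid:basename),
# uid (Received: ... from userid N) or sender (envelope sender from the queue file).
summarise_origins() {
  awk '
    /^X-PHP-Originating-Script:/ { sub(/^X-PHP-Originating-Script:[ \t]*/, ""); print "script " $0; next }
    /^Received: by .*\(Postfix, from userid [0-9]+\)/ {
        match($0, /userid [0-9]+/); print "uid " substr($0, RSTART + 7, RLENGTH - 7); next }
    /^sender: / { print "sender " $2 }
  ' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# top_of script|uid|sender : the single most frequent value of that kind
top_of() {
  summarise_origins | awk -v k="$1" '$2 == k { print $3; exit }'
}

sample_dump | summarise_origins
```

In the sample, one webspace (uid 1005, mailer.php) accounts for three of the five queued messages, and the message from uid 33 shows the fallback case: PHP running as the web server user without `mail.add_x_header`, where only the userid and the envelope sender are left to go on.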
  • Thanks BeNe for the process to check the correct owner.
    I had 9 customers (out of 70) touched by a hack on a CMS I used in the past.
    Thanks to my backups, it's all clean now.
    Thanks again and sorry for the wrong forum...

  • Fine. But a backup only is not a solution. Did you close the leak, change passwords? Is the backup not compromised?


    Sent from my Nexus 7 using Tapatalk

  • Simply disable the mail() function on the spammer's webspace.
    After disabling that function, your clients will come looking for you to ask why it is disabled.
    In the case of a WordPress shell upload bug, the client is responsible for correcting the failure (WP update to the newest version).