
My Server Sending Spam

Andrew_Pa

Regular Pleskian
Hello to the forum.

Today I received an email from SpamCop saying that my server sent spam.

The message is the following:

Received: from vsmtp17.tin.it (192.168.70.176) by ims16c.cp.tin.it (8.6.033)
id 4FE09D8401B1B489 for x; Mon, 30 Jul 2012 01:32:28 +0200
Received: from MY_SERVER_DOMAIN (MY_SERVER_IP) by vsmtp17.tin.it (8.6.023.02)
id 4F653DC81A5963D6 for x; Mon, 30 Jul 2012 01:32:28 +0200
Received: from User (localhost.localdomain [127.0.0.1])
by MY_SERVER_DOMAIN (Postfix) with SMTP id 372CB130015;
Sun, 29 Jul 2012 23:26:52 +0000 (UTC)
Return-Path: <x>
Reply-To: <x>
From: "'Poste Italiane'" <[email protected]>
To: "x" <x>
Subject: Tentativi di accesso:3
Date: Mon, 30 Jul 2012 01:26:51 +0200
Message-ID: <2012__________________0015@MY_SERVER_DOMAIN>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00C6_01CD6DF5.09C653A0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMnvYgr5DMaWRxtucLN4AnRmHC+uA==

I've checked /var/log/maillog and /usr/local/psa/var/log/maillog

But I didn't find anything similar to the message above.

Is there any command that I can use to find something?
And then should I block something (e.g. an IP?) to stop the spam being sent?

Thank you very much in advance
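The innermost Received line in this header says Postfix accepted the message over SMTP from localhost.localdomain [127.0.0.1] under queue id 372CB130015, and that queue id is the key into the maillog. As an added example (not part of the thread), this Python correlates the two; the maillog lines are constructed in Postfix's usual layout and the host placeholders are the ones the post uses.

```python
import re
# Constructed sample: the Received chain from the post, with its placeholders kept.
SAMPLE_HEADERS = """\
Received: from vsmtp17.tin.it (192.168.70.176) by ims16c.cp.tin.it (8.6.033)
 id 4FE09D8401B1B489 for x; Mon, 30 Jul 2012 01:32:28 +0200
Received: from MY_SERVER_DOMAIN (MY_SERVER_IP) by vsmtp17.tin.it (8.6.023.02)
 id 4F653DC81A5963D6 for x; Mon, 30 Jul 2012 01:32:28 +0200
Received: from User (localhost.localdomain [127.0.0.1])
 by MY_SERVER_DOMAIN (Postfix) with SMTP id 372CB130015;
 Sun, 29 Jul 2012 23:26:52 +0000 (UTC)
Message-ID: <2012__________________0015@MY_SERVER_DOMAIN>
"""

# Constructed /var/log/maillog lines (hypothetical, not from the page).
SAMPLE_MAILLOG = """\
Jul 29 23:26:52 host postfix/smtpd[4321]: 372CB130015: client=localhost.localdomain[127.0.0.1]
Jul 29 23:26:52 host postfix/cleanup[4325]: 372CB130015: message-id=<2012__________________0015@MY_SERVER_DOMAIN>
Jul 29 23:26:52 host postfix/qmgr[1234]: 372CB130015: from=<x>, size=4096, nrcpt=1 (queue active)
Jul 29 23:26:53 host postfix/smtp[4330]: 372CB130015: to=<x>, relay=vsmtp17.tin.it[192.168.70.176]:25, status=sent (250 ok)
Jul 29 23:27:10 host postfix/smtpd[4321]: 1A2B3C40016: client=localhost.localdomain[127.0.0.1]
"""

def unfold(headers):
    """Join folded header lines: a continuation line starts with whitespace (RFC 5322)."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def local_hops(headers, local_host):
    """(client, queue id) for each Received: line stamped by local_host's own Postfix."""
    pat = re.compile(r"^Received: from (?P<client>.+?) by " + re.escape(local_host)
                     + r" \(Postfix\) with \w+ id (?P<qid>[0-9A-F]+);", re.M)
    return [(m.group("client"), m.group("qid")) for m in pat.finditer(unfold(headers))]

def queue_events(maillog, qid):
    """key=value fields Postfix logged for one queue id (client, from, to, relay, status...)."""
    fields = {}
    for line in maillog.splitlines():
        if f" {qid}: " in line:
            for key, val in re.findall(r"([\w-]+)=(<[^>]*>|[^,\s]+)", line):
                fields.setdefault(key, val)
    return fields

def trace(headers, maillog, local_host):
    """Tie the header's local queue id back to the maillog entries for that delivery."""
    return [{"header_client": client, "queue_id": qid, **queue_events(maillog, qid)}
            for client, qid in local_hops(headers, local_host)]

if __name__ == "__main__":
    for hop in trace(SAMPLE_HEADERS, SAMPLE_MAILLOG, "MY_SERVER_DOMAIN"):
        print(hop)
```

A hop from 127.0.0.1 "with SMTP" means a local process spoke to port 25 directly rather than calling the sendmail binary, so a sendmail wrapper like the one proposed later in this thread would not see it.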
 
Investigating SPAM

Hi, the first step is to find how many mails you have in the queue, and if there are many, perhaps empty the queue. But before emptying the queue, please investigate the source of the SPAM:

Investigating SPAM
Code:
/var/qmail/bin/qmail-qstat
/var/qmail/bin/qmail-qread | more
returns something like: 18 Jul 2005 15:03:07 GMT #2996948 9073 <[email protected]> bouncing done remote [email protected]
Code:
find /var/qmail/queue/mess/ -name 2996948
grep 10003 /etc/passwd

From the above, you should see the system user of the sender of the SPAM.
Otherwise,

Code:
lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php

This will only on rare occasions help you find the script, but it's worth a shot. The next command will search for any PHP files containing the mail() function. From there, you can get an idea of which scripts are sending emails out.
Code:
find /var/www/vhosts/ -name "*.php" | xargs grep -w "mail(" | more
Emptying the Queue

You can empty the queue either through Plesk -> Tools & Settings -> Mail Manager -> Queue

Better still, you can use this tool:
Code:
cd /root/
wget http://japanitup.com/scripts/qmailclear.sh
chmod +x qmailclear.sh
sh qmailclear.sh
Future monitoring and tracking of ALL mails through your sendmail (that is, if sendmail_path=/usr/sbin/sendmail -t -i in /etc/php.ini)

Code:
mv /usr/sbin/sendmail /usr/sbin/sendmail.act
vi /usr/sbin/sendmail
Add the following contents:
Code:
#!/usr/bin/perl
# use strict;
use Env;                      # exposes environment variables (REMOTE_ADDR, SCRIPT_NAME, ...) as globals
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;                 # effective uid of the caller (the web server user when called from PHP)
my @info = getpwuid($uid);
if($REMOTE_ADDR) { print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";  }
else { print INFO "$date - $PWD - @info\n"; }
my $mailprog = '/var/qmail/bin/sendmail';
# For postfix please replace the above with the below, by commenting the above
#my $mailprog = '/var/sbin/sendmail.postfix';
my $arg = '';
foreach (@ARGV) {$arg="$arg" . " $_"; }   # pass the original arguments (e.g. -t -i) through
open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN> ) { print MAIL; }          # relay the message from stdin to the real sendmail
close (INFO);
close (MAIL);
and finally
Code:
chmod +x /usr/sbin/sendmail
echo > /var/log/formmail.log
chmod 777 /var/log/formmail.log
Now, by looking through the log, or with

Code:
tail -f /var/log/formmail.log
you will be able to track ALL scripts/domains sending SPAM on your server.

I hope that helped.
 
My friend abdi, thank you very much!

I guess I have a stupid question....

When I enter the first 2 commands about qmail, I get this:
No such file or directory

Do I have qmail installed???
 
The question is: are you using Qmail or Postfix?

OK, you can do the following to just quickly figure out what you are using ...

telnet mail.yourdomain.com 25

or

/etc/init.d/qmail status

If that fails then it's NOT qmail; then try

/etc/init.d/postfix status

If that is OK, then it's postfix.

Let me know what you get ...
 
No no, actually postfix is a better MTA than QMail.

So with it, you can clear the Queue with the command

Code:
/usr/sbin/postsuper -d ALL

Also, give me the results of the below command:

Code:
grep "sendmail_path" /etc/php.ini
 
Well, in that case just go to the part (above):

Future monitoring and tracking of ALL mails through your sendmail (that is iff sendmail_path=/usr/sbin/sendmail -t -i in /etc/php.ini)
 
Similar issue

Hello All,

I also implemented the same solution.
I renamed my sendmail to sendmail.hidden and wrote new sendmail.

Now my problem is that PHP does not send email when I am using the new wrapper.

I checked my new sendmail file from the command line and it does WORK fine, as well as writing to the log.
/usr/sbin/sendmail -v [email protected] < test.mail

But PHP does not work, no matter what I try.
As soon as I rename my original sendmail back, it starts working.

/usr/local/lib/php.ini
sendmail_path = "/usr/sbin/sendmail -t -i"
sendmail_from = [email protected]
Please help.
 
If you are using Postfix then in the wrapper enable the following:

# For postfix please replace the above with the below, by commenting the above
my $mailprog = '/var/sbin/sendmail.postfix';

And remember to disable the QMail line just above the postfix one:
#my $mailprog = '/var/qmail/bin/sendmail';

Also, ensure that /var/sbin/sendmail.postfix exists; if it does not, edit the wrapper and replace /var/sbin/sendmail.postfix with /var/sbin/sendmail.hidden, or whatever you renamed it to.
 
I have enabled the correct line.
The code is correct; that is why it is working on the command line.

Is there something I should take care of in the case of PHP?

My exact code is here:
Code:
#!/usr/bin/perl
# use strict;

use Env;
my $date = `date`;
chomp $date;

open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";

my $uid = $>;
my @info = getpwuid($uid);

if($REMOTE_ADDR)
{
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
}
else
{
    print INFO "$date - $PWD - @info\n";
}

my $mailprog = '/usr/sbin/sendmail.hidden';
my $arg = '';
foreach (@ARGV)
{
    $arg="$arg" . " $_";
}

open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";

while (<STDIN>)
{
    print MAIL;
}
close (INFO);
close (MAIL);

Please help
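Both abdi's wrapper and this copy of it die() on the open() of the log file before the real sendmail is ever started, so a log the web server user cannot write to (from a shell the wrapper runs as you, from PHP it runs as the web server user) is one thing to check. As an added example, not the thread's script, here is the same idea in Python with best-effort logging and no shell in the hand-off; /usr/sbin/sendmail.hidden is the renamed binary from the post above and the log file name is abdi's, both assumed to be what is in place.

```python
#!/usr/bin/env python3
"""Logging sendmail wrapper (added example, not the thread's Perl script)."""
import os, pwd, sys, time

REAL_SENDMAIL = "/usr/sbin/sendmail.hidden"  # assumed: where the real binary was moved
LOG_FILE = "/var/log/formmail.log"

def caller_record(env, uid, cwd, argv, now=None):
    """One log line describing who invoked sendmail. Under Apache/PHP the environment
    carries REMOTE_ADDR, SCRIPT_NAME and SERVER_NAME; a cron or shell caller has none
    of these and is recorded by uid and working directory instead."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now))
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    if env.get("REMOTE_ADDR"):
        who = (f"{env['REMOTE_ADDR']} ran {env.get('SCRIPT_NAME', '?')} "
               f"at {env.get('SERVER_NAME', '?')}")
    else:
        who = f"cwd={cwd}"
    return f"{stamp} uid={uid}({user}) {who} args={' '.join(argv)}"

def write_log(line, path=LOG_FILE):
    """Append best-effort and report success. The Perl wrapper die()s when the log
    cannot be opened, which stops the mail before the real sendmail is reached;
    here a logging failure never blocks delivery."""
    try:
        with open(path, "a") as f:
            f.write(line + "\n")
        return True
    except OSError:
        return False

def main():
    write_log(caller_record(os.environ, os.geteuid(), os.getcwd(), sys.argv[1:]))
    # execv hands the arguments over as a list: no shell re-parses them, unlike
    # the Perl wrapper's open(MAIL, "|$mailprog $arg") pipe.
    os.execv(REAL_SENDMAIL, [REAL_SENDMAIL] + sys.argv[1:])

if __name__ == "__main__":
    main()
```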
 
I am so sorry, I don't understand your question clearly, but if you mean for PHP scripts, YES, that script will work fine in logging all mails sent through the mail function / contact forms.

As long as in your php.ini file sendmail_path points to that wrapper.

sendmail_path = "/usr/sbin/sendmail -t -i"
 
I know it should work, but what I am saying is that it is not sending emails. In other words, it is not working.
I have edited my php.ini file just as I said. I have my sendmail edited just as shown, but after this my emails don't go out from FORMMAILER.
 
You can PM me your server details or come on Skype (thegreatseven) and I'll check it out for you!
 