
Outgoing Mail Control Being Hijacked Mass Email Send Out

Shawn1

New Pleskian
Hello, I keep having certain domains being hijacked and mass emails being sent from them somehow. I've disabled mail within the domain control panel for each domain and the issue keeps occurring. I've limited the # of emails as well to 2-5 per hour, but now so many are trying to be sent from my server that it is clogging up the mail queue and I have to log into the server via ssh and run postsuper -d ALL every day or two. It is very frustrating. The only way I can stop it is to disable the domain in the plesk panel, but that is not an option.

What can I do to find the cause of this issue and stop it?
 

Attachments

  • wtf.jpg (430.3 KB)
Hi Shawn1,

am I correct, when I assume, that you use postfix and accept SASL - authentication for "anonymous"? Please post your configuration file "/etc/postfix/main.cf" for verification and include mail - log - files

... for further investigations.
Please keep in mind, that "anonymous" - usage should be denied in your configuration, because it is insecure, just to verify with a certificate, which is public ( see: "smtpd_tls_cert_file = /etc/postfix/postfix_default.pem" ). You can secure your mail - server ( using postfix ) for example like this:
Code:
...
smtpd_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
...
... to enforce additional authentication with username + password, defined at your smtpd - restrictions.
 
Hello UFHH01!

here's the contents of my main.cf file... not sure where my mail logs are stored?

Should I edit anything in this file? If so, what do I need to edit below? Thanks!!

message_size_limit = 10240000
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
inet_protocols = all
inet_interfaces = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
alias_maps = hash:/etc/aliases, nis:mail.aliases, hash:/var/spool/postfix/plesk/aliases
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = , 127.0.0.0/8, [::1]/128
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
mydestination = localhost.$mydomain, localhost, localhost.localdomain
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:110
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
 
Hi Shawn1,

not sure where my mail logs are stored?
Well, I gave you the link to the KB - article, WHERE you can find the mail - logs and configuration files:

Should I edit anything in this file? If so, what do I need to edit below? Thanks!!
... and I gave you as well the suggestion, WHAT you could add/modify in your "main.cf":

... for example like this:
Code:
...
smtpd_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
...
 
UFHH01, I edited main.cf and added in these rows... I then restarted postfix via SSH (following the link to the KB article you sent)

smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

I'll find mail log file and post shortly...

Since making the change to main.cf, I'm still getting email being sent out :(

I'll post log soon!
 
Hello UFHH01, my mail log is empty... nothing inside of it.

I restarted the server after adding the code but am still getting attempts to send outbound emails like crazy.
 
it sounds to me like you have one or more infected websites or someone is abusing an email account to send out spam. Limiting outgoing mail won't stop a spammer from using a hack he uploaded to a website.

Here are some things you can do to find the hacked sites and clean them:

- make sure all scripts like wordpress (and plugins/themes), joomla, drupal, etc... are up-to-date
--> you can use the wordpress module in plesk for wordpress but always make a good backup before you let automated scripts make changes.
- clean wordpress infected sites with wordpress scan plugins
- scan the sites with something like maldet

Here are some things that imho should always be on a server as part of a standard security policy. It's always better to stop a hacker before he has had a chance to abuse a website

- install and configure maldet so you get an early warning when some hackers are at it again
- install clamav to extend the search range of maldet
- extend clamav with extra definition files

- enable mod_security in plesk
- enable fail2ban in plesk

Actions to take before and after a spam attack
- test if your server is on blacklists
- have a good policy towards your clients about spam and updating websites, don't be afraid to disable a site if people are persistent in not updating their sites.

links to various sites
- scamp (clamav definitions script)
http://sourceforge.net/projects/scamp/

maldet
https://www.rfxn.com/projects/linux-malware-detect/

blacklisttest
http://multirbl.valli.org/

disclaimer: this works when the mailserver is qmail, i have no idea how to do this with postfix, maybe it's the same, maybe not, someone else please comment on this.

There is also the possibility that a user has a virus on their computer that steals passwords and the hackers are using their legitimate login/password combination to send mails. You can find this by filtering the maillog on these phrases
first "auth_smtp"
then start filtering on the various logins you see
"smtp_auth: smtp_auth: SMTP user [email protected]"

If someone is abusing a stolen password you will see a lot of these

May 7 11:20:28 res1 smtp_auth: smtp_auth: SMTP user [email protected] : logged in from (xxx)@(xxx) [xxx.xxx.xxx.xxx]

The logins will come from ip addresses all over the world. If you have 3 logins within a minute from india, russia and brazil, it's a pretty good sign that account is hacked.

I use the log module in webmin to do these filters. Maybe not geek-like enough for some, but it's pretty fast and handy.

i hope this has given you some ideas and directions where to look and i hope you find the spammer.

regards
Jan
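The "3 logins within a minute from different places" heuristic Jan describes, as an added example that is not code from this thread or from Plesk: it reads the qmail smtp_auth line format quoted above and, since the original poster runs Postfix, also Postfix's smtpd "sasl_username=" login lines, then flags any account that authenticated from several distinct client addresses inside a short window. All log lines, users and addresses below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (no real hosts, users or addresses): the qmail
# smtp_auth format quoted in the thread, plus Postfix smtpd SASL login lines.
SAMPLE_LOG = """\
May  7 11:20:28 res1 smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from unknown@unknown [203.0.113.5]
May  7 11:20:41 res1 smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from unknown@unknown [198.51.100.7]
May  7 11:21:02 res1 smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from unknown@unknown [192.0.2.9]
May  7 11:25:10 res1 smtp_auth: smtp_auth: SMTP user alice@example.com : logged in from unknown@unknown [203.0.113.50]
May  7 11:40:10 res1 postfix/smtpd[2211]: 1A2B3C: client=unknown[203.0.113.50], sasl_method=PLAIN, sasl_username=alice@example.com
May  7 11:52:00 res1 postfix/smtpd[2212]: 4D5E6F: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=carol@example.com
May  7 11:52:20 res1 postfix/smtpd[2213]: 7A8B9C: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=carol@example.com
"""

SYSLOG_TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
QMAIL_RE = re.compile(SYSLOG_TS + r"smtp_auth: .*SMTP user (\S+) : logged in from \S+ \[([\d.]+)\]")
POSTFIX_RE = re.compile(SYSLOG_TS + r"postfix/smtpd\[\d+\]: .*client=\S+\[([\d.]+)\].*sasl_username=(\S+)")

def parse_auth_logins(text):
    """Return (timestamp, user, ip) for every SMTP AUTH login found in the log text."""
    logins = []
    for line in text.splitlines():
        if m := QMAIL_RE.match(line):
            ts, user, ip = m.groups()
        elif m := POSTFIX_RE.match(line):
            ts, ip, user = m.groups()
        else:
            continue
        # syslog timestamps carry no year; strptime's default (1900) is fine for ordering
        logins.append((datetime.strptime(ts, "%b %d %H:%M:%S"), user, ip))
    return logins

def suspicious_accounts(logins, window_seconds=60, min_distinct_ips=3):
    """Flag accounts seen authenticating from at least min_distinct_ips different
    client addresses inside any window_seconds-long window (Jan's heuristic)."""
    by_user = defaultdict(list)
    for stamp, user, ip in logins:
        by_user[user].append((stamp, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for stamp, ip in events[i:] if (stamp - start).total_seconds() <= window_seconds}
            if len(ips) >= min_distinct_ips:
                flagged[user] = sorted(ips)
                break
    return flagged
```

Run it over a syslog-style mail log instead of SAMPLE_LOG; a flagged account is a candidate for a forced password reset, while a single address hammering many accounts is a different pattern (brute force) that fail2ban handles.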
 