[QMAIL] Find source of spam

[vincenzot]

Hello,

I have an problem, I have my server that send many email spam but I have problem to find the source of spam, the source don't is an php scripts, in the ehader of the email I see that:

Received: (qmail 4181 invoked from network); 1 Oct 2010 22:35:23 +0200
Received: from localhost (HELO www.DOMAINS.it) (127.0.0.1)
by localhost with SMTP; 1 Oct 2010 22:35:23 +0200
Received: (qmail 47240 invoked by uid 33); 01 Oct 2010 20:35:23 +0000
Date: 01 Oct 2010 20:35:23 +0000
Message-ID: <[email protected]>
Subject: ALL PILLS IN BEST ONLINE DRUGSTORE !!!!
Reply-To: [email protected]
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
From: <[email protected]>
To: [email protected]
X-Priority: 3

But network is an smtp auth users, but how I can find it if the ip is localhost (127.0.0.1) ? in the domain.it I have an address of my hosted site internet but without change the password the poblem don't is resolved, how I can block this problem? I use centos + qmail

I hope in your answer

Regards

 

[IgorG]

Did you tried to check your server with chkrootkit of with rkhunter at least?

Also you can try to investigate Plesk maillog /usr/local/psa/var/logs/maillog

 

[vincenzot]

Hello,

I have check already with chkrootkit nothing worn or other suspicius files found, I have read the maillog I view the spam message start and I see

Oct 4 09:22:04 web qmail: 1286176924.169129 starting delivery 996: msg 35128411 to remote [email protected]
Oct 4 09:22:04 web qmail: 1286176924.169192 status: local 0/10 remote 1/100
Oct 4 09:22:04 web qmail-remote-handlers[22575]: Handlers Filter before-remote for qmail started ...
Oct 4 09:22:04 web qmail-remote-handlers[22575]: [email protected]
Oct 4 09:22:04 web qmail-remote-handlers[22575]: [email protected]
Oct 4 09:22:04 web qmail-remote-handlers[22575]: hook_dir = '/usr/local/psa/handlers/before-remote'
Oct 4 09:22:04 web qmail-remote-handlers[22575]: recipient[3] = [email protected]'
Oct 4 09:22:04 web qmail-remote-handlers[22575]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/[email protected]'

I have many email send from rx_canadanline how I can find the username that send them?

For example I see that

Oct 4 09:22:07 web imapd: IMAP connect from @ [Server_IP_Address]INFO: LOGIN, [email protected], ip=[Server_IP_Address], protocol=IMAP

Is possible that this email account have the same ip of the server into both login?

 

[IgorG]

Check output of following sql query from psa database:

select * from mail where mail_name='rx_canadanline24117';

 

[vincenzot]

Hello

this is the result

mysql> select * from mail where mail_name='rx_canadanline24117';
Empty set (0.00 sec)

But the email don't is always the same the number 24117 change for every send email ...is possible to find the domain or another solution? My mailserver today is in blacklist

Thanks for your time

 

[IgorG]

Well. Looks like you have installed spamsender script somewhere in your system. I think that it would be better to contact support team if you can't find it by yourself. Check all temp directories like /tmp, /var/tmp for files and directories with suspicious names or with names beginning with a dot. Check all processes with 'ps aux' and try to find suspicious processes at least.

 

[lvalics]

Try to use mod_security and also to check which UID sending out and check which PHP file are requested too many times with a contact form (or send email)

 

[vincenzot]

Hello

no tmp suspicius fils anyway I have deleted all data into /tmp and /var/tmp.

The email don't is send from an phpscripts but is from account because the qmail is "invoked by network" other question, how I can see in /var/log/messages the username that do the login? I view only the ipaddress but how I can see the username?

I see many of that access:

Oct 4 21:29:49 web xinetd[2378]: START: smtp pid=26568 from=127.0.0.1
Oct 4 21:30:34 web xinetd[2378]: START: smtp pid=27030 from=127.0.0.1
Oct 4 21:31:06 web xinetd[2378]: START: smtp pid=27264 from=127.0.0.1
Oct 4 21:32:31 web xinetd[2378]: START: smtp pid=28301 from=127.0.0.1
Oct 4 21:32:33 web xinetd[2378]: START: smtp pid=28333 from=127.0.0.1
Oct 4 21:33:41 web xinetd[2378]: START: smtp pid=28897 from=127.0.0.1
Oct 4 21:34:05 web xinetd[2378]: START: smtp pid=29126 from=127.0.0.1
Oct 4 21:34:10 web xinetd[2378]: START: smtp pid=29162 from=127.0.0.1
Oct 4 21:34:57 web xinetd[2378]: START: smtp pid=29524 from=127.0.0.1
Oct 4 21:36:44 web xinetd[2378]: START: smtp pid=30459 from=127.0.0.1
Oct 4 21:37:05 web xinetd[2378]: START: smtp pid=30656 from=127.0.0.1
Oct 4 21:37:07 web xinetd[2378]: START: smtp pid=30682 from=127.0.0.1
Oct 4 21:37:48 web xinetd[2378]: START: smtp pid=30934 from=127.0.0.1
Oct 4 21:38:34 web xinetd[2378]: START: smtp pid=31315 from=127.0.0.1
Oct 4 21:39:32 web xinetd[2378]: START: smtp pid=32049 from=127.0.0.1
Oct 4 21:40:04 web xinetd[2378]: START: smtp pid=32346 from=127.0.0.1
Oct 4 21:40:27 web xinetd[2378]: START: smtp pid=32547 from=127.0.0.1
Oct 4 21:40:44 web xinetd[2378]: START: smtp pid=32659 from=127.0.0.1
Oct 4 21:41:54 web xinetd[2378]: START: smtp pid=726 from=127.0.0.1
Oct 4 21:42:48 web xinetd[2378]: START: smtp pid=1211 from=127.0.0.1
Oct 4 21:44:26 web xinetd[2378]: START: smtp pid=1989 from=127.0.0.1
Oct 4 21:47:28 web xinetd[2378]: START: smtp pid=3494 from=127.0.0.1
Oct 4 21:47:33 web xinetd[2378]: START: smtp pid=3537 from=127.0.0.1

The email are send from 127.0.0.1 but how I can see the email account that do this access? THe smtp is only for autenticated users

 

[Jorge Adrian]

Received: (qmail 47240 invoked by uid 33); 01 Oct 2010 20:35:23 +0000

uid 33 = User ID 33 should give you a clue as to who is sending out spam on your system.

 

[vincenzot]

Yes i know that, but UID33 don't exist into my /etc/passwd ...

 

[IgorG]

Look at this thread http://forum.parallels.com/showthread.php?t=103797
Maybe it will help.

 

[kevin anderson]

I would double check your /etc/passwd, otherwise your system has been seriously hacked. on my system, uid 33 is www-data aka apache, which means you have a php script most likely that is being abused, and used to send spam. check your site directories for 777 permissions, make sure your php applications are all the latest versions,

 

[CatalinS]

Hello,

I've used the following articles to find out spammers and it worked every time :

http://kb.odin.com/766
and
http://kb.odin.com/en/1711

You should be able to find the exact php script.