Server sending spam but no logs

FrancescoF

Guest
Hi all,

My server IP is being blacklisted by Spamhaus, Live, ... because it is apparently sending spam.
I'm using Plesk 10 with Qmail.

So I managed to investigate this and log all outgoing mail with the sendmail wrapper. All mail is correctly logged (SMTP and mail sent by scripts), but there is no trace of the spam mail. I also analysed the maillog and found nothing strange, no trace of spamming...

Here is an abuse report with the headers of mail apparently sent by my server:

Delivery-date: Tue, 26 Jun 2012 14:22:47 -0700
Received: from mon.domaine.com ([XX.XXX.XX.XX])
by pascal.junkemailfilter.com with smtp (Exim 4.77)
id 1SjdDT-0005yJ-J9 on interface=184.105.182.180
for [email protected]; Tue, 26 Jun 2012 14:22:47 -0700
Received: (qmail 11472 invoked by uid 732); 27 Jun 2012 00:27:11 -0000
Date: 27 Jun 2012 00:27:11 -0000
Message-ID: <[email protected]>
From: "Dionna" <[email protected]>
To: "XXXX" <[email protected]>
Subject: You have got a private message from Lilu
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Sender-Domain: mon.domaine.com
X-Spamfilter-host: pascal.junkemailfilter.com - http://www.junkemailfilter.com
X-Mail-from: [email protected]
X-Relay-Countries: CODE_PAYS
X-Spam-Report: SpamAssassin 3.3.2 (2011-06-06) on spamd3.ctyme.com
Spam Tests:
* 6.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 0.9994]
* 4.5 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
* 0.0 HTML_EXTRA_CLOSE BODY: HTML contains far too many close tags
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 10 NIXSPAM_IXHASH BODY: iXhash found @ ix.dnsbl.manitu.net
* 1.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
* trust
* [XX.XXX.XX.XX listed in list.dnswl.org]
* 3.0 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
* above 50%
* [cf: 100]
* 3.0 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
* [cf: 100]
* 3.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
X-Spam-Class: SPAM-HIGH - SpamAssassin - Score=35 [3 Spam]
X-Spam-Class: SPAM-HIGH - SpamAssassin rejected - Score=35 (15) X=pascal H=mon.domaine.com [XX.XXX.XX.XX] HELO=[mon.domaine.com] F=[[email protected]] T=[[email protected]] S=[You have got a private message from Lilu] - X=pascal H=mon.domaine.com [XX.XXX.XX.XX] HELO=[mon.domaine.com] F=[[email protected]] T=[[email protected]] S=[You have got a private message from Lilu]
X-Spamsave: Yes - SpamAssassin rejected - Score=35 (15) X=pascal H=mon.domaine.com [XX.XXX.XX.XX] HELO=[mon.domaine.com] F=[[email protected]] T=[[email protected]] S=[You have got a private message from Lilu] - X=pascal H=mon.domaine.com [XX.XXX.XX.XX] HELO=[mon.domaine.com] F=[[email protected]] T=[[email protected]] S=[You have got a private message from Lilu]
X-Sender-Host-Address: XX.XXX.XX.XX
X-Sender-Host-Name: mon.domaine.com
X-Spam-Flag: yes

Then I tried to find UID 732 in my passwd file

Received: (qmail 11472 invoked by uid 732); 27 Jun 2012 00:27:11 -0000

but it's not present...

Do you have any other ideas about where the problem is? Is my IP being spoofed?

Thanks in advance for your help!
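An added triage helper (my own example, not code from the thread): it parses a qmail abuse report like the one above, pulls the pid and uid out of the qmail Received header, checks that uid against a passwd file, and measures how far the server clock ran ahead of the receiver's (the DATE_IN_FUTURE hit). The report headers and the passwd excerpt are constructed samples.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the report above (addresses masked or .invalid).
SAMPLE_REPORT = """\
Delivery-date: Tue, 26 Jun 2012 14:22:47 -0700
Received: from mon.domaine.com ([XX.XXX.XX.XX])
\tby pascal.junkemailfilter.com with smtp (Exim 4.77)
\tid 1SjdDT-0005yJ-J9 for victim@example.invalid; Tue, 26 Jun 2012 14:22:47 -0700
Received: (qmail 11472 invoked by uid 732); 27 Jun 2012 00:27:11 -0000
Date: 27 Jun 2012 00:27:11 -0000
From: "Dionna" <dionna@mon.domaine.com>
Subject: You have got a private message from Lilu

<html>body</html>
"""

# Constructed /etc/passwd excerpt: deliberately no entry for uid 732.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
qmaild:x:2520:2520::/var/qmail:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
client1:x:10001:2523::/var/www/vhosts/client1.invalid:/bin/false
"""

QMAIL_RE = re.compile(r"\(qmail (\d+) invoked by uid (\d+)\);\s*(.+)$")

def _aware(dt):
    # qmail stamps '-0000'; parsedate_to_datetime returns that as a naive UTC time
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt

def triage(report, passwd):
    """Return the qmail pid/uid, whether that uid exists in passwd, and the
    seconds by which our Received stamp runs ahead of the receiver's clock."""
    msg = message_from_string(report)
    known = {int(l.split(":")[2]) for l in passwd.splitlines() if l.count(":") >= 6}
    pid = uid = injected = None
    for rcvd in msg.get_all("Received", []):
        m = QMAIL_RE.search(" ".join(rcvd.split()))   # unfold continuation lines
        if m:
            pid, uid = int(m.group(1)), int(m.group(2))
            injected = _aware(parsedate_to_datetime(m.group(3)))
    delivered = _aware(parsedate_to_datetime(msg["Delivery-date"]))
    skew = int((injected - delivered).total_seconds()) if injected else None
    return {"pid": pid, "uid": uid, "uid_known": uid in known, "skew_seconds": skew}
```

On the sample this reports uid 732 as unknown and a skew of about three hours, which is exactly the combination worth checking first: an injecting uid with no passwd entry, and a local clock that also explains the SpamAssassin date hit.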
 
Outbound SPAM

Try using the set-up below to track ALL outgoing mail through Horde, FormMails (sendmail).
The instructions are already organized; you may copy and paste:

Code:
mv /usr/sbin/sendmail /usr/sbin/sendmail.act
vi /usr/sbin/sendmail

add the following contents

Code:
#!/usr/bin/perl
# Wrapper that logs every sendmail invocation, then hands the
# message on to the real qmail sendmail binary.
use strict;
use warnings;

my $logfile = '/var/log/formmail.log';
open(my $info, '>>', $logfile) or die "Failed to open file $logfile: $!";

my $date = scalar localtime;
my $uid  = $>;                      # effective uid of the calling process
my @pw   = getpwuid($uid);          # empty list if the uid has no passwd entry

# A web server passes these variables to CGI/PHP scripts; log them when present.
if ($ENV{REMOTE_ADDR}) {
    my $script = $ENV{SCRIPT_NAME} || '';
    my $server = $ENV{SERVER_NAME} || '';
    print $info "$date - $ENV{REMOTE_ADDR} ran $script at $server\n";
} else {
    my $pwd = $ENV{PWD} || '';
    print $info "$date - uid $uid - $pwd - @pw\n";
}
close($info);

my $mailprog = '/var/qmail/bin/sendmail';
# For postfix please replace the above with the below, by commenting the above
#my $mailprog = '/var/sbin/sendmail.postfix';

# List-form open passes the original arguments straight to the real binary
# without going through a shell.
open(my $mail, '|-', $mailprog, @ARGV) or die "cannot open $mailprog: $!\n";
print $mail $_ while <STDIN>;
close($mail);

and finally

Code:
chmod +x /usr/sbin/sendmail
echo > /var/log/formmail.log
chmod 777 /var/log/formmail.log

Now you may try (and see all emails as they get logged with the sender's domain logged too):

Code:
tail -f /var/log/formmail.log
 
Thank you for your tip. It's logging mail sent by scripts, but my IP continues to be blacklisted...
 
Getting yourself off blacklists is either automatic after some days of no spam, or you need to manually request deblacklisting. It depends on the blacklist.

If you use something like http://multirbl.valli.org/lookup/ you can find out which blacklists you are on, and then take the appropriate action.

It can be time-consuming and frustrating, I'm afraid. But this means it is also essential that you deal with the problem completely before trying to de-blacklist yourself.

Sorry if I'm telling you stuff you already know. I wasn't sure what you were asking from your reply.
 
Thank you Faris for your help.

Yes, I already have this site in my bookmarks.

I have to manually remove my IP from the blacklists, but when I do that, the day after it is blacklisted again.

I don't know how to solve my problem... Should I take another IP and forget the one that is being blacklisted, because all the logs on my server don't show anything about these supposed spam emails...
 
If you keep on getting blacklisted after removal, then your system is still sending spam. There's no other reason to get added to a blacklist again after you've been removed. In this case getting a new IP will not help, as it will also get blacklisted.

If there's nothing in the logs -- even the script log -- then maybe someone has set up a PHP-based SMTP server which might bypass the logs. I'm not 100% sure. To combat that sort of thing you need to disable a number of PHP functions, but this can cause problems with legitimate scripts (including webmail) if you aren't careful.
 