
spam from localhost

B. W.

Guest
Hi,
My problem is that my server sends a lot of spam mails like this:

Received: (qmail 31520 invoked from network); 9 Mar 2009 16:05:24 +0000
Received-SPF: pass (xxxxxx.server4you.de: localhost is always allowed.) client-ip=127.0.0.1; [email protected]; helo=localhost;
Received: from localhost (127.0.0.1)
by localhost with SMTP; 9 Mar 2009 16:05:24 +0000
Message-ID: <01C9A0D0.4A450800@localhost>
X-Priority: 1 (High)
Reply-To: <[email protected]>
From: <[email protected]>
X-Mailer: Sendmail 3.84/3.84
To: <[email protected]>
Subject: Additional help in building body of your dream.
Date: Mon, 9 Mar 2009 16:05:24 +0400
Content-Type: multipart/alternative;
boundary="----01C9A0F26C823117"


and a lot of bounce mails hanging in the mail queue:

Received: (qmail 24564 invoked for bounce); 9 Mar 2009 22:19:39 +0000
Date: 9 Mar 2009 22:19:39 +0000
From: [email protected]
To: [email protected]
Subject: failure notice


Anyone have an idea how to fix the problem?

Global mail settings in Plesk:
Check the passwords for mailboxes in the dictionary: true
Enable message submission: true
Relaying: authorization is required: SMTP
Available Webmail clients: none

DomainKeys spam protection:
Allow signing outgoing mail: off
Verify incoming mail: off
Switch on SPF spam protection: true
SPF checking mode: Reject mails when SPF does not resolve to "pass"
Switch on spam protection based on DNS blackhole lists: true
Only use of full POP3/IMAP mail accounts names is allowed: true

Some lines from the maillog:

Mar 6 14:36:48 servername relaylock: /var/qmail/bin/relaylock: mail from xx.xx.xx.xxx:3607 (xxxxxxxxxxx.xxxxx.net)
Mar 6 14:36:57 servername relaylock: /var/qmail/bin/relaylock: mail from xx.xx.xxx.xx:1829 (xx-xx-xxx-xx.daomain.com)
Mar 6 14:37:23 servername relaylock: /var/qmail/bin/relaylock: Unable to query white list: not an error
Mar 6 14:37:23 servername relaylock: /var/qmail/bin/relaylock: mail from 127.0.0.1:60856 (localhost)
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: Handlers Filter before-queue for qmail started ...
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: [email protected]
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: [email protected]
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: hook_dir = '/opt/psa/handlers/before-queue'
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: recipient[3] = '[email protected]'
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: handlers dir = '/opt/psa/handlers/before-queue/recipient/[email protected]'
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: found handlers entry = '/opt/psa/handlers/before-queue/global/10-spf-EAmqvj'
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: call_handlers: call executable = '/opt/psa/handlers/info/10-spf-EAmqvj/executable'
Mar 6 14:37:23 servername spf filter[18438]: Starting spf filter...
Mar 6 14:37:23 servername spf filter[18438]: SPF result: pass
Mar 6 14:37:23 servername spf filter[18438]: SPF status: PASS
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: handlers_stderr: PASS
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: starter: submitter[18439] exited normally
Mar 6 14:37:30 servername relaylock: /var/qmail/bin/relaylock: Unable to query white list: not an error
Mar 6 14:37:30 servername relaylock: /var/qmail/bin/relaylock: mail from 127.0.0.1:32907 (localhost)
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: Handlers Filter before-queue for qmail started ...
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: [email protected]
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: [email protected]
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: hook_dir = '/opt/psa/handlers/before-queue'
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: recipient[3] = '[email protected]'
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: handlers dir = '/opt/psa/handlers/before-queue/recipient/[email protected]'
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: found handlers entry = '/opt/psa/handlers/before-queue/global/10-spf-EAmqvj'
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: call_handlers: call executable = '/opt/psa/handlers/info/10-spf-EAmqvj/executable'
Mar 6 14:37:30 servername spf filter[18445]: Starting spf filter...
Mar 6 14:37:30 servername spf filter[18445]: SPF result: pass
Mar 6 14:37:30 servername spf filter[18445]: SPF status: PASS
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: handlers_stderr: PASS
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: starter: submitter[18446] exited normally
Mar 6 14:39:04 servername relaylock: /var/qmail/bin/relaylock: mail from xxx.xxx.xx.xx:46884 (xxxxxxxx.mail.mud.yahoo.com)
Mar 6 14:39:04 servername qmail-queue-handlers[18569]: Handlers Filter before-queue for qmail started ...
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: [email protected]
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: [email protected]
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: hook_dir = '/opt/psa/handlers/before-queue'
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: recipient[3] = '[email protected]'
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: handlers dir = '/opt/psa/handlers/before-queue/recipient/[email protected]'
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: found handlers entry = '/opt/psa/handlers/before-queue/global/10-spf-EAmqvj'
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: call_handlers: call executable = '/opt/psa/handlers/info/10-spf-EAmqvj/executable'
Mar 6 14:39:05 servername spf filter[18570]: Starting spf filter...
Mar 6 14:39:05 servername spf filter[18570]: Error code: (2) Could not find a valid SPF record
Mar 6 14:39:05 servername spf filter[18570]: Failed to query MAIL-FROM: No DNS data for 'yahoo.com'.
Mar 6 14:39:05 servername spf filter[18570]: SPF result: none
Mar 6 14:39:05 servername spf filter[18570]: SPF status: PASS
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: handlers_stderr: PASS
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: starter: submitter[18571] exited normally
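Before switching MTAs, the log above already narrows the problem: every spam submission arrives over 127.0.0.1 with no authenticated user, and the SPF filter passes it only because "localhost is always allowed". The shell script below is an added example, not the poster's, that pulls those local submissions out of a qmail/Plesk maillog and pairs each with the envelope sender and recipient, then reads saved `ss -tnp` output to name the local process holding a connection to port 25. It assumes the from=/to= form of the qmail-queue-handlers lines (the copies above are address-obfuscated) and the column layout of iproute2's `ss -tnp`; the log lines and ss output inside the block are constructed samples, not real data.

```shell
#!/bin/sh
# Added example (not from the post): find SMTP submissions that came in over
# 127.0.0.1 and name the local process that opened the connection.

# Constructed sample maillog lines, modelled on the post's format (not real data).
SAMPLE_LOG='Mar 6 14:36:48 servername relaylock: /var/qmail/bin/relaylock: mail from 203.0.113.5:3607 (mx.example.net)
Mar 6 14:37:23 servername relaylock: /var/qmail/bin/relaylock: mail from 127.0.0.1:60856 (localhost)
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: Handlers Filter before-queue for qmail started ...
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: from=spammer@example.com
Mar 6 14:37:23 servername qmail-queue-handlers[18437]: to=victim@example.org
Mar 6 14:37:30 servername relaylock: /var/qmail/bin/relaylock: mail from 127.0.0.1:32907 (localhost)
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: from=spammer@example.com
Mar 6 14:37:30 servername qmail-queue-handlers[18444]: to=other@example.org
Mar 6 14:39:04 servername relaylock: /var/qmail/bin/relaylock: mail from 198.51.100.9:46884 (mta.example.com)
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: from=someone@example.net
Mar 6 14:39:05 servername qmail-queue-handlers[18569]: to=user@example.org'

# Constructed `ss -tnp` output: one perl process talking to the local MTA.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 127.0.0.1:40058 127.0.0.1:25 users:(("perl",pid=4172,fd=3))
ESTAB 0 0 127.0.0.1:25 127.0.0.1:40058 users:(("qmail-smtpd",pid=4180,fd=0))
ESTAB 0 0 203.0.113.7:22 198.51.100.3:51234 users:(("sshd",pid=812,fd=4))'

# Print "Mon D HH:MM:SS sender recipient" for every submission whose relaylock
# line shows 127.0.0.1 as the client.  relaylock logs no pid, so the next
# qmail-queue-handlers from=/to= pair after it is taken as the same message;
# a submission from any other client resets the state.
localhost_submissions() {
    awk '
        /relaylock:.*mail from 127\.0\.0\.1:/ { pending = 1; ts = $1 " " $2 " " $3; next }
        /relaylock:.*mail from /              { pending = 0; next }
        pending && /qmail-queue-handlers\[[0-9]+\]: from=/ { sub(/.*from=/, ""); sender = $0; next }
        pending && /qmail-queue-handlers\[[0-9]+\]: to=/   { sub(/.*to=/, ""); print ts, sender, $0; pending = 0 }
    ' "$1"
}

# Number of local submissions in the log file given as $1.
count_localhost_submissions() {
    localhost_submissions "$1" | wc -l | tr -d ' '
}

# From saved `ss -tnp` output ($1), print "name pid" of each process whose peer
# is 127.0.0.1:25.  The server side (local port 25) is skipped; the remaining
# pids are what to inspect next with ls -l /proc/PID/exe /proc/PID/cwd and lsof -p PID.
local_smtp_clients() {
    awk '$5 == "127.0.0.1:25" && match($0, /users:\(\("[^"]+",pid=[0-9]+/) {
        s = substr($0, RSTART, RLENGTH)
        sub(/users:\(\("/, "", s)
        sub(/",pid=/, " ", s)
        print s
    }' "$1"
}

# Stand-alone demo on the constructed samples.  Live use: the real maillog and
# `ss -tnp > ss.txt` captured while a spam run is in progress.
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp); ss_out=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$log"
    printf '%s\n' "$SAMPLE_SS" > "$ss_out"
    echo "local submissions: $(count_localhost_submissions "$log")"
    localhost_submissions "$log"
    echo "processes talking to 127.0.0.1:25:"
    local_smtp_clients "$ss_out"
    rm -f "$log" "$ss_out"
fi
```

Run it with `--demo` to see the two local submissions and the `perl 4172` client in the samples. On the live box the interesting number is the one `ss` gives you: a connection to 127.0.0.1:25 that is not held by the MTA's own helpers (the Plesk handlers, the drweb/spamassassin hand-off) is the process to look at, and the timestamps from the log tell you when to take the snapshot.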
 
Not very helpful...

But does anyone have an idea how to install Postfix in Plesk 9.0.1?
It is not in the update list, and under Server Components it is listed as "not installed".
 
Very easy to switch :)

Run the installer from the shell.

Under mail, select Postfix.

This will remove qmail and install Postfix.

Problem solved :)
 
Done!

But there are still a lot of "UNDELIVERED MAIL RETURNED TO SENDER" mails in the queue...
Also, some spam messages get through my settings.

main.cf:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = xxxxxxxx.server4you.de
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.server4you.de, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_client_restrictions = reject_rbl_client
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unlisted_sender,
reject_unlisted_recipient
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
transport_maps = hash:/var/spool/postfix/plesk/transport
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:110
virtual_gid_maps = static:31
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1


Maillog:
postfix/smtpd[20939]: 7A9901544175: client=localhost.localdomain[127.0.0.1]:40058
postfix/cleanup[20940]: 7A9901544175: message-id=<[email protected]>
postfix/qmgr[11070]: 7A9901544175: from=<[email protected]>, size=1357, nrcpt=1 (queue active)
postfix/smtp[21026]: 7A9901544175: to=<[email protected]>, relay=none, delay=0.18, delays=0.11/0/0.07/0, dsn=4.4.1, status=deferred (connect to smiths-travel.co.uk[83.138.128.248]:25: Connection refused)

postfix/pickup[4895]: EC4D015440B2: uid=107 from=<drweb>
postfix/cleanup[5047]: EC4D015440B2: message-id=<[email protected]>
postfix/qmgr[4896]: EC4D015440B2: from=<[email protected]>, size=888, nrcpt=1 (queue active)
postfix/smtp[5572]: EC4D015440B2: to=<[email protected]>, orig_to=<drweb>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.37, delays=0.06/0.12/0.04/0.14, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 29E4415440AE)
postfix/qmgr[4896]: EC4D015440B2: removed

postfix/qmgr[4896]: 07AD81544093: from=<>, size=3239, nrcpt=1 (queue active)
postfix/smtp[7300]: 07AD81544093: host mx1.bt.mail.yahoo.com[217.146.188.189] refused to talk to me: 421 Message from (SERVER-IP) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
postfix/smtp[7300]: 07AD81544093: host mx1.bt.mail.yahoo.com[195.50.106.135] refused to talk to me: 421 Message from (SERVER-IP) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
postfix/smtp[7300]: 07AD81544093: to=<[email protected]>, relay=mx2.bt.mail.yahoo.com[195.50.106.135]:25, delay=23988, delays=23983/0.01/3.7/1.2, dsn=2.0.0, status=sent (250 ok dirdel)
postfix/qmgr[4896]: 07AD81544093: removed

postfix/smtpd[16488]: disconnect from localhost.localdomain[127.0.0.1]
postfix/smtp[16461]: E1335154409A: to=<[email protected]>, relay=none, delay=0.09, delays=0.08/0/0/0, dsn=5.4.6, status=bounced (mail for striker.ottawa.on.ca loops back to myself)
postfix/cleanup[16499]: 0296C15440A6: message-id=<[email protected]>
postfix/smtpd[16477]: lost connection after RSET from localhost.localdomain[127.0.0.1]
postfix/smtpd[16477]: disconnect from localhost.localdomain[127.0.0.1]
postfix/qmgr[11070]: 0296C15440A6: from=<>, size=3294, nrcpt=1 (queue active)
postfix/bounce[16503]: E1335154409A: sender non-delivery notification: 0296C15440A6
postfix/qmgr[11070]: E1335154409A: removed
postfix/smtpd[16452]: connect from localhost.localdomain[127.0.0.1]
postfix/smtpd[16452]: warning: restriction reject_rbl_client requires domain name argument
postfix/smtpd[16459]: connect from localhost.localdomain[127.0.0.1]
postfix/smtpd[16452]: NOQUEUE: client=localhost.localdomain[127.0.0.1]
postfix/smtpd[16459]: warning: restriction reject_rbl_client requires domain name argument
postfix/smtpd[16459]: 22B66154409A: client=localhost.localdomain[127.0.0.1]:56398
before-remote[16605]: check handlers for addr: [email protected]
before-remote[16605]: check handlers for addr: [email protected]
before-queue[16604]: check handlers for addr: [email protected]
before-queue[16604]: check handlers for addr: [email protected]
postfix/cleanup[16492]: 22B66154409A: message-id=<[email protected]>
postfix/qmgr[11070]: 22B66154409A: from=<[email protected]>, size=1340, nrcpt=1 (queue active)
postfix/smtpd[16459]: disconnect from localhost.localdomain[127.0.0.1]
postfix/smtp[16461]: 22B66154409A: to=<[email protected]>, relay=none, delay=0.08, delays=0.08/0/0/0, dsn=5.4.6, status=bounced (mail for striker.ottawa.on.ca loops back to myself)
postfix/cleanup[16499]: 3656315440AB: message-id=<[email protected]>
postfix/qmgr[11070]: 3656315440AB: from=<>, size=3305, nrcpt=1 (queue active)
postfix/bounce[16504]: 22B66154409A: sender non-delivery notification: 3656315440AB
postfix/qmgr[11070]: 22B66154409A: removed
postfix/smtpd[16452]: lost connection after RSET from localhost.localdomain[127.0.0.1]
postfix/smtpd[16452]: disconnect from localhost.localdomain[127.0.0.1]
postfix/smtp[16496]: connect to mx1.flipag.net[168.61.15.69]:25: Connection timed out
postfix/smtp[16520]: 2F80315440A2: to=<[email protected]>, relay=mail.redbanksurgery.com[216.196.247.78]:25, delay=1.8, delays=0.03/0/0.46/1.3, dsn=2.0.0, status=sent (250 2.0.0 Resetting)
postfix/qmgr[11070]: 2F80315440A2: removed
postfix/smtp[16514]: connect to mx1.flipag.net[168.61.15.69]:25: Connection timed out
postfix/smtp[16505]: C4ED7154409E: to=<[email protected]>, relay=gm-pool-sk.centrum.cz[90.183.38.21]:25, delay=2.9, delays=0.01/0/0.15/2.7, dsn=2.6.0, status=sent (250 2.6.0 message accepted)
postfix/qmgr[11070]: C4ED7154409E: removed
postfix/smtp[16501]: certificate verification failed for smtp.websense.com[204.15.69.25]:25: self-signed certificate
postfix/smtp[16501]: 3656315440AB: to=<[email protected]>, relay=smtp.websense.com[204.15.69.25]:25, delay=4.1, delays=0.01/0/4/0.09, dsn=2.0.0, status=sent (250 2.0.0 n2BBIoi9031564 Message accepted for delivery)
postfix/qmgr[11070]: 3656315440AB: removed
postfix/smtp[16496]: B8F7A15440A8: to=<[email protected]>, relay=mx3.flipag.net[168.61.15.75]:25, delay=65, delays=0.04/0/65/0.66, dsn=2.0.0, status=sent (250 OK)
postfix/qmgr[11070]: B8F7A15440A8: removed


Bounce Mail Header:
Received: by xxxxxxx.server4you.de (Postfix)
id BA35815442EB; Wed, 11 Mar 2009 15:41:36 +0000 (UTC)
Date: Wed, 11 Mar 2009 15:41:36 +0000 (UTC)
From: [email protected] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [email protected]
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9CDE715442ED.1236786096/xxxxxxx.server4you.de"
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>



Does anyone have an idea how to stop this?!
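The bounces filling the queue are backscatter. The spam is accepted from 127.0.0.1 because `permit_mynetworks` comes first and `mynetworks` covers 127.0.0.0/8, so any process on the box submits without authenticating; the non-delivery notices then go to forged sender addresses, and where those domains are unreachable (the `Connection refused` and `Connection timed out` entries) they sit in the deferred queue and are retried for days. Triage starts with dropping those queued bounces rather than retrying them. The script below is an added example, not the poster's: it reads saved `postqueue -p` output, lists the queue IDs of messages with the null sender (shown by postqueue as MAILER-DAEMON) or from a given address, and hands them to `postsuper -d -`. The queue listing in the block is a constructed sample and the sender address in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the post): pick queued backscatter and spam out of a
# saved `postqueue -p` listing so it can be deleted with postsuper.

# Constructed sample in postqueue's format (not a real queue).  A trailing '*'
# marks an active entry, '!' one on hold; the second column is the size.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
07AD81544093     3239 Wed Mar 11 15:41:36  MAILER-DAEMON
                                         someone@example.net

7A9901544175*    1357 Wed Mar 11 15:40:02  forged@example.com
                                         victim@example.org

3656315440AB!    3305 Wed Mar 11 15:42:10  MAILER-DAEMON
                                         other@example.net

-- 8 Kbytes in 3 Requests.'

# Queue IDs of bounce messages (null envelope sender) in the listing at $1.
# Only the header line of each entry starts with a queue ID; recipient
# continuation lines are indented and ignored.
queued_bounces() {
    awk '/^[0-9A-F]+[*!]? / && $NF == "MAILER-DAEMON" {
        id = $1; sub(/[*!]$/, "", id); print id
    }' "$1"
}

# Queue IDs whose envelope sender contains the string $2 (address or domain).
queued_from() {
    awk -v who="$2" '/^[0-9A-F]+[*!]? / && index($NF, who) {
        id = $1; sub(/[*!]$/, "", id); print id
    }' "$1"
}

# Delete the IDs read on stdin.  postsuper -d - takes one queue ID per line;
# it needs root and a live postfix, so fall back to showing what would go.
purge_ids() {
    if command -v postsuper >/dev/null 2>&1; then
        postsuper -d -
    else
        echo "postsuper not found; would delete:" >&2
        cat >&2
    fi
}

if [ "${1:-}" = "--demo" ]; then
    q=$(mktemp)
    printf '%s\n' "$SAMPLE_QUEUE" > "$q"
    echo "bounces:";                  queued_bounces "$q"
    echo "from forged@example.com:";  queued_from "$q" forged@example.com
    # Live:  postqueue -p > /root/queue.txt; queued_bounces /root/queue.txt | purge_ids
    rm -f "$q"
fi
```

Dropping every queued bounce also drops the few legitimate non-delivery notices in the queue; during a backscatter flood that trade is usually acceptable, and `postqueue -p` (the same listing `mailq` prints) lets you review what is there first. Separately, the `warning: restriction reject_rbl_client requires domain name argument` lines in the log mean the posted `smtpd_client_restrictions = reject_rbl_client` performs no check at all; the restriction needs a zone name, which the configuration in the next reply supplies.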
 
Make these changes to main.cf

(some may be done already; depending on the OS, tweak the paths)

# REJECTING MAIL FOR UNKNOWN LOCAL USERS
local_recipient_maps = $virtual_mailbox_maps

# JUNK MAIL CONTROLS
header_checks = regexp:/etc/postfix/header_checks

(read the Postfix site on how to set up header_checks; the file is empty, no rules)

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist, check_sender_access hash:/etc/postfix/check_backscatterer, check_sender_access hash:/etc/postfix/check_spamcannibal, check_client_access cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org

This last rule includes whichever RBL servers you use, so edit what is there. I highly recommend you add these rules:
check_client_access hash:/etc/postfix/whitelist
check_sender_access hash:/etc/postfix/check_backscatterer
check_sender_access hash:/etc/postfix/check_spamcannibal
check_client_access cidr:/etc/postfix/postfix-dnswl-permit

These four rules run BEFORE the RBL checks. So if you play in Plesk and save your mail config, re-edit this line: it messes it up and puts these last :( . This allows for whitelisting and backscatter checks, stopping these **** emails but also not blocking real emails...


**whitelist

A simple file with IPs or mail server names and an OK to pass them; then NO MORE CHECKS are performed, so really only whitelist what is absolutely necessary, and never someone's email address, as these are easily faked:

10.0.0.1 OK


**check_backscatterer

<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org
MAILER-DAEMON reject_rbl_client ips.backscatterer.org

This passes any email only from <>, postmaster or MAILER-DAEMON through backscatterer.org and will reject these spammy bounces.

**check_spamcannibal

<> reject_rbl_client bl.spamcannibal.org
postmaster reject_rbl_client bl.spamcannibal.org
MAILER-DAEMON reject_rbl_client bl.spamcannibal.org

Same deal here, but uses spamcannibal.org.

You MUST hash these files for Postfix use by:

# postmap check_spamcannibal   (creates "check_spamcannibal.db" from "check_spamcannibal")
etc.


To use the postfix-dnswl-permit:

Set up a cron job for root in Plesk:

/usr/bin/rsync --times rsync1.dnswl.org::dnswl/postfix-dnswl-permit /etc/postfix/ >/dev/null 2>&1

and run it, say, twice a day. This updates the postfix-dnswl-permit list. Really works well in NOT blocking real emails.

Enjoy!
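The maps this reply describes, as an added example generated by a shell script (not the reply's own files), with the detail a Postfix user needs to get right: `<>`, `postmaster` and `MAILER-DAEMON` are envelope-sender keys, so the backscatterer table has to be consulted with `check_sender_access` (a `check_client_access` lookup is keyed by the connecting client's IP and hostname and would never match `<>`). The lookup can still sit in `smtpd_client_restrictions` ahead of the RBLs, because with the default `smtpd_delay_reject = yes` every restriction list is evaluated at RCPT TO, when the sender is already known. Two caveats: an `OK` from the whitelist ends only the restriction list it appears in, so `smtpd_sender_restrictions` and `smtpd_recipient_restrictions` still run for that client; and bl.spamcannibal.org stopped operating in 2018 and should no longer be queried, so it is left out here. The directory argument stands in for /etc/postfix, 192.0.2.10 is a placeholder address, and the zone names are the ones the reply uses.

```shell
#!/bin/sh
# Added example (not from the reply): build the access maps and the restriction
# lists, with sender-keyed tables looked up as check_sender_access.

# Write a three-line sender-access map that sends mail with an empty sender,
# or from postmaster/MAILER-DAEMON, to one DNSBL zone ($2).  Any other sender
# is absent from the map and is therefore not checked against that zone.
bounce_sender_map() {
    printf '%s\treject_rbl_client %s\n' '<>' "$2" postmaster "$2" MAILER-DAEMON "$2" > "$1"
}

# Create whitelist, check_backscatterer and a placeholder dnswl file under $1
# (stands in for /etc/postfix), then compile the hash: tables if postmap exists.
write_maps() {
    d=$1
    mkdir -p "$d"
    # Client IP or hostname -> OK.  OK stops evaluation of this restriction
    # list only, so the entry skips the DNSBLs below it, nothing more.
    # 192.0.2.10 is a placeholder; list only hosts you operate, never addresses.
    printf '192.0.2.10\tOK\n' > "$d/whitelist"
    bounce_sender_map "$d/check_backscatterer" ips.backscatterer.org
    # cidr: table of "network permit" lines, normally replaced by the rsync cron job.
    if [ ! -e "$d/postfix-dnswl-permit" ]; then
        printf '# fetched by: rsync --times rsync1.dnswl.org::dnswl/postfix-dnswl-permit %s/\n' "$d" \
            > "$d/postfix-dnswl-permit"
    fi
    if command -v postmap >/dev/null 2>&1; then
        for f in whitelist check_backscatterer; do postmap "hash:$d/$f"; done
    fi
}

# Value for smtpd_client_restrictions: permits first, then the sender-keyed
# backscatter check, then the DNSBLs.  Plesk rewrites this line when mail
# settings are saved, so re-check the order afterwards.
client_restrictions() {
    printf 'check_client_access hash:%s/whitelist, check_sender_access hash:%s/check_backscatterer, check_client_access cidr:%s/postfix-dnswl-permit, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net' "$1" "$1" "$1"
}

# Apply with postconf -e (no-op here when postfix is absent).  The reply's
# header_checks and local_recipient_maps settings are applied the same way.
apply_restrictions() {
    command -v postconf >/dev/null 2>&1 || { echo "postconf not found" >&2; return 0; }
    postconf -e "smtpd_delay_reject = yes"
    postconf -e "smtpd_client_restrictions = $(client_restrictions "$1")"
    postconf -e "smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender"
    postconf -e "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
    postfix reload
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_maps "$d"
    cat "$d/check_backscatterer"
    echo "smtpd_client_restrictions = $(client_restrictions /etc/postfix)"
    rm -rf "$d"
fi
```

`write_maps /etc/postfix` followed by `apply_restrictions /etc/postfix` is the live sequence; `--demo` writes into a temporary directory and prints the generated line. Note that none of these checks touches the original complaint: mail injected over 127.0.0.1 still matches `permit_mynetworks` before any of this runs, so the access maps cut the inbound junk and the backscatter, not the local sender.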
 
Also check the Plesk KB and make sure you're running the hotfixes postfix-local and postfix-queue; these are NOT in Plesk 9.0.1!
 
Hi,

All settings updated, but still some spam got through...

postfix/smtpd[11160]: connect from localhost.localdomain[127.0.0.1]
postfix/smtpd[11173]: connect from localhost.localdomain[127.0.0.1]
postfix/smtpd[11160]: NOQUEUE: client=localhost.localdomain[127.0.0.1]
postfix/smtpd[11173]: ABA6F15440BC: client=localhost.localdomain[127.0.0.1]:52723
before-remote[12707]: check handlers for addr: [email protected]
before-queue[12706]: check handlers for addr: [email protected]
postfix/cleanup[12692]: C36AA15440C6: message-id=<[email protected]>
postfix/qmgr[11104]: C36AA15440C6: from=<>, size=3376, nrcpt=1 (queue active)
postfix/smtp[11213]: C36AA15440C6: to=<[email protected]>, relay=spam.uyemura.com.tw[211.74.160.42]:25, delay=3.6, delays=0.02/0/1.9/1.7, dsn=2.0.0, status=sent (250 2.0.0 n2CBIEnc033401 Message accepted for delivery)
postfix/qmgr[11104]: C36AA15440C6: removed

Any idea?
 
Perhaps this is coming from an exploited form hosted on this server? Some time ago, and not only once, I had trouble with badly coded websites that could be easily exploited, and the default PHP which comes with the distro doesn't include anything in mail headers that can indicate which script generated those messages. You can try recompiling PHP with this patch here:

http://www.lancs.ac.uk/~steveb/patches/php-mail-header-patch/
 
I don't think so... it's only a data server for eBay shops, and there are no websites etc. on it.
So... what else could it be?
 
Hint: have a quick look at the presence of a rootkit.

Advice: run rkhunter (Rootkit Hunter) from the command line and read the file rkhunter.log carefully.

Furthermore: analyze your daemons, note and write down the date and time of spam activity and try to find daemon activity in your machine at the same time.

Most of the programs sending mail (spam or not) are well hidden and have names that resemble names of good programs. Often a simple d is added to the name of good programs, suggesting that you are dealing with a daemon.

However, those malicious programs are often simple scripts. Not daemons. So some form of grep will also give you a hint whether scripts are mimicking daemons.

NOTE: most of malicious scripts do come back. If you do not delete all files, they just return. Be aware of that and clean the machine very well if suspicious scripts are found.
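A first pass over the process table for the pattern this reply describes, as an added example (not the reply's own procedure): a script that was given a daemon-like name and is executed directly through its shebang keeps that name in /proc/PID/comm while /proc/PID/exe points at the interpreter, and that mismatch is what to look for. The block also flags executables running from /tmp, /var/tmp or /dev/shm and executables that were deleted from disk after they started. It assumes Linux /proc (root is needed to read other users' exe links); the process table inside the block is a constructed sample, not output from the poster's server.

```shell
#!/bin/sh
# Added example (not from the reply): flag processes whose name and executable
# do not agree, the "script pretending to be a daemon" pattern.

# Constructed sample of "pid comm exe" lines (not from a real machine).
SAMPLE_PROCS='1 init /sbin/init
812 sshd /usr/sbin/sshd
1431 crond /usr/bin/perl
2207 httpd /usr/sbin/httpd
2590 kthreadd /tmp/.x/kthreadd
3011 bash /dev/shm/.s/bash (deleted)'

# Live snapshot: one "pid comm exe" line per process, read from /proc.
# comm is the name the kernel records (the script's file name when a script
# is run via its shebang); exe resolves to the binary actually executing.
snapshot_procs() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || exe='?'
        printf '%s %s %s\n' "$pid" "$comm" "$exe"
    done
}

# Read "pid comm exe" lines from $1 and print the suspicious ones with a reason.
suspicious_procs() {
    awk '
        {
            pid = $1; comm = $2; exe = $3; reason = ""
            base = exe; sub(/.*\//, "", base)
        }
        # daemon-looking name, but the thing running is an interpreter
        comm ~ /d$/ && base ~ /^(perl|python[0-9.]*|php[0-9.]*|ruby|sh|bash|dash)$/ {
            reason = "daemon-like name run by interpreter " base
        }
        # binaries living in world-writable scratch space
        exe ~ /^\/(tmp|var\/tmp|dev\/shm)\// { reason = "executable in scratch dir" }
        # readlink appends " (deleted)" when the file was removed after exec
        $NF == "(deleted)" { reason = "executable deleted from disk" }
        reason != "" { print pid, comm, exe, "::", reason }
    ' "$1"
}

# Take the live snapshot while the maillog shows local submissions happening;
# a fake daemon that only works certain hours is easiest to catch then.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PROCS" > "$f"
    suspicious_procs "$f"
    rm -f "$f"
    # Live:  snapshot_procs > /root/procs.txt; suspicious_procs /root/procs.txt
fi
```

On the sample this prints the perl script called `crond`, the binary under /tmp and the deleted one under /dev/shm. Before killing anything, record `ls -l /proc/PID/cwd` and `lsof -p PID` for each hit: the working directory and open files usually point at the rest of the kit (the dropper, the cron or rc entry that restarts it, the address lists), which is what the reply's note about scripts coming back refers to. `rkhunter --check --sk` and a careful read of /var/log/rkhunter.log cover the cases this heuristic misses.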
 