Question spam from plesk

[sacco]

my server start sending spam, not many like 10 or 20 a day

but i cannot find where, does anyone can help?

this is the fact:
- spam has sent with different domain hosted in the server
- sometime mail sender is real mail box but some time is an existent alias with non existent mailbox
- phpmail.log and mail.log doesnt seem to help
- horde is disabled at this moment

this is header of those mail

Received: from myserver.tld (localhost.localdomain [127.0.0.1])
   by host1.myserver.tld (Postfix) with ESMTP id A67DE1167F7
   for <[email protected]>; Mon, 18 Jul 2016 12:15:28 +0200 (CEST)
Received-SPF: pass (host1.myserver.tld: localhost is always allowed.) client-ip=127.0.0.1; [email protected]; helo=domain.com;
Date: Mon, 18 Jul 2016 10:15:26 +0000 (UTC)
From: domain <[email protected]>
To: [email protected]
Message-ID: <[email protected]>

what i have found in log is:

named.log

Jul 27 07:29:33 host1 named[1441]: error (unexpected RCODE SERVFAIL) resolving '41.16.72.120.in-addr.arpa/PTR/IN': 202.137.115.23#53
Jul 27 07:29:33 host1 named[1441]: error (unexpected RCODE SERVFAIL) resolving '41.16.72.120.in-addr.arpa/PTR/IN': 202.137.115.65#53
Jul 27 07:29:34 host1 named[1441]: error (unexpected RCODE SERVFAIL) resolving '41.16.72.120.in-addr.arpa/PTR/IN': 202.137.115.23#53
Jul 27 07:29:35 host1 named[1441]: error (unexpected RCODE SERVFAIL) resolving '41.16.72.120.in-addr.arpa/PTR/IN': 202.137.115.65#53

maillog

host1 courier-imapd: Connection, ip=[::ffff:127.0.0.1]
Jul 27 16:10:25 host1 courier-imapd: LOGOUT, ip=[::ffff:127.0.0.1], rcvd=12, sent=365
Jul 27 16:10:25 host1 courier-imaps: Connection, ip=[::ffff:127.0.0.1]
Jul 27 16:10:25 host1 courier-imaps: LOGOUT, ip=[::ffff:127.0.0.1], rcvd=12, sent=356
Jul 27 16:10:25 host1 courier-pop3d: Connection, ip=[::ffff:127.0.0.1]
Jul 27 16:10:25 host1 courier-pop3d: LOGOUT, ip=[::ffff:127.0.0.1]
Jul 27 16:10:25 host1 courier-pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Jul 27 16:10:25 host1 courier-pop3s: Connection, ip=[::ffff:127.0.0.1]
Jul 27 16:10:26 host1 courier-pop3s: LOGOUT, ip=[::ffff:127.0.0.1]
Jul 27 16:10:26 host1 courier-pop3s: Disconnected, ip=[::ffff:127.0.0.1]

-----------

this is plesk postfix config

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
milter_connect_macros = j {daemon_name} {client_connections} {client_addr} {client_ptr} v
milter_default_action = accept
mydestination = localhost.$mydomain, localhost, localhost.localdomain
myhostname = host1.studiosacchetti.com
mynetworks = [::1]/128
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters =
plesk_virtual_destination_recipient_limit = 1
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.11.5/README_FILES
sample_directory = /usr/share/doc/postfix-2.11.5/samples
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org, reject_rbl_client zen.spamhaus.org
smtpd_milters = inet:127.0.0.1:12768 inet:127.0.0.1:12345
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_ciphers = medium
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_medium_cipherlist = HIGH:!aNULL:!MD5
transport_maps = , hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:30

[root@host1 ~]#

 

[UFHH01]

Hi sacco,

to investigate, if scripts are sending spam on your server, you could follow:

Many email messages are sent from PHP scripts on the server. How to find the domains on which these scripts are running? ( for QMAIL ! KB - article 1711 )
Many email messages are sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used? ( For POSTFIX ! KB - article 114845 )
​

named.log

This log is irrelevant for your mail - server.

maillog

Pls. have a look at more decent entries. These lines from your log - file just point to login - attempts.
Consider to use Fail2Ban and the "recidive - jail", to block returning intruders over iptables on your server.

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated

Pls. consider to use:

smtpd_sender_restrictions =
    check_sender_access hash:/var/spool/postfix/plesk/blacklists,
    permit_sasl_authenticated,
    reject_authenticated_sender_login_mismatch

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Pls. consider to use:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unlisted_sender

smtpd_sasl_auth_enable = yes

Pls. consider to use:

smtpd_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

More postfix - configuration suggestions could be viewed at:

problem with fake email address ( Plesk forum thread )​

 

[sacco]

hi UFHH01

thx for your prompt response!!

- failtoban is enforced already
- trick to add X-Additional-Header is already active but it seems that no trace of sent spam mail there, but only undelivered return mail with this header "X-Additional-Header: /var/qmail/mailnames/domain.xxx/info" (info in this case i an alias not a real mail box)
- there is no strange login in maillog from external client or host, but is seems to be strange a login from 127.0.0.1



Andrea

 

[UFHH01]

Hi sacco,

but is seems to be strange a login from 127.0.0.1

this is only strange, if you permit sendmail usage, because as you know, sendmail is located on your server itself and therefore you will see such messages with your local IP.

Pls. try to solve your issue with the provided suggestions and report back with new log - files and the changed master.cf / main.cf , if you need further assistance.