Spam Issue - Need Assistance

PleskyStuff

New Pleskian
Hi there,

We've been hit with spammers and having a hard time finding the source. I have followed the guidelines for identifying potential PHP scripts and no scripts are found to be malicious. We were running qmail but we moved to postfix. The problem started with qmail with spam coming from localhost. Here are the main.cf configs:

Code:
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_authenticated_sender_login_mismatch, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_sender_login_mismatch, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit
non_smtpd_milters =
smtpd_milters = , inet:127.0.0.1:12768
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
smtp_send_xforward_command = yes
smtpd_sasl_auth_enable = yes
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:110
virtual_gid_maps = static:31
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
mailbox_size_limit = 0
virtual_mailbox_limit = 0
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_reject_unlisted_sender = yes
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
disable_vrfy_command = yes
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_delay_reject = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

In the mail queue we see a number of "Undelivered Mail Returned to Sender" messages with the sender being "[email protected]". The header info is as follows:

Code:
Received: by mydomain.com (Postfix)
    id EAF7616C0F94; Mon,  3 Apr 2017 07:01:32 -0700 (PDT)
Date: Mon,  3 Apr 2017 07:01:32 -0700 (PDT)
From: [email protected] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [email protected]
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="AB75F16C089F.1491228092/mydomain.com"
Message-Id: <[email protected]>

When I search for the message ID in the maillog I see:

Code:
Apr  3 07:01:32 webserver postfix/cleanup[21189]: EAF7616C0F94: message-id=<[email protected]>
Apr  3 07:01:32 webserver postfix/bounce[21225]: AB75F16C089F: sender non-delivery notification: EAF7616C0F94
Apr  3 07:01:32 webserver postfix/qmgr[19275]: EAF7616C0F94: from=<>, size=8381, nrcpt=1 (queue active)
Apr  3 07:01:32 webserver postfix/qmgr[19275]: AB75F16C089F: removed
Apr  3 07:01:33 webserver postfix/smtp[21224]: EAF7616C0F94: host cdptpa-pub-iedge-vip.email.rr.com[107.14.166.70] refused to talk to me: 554 ERROR: Mail Refused - See http://www.spamhaus.org/query/bl?ip=209.15.246.206
Apr  3 07:01:33 webserver postfix/smtp[21224]: EAF7616C0F94: to=<[email protected]>, relay=dnvrco-pub-iedge-vip.email.rr.com[107.14.73.70]:25, delay=0.39, delays=0.02/0/0.37/0, dsn=4.0.0, status=deferred (host dnvrco-pub-iedge-vip.email.rr.com[107.14.73.70] refused to talk to me: 554 ERROR: Mail Refused - See http://www.spamhaus.org/query/bl?ip=209.15.246.206)

The problem is that the queue isn't filling up with massive amounts of spam, which would make troubleshooting much easier, but only a certain amount per hour... enough to keep us blacklisted on the spam lists, which is making life miserable. We have fail2ban running on postfix, proftpd and apache-badbot.

As mentioned we haven't found any nefarious scripts and we can't seem to pinpoint a client email account that is causing the spam.

Any help is appreciated. Thanks.
Hi PleskyStuff,

> In the mail queue we see a number of: "Undelivered Mail Returned to Sender" with the sender being "[email protected]".

As you can see in your mail.log, these bounce messages inform you about undelivered emails (reason: "refused to talk to me" because your IP is listed in RBLs).
In this specific case:
Code:
host cdptpa-pub-iedge-vip.email.rr.com[107.14.166.70] refused to talk to me: 554 ERROR: Mail Refused - See http://www.spamhaus.org/query/bl?ip=209.15.246.206

to=<[email protected]>, relay=dnvrco-pub-iedge-vip.email.rr.com[107.14.73.70]:25, delay=0.39, delays=0.02/0/0.37/0, dsn=4.0.0, status=deferred (host dnvrco-pub-iedge-vip.email.rr.com[107.14.73.70] refused to talk to me: 554 ERROR: Mail Refused - See http://www.spamhaus.org/query/bl?ip=209.15.246.206)
You won't help yourself by inspecting the non-delivery notifications; you have to investigate WHICH script or mail account sends spam from your server, because you won't get unlisted if the spam continues. You already got information from the Plesk Community on how to investigate spam on your server, so it won't help you if we re-post the suggestions.
In the first place, I would suggest stopping PHP mail usage completely for EVERY domain on your server and only allowing SMTP-authenticated scripts. Your goal should be to get off the blacklists as soon as possible, and if this means that your customers can't use PHP mail at the moment, all of them will understand your actions to protect your IP(s). ;)
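The reply's point is that the bounces are symptoms, and that the source (an authenticated mailbox or a local script) has to be found in the maillog itself. The following is an added example, not code from the thread or from Plesk, that attributes recipient counts per queue ID to either the `sasl_username` of an SMTP submission or the local uid of a `postfix/pickup` event (which is how sendmail-injected PHP mail() usually appears), while counting `from=<>` bounces separately. The log lines are constructed samples in standard Postfix syslog format; the account names and uids are invented.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not from the original thread): one authenticated
# SMTP submission, two local pickups from the same uid, and one bounce (from=<>).
SAMPLE_LOG = """\
Apr  3 07:00:01 webserver postfix/smtpd[21100]: 1A2B3C4D5E6F: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.com
Apr  3 07:00:01 webserver postfix/qmgr[19275]: 1A2B3C4D5E6F: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Apr  3 07:00:02 webserver postfix/pickup[19270]: 2B3C4D5E6F70: uid=10001 from=<shop@example.com>
Apr  3 07:00:02 webserver postfix/qmgr[19275]: 2B3C4D5E6F70: from=<shop@example.com>, size=4100, nrcpt=25 (queue active)
Apr  3 07:00:03 webserver postfix/pickup[19270]: 3C4D5E6F7081: uid=10001 from=<shop@example.com>
Apr  3 07:00:03 webserver postfix/qmgr[19275]: 3C4D5E6F7081: from=<shop@example.com>, size=4099, nrcpt=30 (queue active)
Apr  3 07:01:32 webserver postfix/qmgr[19275]: EAF7616C0F94: from=<>, size=8381, nrcpt=1 (queue active)
"""

SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=.*?sasl_username=(\S+)")
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")


def summarize(log_text):
    """Return ({("sasl", user) | ("uid", uid): total recipients}, bounce_count).

    The origin of each queue ID is learned from the smtpd (SASL) or pickup line;
    the qmgr line then supplies nrcpt. Bounces (empty envelope sender) are only
    counted, because they point at the blacklisting, not at the spam source.
    """
    origin = {}                 # queue id -> ("sasl", username) or ("uid", uid)
    rcpts = defaultdict(int)    # origin -> recipients submitted
    bounces = 0
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            origin[m.group(1)] = ("sasl", m.group(2))
            continue
        m = PICKUP_RE.search(line)
        if m:
            origin[m.group(1)] = ("uid", m.group(2))
            continue
        m = QMGR_RE.search(line)
        if m:
            qid, sender, nrcpt = m.groups()
            if sender == "":
                bounces += 1
            elif qid in origin:
                rcpts[origin[qid]] += int(nrcpt)
    return dict(rcpts), bounces


if __name__ == "__main__":
    sources, bounce_count = summarize(SAMPLE_LOG)
    for src, n in sorted(sources.items(), key=lambda kv: -kv[1]):
        print(f"{src[0]}={src[1]}: {n} recipients")
    print(f"bounces ignored: {bounce_count}")
```

On a real server, feed the output of `grep postfix /var/log/maillog` for the last hour; a single uid with a recipient count far above everything else points at a web-site's script, a single sasl_username at a compromised mailbox.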