
Spam Problem

  • Thread starter: gianni.infodata
Hi,
I have a Plesk 9.2.1 with the latest update. Every day my server gets signed up onto spam blacklists (e.g. CBL, Spamhaus...). I've checked the log and I've found this:

Nov 5 21:24:59 62 before-remote[28137]: check handlers for addr: [email protected]
Nov 5 21:24:59 62 before-queue[28135]: check handlers for addr: [email protected]
Nov 5 21:24:59 62 postfix/qmgr[11935]: 13737A4C40FE: from=<[email protected]>, size=1058, nrcpt=1 (queue active)
Nov 5 21:25:13 62 before-remote[28207]: check handlers for addr: [email protected]
Nov 5 21:25:13 62 before-queue[28206]: check handlers for addr: [email protected]
Nov 5 21:25:13 62 postfix/qmgr[11935]: 8A51CA4C40FE: from=<[email protected]>, size=1273, nrcpt=1 (queue active)
Nov 5 21:30:04 62 postfix/smtp[28142]: 43BD9A4C410C: to=<[email protected]>, relay=c.mx.mail.yahoo.com[209.191.88.247]:25, delay=305, delays=0/0/305/0, dsn=4.4.2, status=deferred (conversation with c.mx.mail.yahoo.com[209.191.88.247] timed out while receiving the initial server greeting)
Nov 5 21:30:39 62 postfix/smtp[28209]: 98D91A4C4110: to=<[email protected]>, relay=b.mx.mail.yahoo.com[66.196.82.7]:25, delay=325, delays=0/0/325/0, dsn=4.7.0, status=deferred (host b.mx.mail.yahoo.com[66.196.82.7] refused to talk to me: 421 4.7.0 [TS01] Messages from 62.149.172.239 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Nov 5 21:31:26 62 before-remote[1887]: check handlers for addr: [email protected]

This message is spam, but I can't find the origin of the message. I think that it was sent from a site such as PhpNuke. Is there a way to log the messages sent from sites?

Thanks a lot.
 
Since yesterday my server is full of spam. It is in every blacklist (CBL, Spamhaus, SORBS...). Does anyone know a way to check the origin of these messages? Mail log, site logs....
 
Hello,

Please find below the common recommendations which can help you eliminate a spam attack, such as using MAPS zones, SpamAssassin, and rejecting emails for non-existing users. The following articles are devoted to troubleshooting spam and known issues with SpamAssassin:

Spam tracking:
http://kb.odin.com/en/6010
http://kb.odin.com/en/766

Known issues and questions about spamassassin functionality:
http://kb.odin.com/en/1428
http://kb.odin.com/en/3017
http://kb.odin.com/en/5538
http://kb.odin.com/en/1334
http://kb.odin.com/en/1393

Thank you
 
I've installed the PHP script monitor (http://kb.odin.com/en/1711), but the spam isn't sent from domains. Today, while looking for a solution, I found these messages in the maillog:

Dec 10 13:25:47 62 pop3d-ssl: Connection, ip=[127.0.0.1]
Dec 10 13:25:47 62 pop3d-ssl: LOGOUT, ip=[127.0.0.1]
Dec 10 13:25:47 62 pop3d: Connection, ip=[127.0.0.1]
Dec 10 13:25:47 62 pop3d: LOGOUT, ip=[127.0.0.1]
Dec 10 13:25:47 62 imapd-ssl: Connection, ip=[127.0.0.1]
Dec 10 13:25:47 62 imapd-ssl: 1260447947.901332 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=310, maildir=/
Dec 10 13:25:47 62 imapd: Connection, ip=[127.0.0.1]
Dec 10 13:25:47 62 imapd: 1260447947.904785 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=308, maildir=/
Dec 10 13:25:49 62 spamd[14114]: spamd: got connection over /tmp/spamd_full.sock
Dec 10 13:25:49 62 spamd[11501]: prefork: child states: II

These messages appear many times throughout the day. And later I found this one:

qmail: 1260448523.473049 starting delivery 657: msg 48186588 to remote [email protected]
Dec 10 13:35:23 62 qmail: 1260448523.473152 status: local 0/10 remote 1/20
Dec 10 13:35:23 62 qmail-remote-handlers[26083]: Handlers Filter before-remote for qmail started ...
Dec 10 13:35:23 62 qmail-remote-handlers[26083]: from=
Dec 10 13:35:23 62 qmail-remote-handlers[26083]: [email protected]
Dec 10 13:35:23 62 qmail-remote-handlers[26083]: hook_dir = '/usr/local/psa/handlers/before-remote'
Dec 10 13:35:23 62 qmail-remote-handlers[26083]: recipient[3] = '[email protected]'
Dec 10 13:35:23 62 qmail-remote-handlers[26083]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/[email protected]'
 
The UID was from the outgoing message. Strange. I think the source of the mass mailing (800 emails before I stopped them) was coming from a cakePHP program someone had installed. I still haven't really confirmed this, but the mailing stopped when I disabled CRON.
 
I've found that outbound messages claiming to be from root are often from CGI-based scripts being exploited, while the messages will be from 'nobody' or 'apache' @ the local system name if they're PHP-based scripts being exploited, since those typically run under the permissions of the web server user. If the user's domain is set to have PHP running as CGI, though, that would fall under the first case and have them showing as coming from root@servername, for example. But yeah, it's a real pain in the a** to find the site where junk is being injected if the script that's being exploited doesn't leave any indication of which domain it's running on.
 
I got hit yesterday with the same messages, thousands per minute. I traced it to a domain and turned off that mail server, which stopped it, but still didn't identify the program generating it. It is 9 days since the last attack. The only program (PHP or CGI) logged as running at the time from the domain was the phpBB3 forum.

I'm totally stumped. Does anyone have any ideas on how to track down the program generating the spam? The emails generated are all in Spanish or Portuguese and seem to have a lot of Brazilian email addresses.
 
For that domain, look for lots of POST requests in the web logs around the time the problem was occurring; if there aren't a lot of those, look for .php requests.
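The suggestion above (match web requests against the times mail left the queue) can be scripted. The following is an added example, not code from the thread or from Plesk: it parses qmail "starting delivery" lines of the shape shown earlier in the thread, parses Apache combined-format access log lines, and counts how many outbound deliveries each POSTed script path precedes within a short window. The log lines are constructed samples; the year (the maillog carries none) and the assumption that both logs use the server's local time are inputs you set, not facts from the thread.

```python
"""Correlate outbound mail deliveries with web requests that preceded them."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample maillog lines in the shape the thread shows (year assumed 2009).
MAILLOG = """\
Dec 10 13:35:23 62 qmail: 1260448523.473049 starting delivery 657: msg 48186588 to remote victim1@example.net
Dec 10 13:35:24 62 qmail: 1260448524.101000 starting delivery 658: msg 48186589 to remote victim2@example.net
Dec 10 14:02:10 62 qmail: 1260450130.200000 starting delivery 701: msg 48186700 to remote friend@example.org
"""

# Constructed Apache combined-format lines for one vhost.
ACCESS_LOG = """\
203.0.113.5 - - [10/Dec/2009:13:35:21 +0100] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2009:13:35:22 +0100] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2009:13:35:40 +0100] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2009:14:01:50 +0100] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

DELIVERY_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ qmail: \S+ starting delivery \d+: msg \d+ to remote (\S+)"
)
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_deliveries(text, year):
    """Return [(datetime, recipient)] for each remote delivery start in a maillog."""
    out = []
    for line in text.splitlines():
        m = DELIVERY_RE.match(line)
        if not m:
            continue
        month, day, clock = m.group(1).split()  # syslog timestamps carry no year
        when = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
        out.append((when, m.group(2)))
    return out


def parse_requests(text, methods=("POST",), only_php=False):
    """Return [(datetime, client_ip, path)] for requests matching the given methods.

    The timezone offset is dropped on the assumption that the web and mail logs
    are written in the same local time; query strings are stripped from paths.
    """
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, stamp, method, url, _status = m.groups()
        if method not in methods:
            continue
        path = url.split("?", 1)[0]
        if only_php and not path.endswith(".php"):
            continue
        when = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")
        out.append((when, ip, path))
    return out


def correlate(deliveries, requests, window_seconds=60):
    """Count, per script path, how many deliveries it was requested shortly before.

    A request can only cause a delivery that follows it, so the window is
    [delivery - window, delivery]. Each path counts once per delivery.
    """
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for sent_at, _rcpt in deliveries:
        seen = {path for req_at, _ip, path in requests if sent_at - window <= req_at <= sent_at}
        hits.update(seen)
    return hits


if __name__ == "__main__":
    deliveries = parse_deliveries(MAILLOG, year=2009)
    for path, n in correlate(deliveries, parse_requests(ACCESS_LOG)).most_common():
        print(f"{n:4d} deliveries preceded by POST {path}")
```

Run it against the real logs of the suspect domain by reading the maillog and that vhost's access_log instead of the constructed strings; the path with the highest count is the first script to inspect. Passing `methods=("GET", "POST"), only_php=True` covers the fallback the post describes when POSTs are scarce.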
 
I just finished backporting all the latest mail() logging features from PHP 5.3.1 to the latest Atomic PHP 5.2.12 RPMs. This would allow you to either insert a header into each message generated by mail() indicating the source PHP script used, or to log that action to a file. It might make tracking down the culprit script much faster.
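Once mail() calls are being logged, the log still has to be turned into a per-script picture. The following is an added example, not the thread's or the RPM author's code: it parses entries in the shape upstream PHP 5.3 writes when its `mail.log` directive points at a file (`[date] mail() on [script:line]: To: ... -- Headers: ...`), counts sends per script, flags scripts that exceed a per-minute threshold, maps a script path back to its Plesk domain, and extracts the script name from the `X-PHP-Originating-Script` header that the `mail.add_x_header` directive adds. The log lines and message are constructed samples; the `/var/www/vhosts/<domain>/` layout is assumed, and whether the backported RPMs expose the directives under the same names is not something this thread states.

```python
"""Attribute PHP mail() activity to scripts and domains from PHP's mail log."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the format PHP 5.3's mail.log directive writes.
SAMPLE_MAIL_LOG = """\
[10-Dec-2009 13:35:20] mail() on [/var/www/vhosts/example.com/httpdocs/forum/includes/functions_messenger.php:1247]: To: victim1@example.net -- Headers: From: noreply@example.com
[10-Dec-2009 13:35:21] mail() on [/var/www/vhosts/example.com/httpdocs/forum/includes/functions_messenger.php:1247]: To: victim2@example.net -- Headers: From: noreply@example.com
[10-Dec-2009 13:35:21] mail() on [/var/www/vhosts/example.com/httpdocs/forum/includes/functions_messenger.php:1247]: To: victim3@example.net -- Headers: From: noreply@example.com
[10-Dec-2009 13:40:02] mail() on [/var/www/vhosts/other.example/httpdocs/contact.php:42]: To: owner@other.example -- Headers: From: web@other.example
"""

# Constructed raw message carrying the header mail.add_x_header inserts (uid:script).
SAMPLE_MESSAGE = """\
X-PHP-Originating-Script: 10048:functions_messenger.php
From: noreply@example.com
To: victim1@example.net
Subject: hello

body
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)
# Plesk vhost layout is an assumption of this example, not stated in the thread.
VHOST_RE = re.compile(r"^/var/www/vhosts/(?P<domain>[^/]+)/")
ORIGIN_RE = re.compile(r"^X-PHP-Originating-Script:\s*(?P<uid>\d+):(?P<script>\S+)", re.M)


def parse_mail_log(text):
    """Return one dict per mail() call: when, script, line, to, headers."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        entries.append({"when": when, "script": m.group("script"), "line": int(m.group("line")),
                        "to": m.group("to"), "headers": m.group("headers")})
    return entries


def count_by_script(entries):
    """Total mail() calls per script path, busiest first via most_common()."""
    return Counter(e["script"] for e in entries)


def flag_bursts(entries, max_per_minute=20):
    """Scripts that sent more than max_per_minute messages within one clock minute."""
    per_minute = defaultdict(int)
    for e in entries:
        per_minute[(e["script"], e["when"].replace(second=0))] += 1
    return {script for (script, _minute), n in per_minute.items() if n > max_per_minute}


def vhost_of(script_path):
    """Map a script path under the assumed Plesk layout to its domain, or None."""
    m = VHOST_RE.match(script_path)
    return m.group("domain") if m else None


def originating_script(raw_message):
    """Return (uid, script) from X-PHP-Originating-Script, or None if absent."""
    m = ORIGIN_RE.search(raw_message)
    return (int(m.group("uid")), m.group("script")) if m else None


if __name__ == "__main__":
    entries = parse_mail_log(SAMPLE_MAIL_LOG)
    for script, n in count_by_script(entries).most_common():
        print(f"{n:5d} {vhost_of(script)} {script}")
    print("bursting:", flag_bursts(entries, max_per_minute=2))
    print("header says:", originating_script(SAMPLE_MESSAGE))
```

The per-minute threshold is what separates a busy but legitimate contact form from a compromised script: pick it from the normal volume of the site, then inspect any script that crosses it. The header variant is useful when a message bounces or is reported from outside, since the originating script name travels with the message rather than staying in a local log.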
 