Question Spam sent by my server

Hello,

I recently got an abuse mail by my hosting provider, stating that my server is sending spam.
The following excerpt was attached to the abuse mail:

Code:
[ SpamCop V4.8.7 ]
This message is brief for your comfort.  Please use links below for details.

Email from 94.130.34.42 / Sun, 18 Feb 2018 19:23:36 +0000
#spamcop link

[ Offending message ]
Received: from mail.microdream.co.uk
    by mail.microdream.co.uk with LMTP id 0KD1B7jSiVo9XQAADkLJhQ
    for <x>; Sun, 18 Feb 2018 19:23:36 +0000
Received: from mail.lotsearch.de ([94.130.34.42]:34284)
    by mail.microdream.co.uk with esmtp (Exim 4.89_1)
    (envelope-from <[email protected]>)
    id 1enUYU-0006CH-32
    for x; Sun, 18 Feb 2018 19:23:36 +0000
From: "eBay" <[email protected]>
To: "x" <x>
Subject: ***SPAM***  Ihre eBay-Rechnung für Februar ist ab jetzt online verfügbar
Date: Mon, 19 Feb 2018 05:23:15 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0AFC_01D3A961.70959750"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdOo7fjf7U04suYiTgKyysKAiejimQ==

This is a multipart message in MIME format.

------=_NextPart_000_0AFC_01D3A961.70959750
Content-Type: text/plain;
    charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
...
------=_NextPart_000_0AFC_01D3A961.70959750--

My IP: 94.130.34.42 (does the port 34284 indicate that the mail was sent through this port?)
I searched the logs in /var/log/mail.log for indicators... at around 19:23:36 I found the following entries:

Code:
Feb 18 19:22:39 zeus postfix/smtpd[18283]: connect from unknown[91.200.12.82]
Feb 18 19:22:39 zeus plesk_saslauthd[18324]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Feb 18 19:22:39 zeus plesk_saslauthd[18324]: privileges set to (111:116) (effective 111:116)
Feb 18 19:22:39 zeus plesk_saslauthd[18324]: failed mail authenticatication attempt for user 'Office' (password len=7)
Feb 18 19:22:39 zeus postfix/smtpd[18283]: warning: unknown[91.200.12.82]: SASL LOGIN authentication failed: authentication failure
Feb 18 19:22:39 zeus postfix/smtpd[18283]: lost connection after AUTH from unknown[91.200.12.82]
Feb 18 19:22:39 zeus postfix/smtpd[18283]: disconnect from unknown[91.200.12.82] ehlo=1 auth=0/1 commands=1/2
Feb 18 19:23:05 zeus postfix/smtpd[18283]: connect from localhost.localdomain[127.0.0.1]
Feb 18 19:23:08 zeus postfix/smtpd[18283]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.lotsearch.de>
Feb 18 19:23:09 zeus plesk_saslauthd[18324]: select timeout, exiting
Feb 18 19:23:10 zeus postfix/smtpd[18283]: lost connection after RSET from localhost.localdomain[127.0.0.1]
Feb 18 19:23:10 zeus postfix/smtpd[18283]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 rset=1 commands=3/4
Feb 18 19:23:10 zeus /usr/lib/plesk-9.0/psa-pc-remote[1388]: Message aborted.
Feb 18 19:23:10 zeus /usr/lib/plesk-9.0/psa-pc-remote[1388]: Message aborted.
Feb 18 19:23:24 zeus postfix/smtpd[18283]: warning: hostname walkerj235.example.com does not resolve to address 91.200.12.226: Name or service not known
Feb 18 19:23:24 zeus postfix/smtpd[18283]: connect from unknown[91.200.12.226]
Feb 18 19:23:24 zeus plesk_saslauthd[18355]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Feb 18 19:23:24 zeus plesk_saslauthd[18355]: privileges set to (111:116) (effective 111:116)
Feb 18 19:23:24 zeus plesk_saslauthd[18355]: failed mail authenticatication attempt for user 'setup' (password len=9)
Feb 18 19:23:24 zeus postfix/smtpd[18283]: warning: unknown[91.200.12.226]: SASL LOGIN authentication failed: authentication failure
Feb 18 19:23:24 zeus postfix/smtpd[18283]: lost connection after AUTH from unknown[91.200.12.226]
Feb 18 19:23:24 zeus postfix/smtpd[18283]: disconnect from unknown[91.200.12.226] ehlo=1 auth=0/1 commands=1/2
Feb 18 19:23:49 zeus dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<oneill>, method=PLAIN, rip=50.227.181.106, lip=94.130.34.42, session=<+IqxrYBlkmoy47Vq>
Feb 18 19:23:54 zeus plesk_saslauthd[18355]: select timeout, exiting

Especially interesting, as it indicates the attempt to send a mail via postfix on my server:
Feb 18 19:23:08 zeus postfix/smtpd[18283]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.lotsearch.de>

If I interpret it correctly, the attempt to send an unauthorized mail via my server was declined (relay access denied). I found similar lines from the same from-address ([email protected]) in the log file more than 25 times.

What I did so far:
  • changed passwords of all mail accounts
  • added iptables rule
    Code:
    iptables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT
    to only allow postfix using port 25 outgoing
  • enabled dkim / dmarc / spf (I did this 8 months ago already)
Some more background:
We are sending out around 50 emails per day to our users, as we are hosting a notification service (the users are registered at our website and created the notifications themselves; we also used double opt-in to make sure that users want to receive our emails). It is like eBay, where you get notified if an alert for a specific search term matches a new result in eBay's auctions.

How can I identify sources of spam on my server? How can I configure PLESK to prevent spammers using my server for their spam mails? Was the attached mail in the abuse email really sent by my server or would it be possible that the headers are spoofed?

Another thing: I have a catchall mailbox where all mails to non-existent users are sent to "[email protected]". Is it possible that the receiving mail server "otherserver.com" filed an abuse report against my current server because I forward (suspicious / spam) mails to it (see attached screenshot)?
settings.png

I am glad for any help. Thank you in advance.
Sincerely
Maximilian Füsslin
 
Hi,

1)
Based on
Feb 18 19:23:08 zeus postfix/smtpd[18283]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.lotsearch.de>
I think it was some application running locally, because the connection was from 127.0.0.1. After access was denied, a bad script could start sending emails by itself without postfix.
Check temporary directories like /tmp and the active processes on the server. Maybe try to log information about packets that trigger the iptables reject rule.

2) I have checked the server's IP address in blacklists and found this Hostkarma Blacklist Removal Form. So, not only the hosting provider detected spam.
 
Thank you for your answer.
I attached a log of running processes - I think nothing bad is running:
Code:
USER      PID %CPU %MEM    VSZ   RSS TTY    STAT START   TIME COMMAND
root      273  0.0  0.0    0    0 ?       S<   Feb13   0:00 [raid5wq]
root      312  0.0  0.0    0    0 ?       S    Feb13   1:12 [jbd2/md2-8]
root      313  0.0  0.0    0    0 ?       S<   Feb13   0:00 [ext4-rsv-conver]
root      369  0.0  0.0  94772  1220 ?       Ss   Feb13   0:00 /sbin/lvmetad -f
root      378  0.0  0.0  12204  4792 ?       Ss   Feb13   0:39 /usr/sbin/haveged --Foreground --verbose=1 -w 1024
root      379  0.0  0.0  92984 52936 ?       Ss   Feb13   1:52 /lib/systemd/systemd-journald
root      380  0.0  0.0  45080  3584 ?       Ss   Feb13   0:01 /lib/systemd/systemd-udevd
root      517  0.0  0.0    0    0 ?       S    Feb13   0:00 [jbd2/md1-8]
root      518  0.0  0.0    0    0 ?       S<   Feb13   0:00 [ext4-rsv-conver]
web_lot+   622  0.0  0.0  45276  4000 ?       Ss   Feb17   0:00 /lib/systemd/systemd --user
web_lot+   623  0.0  0.0 225168  2124 ?       S    Feb17   0:00 (sd-pam)
systemd+   676  0.0  0.0 100324  2260 ?       Ssl  Feb13   0:00 /lib/systemd/systemd-timesyncd
root      802  0.0  0.0  31760  2444 ?       Ss   Feb13   0:01 /usr/sbin/cron -f
message+   807  0.0  0.0  42900  3680 ?       Ss   Feb13   1:45 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
syslog    819  0.0  0.0 256392  3648 ?       Ssl  Feb13   0:39 /usr/sbin/rsyslogd -n
root      832  0.0  0.0  28616  2860 ?       Ss   Feb13   0:42 /lib/systemd/systemd-logind
daemon    842  0.0  0.0  26044  1876 ?       Ss   Feb13   0:00 /usr/sbin/atd -f
root      895  0.0  0.0  13664  2136 ?       Ss   Feb13   0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
postfix   1388  0.0  0.0 398972  3396 ?       Ssl  Feb13   0:22 /usr/lib/plesk-9.0/psa-pc-remote -p inet:[email protected] -t 7210   -P /run/psa-pc-remote.pid -u postfix -g popuser -n
root    1395  0.0  0.0 432104 19852 ?       Ss   Feb13   0:07 sw-engine-fpm: master process (/etc/sw-engine/sw-engine-fpm.conf)
bind    1400  0.0  0.0 723488 27976 ?       Ssl  Feb13   0:00 /usr/sbin/named -f -u bind -f -t /var/named/run-root -c /etc/named.conf
root    1436  0.1  0.0 795852 20608 ?       Ssl  Feb13  17:36 /usr/bin/dockerd -H fd://
root    1502  0.0  0.0  18688  1460 tty1    Ss+  Feb13   0:00 /sbin/agetty --noclear tty1 linux
mysql    1561  0.7  0.6 2291284 404668 ?    Ssl  Feb13  72:27 /usr/sbin/mysqld
root    1635  0.0  0.0  42456  7880 ?       Ss   Feb13   0:00 sw-cp-server: master process /usr/sbin/sw-cp-serverd -c /etc/sw-cp-server/config
root    1650  0.0  0.0  18268  2672 ?       Ss   Feb13   0:13 /usr/sbin/dovecot
dovecot   1670  0.0  0.0   9760  2436 ?       S    Feb13   0:04 dovecot/anvil
sphinxs+  1805  0.0  0.0 113276  1524 ?       S    Feb13   0:00 /usr/bin/searchd
sphinxs+  1806  0.2  4.0 2987896 2637884 ?    Sl   Feb13  22:47 /usr/bin/searchd
dovenull  2219  0.0  0.0  19044  4948 ?       S    09:05   0:00 dovecot/imap-login
root    2220  0.0  0.0  25312  3808 ?       S    09:05   0:00 dovecot/config
popuser   2227  0.0  0.0  20168  4776 ?       S    09:05   0:00 dovecot/imap
root    2242  0.0  0.0 384428 33836 ?       Ss   Feb13   0:25 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
dovenull  2262  0.0  0.0  19044  4932 ?       S    09:07   0:00 dovecot/imap-login
root    2263  0.1  0.0 530748  7504 ?       Ssl  Feb13  11:16 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --shim docker-containerd-shim --runtime docker-runc
popuser   2264  0.0  0.0  19328  3936 ?       S    09:07   0:00 dovecot/imap
dovenull  2265  0.0  0.0  19044  4860 ?       S    09:07   0:00 dovecot/imap-login
popuser   2266  0.0  0.0  19436  3944 ?       S    09:07   0:00 dovecot/imap
www-data  2309  0.0  0.0 384420  8400 ?       S    Feb13   0:00 php-fpm: pool www
www-data  2310  0.0  0.0 384420  8400 ?       S    Feb13   0:00 php-fpm: pool www
psaadm    2526  0.0  0.0 244948 10428 ?       S    Feb13   0:00 sw-engine-kv
root    2662  0.0  0.1 135384 87208 ?       Ss   Feb13   0:00 nginx: master process /usr/sbin/nginx
git      3082  0.0  0.0  45276  3628 ?       Ss   Feb13   0:01 /lib/systemd/systemd --user
git      3090  0.0  0.0  77688  2056 ?       S    Feb13   0:00 (sd-pam)
root    3203  0.0  0.0 102812  7528 ?       Ss   09:27   0:00 sshd: web_lotsearch [priv]
web_lot+  3212  0.0  0.0 102812  3484 ?       S    09:27   0:01 sshd: web_lotsearch@pts/0
web_lot+  3213  0.0  0.0  51628  5920 pts/0    Ss   09:27   0:00 -zsh
root    3217  0.0  0.0 102824  6888 ?       Ss   Feb13   0:00 sshd: git [priv]
git      3226  0.0  0.0 105232  5892 ?       S    Feb13   4:26 sshd: git
root    3264  0.0  0.0  71568  4900 pts/0    S    09:28   0:00 su root
root    3265  0.0  0.0  24432  4240 pts/0    S    09:28   0:00 bash
root    4433  0.0  0.0  65508  5700 ?       Ss   Feb13   0:12 /usr/sbin/sshd -D
root    4609  0.0  0.0  15056  1856 ?       Ss   Feb16   0:00 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
root    12274  0.0  0.0    0    0 ?       S    11:53   0:00 [kworker/1:1]
root    14103  0.0  0.0 213384 16268 ?       Ss   12:20   0:00 /usr/sbin/apache2 -k start
www-data 14107  0.0  0.0 210672  5548 ?       S    12:20   0:00 /usr/sbin/apache2 -k start
root    14110  0.0  0.0 383888  9544 ?       SNsl 12:20   0:00 Passenger watchdog
root    14113  0.0  0.0 1729900 15404 ?      Sl   12:20   0:01 Passenger core
www-data 14141  0.0  0.0 213708 13736 ?       S    12:20   0:00 /usr/sbin/apache2 -k start
www-data 14142  0.0  0.0 213748 13744 ?       S    12:20   0:00 /usr/sbin/apache2 -k start
www-data 14143  0.0  0.0 213636 13648 ?       S    12:20   0:00 /usr/sbin/apache2 -k start
www-data 14144  0.0  0.0 213668 13668 ?       S    12:20   0:00 /usr/sbin/apache2 -k start
www-data 14145  0.0  0.0 213644 13652 ?       S    12:20   0:00 /usr/sbin/apache2 -k start
nginx    14251  1.4  0.2 597816 144540 ?      Sl   12:20   1:07 nginx: worker process
www-data 14286  0.0  0.0 213644 13640 ?       S    12:20   0:00 /usr/sbin/apache2 -k start
root    14540  0.0  0.0  65408  4668 ?       Ss   12:22   0:01 /usr/lib/postfix/sbin/master
postfix  14542  0.0  0.0  67476  4552 ?       S    12:22   0:00 pickup -l -t fifo -u -c
postfix  14544  0.0  0.0  67648  4516 ?       S    12:22   0:00 qmgr -l -t fifo -u
postfix  14637  0.0  0.0  80808  7204 ?       S    12:23   0:00 tlsmgr -l -t unix -u -c
root    16817  0.0  0.0  32448  3464 ?       Ss   Feb19   0:29 tmux
root    16818  0.0  0.0  26040  6164 pts/2    Ss   Feb19   0:00 -bash
root    17035  0.0  0.0    0    0 ?       S    12:59   0:00 [kworker/0:1]
www-data 17191  0.0  0.0 213632 13176 ?       S    13:01   0:00 /usr/sbin/apache2 -k start
dovenull 17250  0.0  0.0  19044  4960 ?       S    13:03   0:00 dovecot/imap-login
root    17255  0.0  0.0   9624   832 ?       S    13:03   0:00 dovecot/ssl-params
popuser  17256  0.0  0.0  19572  4124 ?       S    13:03   0:00 dovecot/imap
root    18497  0.0  0.0 102824  7584 ?       Ss   13:21   0:00 sshd: git [priv]
git    18506  0.0  0.0 105220  6496 ?       S    13:21   0:01 sshd: git
web_lot+ 19032  2.6  0.1 513212 67788 ?       S    13:33   0:10 php-fpm: pool lotsearch.de
web_lot+ 19274  2.6  0.0 512100 64888 ?       S    13:35   0:07 php-fpm: pool lotsearch.de
root    19434  0.0  0.0  23588  3144 pts/0    S+   13:38   0:00 tmux attach
postfix  19506  0.0  0.0 105164 10128 ?       S    13:39   0:00 smtpd -n smtp -t inet -u -c -o stress= -s 2
postfix  19507  0.0  0.0  67476  4484 ?       S    13:39   0:00 proxymap -t unix -u
postfix  19508  0.0  0.0  67472  4460 ?       S    13:39   0:00 anvil -l -t unix -u -c
root    19521  0.0  0.0 102812  7216 ?       Ss   13:39   0:00 sshd: web_lotsearch [priv]
web_lot+ 19530  0.1  0.0 102812  4064 ?       S    13:39   0:00 sshd: web_lotsearch@notty
web_lot+ 19531  0.0  0.0  10040   680 ?       Ss   13:39   0:00 sleep 60
root    19533  0.0  0.0  34252  4244 ?       S    13:39   0:00 dovecot/auth
root    19619  0.0  0.0  40116  3260 pts/2    R+   13:40   0:00 ps -aux
sw-cp-s+ 24301  0.0  0.0  42460  8144 ?       S    Feb17   0:00 sw-cp-server: worker process
root    24554  0.0  0.1 161500 79536 ?       Ss   06:30   0:04 /usr/sbin/spamd -d --pidfile=/var/run/spamassassin.pid --create-prefs --daemonize --helper-home-dir=/var/qmail --max-children=5 --nouser-config --username=popuser --virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin
popuser  24556  0.0  0.1 166800 83848 ?       S    06:30   0:00 spamd child
popuser  24557  0.0  0.1 161500 75484 ?       S    06:30   0:00 spamd child
root    25259  0.0  0.0   9760  2240 ?       S    Feb14   0:03 dovecot/log
root    27495  0.1  0.0 584748 20484 ?       Sl   Feb14  10:53 /usr/bin/python /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
root    28059  0.0  0.0 102824  7236 ?       Ss   Feb18   0:00 sshd: web_lotsearch [priv]
web_lot+ 28068  0.0  0.0 102824  3680 ?       S    Feb18   0:00 sshd: web_lotsearch@notty
web_lot+ 28069  0.0  0.0  12880  1864 ?       Ss   Feb18   0:00 /usr/lib/openssh/sftp-server
uuidd    31793  0.0  0.0  30908  1104 ?       Ss   Feb15   0:00 /usr/sbin/uuidd --socket-activation
root    32215  0.0  0.0 490852 39020 ?       Ss   Feb14   0:45 php-fpm: master process (/opt/plesk/php/7.1/etc/php-fpm.conf)

I did notice the blacklisting too. I also ran maldet to search for malware / viruses, but nothing was found.
The TMP directory seems to be ok too. The only weird thing was multiple folders called "passenger.hiz2q81" (or "passenger.XXXX") with files "read_only_admin_password.txt" and "full_admin_password.txt" in them. Are these files generated by plesk?
 
Thank you for your answer.
Do you have tips on how to monitor mail traffic? I found the article "Many email messages are sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used?", but it seems that the logfile "mail.send" is not filled with data. I tried using "How to send an email using PHP script and check it on Linux" to send a mail via a php script.

Is there another way to monitor outgoing mail traffic? Is this traffic always delivered via port 25, or do I have to monitor other ports as well?

Thank you for your help.
 
You could parse /usr/local/psa/var/log/maillog which is where mail stats are calculated from.....
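As an added example (not code from the thread, from Plesk, or from Postfix), a small Python script that does the parsing suggested above over the kind of postfix/smtpd lines shown in the first post: it counts failed SASL logins per client IP and groups "Relay access denied" rejects by client IP and envelope sender, separating out the ones from 127.0.0.1, which can only come from a process on the server itself. The sample log lines and the addresses in them are constructed; the log path is an assumption and can be replaced with /usr/local/psa/var/log/maillog or /var/log/mail.log.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines modelled on the mail.log excerpt in the thread.
# Addresses and client IPs are placeholders, not values from a real server.
SAMPLE_LOG = """\
Feb 18 19:22:39 zeus postfix/smtpd[18283]: connect from unknown[198.51.100.82]
Feb 18 19:22:39 zeus postfix/smtpd[18283]: warning: unknown[198.51.100.82]: SASL LOGIN authentication failed: authentication failure
Feb 18 19:22:39 zeus postfix/smtpd[18283]: disconnect from unknown[198.51.100.82] ehlo=1 auth=0/1 commands=1/2
Feb 18 19:23:05 zeus postfix/smtpd[18283]: connect from localhost.localdomain[127.0.0.1]
Feb 18 19:23:08 zeus postfix/smtpd[18283]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 454 4.7.1 <victim@otherserver.example>: Relay access denied; from=<billing@brand.example> to=<victim@otherserver.example> proto=ESMTP helo=<mail.example.net>
Feb 18 19:23:24 zeus postfix/smtpd[18283]: warning: unknown[198.51.100.226]: SASL LOGIN authentication failed: authentication failure
Feb 18 19:23:30 zeus postfix/smtpd[18283]: warning: unknown[198.51.100.226]: SASL LOGIN authentication failed: authentication failure
Feb 18 19:24:01 zeus postfix/smtpd[18301]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 454 4.7.1 <other@otherserver.example>: Relay access denied; from=<billing@brand.example> to=<other@otherserver.example> proto=ESMTP helo=<mail.example.net>
"""

# Failed SASL login: one per line, keyed by the client IP in brackets.
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")
# Relay reject: client IP, envelope sender and recipient of the refused RCPT.
RELAY_DENIED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: "
    r"\d{3} [\d.]+ <[^>]*>: Relay access denied; from=<([^>]*)> to=<([^>]*)>")


def parse_maillog(text):
    """Return (sasl_failures_by_ip, relay_denied).

    relay_denied maps (client_ip, envelope_sender) -> list of recipients.
    """
    sasl = Counter()
    relay = defaultdict(list)
    for line in text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            sasl[m.group(1)] += 1
            continue
        m = RELAY_DENIED.search(line)
        if m:
            ip, sender, rcpt = m.groups()
            relay[(ip, sender)].append(rcpt)
    return sasl, dict(relay)


def local_relay_attempts(relay):
    """Rejects whose client was the loopback address. These were made by
    something running on the box (a script or web application), not by an
    outside host, so they point at a local source rather than a brute force."""
    return {k: v for k, v in relay.items() if k[0] == "127.0.0.1"}


def brute_force_sources(sasl, threshold=2):
    """Client IPs with at least `threshold` failed SASL logins (password guessing)."""
    return sorted(ip for ip, n in sasl.items() if n >= threshold)


if __name__ == "__main__":
    # Assumed usage: pass the real log path as the first argument.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sasl, relay = parse_maillog(text)
    print("password guessing from:", brute_force_sources(sasl))
    for (ip, sender), rcpts in local_relay_attempts(relay).items():
        print(f"local relay attempt from {ip} as <{sender}>: {len(rcpts)} recipient(s)")
```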
 
Thank you again for your help.
One more thing:
If I want to allow only postfix to send mails through port 25, can I specify a firewall rule?
For iptables it would be something like:
Code:
iptables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT
But I saw that many mails cannot be sent with this rule in my iptables setup. Which unix user is used to send mail in Plesk? Is there a way to just allow sending via authenticated SMTP (no webmailing) and restrict everything else via a firewall rule? I use authenticated SMTP for sending mails in my webscript anyway, because of the SPF / DKIM stuff, which is not working via the naive php "mail()" function.

EDIT: One more question about limiting outgoing mails with Plesk: if I send e.g. 50 emails at 7 pm and my limit is set to 30 emails per hour, are the remaining 20 emails queued and sent at 8 pm (or some minutes later, when postfix tries again to flush the mail queue), or are they dropped entirely?
 
Did you make sure Postfix is running under its own user account? (It should.)
 
Did you make sure Postfix is running under its own user account? (It should.)
Yes I think so:
Code:
postfix    924 19080  0 12:21 ?        00:00:00 smtpd -n smtp -t inet -u -c -o stress= -s 2
postfix    925 19080  0 12:21 ?        00:00:00 proxymap -t unix -u
postfix   4559 19080  0 12:17 ?        00:00:00 anvil -l -t unix -u -c
postfix   8942     1  0 11:50 ?        00:00:00 /usr/lib/plesk-9.0/psa-pc-remote -p inet:[email protected] -t 7210   -P /run/psa-pc-remote.pid -u postfix -g popuser -n
postfix   9000 19080  0 11:50 ?        00:00:00 pickup -l -t fifo -u -c
postfix   9001 19080  0 11:50 ?        00:00:00 qmgr -l -t fifo -u
postfix  10631 19080  0 11:51 ?        00:00:00 tlsmgr -l -t unix -u -c
root     19080     1  0 Feb20 ?        00:00:16 /usr/lib/postfix/sbin/master
 
Ok so the Postfix master process is the one that launches the other daemons. :/ It's running as root.
 
Actually, now that I think about it, that makes sense, as port 25 is considered a privileged port and would require the root user. You could possibly hack up Postfix to run under a different user, on a port higher than 1024. That would require some iptables action to forward the port.... actually sounds like a mess now that I think about it.
 
Ok so the Postfix master process is the one that launches the other daemons. :/ It's running as root.
Yes, but this is common practice, as postfix needs to listen on system-related ports, which requires root. I thought that the master process spawns sub-processes (e.g. when an email is sent) which run as the postfix user.
F.y.i. the postfix config was never touched (I just used plesk to configure / install the postfix mailserver). Therefore I think the way it is configured should be correct (otherwise it would mean that plesk does not configure postfix correctly).

So... If I understand you correctly I need to set the iptables rule for user "root" not user "postfix"?
 
Yup, sorry about my rambling. I think you need root in iptables and not postfix.
 