
Resolved Spammer sending from root@domain - can't figure out how

flaxton

Basic Pleskian
I mean I see in the mail log connections from varying IPs, always different.

I think what they're doing is sending a "bounce" message and using it to spam others.

Maybe "bounce" messages are allowed through no matter what (no authentication?), because I've had trouble stopping it. I tried postfix smtpd_sender_restrictions, listing "root@domain" (domain hidden for this post) using a hash table. That didn't stop it.

Next I put root@domain into a blocklist in MagicSpam Pro.

That seems to have stopped it for the moment. But they could just pick another domain for the bounce message.

Any idea how this is happening?
 
First, take a look at the number of SMTP connections:

# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head

If it's a compromised account, it should be obvious. Nothing obvious? It's going to be a script. You'll want to create a wrapper that will add additional information to the email header to assist with tracking it down. It's detailed here:

Many email messages are sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used?
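The SASL-login triage from the reply above, written out as a small script. This is an added example, not code from the thread or from Plesk's KB; it assumes the Postfix smtpd line format shown in the comments (the format on which the thread's awk '{print $9}' lands on the sasl_username field) and runs on constructed sample lines. It goes one step beyond the one-liner: besides counting logins per account it counts distinct client IPs per account, which is the signal that separates a stolen password (one account, many unrelated IPs) from a busy but legitimate user.

```shell
#!/bin/sh
# Added example, not from the thread or Plesk's KB: triage of Postfix SASL logins
# from maillog-style lines. Assumed line format (Postfix smtpd, as in Plesk's
# /usr/local/psa/var/log/maillog):
#   Mon DD HH:MM:SS host postfix/smtpd[PID]: QUEUEID: client=NAME[IP], sasl_method=M, sasl_username=USER
# With that format the thread's awk '{print $9}' is the sasl_username field.

# Constructed sample log lines (not real server data).
SAMPLE_LOG='Jan 10 09:12:01 mx postfix/smtpd[2101]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=fred@example.test
Jan 10 09:12:07 mx postfix/smtpd[2102]: 1A2B3C4D5F: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=fred@example.test
Jan 10 09:13:44 mx postfix/smtpd[2110]: 2B3C4D5E6F: client=unknown[198.51.100.17], sasl_method=LOGIN, sasl_username=sales@example.test
Jan 10 09:13:59 mx postfix/smtpd[2111]: 2B3C4D5E70: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=sales@example.test
Jan 10 09:14:03 mx postfix/smtpd[2112]: 2B3C4D5E71: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=sales@example.test
Jan 10 09:14:20 mx postfix/smtpd[2113]: 2B3C4D5E72: client=unknown[192.0.2.78], sasl_method=PLAIN, sasl_username=sales@example.test
Jan 10 09:15:00 mx postfix/smtpd[2120]: 3C4D5E6F70: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=fred@example.test
Jan 10 09:15:10 mx postfix/smtpd[2121]: NOQUEUE: reject: RCPT from unknown[203.0.113.20]: 554 5.7.1 Relay access denied'

# logins_per_user: read log lines on stdin, print "COUNT USER" for every
# authenticated login (any sasl_method), most active account first.
logins_per_user() {
    grep 'sasl_username=' | sed 's/.*sasl_username=//' | sort | uniq -c | sort -nr
}

# ips_per_user: print "USER DISTINCT_IP_COUNT", most IPs first.
# A legitimate user normally logs in from a handful of addresses; a stolen
# password shows up as one account authenticating from many unrelated IPs.
ips_per_user() {
    grep 'sasl_username=' \
    | sed -n 's/.*client=[^[]*\[\([^]]*\)].*sasl_username=\(.*\)$/\2 \1/p' \
    | sort -u \
    | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' \
    | sort -k2,2nr -k1,1
}

# suspicious_users THRESHOLD: accounts seen from at least THRESHOLD distinct IPs.
suspicious_users() {
    ips_per_user | awk -v t="$1" '$2 >= t { print $1 }'
}

# Stand-alone run over the sample. On a real Plesk server replace the printf with
#   zgrep -h 'sasl_username=' /usr/local/psa/var/log/maillog*
printf '%s\n' "$SAMPLE_LOG" | logins_per_user
printf '%s\n' "$SAMPLE_LOG" | ips_per_user
printf '%s\n' "$SAMPLE_LOG" | suspicious_users 3
```

If every account's IP count matches what you know of its owner (as Fred reports below), the mail is not coming through an authenticated SMTP session at all and the wrapper approach is the next step.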
 
Hey, that's nice! Thanks! Unfortunately, it only shows legit users - confirmed with their known IP addresses. I had also searched through all site access_log files for POST commands and didn't see anything suspect.

I will try the wrapper method. Very cool ;-)

Fred
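The wrapper method Fred is about to try, as an added example. This is not Plesk's KB script (follow the KB for the supported install steps); it is a minimal POSIX sh wrapper that sits in front of the real sendmail binary and stamps every locally submitted message with a header naming the caller. The paths /usr/sbin/sendmail.postfix.real and /var/log/sendmail-wrapper.log are assumptions. Back up the real binary before moving anything: once it is gone, nothing on the box can deliver mail, which is exactly the situation the next posts in this thread describe.

```shell
#!/bin/sh
# Added example, not Plesk's KB script: a logging wrapper installed in front of
# the real sendmail binary. Every message submitted through the sendmail(1)
# interface (PHP mail(), cron jobs, shell scripts) gets an extra header naming
# the working directory, uid and parent process of whatever called it, so a
# spam message in the queue or in a recipient's mailbox points back at the script.
#
# Assumed install (hypothetical paths; back up first, because the real binary is
# the only thing that can deliver mail once you move it):
#   cp -a /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix.real
#   install -m 755 this-script /usr/sbin/sendmail.postfix
# On many systems /usr/sbin/sendmail is a symlink (alternatives) to
# sendmail.postfix; check with `ls -l /usr/sbin/sendmail` before touching it.

REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.postfix.real}"
WRAPPER_LOG="${WRAPPER_LOG:-/var/log/sendmail-wrapper.log}"

# caller_header CWD UID PPID CMD: build the header line (no trailing newline).
# CR/LF are stripped so a caller-controlled command line cannot smuggle in
# additional headers such as Bcc:.
caller_header() {
    printf 'X-Sendmail-Wrapper: cwd=%s uid=%s ppid=%s cmd=%s' "$1" "$2" "$3" "$4" | tr -d '\r\n'
}

# prepend_header HEADER: emit HEADER, then pass the message on stdin through
# unchanged. Putting it first keeps it inside the header block, which ends at
# the first blank line, so the message body is untouched.
prepend_header() {
    printf '%s\n' "$1"
    cat
}

# wrap: gather caller facts, log them, and hand the message to the real binary
# with the original sendmail arguments intact.
wrap() {
    cwd=$(pwd -P)
    uid=$(id -u)
    cmd=$(ps -o args= -p "$PPID" 2>/dev/null | head -c 200)
    hdr=$(caller_header "$cwd" "$uid" "$PPID" "$cmd")
    printf '%s %s args=%s\n' "$(date '+%b %d %H:%M:%S')" "$hdr" "$*" >> "$WRAPPER_LOG" 2>/dev/null || :
    prepend_header "$hdr" | "$REAL_SENDMAIL" "$@"
}

# Only act as the wrapper when installed under the sendmail name; run under any
# other file name (for instance while testing) it just defines the functions.
case "${0##*/}" in
    sendmail|sendmail.postfix) wrap "$@" ;;
esac
```

Once a spam message is sitting in the queue, `postcat -q QUEUEID | grep X-Sendmail-Wrapper` gives the vhost directory and the process that submitted it. One limit worth knowing before you install it: the wrapper only sees mail handed to the sendmail binary locally. Mail that arrives over SMTP from the client IPs in the maillog never passes through it, so if the header never appears on the spam, the sender is not a local script.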
 
Ouch, I've really done it now. I somehow accidentally deleted sendmail.postfix

Trying to recover it. Ouch ouch ouch.
 
We've all been there :) A simple reinstall of Postfix SHOULD clear that up....
 
OK, uninstalled with yum, reinstalled Postfix with yum. Plesk complained that I couldn't start Dovecot because Postfix wasn't installed. So I ran the Plesk MTA installer again:

/usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component postfix

I'm back up and running.

And Mark, thanks for making that file available. I ended up not needing it.

Calling it a night, I've done enough damage for one day lol!
 
We've all screwed up working late at some point and had to pull an all-nighter fixing it lol. Glad it's working!
 