Gentoo Forums
[SOLVED] Mailserver being used as SPAM zombie server
oslinux
Tux's lil' helper


Joined: 13 Dec 2006
Posts: 97

PostPosted: Tue May 03, 2011 5:55 pm    Post subject: [SOLVED] Mailserver being used as SPAM zombie server

Hi all,
One of my servers at OVH was having problems with HDD space; when I checked, I found that the problem was mail.log growing fast.
It seems that someone is using postfix to send mails around the world and that the world is blacklisting my server :cry: .

Postfix SMTP should be protected with dovecot SASL, so I don't know how they're sending this volume of mails. There is a small number of users of the mailserver and each one is trusted.

When I noticed this traffic I blocked outbound traffic with IPTABLES, but I need to find the source of the problem or I won't be able to use the SMTP server any more (I'm planning to change the mailserver IP address to solve the blacklist problem).

This is an extract from mail.log, following a spam e-mail:
http://pastebin.com/7q4uQMf9

This is postfix main.cf:
http://pastebin.com/7s5zCfp8

Thank you for any hint!

Luca


Last edited by oslinux on Tue May 03, 2011 10:53 pm; edited 1 time in total
ianw1974
Guru


Joined: 18 Oct 2006
Posts: 387
Location: UK and Poland

PostPosted: Tue May 03, 2011 7:11 pm    Post subject:

Changing the IP address isn't going to solve your problem in the long run. You can have your existing IP removed from the blacklist but you need to address your problem. Sounds to me that you are an open relay, which surprises me because postfix by default doesn't have this problem. I expect your server isn't configured as it should be.

I'm using mydestination and mynetworks, which you don't have, and these are two of the options that stop your server from being used as an open relay. mydestination should list all the domains you receive email for. You need to look at other config options too; there's plenty out there on how to configure postfix as a virtual server, the gentoo docs had this at one point if I remember correctly.

First, fix the postfix config, then look at removing your IP from the blacklists, or change your IP if you feel this is easier. But if you don't fix the problem, you'll only get blacklisted again. There are ways to test to see if the server is an open relay, so once you've fixed the config you can test to make sure it's OK.
_________________
Ian Walker
mmealman
Guru


Joined: 02 Nov 2002
Posts: 348
Location: Florida

PostPosted: Tue May 03, 2011 8:02 pm    Post subject:

You need to pin down your problem. First check to see if you're an open relay. From a machine that should not have relay access, do something like the below:
Code:

telnet mysmtpserver.com 25

Escape character is '^]'.
220 TEST.localdomain ESMTP Postfix
MAIL FROM: <mark@xxxx.org>
250 2.1.0 Ok
RCPT TO: <mark@yyyy.com>
554 5.7.1 <mark@yyyy.com>: Relay access denied
quit
221 2.0.0 Bye
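The telnet probe above, scripted so it can be rerun after every config change. This is an added example, not the poster's own tool; the host, sender and recipient are placeholders, and the verdict rests only on the RCPT TO reply code (Postfix's "554 5.7.1 ... Relay access denied" versus a 250 acceptance). Nothing is ever delivered because the DATA stage is never reached.

```python
import smtplib

# Verdicts for the server's reply to RCPT TO for a recipient it does not host.
RELAY_DENIED = "closed"    # 5xx: relaying refused, the result you want
RELAY_OPEN = "open"        # 2xx: foreign recipient accepted, the server will relay
RELAY_UNKNOWN = "unknown"  # 4xx tempfail, greylisting, or connection trouble


def classify_rcpt_reply(code, message=b""):
    """Map the RCPT TO reply code to a relay verdict.

    Postfix answers '554 5.7.1 <...>: Relay access denied' when it refuses to
    relay; a 250 means it accepted a foreign recipient and would relay the mail.
    """
    if 200 <= code < 300:
        return RELAY_OPEN
    if 500 <= code < 600:
        return RELAY_DENIED
    return RELAY_UNKNOWN


def check_open_relay(host, sender, recipient, port=25, timeout=10):
    """Run the unauthenticated MAIL FROM / RCPT TO probe from the thread.

    Run it from a network that must NOT have relay rights (outside mynetworks),
    with sender and recipient domains the server does not host.
    Returns (verdict, detail); DATA is never issued, so no mail is sent.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            code, msg = smtp.mail(sender)
            if code != 250:
                return RELAY_UNKNOWN, "MAIL FROM rejected: %d %s" % (code, msg.decode(errors="replace"))
            code, msg = smtp.rcpt(recipient)
            return classify_rcpt_reply(code, msg), "%d %s" % (code, msg.decode(errors="replace"))
    except (OSError, smtplib.SMTPException) as exc:
        return RELAY_UNKNOWN, "connection failed: %s" % exc


if __name__ == "__main__":
    import sys
    # usage: relay_check.py mail.mydomain.com mark@xxxx.org mark@yyyy.com  (placeholders)
    verdict, detail = check_open_relay(sys.argv[1], sys.argv[2], sys.argv[3])
    print("relay %s: %s" % (verdict, detail))
    sys.exit(0 if verdict == RELAY_DENIED else 1)
```

A "closed" verdict only proves the unauthenticated path is shut; as the thread goes on to show, mail can still leave through a web application that talks to the local MTA.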
oslinux
Tux's lil' helper


Joined: 13 Dec 2006
Posts: 97

PostPosted: Tue May 03, 2011 9:36 pm    Post subject:

I'm not going to request an IP change before resolving this problem :wink:
Code:
telnet mail.mydomain.com 25
Trying {server_ip}...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 {server_ip} ESMTP Postfix
MAIL FROM: <mark@xxx.org>
250 2.1.0 Ok
RCPT TO: <mark@yyyy.com>
554 5.7.1 <mark@yyyy.com>: Relay access denied
quit
221 2.0.0 Bye
Connection closed by foreign host.


This is from my home computer; the same happens with another server in the serverfarm. Only the host should be allowed, or authenticated clients, and this seems to be working :cry:

EDIT:

I'm using
Code:
mynetworks_style = host

which replaces mynetworks by only allowing connections from localhost.
Jaglover
Watchman


Joined: 29 May 2005
Posts: 7711
Location: Saint Amant, Acadiana

PostPosted: Tue May 03, 2011 10:08 pm    Post subject:

Google for mail relay test, there are online services you can use.

OTOH, if your box is hacked then a reinstall from scratch is in order.
oslinux
Tux's lil' helper


Joined: 13 Dec 2006
Posts: 97

PostPosted: Tue May 03, 2011 10:31 pm    Post subject:

Reinstall :S
It's not hacked: ssh access is only allowed from an RSA-protected OpenVPN and with SSH RSA authentication, it allows access only to a single user who is a member of the wheel group, and every single action from this account is logged and sent to my e-mail (I'm a bit paranoid :D )

Also, IPTABLES blocks all incoming packets except HTTP, SMTP, IMAP, SSH and ICMP protocol requests.

I tried some mail relay tests; it's all fine.

Then I had an idea and checked the apache log... I've found the culprit: it's roundcube!

Someone (41.218.238.141) is using a bug in roundcube to send lots of messages everywhere!!

I'm checking the current installed version of roundcube, then i guess i should contact someone (Roundcube devs?) to report this (exploit?).

Luca
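The apache-log check that exposed the webmail abuse, as an added example and not the poster's own script. It scans combined-format access log lines for bursts of POST requests to the webmail send action from one client address; the log lines are constructed, and the path pattern (Roundcube's `_task=mail` with `_action=send`) is an assumption to adjust for your install.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a Roundcube "send mail" request is a POST carrying _task=mail and _action=send.
SEND_PATH = re.compile(r"_task=mail.*_action=send|_action=send.*_task=mail")


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bulk_senders(lines, threshold=5, window_seconds=300):
    """Return {ip: total send POSTs} for clients with >= threshold sends in any window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and SEND_PATH.search(rec[3]):
            by_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0                      # sliding window over sorted send times
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample: one real user sending two mails an hour apart, and one
# client (documentation address) pushing six sends through the webmail in 42 seconds.
SEND = '"POST /roundcube/?_task=mail&_action=send HTTP/1.1" 200 512 "-" "%s"'
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2011:09:00:12 +0200] ' + SEND % "Mozilla/5.0",
    '192.0.2.10 - - [03/May/2011:10:14:33 +0200] ' + SEND % "Mozilla/5.0",
    '203.0.113.7 - - [03/May/2011:21:30:01 +0200] "GET /roundcube/?_task=mail HTTP/1.1" 200 8192 "-" "curl/7.21"',
] + ['203.0.113.7 - - [03/May/2011:21:30:%02d +0200] ' % s + SEND % "curl/7.21" for s in (5, 9, 14, 20, 31, 47)]

if __name__ == "__main__":
    print(find_bulk_senders(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

Pipe the real access log in place of SAMPLE_LOG; a flagged address is the one to block at the firewall while the webmail is patched, and its count tells you how much went out.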
oslinux
Tux's lil' helper


Joined: 13 Dec 2006
Posts: 97

PostPosted: Tue May 03, 2011 10:53 pm    Post subject:

I was using an old version of roundcube (0.3.1); having upgraded to 0.5.1, I'm unlocking iptables and changing my IP.

Thanks,

Luca