Problem with Postfix, Spam and Apache - my server sends SPAM

spottraining
n00b
Posts: 73
Joined: Sun Jan 30, 2005 4:13 pm
Location: Estonia

Post by spottraining » Mon Dec 04, 2006 7:53 am

Hi

I have a problem.
I discovered that on my server some spam bot or script is running which sends mails out through Apache.
But I can't find in which domain that script is located.

From message header I see:

Received: 	by localhost.one.server.com (Postfix, from userid 81) id 69C269C0D82; Mon, 4 Dec 2006 07:48:04 +0000 (UTC)
To: 	mymeil
Subject: 	one meiladress
From: 	ShedUnwantedPounds@one.weblab.ee
Content-Transfer-Encoding: 	quoted-printable
Content-Type: 	text/plain
Subject: 	Weight loss has never been this convenient and easy
Message-Id: 	<20061204074804.69C269C0D82@localhost.one.server.com>
Date: 	Mon, 4 Dec 2006 07:48:04 +0000 (UTC)

This one.server.com is my server, and the userid is apache.

Right now I don't have any idea how to fix that. I made some rules for SpamAssassin, but it's not good: the script keeps changing names.

Can someone give good advice please?

EDIT:

Also, Postfix is sending me these mails:

Postfix SMTP server: errors from unknown[66.75.160.128]
Transcript of session follows.

 Out: 220 localhost.one.server.com VHCS2 2.4 Spartacus Managed ESMTP 2.4.6.2
 In:  EHLO orngca-mx-01.mgw.rr.com
 Out: 250-localhost.server.com
 Out: 250-PIPELINING
 Out: 250-SIZE 10240000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-AUTH LOGIN PLAIN
 Out: 250-AUTH=LOGIN PLAIN
 Out: 250 8BITMIME
 In:  MAIL FROM:<> SIZE=2719
 Out: 250 Ok
 In:  RCPT TO:<apache@one.server.com>
 Out: 451 <apache@one.server.com>: Temporary lookup failure
 In:  RSET
 Out: 250 Ok
 In:  QUIT
 Out: 221 Bye

Last edited by spottraining on Tue Dec 05, 2006 3:44 pm, edited 2 times in total.
Sorry about bad English - I am learning....

The box said Windows XP or better, so I installed Linux
erik258
Advocate
Posts: 2650
Joined: Tue Apr 12, 2005 8:39 pm
Location: Twin Cities, Minnesota, USA

Post by erik258 » Mon Dec 04, 2006 4:53 pm

It is not Apache that is to blame; it looks like Postfix output to me. (I am running Postfix too.)

It looks like you're receiving this message, so I assume someone is sending you spam. It should turn up in your inbox or maybe a spam filter folder.
Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit!

Post by spottraining » Mon Dec 04, 2006 5:31 pm

Received: by localhost.one.server.com (Postfix, from userid 81) id 69C269C0D82; Mon, 4 Dec 2006

But that is my server, and user 81 is apache on my server. When I look at the Webmin Postfix Mail Queue, I see that the queued messages are from apache@one.server.com and in To there are lots of yahoo and other addresses.

EDIT:
Here is one picture of what I see in Webmin - here
Also, I am also getting these mails; their headers look the same.
How is it possible that in Postfix I see lots of To addresses, but none are in the header?
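
What the poster saw in Webmin is what `postqueue -p` (mailq) prints on the box itself. As an added example, not code from this thread or from Postfix, the parser below reads such a listing and reports which envelope sender has the most queued recipients; the queue ids 69C269C0D82 and F2C079C0DEA are the ones quoted in the thread, everything else in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed `postqueue -p` (mailq) listing, modelled on the queue the poster
# saw in Webmin: the apache system account as sender, many outside recipients.
# Recipient addresses and the third queue id are placeholders.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
69C269C0D82     2719 Mon Dec  4 07:48:04  apache@one.server.com
                                         user1@example.com
                                         user2@example.net
                                         user3@example.org
F2C079C0DEA*    2719 Mon Dec  4 06:00:01  apache@one.server.com
                                         user4@example.com
1A2B3C4D5E6      812 Mon Dec  4 06:10:00  admin@one.server.com
  (connect to mx.example.com[192.0.2.20]: Connection refused)
                                         friend@example.com

-- 6 Kbytes in 3 Requests.
"""

# A message starts with "<queue id>[*!] <size> <arrival> <sender>"; the lines
# after it are indented recipients, or a parenthesised deferral reason.
ENTRY = re.compile(
    r"^(?P<qid>[0-9A-F]+)[*!]?\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)

def parse_mailq(text):
    """Return {queue_id: {"sender": str, "size": int, "recipients": [str, ...]}}."""
    queue, current = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = m.group("qid")
            queue[current] = {"sender": m.group("sender"),
                              "size": int(m.group("size")), "recipients": []}
            continue
        item = line.strip()
        # Skip the header/footer ("-...") and deferral reasons ("(...)").
        if current and item and not item.startswith(("(", "-")):
            queue[current]["recipients"].append(item)
    return queue

def recipients_per_sender(queue):
    """Map each envelope sender to (queued messages, queued recipients)."""
    msgs, rcpts = defaultdict(int), defaultdict(int)
    for entry in queue.values():
        msgs[entry["sender"]] += 1
        rcpts[entry["sender"]] += len(entry["recipients"])
    return {s: (msgs[s], rcpts[s]) for s in msgs}

def bulk_senders(queue, max_recipients=3):
    """Senders with more queued recipients than a web server's own mail should
    have; a system account such as apache@ showing up here is the red flag."""
    return sorted(s for s, (_, n) in recipients_per_sender(queue).items()
                  if n > max_recipients)
```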

Post by spottraining » Mon Dec 04, 2006 9:09 pm

Here is also part of mail.log:

Dec  4 06:00:01 one postfix/smtp[2321]: F2C079C0DEA: to=<helen@tpisp.net>, relay=none, delay=2, status=deferred (connect to tpisp.net[204.13.160.131]: Connection refused)
Dec  4 06:00:01 one postfix/smtp[2337]: F2C079C0DEA: to=<angie_nunally@administaff.com>, relay=administaff.com.s8a1.psmtp.com[64.18.7.10], delay=2, status=sent (250 Thanks)
Dec  4 06:00:01 one postfix/smtp[2284]: F2C079C0DEA: to=<qiirrc@allaboutopl.com>, relay=mail.allaboutopl.com[74.52.48.114], delay=2, status=deferred (host mail.allaboutopl.com[74.52.48.114] said: 451 Could not complete sender verify callout (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2356]: F2C079C0DEA: to=<swamod@gwtc.net>, relay=gwtc.net.s6a1.psmtp.com[64.18.5.10], delay=3, status=sent (250 Thanks)
Dec  4 06:00:02 one postfix/smtp[2336]: F2C079C0DEA: to=<jdelo@bellsouth.net>, relay=mx01.mail.bellsouth.net[205.152.58.33], delay=3, status=sent (250 Message received: 20061204040015.SAHZ8987.ibm15aec.bellsouth.net@localhost.one.weblab.ee)
Dec  4 06:00:02 one postfix/smtp[2336]: F2C079C0DEA: to=<juanz@bellsouth.net>, relay=mx01.mail.bellsouth.net[205.152.58.33], delay=3, status=sent (250 Message received: 20061204040015.SAHZ8987.ibm15aec.bellsouth.net@localhost.one.weblab.ee)
Dec  4 06:00:02 one postfix/smtp[2299]: F2C079C0DEA: to=<mdiscep@itsa.ucsf.edu>, relay=cuda.ucsf.edu[64.54.132.101], delay=3, status=bounced (host cuda.ucsf.edu[64.54.132.101] said: 550 <mdiscep@itsa.ucsf.edu>: Recipient address rejected: No such user (mdiscep@itsa.ucsf.edu) (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2294]: F2C079C0DEA: to=<swilliamson@odmdllp.com>, relay=mail.global.sprint.com[65.55.251.22], delay=3, status=sent (250 Ok: queued as 03F25FD8064)
Dec  4 06:00:02 one postfix/smtp[2279]: F2C079C0DEA: to=<opni@taconic.net>, relay=mx2.taconic.net[205.231.144.69], delay=3, status=bounced (host mx2.taconic.net[205.231.144.69] said: 550 <opni@taconic.net>: Recipient address rejected: sorry, no mailbox here by that name (#5.1.1 - chkusr) (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2309]: F2C079C0DEA: to=<bagley@csrsonline.com>, relay=mail.csrsonline.com[70.169.65.99], delay=3, status=bounced (host mail.csrsonline.com[70.169.65.99] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2275]: F2C079C0DEA: to=<rvg@kvn.com>, relay=mail.kvn.com[216.38.143.2], delay=3, status=bounced (host mail.kvn.com[216.38.143.2] said: 550 <rvg@kvn.com>: Recipient address rejected: User unknown in relay recipient table (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2334]: F2C079C0DEA: to=<jhayes@nvrinc.com>, relay=mail.nvrinc.com[204.96.165.90], delay=3, status=bounced (host mail.nvrinc.com[204.96.165.90] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2359]: F2C079C0DEA: to=<fjmillerjr@mindspring.com>, relay=mx12.mindspring.com[207.69.200.17], delay=3, status=bounced (host mx12.mindspring.com[207.69.200.17] said: 550 fjmillerjr@mindspring.com...User unknown (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2356]: connect to vztpa.verizon.com[192.76.82.131]: Connection refused (port 25)
Dec  4 06:00:02 one postfix/smtp[2306]: F2C079C0DEA: to=<herman@backpacker.com>, relay=rodale.com.mail5.psmtp.com[64.18.5.10], delay=3, status=sent (250 Thanks)
Dec  4 06:00:02 one postfix/smtp[2347]: F2C079C0DEA: to=<biddyallan@proxad.net>, relay=mx2.proxad.net[212.27.32.78], delay=3, status=bounced (host mx2.proxad.net[212.27.32.78] said: 550 user unknown (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2356]: connect to vzftw.verizon.com[192.76.86.129]: Connection refused (port 25)
Dec  4 06:00:02 one postfix/smtp[2358]: F2C079C0DEA: to=<deljanshaver@earthlink.net>, relay=mx4.earthlink.net[209.86.93.229], delay=3, status=bounced (host mx4.earthlink.net[209.86.93.229] said: 550 deljanshaver@earthlink.net...User unknown (in reply to RCPT TO command))
I still have no idea :( whether my server is sending spam or not.
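
The mail.log lines above each record one delivery attempt for queue id F2C079C0DEA; in a real log the pickup(8) entry that precedes them names the submitting uid (81 here, i.e. apache) and the qmgr(8) entry the envelope sender. As an added example, not code from this thread, the script below groups such lines by queue id and flags messages that fan out to many recipients with a high bounce rate; the sample log, its addresses and the second queue id are constructed.

```python
import re
from collections import defaultdict

# Constructed mail.log excerpt, modelled on the poster's lines and on the
# pickup(8)/qmgr(8) entries Postfix writes for locally submitted mail
# (addresses, hosts and the second queue id are placeholders).
SAMPLE_LOG = """\
Dec  4 05:59:59 one postfix/pickup[2001]: F2C079C0DEA: uid=81 from=<apache>
Dec  4 05:59:59 one postfix/qmgr[2002]: F2C079C0DEA: from=<apache@one.server.com>, size=2719, nrcpt=5 (queue active)
Dec  4 06:00:01 one postfix/smtp[2321]: F2C079C0DEA: to=<a@example.net>, relay=none, delay=2, status=deferred (connect to example.net[192.0.2.10]: Connection refused)
Dec  4 06:00:01 one postfix/smtp[2337]: F2C079C0DEA: to=<b@example.com>, relay=mx.example.com[192.0.2.20], delay=2, status=sent (250 Thanks)
Dec  4 06:00:02 one postfix/smtp[2299]: F2C079C0DEA: to=<c@example.org>, relay=mx.example.org[192.0.2.30], delay=3, status=bounced (host mx.example.org[192.0.2.30] said: 550 No such user (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2356]: connect to mx.example.edu[192.0.2.40]: Connection refused (port 25)
Dec  4 06:00:02 one postfix/smtp[2309]: F2C079C0DEA: to=<d@example.com>, relay=mx.example.com[192.0.2.20], delay=3, status=sent (250 Ok: queued as 03F25FD8064)
Dec  4 06:00:02 one postfix/smtp[2275]: F2C079C0DEA: to=<e@example.biz>, relay=mx.example.biz[192.0.2.50], delay=3, status=bounced (host mx.example.biz[192.0.2.50] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Dec  4 06:05:10 one postfix/pickup[2001]: 1A2B3C4D5E6: uid=1000 from=<admin>
Dec  4 06:05:10 one postfix/qmgr[2002]: 1A2B3C4D5E6: from=<admin@one.server.com>, size=812, nrcpt=1 (queue active)
"""

# Queue-bearing lines look like "postfix/<prog>[pid]: <QUEUE-ID>: ..."; the bare
# "connect to ...: Connection refused" lines carry no queue id and are skipped.
LINE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
PICKUP = re.compile(r"uid=(?P<uid>\d+) from=<")
SENDER = re.compile(r"from=<(?P<addr>[^>]*)>")
DELIVERY = re.compile(r"to=<(?P<to>[^>]*)>.*?status=(?P<status>\w+)")

def summarize(log_text):
    """Group by queue id: submitting uid, envelope sender, recipients, status counts."""
    msgs = defaultdict(lambda: {"uid": None, "sender": None,
                                "recipients": set(), "status": defaultdict(int)})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec, prog, rest = msgs[m.group("qid")], m.group("prog"), m.group("rest")
        if prog == "pickup":           # local submission via sendmail(1)/pickup
            p = PICKUP.search(rest)
            if p:
                rec["uid"] = int(p.group("uid"))
        elif prog == "qmgr":           # envelope sender as queued
            s = SENDER.search(rest)
            if s:
                rec["sender"] = s.group("addr")
        elif prog == "smtp":           # one line per recipient attempt
            d = DELIVERY.search(rest)
            if d:
                rec["recipients"].add(d.group("to"))
                rec["status"][d.group("status")] += 1
    return dict(msgs)

def suspicious(msgs, min_recipients=5, min_bounce_ratio=0.25):
    """Queue ids fanning out to many recipients with a high bounce share."""
    hits = []
    for qid, r in msgs.items():
        attempts = sum(r["status"].values())
        bounced = r["status"].get("bounced", 0)
        if len(r["recipients"]) >= min_recipients and attempts \
                and bounced / attempts >= min_bounce_ratio:
            hits.append(qid)
    return sorted(hits)
```

A message submitted by uid 81 that lands in `suspicious()` is the case in this thread: the web server account, not a mailbox user, is the origin.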

Post by spottraining » Tue Dec 05, 2006 1:42 pm

up

I still need help :(

Now my server is listed on spamcop - http://www.spamcop.net/w3m?action=blche ... 47.220.124

Here is also my Postfix main.cf:

#
# Postfix MTA Manager Main Configuration File;
#
# Please do NOT edit this file manually;
#

#
# Postfix directory settings; These are critical for normal Postfix MTA functionality;
#

command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix

#
# Some common configuration parameters;
#

mynetworks_style = host

mydomain = one.weblab.ee
myorigin = $mydomain

smtpd_banner = $myhostname VHCS2 2.4 Spartacus Managed ESMTP 2.4.6.2
setgid_group = postdrop

#
# Receiving messages parameters;
#

mydestination = $myhostname, $mydomain
append_dot_mydomain = no
append_at_myorigin = yes
local_transport = local
virtual_transport = virtual
transport_maps = hash:/etc/postfix/vhcs2/transport

#
# Delivering local messages parameters;
#

mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailbox_command = procmail -a "$EXTENSION"

biff = no

alias_database = hash:/etc/mail/aliases

local_destination_recipient_limit = 1
local_recipient_maps = unix:passwd.byname $alias_database
#
# Delivering virtual messages parameters;
#

virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_limit = 0

virtual_mailbox_domains = hash:/etc/postfix/vhcs2/domains
virtual_mailbox_maps = hash:/etc/postfix/vhcs2/mailboxes

virtual_alias_maps = hash:/etc/postfix/vhcs2/aliases

virtual_minimum_uid = 1000
virtual_uid_maps = static:1000
virtual_gid_maps = static:12

#
# SASL parameters;
#

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain = vhcs.net

broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
   reject_unverified_sender,
   permit_sasl_authenticated,
   permit_mynetworks,
   reject_unauth_destination,
   check_policy_service inet:127.0.0.1:10030

Here is my Postfix master.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
#
# ==========================================================================
# I added the following line for ASSP. I only added localhost in front
smtp      inet  n       -       -       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       -       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       -       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

#
# vhcs delivery agent.
#

vhcs2-arpl unix  -      n       n       -       -       pipe flags=O user=vmail argv=/var/www/vhcs2/engine/messa$ 

And here is my SpamAssassin local.cf:

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################

#   Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****


#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1


#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.


#   Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock


#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0

#   Use Bayesian classifier (default: 1)
#
# use_bayes 1


#   Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1


#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status

blacklist_from *@winetime.co.kr
blacklist_from *@roseglen.demon.co.uk
blacklist_from *@juresa.com.br
blacklist_from *@bigmikes.org
blacklist_from *@zgplus.com
blacklist_from *@quatryxtatu.com
blacklist_from only@pingviin.org
blacklist_from weeks@one.weblab.ee
blacklist_from and@pingviin.org
blacklist_from t@one.weblab.ee
blacklist_from nitrite@pingviin.org
blacklist_from redos@one.weblab.ee
blacklist_from tucked@pingviin.org
score http://www.drecomla.com 1
header wight Subject =~ /You CAN lose weight safely and easily/
score wight 1
describe wight wight
blacklist_from *@AT-KC.COM
body tea /Scientific Breakthrough/
score tea 1
describe tea tea
blacklist_from *@centurytel.net
blacklist_from *@mxin3.lsn.net
blacklist_from jukwalter@t-online.de
blacklist_from *@grupodema.com.ar
blacklist_from TenPoundsInOneWeek@one.weblab.ee 

Post by spottraining » Tue Dec 05, 2006 5:40 pm

After a long time googling I found that in my Apache the proxy modules were enabled. I have also now installed mod_security.

Now I can only wait and see whether this spam flow starts again or not.

EDIT: right now all is OK. I have been removed from spamcop also.
Thanks to mod_security I also found that the main problem was the kontakt_post.php file in phpBB Plus. That is one phpBB kontakt mod. http://www.phpbb2.de/ftopic38201.html - so I am not alone.