How to track down spam mails?

Mon, 11/04/2013 - 09:18
just_me


Postfix sends spam mail, and I cannot track down where it comes from. There was an infected CMS installation, which I repaired; the infection came with an existing Joomla a client brought from another hoster. So I fixed that, but I keep getting abuse mails, mainly from aol.com.

So, how can I track down who sends these emails?

My postfix config:

non-default parameters
alias_maps hash:/etc/aliases
append_dot_mydomain no
biff no
broken_sasl_auth_clients yes
default_destination_concurrency_limit 5
default_destination_recipient_limit 5
home_mailbox Maildir/
mailbox_command /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit 0
mynetworks 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
readme_directory no
recipient_delimiter +
smtp_tls_session_cache_database btree:${data_directory}/smtp_scache
smtpd_banner $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions permit_mynetworks permit_inet_interfaces reject_unknown_reverse_client_hostname
smtpd_recipient_limit 5
smtpd_recipient_restrictions permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable yes
smtpd_sasl_authenticated_header yes
smtpd_sender_restrictions hash:/etc/postfix/access
smtpd_tls_cert_file /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database btree:${data_directory}/smtpd_scache
smtpd_use_tls yes
virtual_alias_maps hash:/etc/postfix/virtual

main.cf

parameters defined as per defaults
alias_database hash:/etc/aliases
config_directory /etc/postfix
inet_interfaces all
mydestination $myhostname, localhost.$mydomain, localhost
smtpd_sasl_security_options noanonymous

Best

Mon, 11/04/2013 - 10:10
andreychek

Howdy,

Your system doesn't appear to be an open relay.

Chances are that if remote systems are seeing spam originating from your server, it's either from a compromised web app, or an email user's password was compromised.

Have you received any information about the spam emails that people received, including any headers?

Also, what output do you receive if you run this command:

mailq | tail -1

Mon, 11/04/2013 - 13:00
Sesso

You can also look in /var/log/maillog to see what mail is getting processed through your server and where it's from.

Also check in your stats folders of where your server app was compromised. You might still have some shells on your server. Check to see if your mail queue is backed up with a few thousand emails also.
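As an added example (not code from any of the posters in this thread), here is a POSIX shell script that reads Postfix log lines and groups locally submitted messages by their entry point. This is how you separate the two explanations andreychek gives (a script under the web server versus a stolen mailbox password) using the /var/log/maillog entries Sesso mentions: mail handed to the sendmail binary (PHP mail(), cron jobs) is logged by postfix/pickup with the submitting uid, while mail sent over authenticated SMTP is logged by postfix/smtpd with a sasl_username. The log lines below are constructed samples in Postfix's syslog format; the uids, hostnames, addresses and queue IDs are made up, and the log path is assumed to be /var/log/maillog or /var/log/mail.log depending on the distribution.

```shell
#!/bin/sh
# Added example: classify where locally originated mail entered Postfix.
# Replace SAMPLE_LOG with: $(cat /var/log/maillog) (or /var/log/mail.log).
# The sample below is constructed; every value in it is made up.
SAMPLE_LOG=$(cat <<'EOF'
Nov  4 09:01:12 host postfix/pickup[1234]: A1B2C3D4E5: uid=33 from=<www-data@host>
Nov  4 09:01:12 host postfix/cleanup[1235]: A1B2C3D4E5: message-id=<20131104090112.A1B2C3D4E5@host>
Nov  4 09:01:13 host postfix/qmgr[1100]: A1B2C3D4E5: from=<www-data@host>, size=2048, nrcpt=5 (queue active)
Nov  4 09:01:15 host postfix/pickup[1234]: B2C3D4E5F6: uid=33 from=<www-data@host>
Nov  4 09:02:00 host postfix/smtpd[1300]: connect from unknown[203.0.113.5]
Nov  4 09:02:01 host postfix/smtpd[1300]: C3D4E5F6A7: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Nov  4 09:02:03 host postfix/smtpd[1300]: D4E5F6A7B8: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Nov  4 09:05:00 host postfix/pickup[1234]: E5F6A7B8C9: uid=0 from=<root@host>
EOF
)

# Messages injected through the local sendmail(1) interface, grouped by the
# submitting uid, most frequent first. Output lines are "<uid> <count>".
# On a Debian/Ubuntu web host uid 33 is www-data, so a large count there
# points at a script running under the web server (the compromised-CMS case).
pickup_by_uid() {
    printf '%s\n' "$1" \
      | awk '/ postfix\/pickup\[/ { for (i = 1; i <= NF; i++) if ($i ~ /^uid=/) { sub(/^uid=/, "", $i); print $i } }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# Messages accepted by smtpd from an authenticated client, grouped by SASL
# username. Output lines are "<user> <count>". One account with an unusual
# volume is the classic sign of a stolen mailbox password.
submissions_by_sasl_user() {
    printf '%s\n' "$1" \
      | awk '/ postfix\/smtpd\[/ && /sasl_username=/ { for (i = 1; i <= NF; i++) if ($i ~ /^sasl_username=/) { sub(/^sasl_username=/, "", $i); print $i } }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# Count for a single uid / a single SASL user (0 when absent).
pickup_count() {
    pickup_by_uid "$1" | awk -v u="$2" '$1 == u { print $2; found = 1 } END { if (!found) print 0 }'
}
sasl_count() {
    submissions_by_sasl_user "$1" | awk -v u="$2" '$1 == u { print $2; found = 1 } END { if (!found) print 0 }'
}

# Queue IDs of messages submitted by one uid. Each ID can then be followed
# through the rest of the log (grep for it) or, while it is still queued,
# inspected with "postcat -q <ID>" to read its headers and body.
queue_ids_for_uid() {
    printf '%s\n' "$1" \
      | awk -v u="$2" '/ postfix\/pickup\[/ && $0 ~ ("uid=" u " ") { id = $6; sub(/:$/, "", id); print id }'
}

# Summary when run directly.
printf 'Local submissions by uid:\n'
pickup_by_uid "$SAMPLE_LOG"
printf 'Authenticated submissions by SASL user:\n'
submissions_by_sasl_user "$SAMPLE_LOG"
printf 'Queue IDs submitted by uid 33:\n'
queue_ids_for_uid "$SAMPLE_LOG" 33
```

On the sample, uid 33 tops the pickup list and bob@example.com tops the SASL list, which would send you to the web root for the first and to a password reset for the second. On a real host, run it over the whole log rather than a tail, since a spam run often happens in a short burst hours before the abuse reports arrive.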
