Hello all.
It seems one of my customers has got a virus, and he uses one of my Virtualmin virtual servers. It is sending spam using my SMTP, and I've been blacklisted.
I don't have access to my customer's network, and can't wait for him to fix the problem, so what can I do?
Some spam headers look like this:
To: Recipients carla@yahoo.com.br From: "Carla" carla@yahoo.com.br
I don't have yahoo.com.br on my server, so how do I block emails that are not TO or FROM my virtual domain?
What else can I do? SMTP Auth is already enabled, but a virus could get the login information from the infected machine.
Please advise. Thank you.
Hello again.
Actually, it seems someone (not my customer) is using my SMTP server to send spam. I've checked all open relay tests that I know of and none of them reported my server as open.
How can I identify and block this user? Where should I look?
Thanks
Howdy,
Spammers frequently use security holes in older web apps -- where they can coax it to send spam emails on their behalf.
What I might recommend is going through all the web apps installed on your system, and verify that they're fully up to date.
I'd also recommend running a tool like chkrootkit and perhaps rkhunter to look for some problem files in common locations. They won't discover everything, but they can assist in finding problems.
-Eric
Hi Eric,
The problem was that somehow a spammer got a valid user email and password on the system. He was sending the spam just as a regular user uses email. I've warned the user and we've changed the password. The spam has stopped for now. I'm keeping an eye on it, and while doing that, I wonder if there are any detailed reports on the mail system. Reports like how many messages were sent/received for each user and domain.
Is there any module, or application that I can install that would give me this information?
Thanks a lot
Rogerio
Howdy,
There are a few different tools out there for parsing email logs. I don't have a significant amount of experience with many of them, but I can offer that pflogsumm.pl is a quick and easy tool that may get you the info you're after.
It's available in the apt repository if you're using Debian or Ubuntu. Or, you can install it manually if you're using CentOS; it's available here:
http://jimsun.linxnet.com/postfix_contrib.html
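The per-user and per-domain view Rogerio asks for can also be pulled straight from the Postfix log, which is where a compromised SASL login shows up first: the smtpd line records the sasl_username, and the qmgr line for the same queue ID records the envelope sender and recipient count. The script below is an added example, not code from this thread, pflogsumm or Virtualmin; it assumes standard Postfix syslog lines, uses constructed sample lines, and treats "example.com" as the only locally hosted domain.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix syslog format (not real log data from the thread).
# A queue ID appears first on the smtpd line (authentication) and then on the qmgr line (sender).
SAMPLE_LOG = """\
Mar  3 10:01:02 mail postfix/smtpd[2001]: 1A2B3C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=joe@example.com
Mar  3 10:01:02 mail postfix/qmgr[1500]: 1A2B3C: from=<carla@yahoo.com.br>, size=2048, nrcpt=40 (queue active)
Mar  3 10:01:05 mail postfix/smtpd[2002]: 4D5E6F: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=joe@example.com
Mar  3 10:01:05 mail postfix/qmgr[1500]: 4D5E6F: from=<carla@yahoo.com.br>, size=2100, nrcpt=35 (queue active)
Mar  3 10:02:10 mail postfix/smtpd[2003]: 7A8B9C: client=workstation[192.0.2.10], sasl_method=PLAIN, sasl_username=ann@example.com
Mar  3 10:02:10 mail postfix/qmgr[1500]: 7A8B9C: from=<ann@example.com>, size=900, nrcpt=1 (queue active)
"""

AUTH_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^,]+),.*sasl_username=(\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")


def summarize(log_text, local_domains):
    """Per authenticated user: message count, recipient count, submitting clients,
    and envelope-sender domains that are not hosted on this server."""
    auth_by_qid = {}  # queue ID -> (sasl_username, client)
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                 "clients": set(), "foreign_from": Counter()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            qid, client, user = m.groups()
            auth_by_qid[qid] = (user, client)
            continue
        m = FROM_RE.search(line)
        if m:
            qid, sender, nrcpt = m.groups()
            if qid not in auth_by_qid:
                continue  # not an authenticated submission (e.g. inbound mail); ignore
            user, client = auth_by_qid[qid]
            s = stats[user]
            s["messages"] += 1
            s["recipients"] += int(nrcpt)
            s["clients"].add(client)
            domain = sender.rsplit("@", 1)[-1].lower()
            if domain not in local_domains:
                s["foreign_from"][domain] += 1  # login used to send as a domain we do not host
    return dict(stats)


def suspicious_users(stats, max_rcpt_per_msg=10):
    """Users sending as foreign domains or with an unusually high recipients-per-message ratio."""
    return sorted(u for u, s in stats.items()
                  if s["foreign_from"] or s["recipients"] / s["messages"] > max_rcpt_per_msg)
```

Run it over /var/log/maillog and the user whose login is sending as yahoo.com.br to dozens of recipients per message stands out immediately; that is the account whose password needs changing.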
Hi Eric,
I've just installed pflogsumm.pl on CentOS, using yum:
yum install postfix-pflogsumm
It gives A LOT of information! Great! I guess it wouldn't be too hard to implement it on webmin, right? That would be very nice!
I also just ran chkrootkit, and everything is clean.
Thank you very much!
Rogerio