Spam reduction procedure

hello,

This morning my server host reported that there were quite a few spam messages being generated from one of my IP addresses, running virtualmin. http://whatismyipaddress.com/blacklist-check with ip 144.76.93.154

We have meanwhile removed at least 3-4 reports and mitigated them. Meanwhile there were a lot of logs where SMTP attempts were being made to send spam; looks like postfix was able to manage them and reject. But apparently some of the spam has gone through for the IP address to be reported. I have meanwhile activated DKIM and also have activated email greylisting (default install and activated).

I am in most cases sure this was caused by a WordPress / PHP botnet attack or something. So pondering over,

Q1: I am wondering if there is a way to disable all email send functionality via phpmail? For example, most PHP applications can easily send out email from the server, even though the virtualmin email feature has not been activated, I understand that. But I don't want to allow this to happen; if there is really a need, it should only be allowed to go via the virtualmin admin id, all other email outbounds should be rejected.

I am sure this should be possible in the postfix module of webmin, but I need your support. Meanwhile I am going to pay some attention to fail2ban and maybe create a separate ticket for some support there.

I am sure this will help others, and it has rather been discussed in the past. I want to document this for next time.

Regards, Rohit

Status: 
Active

Comments

postconf -n
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = server1.interstellarconsulting.com, localhost.interstellarconsulting.com, localhost
myhostname = server1.interstellarconsulting.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891,local:/var/run/milter-greylist/milter-greylist.sock
readme_directory = no
recipient_delimiter = +
relayhost =
sender_bcc_maps = hash:/etc/postfix/bcc
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_helo_required = yes
smtpd_milters = inet:localhost:8891,local:/var/run/milter-greylist/milter-greylist.sock
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

Are you OK with blocking ALL outgoing email? If so, you could do that with a firewall rule.

No no, I wanted to disable emails via the phpmail function only. For now I have a sender restriction in place, which seems to have helped.

There's no sure-fire way of doing this, as a script could still make an outgoing SMTP connection directly to other mail servers.
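As an added example (not from this ticket, Virtualmin or Postfix), a small Python script that checks the mail log the way the original post describes: it joins Postfix pickup and qmgr lines so that messages submitted locally through the sendmail binary (which is what PHP mail() uses) are attributed to the submitting uid and recipient count, flags submissions from the web-server uid, and counts smtpd rejects. The log lines, uid 33 for www-data and the hostname are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog format (not taken from the ticket).
SAMPLE_LOG = """\
Mar  3 09:12:01 server1 postfix/pickup[2101]: 5A1B2C3D4E: uid=33 from=<www-data>
Mar  3 09:12:01 server1 postfix/qmgr[2100]: 5A1B2C3D4E: from=<www-data@server1.example.test>, size=2210, nrcpt=120 (queue active)
Mar  3 09:12:02 server1 postfix/pickup[2101]: 6B2C3D4E5F: uid=33 from=<www-data>
Mar  3 09:12:02 server1 postfix/qmgr[2100]: 6B2C3D4E5F: from=<www-data@server1.example.test>, size=2198, nrcpt=95 (queue active)
Mar  3 09:13:10 server1 postfix/pickup[2101]: 7C3D4E5F6A: uid=0 from=<root>
Mar  3 09:13:10 server1 postfix/qmgr[2100]: 7C3D4E5F6A: from=<root@server1.example.test>, size=980, nrcpt=1 (queue active)
Mar  3 09:14:00 server1 postfix/smtpd[2200]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<x@example.org> to=<victim@example.net> proto=ESMTP helo=<x>
"""

# pickup logs the local uid that handed the message to sendmail(1); qmgr logs the recipient count.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def summarize_local_submissions(log_text, web_uids=(33,)):
    """Return ({uid: {"messages": n, "recipients": total}}, flagged) where flagged lists
    (queue id, envelope sender, nrcpt) for messages submitted by a web-server uid.
    uid 33 (www-data on Debian/Ubuntu) is an assumption; adjust web_uids for your host."""
    uid_by_qid = {}
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    flagged = []
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            uid_by_qid[m["qid"]] = int(m["uid"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in uid_by_qid:  # only locally submitted mail, not smtpd traffic
            uid = uid_by_qid[m["qid"]]
            stats[uid]["messages"] += 1
            stats[uid]["recipients"] += int(m["nrcpt"])
            if uid in web_uids:
                flagged.append((m["qid"], m["sender"], int(m["nrcpt"])))
    return dict(stats), flagged

def count_smtpd_rejects(log_text):
    """Inbound SMTP attempts that Postfix rejected (e.g. relay attempts from outside)."""
    return sum(1 for l in log_text.splitlines() if "postfix/smtpd" in l and ": reject: " in l)

if __name__ == "__main__":
    stats, flagged = summarize_local_submissions(SAMPLE_LOG)
    print("local submissions by uid:", stats)
    print("web-server submissions:", flagged)
    print("smtpd rejects:", count_smtpd_rejects(SAMPLE_LOG))
```

Run it against /var/log/mail.log on the host; a burst of queue ids from the web-server uid with large nrcpt values is the pattern a compromised PHP site leaves in the log.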