
spam from localhost

Status
Not open for further replies.

paduan

Technical User
Oct 26, 2010
3
MX
Hello, I have been having a problem with spam coming out from my server, but the connections for that spam are coming from localhost. Here is one log:
Oct 26 10:00:53 websrv postfix/smtpd[3790]: connect from localhost[127.0.0.1]
Oct 26 10:00:53 websrv postfix/smtpd[3790]: A872ADC1ED1: client=localhost[127.0.0.1]
Oct 26 10:00:53 websrv postfix/cleanup[8541]: A872ADC1ED1: message-id=<20101026155851.M91469@microsoft.com>
Oct 26 10:00:53 websrv postfix/qmgr[13481]: A872ADC1ED1: from=<annesedes@microsoft.com>, size=2016, nrcpt=2 (queue active)
Oct 26 10:00:53 websrv postfix/smtpd[3790]: disconnect from localhost[127.0.0.1]
Oct 26 10:00:58 websrv amavis[4013]: (04013-04) ESMTP::10024 /var/amavisd/tmp/amavis-20101026T002431-04013: <annesedes@microsoft.com> -> <frankb2k2000@yahoo.com>,<fynelink@yahoo.com> Received: SIZE=2016 from websrv.loscabos.gob.mx ([127.0.0.1]) by localhost (websrv.loscabos.gob.mx [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04013-04; Tue, 26 Oct 2010 10:00:57 -0600 (MDT)
Oct 26 10:00:58 websrv amavis[4013]: (04013-04) Checking: d9gA4FIqluuE [127.0.0.1] <annesedes@microsoft.com> -> <frankb2k2000@yahoo.com>,<fynelink@yahoo.com>
I have client, helo, sender and recipient restrictions in main.cf and added some others to master.cf, but the problem stays the same. I did a search and found a guy with the same problem but no solution. Any advice???
 
First, I would like to clarify: <frankb2k2000@yahoo.com>, <fynelink@yahoo.com> are NOT accounts associated with your system? I ask because the transaction looks like it was mail that was received, possibly filtered/scanned (amavis shows connections to and from localhost) and then scanned again.

Based on the above logs, I would suggest running a check against being an open relay. This can indicate a problem with things such as the mynetworks setting. I think mxtoolbox.com has a checker for this, but if not, a search should provide you with a few test sites.

What are the entries before and after the log snippet (the ones associated with this entry)? Where did the message originate and was it relayed out?
 
OK, thanks for the answer and your advice on using mxtoolbox. This is the response from the tool:
450 4.7.1 Client host rejected: cannot find your hostname, [64.20.227.133]


Not an open relay.
0 seconds - Good on Connection time
1.030 seconds - Good on Transaction time
OK - 148.235.89.19 resolves to customer-148-235-89-19.uninet-ide.com.mx
Warning - Reverse DNS does not match SMTP Banner

Session Transcript:
HELO please-read-policy.mxtoolbox.com
503 5.7.0 Error: access denied for unknown[64.20.227.133] [62 ms]
MAIL FROM: <supertool@mxtoolbox.com>
503 5.7.0 Error: access denied for unknown[64.20.227.133] [78 ms]
RCPT TO: <test@example.com>
503 5.7.0 Error: access denied for unknown[64.20.227.133] [78 ms]
QUIT
221 2.0.0 Bye [62 ms]

Now the problem is that the mails that came in on loopback are from "unknown user"@notmydomain.com to lots of recipients not related to my system, like lots for y###@hotmail.com, y####@yahoo.com, z###@hotmail.com, z####@yahoo.com.
So, the maillog as you asked:
Oct 26 10:00:01 websrv newsyslog[15593]: logfile turned over
Oct 26 10:00:35 websrv postfix/smtpd[7772]: connect from blu0-omc2-s36.blu0.hotmail.com[65.55.111.111]
Oct 26 10:00:36 websrv postfix/smtpd[7772]: 79EDDDC1ED1: client=blu0-omc2-s36.blu0.hotmail.com[65.55.111.111]
Oct 26 10:00:36 websrv postfix/cleanup[8541]: 79EDDDC1ED1: message-id=<BLU156-w447B344479C84917656718D6420@phx.gbl>
Oct 26 10:00:36 websrv postfix/qmgr[13481]: 79EDDDC1ED1: from=<vmmarron69@hotmail.com>, size=3305, nrcpt=1 (queue active)
Oct 26 10:00:36 websrv postfix/smtpd[7772]: disconnect from blu0-omc2-s36.blu0.hotmail.com[65.55.111.111]
Oct 26 10:00:41 websrv amavis[17377]: (17377-04) ESMTP::10024 /var/amavisd/tmp/amavis-20101026T002051-17377: <vmmarron69@hotmail.com> -> <known_user@mydomain.net> Received: SIZE=3305 from myserver.mydomain.net ([127.0.0.1]) by localhost (myserver.mydomain.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 17377-04 for <known_user@mydomain.net>; Tue, 26 Oct 2010 10:00:40 -0600 (MDT)
Oct 26 10:00:41 websrv amavis[17377]: (17377-04) Checking: h+3-UZ-7nLyW [65.55.111.111] <vmmarron69@hotmail.com> -> <known_user@mydomain.net>
Oct 26 10:00:42 websrv amavis[17377]: (17377-04) p003 1 Content-Type: multipart/alternative
Oct 26 10:00:42 websrv amavis[17377]: (17377-04) p001 1/1 Content-Type: text/plain, size: 695 B, name:
Oct 26 10:00:42 websrv amavis[17377]: (17377-04) p002 1/2 Content-Type: text/html, size: 1038 B, name:
Oct 26 10:00:49 websrv postfix/smtpd[27349]: connect from localhost.mydomain.net[127.0.0.1]
Oct 26 10:00:49 websrv postfix/smtpd[27349]: 733F7DC1EDB: client=localhost.mydomain.net[127.0.0.1]
Oct 26 10:00:49 websrv postfix/cleanup[8541]: 733F7DC1EDB: message-id=<BLU156-w447B344479C84917656718D6420@phx.gbl>
Oct 26 10:00:49 websrv postfix/qmgr[13481]: 733F7DC1EDB: from=<vmmarron69@hotmail.com>, size=3741, nrcpt=1 (queue active)
Oct 26 10:00:49 websrv postfix/smtpd[27349]: disconnect from localhost.mydomain.net[127.0.0.1]
Oct 26 10:00:49 websrv amavis[17377]: (17377-04) FWD via SMTP: <vmmarron69@hotmail.com> -> <known_user@mydomain.net>, 250 2.6.0 Ok, id=17377-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 733F7DC1EDB
Oct 26 10:00:49 websrv amavis[17377]: (17377-04) Passed CLEAN, [65.55.111.111] [65.55.111.73] <vmmarron69@hotmail.com> -> <known_user@mydomain.net>, Message-ID: <BLU156-w447B344479C84917656718D6420@phx.gbl>, mail_id: h+3-UZ-7nLyW, Hits: 1.048, 11338 ms
Oct 26 10:00:49 websrv postfix/local[2223]: 733F7DC1EDB: to=<known_user@mydomain.net>, relay=local, delay=0.49, delays=0.2/0.09/0/0.19, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 26 10:00:49 websrv postfix/qmgr[13481]: 733F7DC1EDB: removed

Above are the logs before the spam connection; below is the log with the spam.

Oct 26 10:00:50 websrv amavis[17377]: (17377-04) TIMING [total 11576 ms] - SMTP EHLO: 2507 (22%)22, SMTP pre-MAIL: 14 (0%)22, SMTP pre-DATA-flush: 421 (4%)25, SMTP DATA: 224 (2%)27, body_hash: 141 (1%)29, gen_mail_id: 57 (0%)29, mime_decode: 1086 (9%)38, get-file-type2: 177 (2%)40, parts_decode: 18 (0%)40, spam-wb-list: 159 (1%)41, SA msg read: 55 (0%)42, SA parse: 313 (3%)45, SA check: 5613 (48%)93, update_cache: 64 (1%)94, fwd-connect: 134 (1%)95, fwd-mail-from: 8 (0%)95, fwd-rcpt-to: 3 (0%)95, write-header: 5 (0%)95, fwd-data: 6 (0%)95, fwd-data-end: 188 (2%)97, fwd-rundown: 24 (0%)97, main_log_entry: 124 (1%)98, update_snmp: 120 (1%)99, unlink-2-files: 54 (0%)99, rundown: 60 (1%)100
Oct 26 10:00:50 websrv postfix/smtp[5702]: 79EDDDC1ED1: to=<known_user@mydomain.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=0.45/0/4.2/9.1, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=17377-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 733F7DC1EDB)
Oct 26 10:00:50 websrv postfix/qmgr[13481]: 79EDDDC1ED1: removed
Oct 26 10:00:53 websrv postfix/smtpd[3790]: connect from localhost[127.0.0.1]
Oct 26 10:00:53 websrv postfix/smtpd[3790]: A872ADC1ED1: client=localhost[127.0.0.1]
Oct 26 10:00:53 websrv postfix/cleanup[8541]: A872ADC1ED1: message-id=<20101026155851.M91469@microsoft.com>
Oct 26 10:00:53 websrv postfix/qmgr[13481]: A872ADC1ED1: from=<annesedes@microsoft.com>, size=2016, nrcpt=2 (queue active)
Oct 26 10:00:53 websrv postfix/smtpd[3790]: disconnect from localhost[127.0.0.1]
Oct 26 10:00:58 websrv amavis[4013]: (04013-04) ESMTP::10024 /var/amavisd/tmp/amavis-20101026T002431-04013: <annesedes@microsoft.com> -> <frankb2k2000@yahoo.com>,<fynelink@yahoo.com> Received: SIZE=2016 from myserver.mydomain.net ([127.0.0.1]) by localhost (myserver.mydomain.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04013-04; Tue, 26 Oct 2010 10:00:57 -0600 (MDT)
Oct 26 10:00:58 websrv amavis[4013]: (04013-04) Checking: d9gA4FIqluuE [127.0.0.1] <annesedes@microsoft.com> -> <frankb2k2000@yahoo.com>,<fynelink@yahoo.com>
Oct 26 10:00:59 websrv amavis[4013]: (04013-04) p001 1 Content-Type: text/plain, size: 1424 B, name:
Oct 26 10:01:03 websrv postfix/smtpd[27349]: connect from localhost.mydomain.net[127.0.0.1]
Oct 26 10:01:03 websrv postfix/smtpd[27349]: 37D4DDC1EDB: client=localhost.mydomain.net[127.0.0.1]
Oct 26 10:01:03 websrv postfix/cleanup[8541]: 37D4DDC1EDB: message-id=<20101026155851.M91469@microsoft.com>
Oct 26 10:01:03 websrv postfix/qmgr[13481]: 37D4DDC1EDB: from=<annesedes@microsoft.com>, size=2382, nrcpt=2 (queue active)
Oct 26 10:01:03 websrv postfix/smtpd[27349]: disconnect from localhost.mydomain.net[127.0.0.1]
Oct 26 10:01:03 websrv amavis[4013]: (04013-04) FWD via SMTP: <annesedes@microsoft.com> -> <frankb2k2000@yahoo.com>, <fynelink@yahoo.com>, 250 2.6.0 Ok, id=04013-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 37D4DDC1EDB
Oct 26 10:01:03 websrv amavis[4013]: (04013-04) Passed CLEAN, LOCAL [127.0.0.1] [127.0.0.1] <annesedes@microsoft.com> -> <frankb2k2000@yahoo.com>,<fynelink@yahoo.com>, Message-ID: <20101026155851.M91469@microsoft.com>, mail_id: d9gA4FIqluuE, Hits: -1.651, 7925 ms
Oct 26 10:01:03 websrv amavis[4013]: (04013-04) TIMING [total 7956 ms] - SMTP EHLO: 2029 (25%)25, SMTP pre-MAIL: 21 (0%)26, SMTP pre-DATA-flush: 406 (5%)31, SMTP DATA: 224 (3%)34, body_hash: 189 (2%)36, gen_mail_id: 78 (1%)37, mime_decode: 1101 (14%)51, get-file-type1: 111 (1%)52, parts_decode: 4 (0%)52, spam-wb-list: 78 (1%)53, SA msg read: 49 (1%)54, SA parse: 230 (3%)57, SA check: 2874 (36%)93, update_cache: 67 (1%)94, fwd-connect: 154 (2%)96, fwd-mail-from: 11 (0%)96, fwd-rcpt-to: 25 (0%)96, write-header: 4 (0%)96, fwd-data: 1 (0%)96, fwd-data-end: 199 (2%)99, fwd-rundown: 2 (0%)99, main_log_entry: 71 (1%)100, update_snmp: 18 (0%)100, unlink-1-files: 9 (0%)100, rundown: 1 (0%)100
Oct 26 10:01:03 websrv postfix/smtp[5702]: A872ADC1ED1: to=<frankb2k2000@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=9.9, delays=0.24/0/3.7/5.9, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=04013-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 37D4DDC1EDB)
Oct 26 10:01:03 websrv postfix/smtp[5702]: A872ADC1ED1: to=<fynelink@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=9.9, delays=0.24/0/3.7/5.9, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=04013-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 37D4DDC1EDB)
Oct 26 10:01:03 websrv postfix/qmgr[13481]: A872ADC1ED1: removed
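The question the earlier reply asked ("Where did the message originate and was it relayed out?") can be answered mechanically from logs like the ones above. The Python script below is an added example, not something posted in this thread: it groups Postfix queue IDs by Message-ID, so that the copy amavis re-injects on 127.0.0.1:10025 is recognised as the same message as the copy that first arrived, and then looks only at where the *first* copy came from. A message whose first copy arrived over loopback (smtpd client 127.0.0.1, or a pickup line from the local sendmail command) was submitted by something running on the server itself. The sample log is constructed from the lines in this thread; LOCAL_DOMAINS is an assumed value, and the amavis-specific fields are ignored.

```python
"""Triage Postfix logs: for each Message-ID, find the queue id that first carried it
and where that first copy came from.  Copies re-injected by a content filter
(amavis on 127.0.0.1:10025) share the Message-ID with an earlier external copy and
are not counted as locally injected; a message whose FIRST copy arrived over
loopback was submitted by something on the server itself (webmail, a script)."""
import re
from collections import OrderedDict

# Assumption: domains this server delivers locally; any other recipient is external.
LOCAL_DOMAINS = {"mydomain.net"}
LOOPBACK = {"127.0.0.1", "::1", "local"}

# Constructed sample, modelled on the log lines posted in the thread (trimmed).
SAMPLE_LOG = """\
Oct 26 10:00:36 websrv postfix/smtpd[7772]: 79EDDDC1ED1: client=blu0-omc2-s36.blu0.hotmail.com[65.55.111.111]
Oct 26 10:00:36 websrv postfix/cleanup[8541]: 79EDDDC1ED1: message-id=<BLU156-w447B344479C84917656718D6420@phx.gbl>
Oct 26 10:00:36 websrv postfix/qmgr[13481]: 79EDDDC1ED1: from=<vmmarron69@hotmail.com>, size=3305, nrcpt=1 (queue active)
Oct 26 10:00:49 websrv postfix/smtpd[27349]: 733F7DC1EDB: client=localhost.mydomain.net[127.0.0.1]
Oct 26 10:00:49 websrv postfix/cleanup[8541]: 733F7DC1EDB: message-id=<BLU156-w447B344479C84917656718D6420@phx.gbl>
Oct 26 10:00:49 websrv postfix/qmgr[13481]: 733F7DC1EDB: from=<vmmarron69@hotmail.com>, size=3741, nrcpt=1 (queue active)
Oct 26 10:00:49 websrv postfix/local[2223]: 733F7DC1EDB: to=<known_user@mydomain.net>, relay=local, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 26 10:00:53 websrv postfix/smtpd[3790]: A872ADC1ED1: client=localhost[127.0.0.1]
Oct 26 10:00:53 websrv postfix/cleanup[8541]: A872ADC1ED1: message-id=<20101026155851.M91469@microsoft.com>
Oct 26 10:00:53 websrv postfix/qmgr[13481]: A872ADC1ED1: from=<annesedes@microsoft.com>, size=2016, nrcpt=2 (queue active)
Oct 26 10:01:03 websrv postfix/smtpd[27349]: 37D4DDC1EDB: client=localhost.mydomain.net[127.0.0.1]
Oct 26 10:01:03 websrv postfix/cleanup[8541]: 37D4DDC1EDB: message-id=<20101026155851.M91469@microsoft.com>
Oct 26 10:01:03 websrv postfix/qmgr[13481]: 37D4DDC1EDB: from=<annesedes@microsoft.com>, size=2382, nrcpt=2 (queue active)
Oct 26 10:01:03 websrv postfix/smtp[5702]: A872ADC1ED1: to=<frankb2k2000@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.6.0, status=sent (250 2.6.0 Ok: queued as 37D4DDC1EDB)
Oct 26 10:01:03 websrv postfix/smtp[5702]: A872ADC1ED1: to=<fynelink@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.6.0, status=sent (250 2.6.0 Ok: queued as 37D4DDC1EDB)
"""

# Postfix log fields used below: smtpd client, pickup submission, cleanup message-id,
# qmgr envelope sender, and the delivery agents' to= lines.
QID = r"(?P<qid>[0-9A-F]{6,})"
RE_CLIENT = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]")
RE_PICKUP = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=(?P<uid>\d+)")
RE_MSGID = re.compile(r"postfix/cleanup\[\d+\]: " + QID + r": message-id=<(?P<mid>[^>]*)>")
RE_FROM = re.compile(r"postfix/qmgr\[\d+\]: " + QID + r": from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
RE_TO = re.compile(r"postfix/(?:smtp|local|lmtp|pipe|virtual)\[\d+\]: " + QID + r": to=<(?P<to>[^>]*)>")


def parse_log(text):
    """Return {queue_id: facts} in order of first appearance in the log."""
    msgs = OrderedDict()

    def rec(qid):
        return msgs.setdefault(qid, {"qid": qid, "client": None, "ip": None, "mid": None,
                                     "sender": None, "nrcpt": 0, "to": []})

    for line in text.splitlines():
        if (m := RE_CLIENT.search(line)):
            r = rec(m["qid"])
            r["client"], r["ip"] = m["host"], m["ip"]
        elif (m := RE_PICKUP.search(line)):  # local sendmail(1) submission, no TCP client
            r = rec(m["qid"])
            r["client"], r["ip"] = "pickup(uid=%s)" % m["uid"], "local"
        elif (m := RE_MSGID.search(line)):
            rec(m["qid"])["mid"] = m["mid"]
        elif (m := RE_FROM.search(line)):
            r = rec(m["qid"])
            r["sender"], r["nrcpt"] = m["sender"], int(m["nrcpt"])
        elif (m := RE_TO.search(line)):
            rec(m["qid"])["to"].append(m["to"])
    return msgs


def triage(text):
    """Group queue ids by Message-ID and classify each message by its first copy's origin."""
    chains = OrderedDict()
    for r in parse_log(text).values():
        chains.setdefault(r["mid"] or r["qid"], []).append(r)
    findings = []
    for key, chain in chains.items():
        origin = chain[0]  # earliest queue id that carried this Message-ID
        rcpts = sorted({t for r in chain for t in r["to"]})
        external = [t for t in rcpts if t.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS]
        findings.append({
            "message_id": key,
            "origin_qid": origin["qid"],
            "origin_client": "%s[%s]" % (origin["client"] or "unknown", origin["ip"]),
            "sender": origin["sender"],
            "locally_injected": origin["ip"] in LOOPBACK,
            "recipients": rcpts,
            "external_recipients": external,
        })
    return findings


def suspicious(text):
    """Messages first seen on loopback that were addressed to outside recipients."""
    return [f for f in triage(text) if f["locally_injected"] and f["external_recipients"]]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "LOCAL-INJECT" if f["locally_injected"] else "inbound"
        print("%-12s %s from %s sender=<%s> -> %s" % (
            tag, f["origin_qid"], f["origin_client"], f["sender"], ", ".join(f["recipients"])))
```

Run against a real /var/log/maillog (read the file into `triage`), the LOCAL-INJECT entries are the ones to chase with the process-level checks suggested later in the thread: their timestamps tell you when to look, and their envelope senders and recipient counts separate a cracked webmail account from a looping filter. The grouping relies on Message-ID being preserved across the amavis re-injection, which is what the posted logs show; a message that reaches cleanup without a Message-ID is grouped by queue id instead.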
 
Ok, first I would like to comment on the "Warning - Reverse DNS does not match SMTP Banner" which is somewhat germane to your problem. Mail servers rely on blatantly verifiable credentials for identification. This takes the form of reverse DNS pointers (where the hostname returned matches the HELO information), MX records, SPF records, etc. Due to the volumes of SPAM, many recipient domains will reject mail from hosts without these credentials. Ultimately, if you want to run your own mail server, you should look into setting up the proper DNS functions to support it, for your benefit. This is also why it is important for you to resolve the problem you are now having as expediently as possible; it is justification for why non-commercial mail servers are blacklisted.

Second, with regards to your problem specifically. It looks like you may have an application running on your system that is causing the problem, in other words, your system may have been compromised. This you will need to investigate expediently and carefully.

First and foremost, I recommend that you do not turn off the system. It would be better to disconnect it from the network or put up IP tables to allow only SSH from a clean host.

Your efforts so far appear to have ruled out a cracked password on your mail server or open relay. As you pointed out, and your logs support, the connections are coming from localhost. This could come from any number of things and you need to find out where. What other (server) type applications are you running, e.g. Apache (with PHP), Joomla, etc., and what version? Is your distro up to date and have you applied patches?

I assume you are running Linux as you are using Postfix and Amavis, and you will want to look very carefully at the output of lsof -Pwn and ps -axf. You will need to watch for possible root level compromise and see what applications have root access (setuid set). Use of netstat -pane may be very helpful. Look for open connections from localhost, especially if you can catch this around the time of the mailing. It will show you the application or PID establishing the connection. From there you should be able to dig down. The CERT checklist is a pretty good resource for things to do, but it is not beginner oriented.

If you need further help with this endeavor, there is a forensics forum here at Tek-Tips, and the virus forum is frequented by some security experts. Also, linuxquestions.org has a very good security forum BUT they will want facts, not supposition and will require output of the commands mentioned above.
 
OK, thanks a lot for your comments. I'll check out the DNS problems that you mention, but you hit the problem: I have just found that I have one (if not more) webmail account cracked. This account has a lot of Mailer Daemon messages regarding the spam sent. I am now taking a look at other compromised webmail accounts, so the good part of this is that it seems the server is OK. I run OpenBSD with the last patch for the release, same for Postfix and all the other daemons; anyway, I will double check the server again.
Thanks again for your comments. If I have another question I'll post it, and sorry for my writing.
 
I am glad that you have found the problem. Just be very thorough in your investigation. Ultimately, you may decide to wipe and reload the server if you think the compromise is deep enough, but it would be prudent to study and understand what went wrong before you do.

Good Hunting!
 