Server sending spam; how to track down?

Pezmc (Verified User, joined Mar 1, 2011, 17 messages)
Hi all,

I've been using DirectAdmin on CentOS for 1/2 years now and have hit a sudden problem.

Yesterday I started seeing waves of failed-to-deliver, return-to-sender messages arrive in my email account. Upon investigation, thousands of emails appear to be being sent from email accounts on my server.

My server hosts "mydomain.com" and the emails appear to be being sent from [email protected], [email protected] etc...

I've currently just disabled Exim to prevent these being sent out, and have cleared out the message queue.

How do I go about diagnosing where these messages are coming from? Currently when I start Exim I see no more messages arriving. I don't see any suspicious users/connections and have changed some of the main mail account passwords (though I don't understand how these can be sent from this domain in the first place).

I'm seeing a relay alert from LFD, is it possible they are being relayed from somewhere else? How do I prevent this?

Thanks for your help,

I'm slightly lost!

--

Example mail headers:

Code:
1Tfd6C-0008NC-1v-H
mail 8 12
<[email protected]>
1354568324 0
-helo_name User-PC
-host_address 187.23.169.202.56584
-interface_address 78.129.132.155.25
-received_protocol esmtp
-body_linecount 32
-max_received_linelength 119
-host_lookup_failed
YY [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
10
[email protected]
 
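The spool header quoted above is an Exim `-H` file from the input spool, and it already records where the message entered the server. The script below is an added example, not code from the thread or from DirectAdmin, that pulls those fields out of a constructed `-H` file using the layout documented in the Exim specification; all addresses, IPs and the recipient list in the sample are made up placeholders.

```shell
# Added example (not code from the thread): summarise an Exim spool header
# (-H) file so you can see where a queued message entered the server.
# The sample header is constructed with placeholder addresses in the layout
# the Exim spec documents: message id, "user uid gid", <envelope sender>,
# "received_time warning_count", "-option" lines, the non-recipients tree
# (two-letter nodes such as YN/NN), the recipient count, then recipients.

make_sample_header() {
  cat > "$1" <<'EOF'
1Tfd6C-0008NC-1v-H
mail 8 12
<bogus-sender@example.com>
1354568324 0
-helo_name User-PC
-host_address 192.0.2.10.56584
-interface_address 198.51.100.5.25
-received_protocol esmtp
-body_linecount 32
-max_received_linelength 119
-host_lookup_failed
YN alice@example.net
NN bob@example.net
2
carol@example.org
dave@example.org
EOF
}

# Value of the "-<name>" option line (empty for flag-only lines or if absent).
spool_option() {
  awk -v key="-$2" '$1 == key { sub(/^[^ ]+ ?/, ""); print; exit }' "$1"
}

# Envelope sender from line 3, without the angle brackets.
spool_sender() {
  sed -n '3s/^<\(.*\)>$/\1/p' "$1"
}

# Client IP: Exim stores it as address.port, so strip the trailing port.
spool_remote_ip() {
  spool_option "$1" host_address | sed 's/\.[0-9]*$//'
}

# Exim writes an -auth_id line (and a protocol of esmtpa/esmtpsa) only when
# the SMTP client authenticated; plain esmtp with no -auth_id means it did not.
spool_auth_state() {
  if grep -q '^-auth_id ' "$1"; then echo authenticated; else echo unauthenticated; fi
}

# -host_lookup_failed means the client IP had no usable reverse DNS.
spool_rdns_state() {
  if grep -q '^-host_lookup_failed' "$1"; then echo failed; else echo ok; fi
}

# Recipients still pending: the lines after the recipient-count line.  Option
# lines whose values continue on extra lines (e.g. ACL variables) are not handled.
spool_recipients() {
  awk 'NR <= 4 || /^-/ { next }
       /^[0-9]+$/ { n = $1; next }
       n > 0 { print; n-- }' "$1"
}

spool_summary() {
  printf 'sender:      %s\n' "$(spool_sender "$1")"
  printf 'helo:        %s\n' "$(spool_option "$1" helo_name)"
  printf 'client ip:   %s\n' "$(spool_remote_ip "$1")"
  printf 'protocol:    %s (%s)\n' "$(spool_option "$1" received_protocol)" "$(spool_auth_state "$1")"
  printf 'reverse dns: %s\n' "$(spool_rdns_state "$1")"
  printf 'recipients:  %s\n' "$(spool_recipients "$1" | tr '\n' ' ')"
}

hdr=$(mktemp)
make_sample_header "$hdr"
spool_summary "$hdr"
```

Run it against a real queued message with `spool_summary /var/spool/exim/input/<id>-H`. The fields to look at are `-received_protocol` and `-auth_id`: a message accepted with plain `esmtp` and no `-auth_id` line did not come in through SMTP AUTH, so it was either inbound mail to a local address or something the relay rules let through, not a login with a stolen password. In the header posted above the protocol is `esmtp`, there is no `-auth_id`, the HELO is a Windows-style `User-PC` and the reverse lookup failed, which is the pattern of a remote client, not of a script on the server.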
Look through the email logs and see which account it is coming from.
 
I see this message from DA

Code:
There have been 4032 outgoing emails yesterday from the admin User account.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

This warning was generated because the 1000 email threshold was passed.

For the mail log, is that just viewing /var/log/exim/mainlog? How do I confirm the account they are coming from?
 
You should change your password as soon as possible then. Someone must have figured out the password to send mail through your server.

You can find all the admin lines like this:

Code:
exigrep admin /var/log/exim/mainlog
 
Hi chatwizrd; thanks for your help so far :)

Which user account needs the password changed? "Admin"?
 
Yes, if it is the infected account. The "admin" user needs to have a new password, so they cannot send mail from it.
 
I've changed that account;

Digging through the logs I see these messages:

Code:
2012-12-02 07:05:35 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2012-12-02 07:12:02 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2012-12-02 07:12:02 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2012-12-02 07:12:02 H=(zedu-PC) [187.23.171.113] incomplete transaction (RSET) from <[email protected]>
2012-12-02 07:12:02 H=(zedu-PC) [187.23.171.113] incomplete transaction (RSET) from <[email protected]>
2012-12-02 07:12:03 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2012-12-02 07:12:03 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2012-12-02 07:12:03 H=(zedu-PC) [187.23.171.113] incomplete transaction (QUIT) from <[email protected]>
2012-12-02 07:12:03 H=(zedu-PC) [187.23.171.113] incomplete transaction (QUIT) from <[email protected]>
2012-12-02 07:12:07 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required
2012-12-02 07:12:07 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required
2012-12-02 07:12:07 H=(zedu-PC) [187.23.171.113] incomplete transaction (RSET) from <[email protected]>
2012-12-02 07:12:07 H=(zedu-PC) [187.23.171.113] incomplete transaction (RSET) from <[email protected]>
2012-12-02 07:12:07 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required
2012-12-02 07:12:07 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required
2012-12-02 07:12:07 H=(zedu-PC) [187.23.171.113] incomplete transaction (QUIT) from <[email protected]>
2012-12-02 07:12:07 H=(zedu-PC) [187.23.171.113] incomplete transaction (QUIT) from <[email protected]>



2012-12-02 23:46:06 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required
2012-12-02 23:46:06 H=(zedu-PC) [187.23.171.113] incomplete transaction (RSET) from <[email protected]>
2012-12-02 23:46:07 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required
2012-12-02 23:46:07 H=(zedu-PC) [187.23.171.113] incomplete transaction (QUIT) from <[email protected]>
2012-12-02 23:46:07 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required
2012-12-02 23:46:08 H=(zedu-PC) [187.23.171.113] incomplete transaction (RSET) from <[email protected]>
2012-12-02 23:46:08 H=(zedu-PC) [187.23.171.113] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required
2012-12-02 23:46:08 H=(zedu-PC) [187.23.171.113] incomplete transaction (QUIT) from <[email protected]>

I can't find the original messages leaving the server; only failed transactions and rejection emails coming back from other web servers.

Is it possible that the admin account never sent these emails and the notice I included above was the thousands of rejections coming in?
 
Anything is possible but it's unlikely Yahoo is sending you rejects unless your server sent the outgoing email. And they should be sending the refusal notices to the sender from your server. Let's presume they are.

But you say the email coming in shows mail refused from a nonexistent address at one of your domains. So we can presume the original email went out from your server with that nonexistent address as the sender. This means at least one account on your server is sending spam, most likely from the account hosting the domain name used as the sender address in the original spam.

Here's what I'd do: I'd set a default daily email limit from your server (I use 200 emails daily unless my clients need more; then I give them what they need). You can set a default daily email limit if you don't already have it, by putting the number into /etc/virtual/limit and it will immediately take effect for all users who don't already have their own limit file.

Then watch your email for notifications of users over limit.

Note that when a user is over limit his outgoing email will be returned with an error that the email is unrouteable. So you should probably notify your users and ask them how many outgoing emails they need. If anyone replies with a number you think unreasonable, check their account carefully.

Of course if your server isn't any longer sending emails out, it's probable the emails were sent from the admin account.

Note also that by default DirectAdmin doesn't restrict users from authenticating outgoing email and using any from address they want to use. There have been threads on these forums explaining how to change that behavior, but by default, it's allowed.

Jeff
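Two things in this thread can be checked from the same log: Pezmc's question of whether the admin account actually sent the mail (the log excerpt he posted contains only refused transactions, not accepted messages), and Jeff's suggestion of a default daily limit in /etc/virtual/limit. The script below is an added example, not code from the thread or from DirectAdmin. It runs over a constructed excerpt of /var/log/exim/mainlog and a scratch copy of the limit directory, and assumes Exim's standard mainlog layout (`<=` for an accepted message, with `A=authenticator:id` when the client used SMTP AUTH and `U=user` for a local submission; `rejected RCPT` for a refused recipient) plus DirectAdmin's per-user override file `limit_<username>` next to the default `limit`. The authenticator name `login`, the user names, addresses and IPs are made up.

```shell
# Added example (not from the thread or DirectAdmin): triage a constructed slice
# of /var/log/exim/mainlog and compare per-account send counts with the
# DirectAdmin daily limit files.  Every log line and limit value is made up.

# Constructed mainlog excerpt.  "<=" lines are accepted messages: A=authenticator:id
# marks SMTP AUTH (the authenticator name depends on the Exim config), U=user marks
# a local submission (e.g. a script calling sendmail), neither means an
# unauthenticated remote client.  "=>" lines are deliveries; "rejected RCPT" lines
# are refused recipients that never became messages.
sample_mainlog() {
  cat <<'EOF'
2012-12-02 07:05:35 1Tfd6C-0008NC-1v <= bogus@example.com H=(User-PC) [192.0.2.10] P=esmtpa A=login:admin S=2345
2012-12-02 07:05:36 1Tfd6C-0008NC-1v => victim@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.25]
2012-12-02 07:05:40 1Tfd6D-0008ND-2w <= bogus2@example.com H=(User-PC) [192.0.2.10] P=esmtpa A=login:admin S=2311
2012-12-02 07:06:01 1Tfd6E-0008NE-3x <= www@host.example.com U=webuser P=local S=980
2012-12-02 07:09:00 1Tfd6G-0008NG-5z <= someone@example.net H=mail.example.net [203.0.113.9] P=esmtp S=4000
2012-12-02 07:12:02 H=(zedu-PC) [192.0.2.77] F=<bogus@example.com> rejected RCPT <someone@example.org>: relay not permitted, authentication required
2012-12-02 07:12:03 H=(zedu-PC) [192.0.2.77] F=<bogus@example.com> rejected RCPT <other@example.org>: relay not permitted, authentication required
2012-12-02 07:12:07 H=(zedu-PC) [192.0.2.77] incomplete transaction (QUIT) from <bogus@example.com>
EOF
}

# Count accepted messages ("<=") per origin: auth:<id>, local:<user> or unauth:<ip>.
arrivals_by_origin() {
  awk '$4 == "<=" {
         origin = ""
         for (i = 5; i <= NF; i++) {
           if ($i ~ /^A=/) { split($i, a, ":"); origin = "auth:" a[2] }
           else if ($i ~ /^U=/ && origin == "") { origin = "local:" substr($i, 3) }
         }
         if (origin == "") {
           origin = "unauth:?"
           if (match($0, /\[[0-9a-fA-F.:]+\]/)) origin = "unauth:" substr($0, RSTART + 1, RLENGTH - 2)
         }
         n[origin]++
       }
       END { for (o in n) print n[o], o }' | sort -rn
}

# Count "rejected RCPT" lines per remote client IP: these are refused attempts,
# not mail the server sent, so they never show up as "<=" or "=>".
rejects_by_host() {
  awk '/ rejected RCPT / && match($0, /\[[0-9a-fA-F.:]+\]/) {
         n[substr($0, RSTART + 1, RLENGTH - 2)]++
       }
       END { for (h in n) print n[h], h }' | sort -rn
}

# Daily limit for an account: the per-user file limit_<user> if present,
# otherwise the default file "limit".  VIRTUAL_DIR lets the example run against
# a scratch directory instead of the real /etc/virtual.
effective_limit() {
  dir=${VIRTUAL_DIR:-/etc/virtual}
  if [ -s "$dir/limit_$1" ]; then cat "$dir/limit_$1"; else cat "$dir/limit"; fi
}

# Print "user sent limit" for every authenticated or local account over its limit.
over_limit_accounts() {
  arrivals_by_origin | while read -r count origin; do
    case "$origin" in
      auth:*|local:*)
        user=${origin#*:}
        limit=$(effective_limit "$user")
        if [ "$count" -gt "$limit" ]; then echo "$user $count $limit"; fi ;;
    esac
  done
}

# Demo against a scratch limit directory (constructed values).
VIRTUAL_DIR=$(mktemp -d)
echo 200 > "$VIRTUAL_DIR/limit"        # default daily limit, the value Jeff uses
echo 1   > "$VIRTUAL_DIR/limit_admin"  # constructed per-user override for the demo
echo "--- accepted messages by origin ---"; sample_mainlog | arrivals_by_origin
echo "--- rejected RCPT by client ---";     sample_mainlog | rejects_by_host
echo "--- accounts over their limit ---";   sample_mainlog | over_limit_accounts
```

Against the real log, replace `sample_mainlog` with `cat /var/log/exim/mainlog`. The `auth:` and `local:` counts are the answer to "which account is it coming from": an account whose `<=` count jumps is the one submitting, and `exigrep admin /var/log/exim/mainlog`, as chatwizrd suggests, then prints every transaction for it in full. The lines Pezmc posted only ever appear under `rejects_by_host`, which is consistent with his reading that they are refused attempts rather than the outgoing spam itself; the outgoing messages would be the `<=` lines, and the DirectAdmin notice counts those.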
 