How to prevent sending spam mail from my domains?

  • nihal
  • 01/10/08
Posted: Fri, 2009-03-27 00:46

Hello,

There is a spam problem on my server. Because of this, some RBLs have listed my IP on their blacklist.

When I noticed that I could not send mail to Hotmail accounts and read the error message, I realized that it was a spam problem.

When I checked my Postfix mail queue, I saw some mail addresses that do not exist on my server, although the domain is hosted on my server (for example, mydomain.com is hosted on my server, but there is no example@mydomain.com mail account among my mail accounts; yet example@mydomain.com sends a lot of mail to a lot of different mail accounts), sending a lot of spam mail. In reality there is no such mail account. Because of all this mail, my server is now listed in a blacklist.

To solve this, how can I configure my Postfix?

I added the line smtpd_client_restrictions: check_sender_access hash: /etc/postfix/virtual.db to my Postfix configuration file, but this gave an SMTP configuration error.

Attachment: postfix_configuration.txt (28101 bytes): http://www.virtualmin.com/components/com_fireboard/uploaded/files/postfix_configuration.txt


Re:How to prevent sending spam mail from my domains?

  • Joe
  • 10/23/08
  • Fri, 2009-03-27 07:15

You mean your local users are sending spam? You should be talking to those users...not us. ;-)

A default configuration, as installed by install.sh, will only allow relaying in the following circumstances:

The sending client authenticates using SASL. They have a valid user name and password on your system.

Or, the sending client is "local". Either running on the machine itself, or on an IP that you've specified in your mynetworks setting.

Note that in either case, the From: address is irrelevant. Anyone can send email with any From: address they want...and there are all sorts of reasons this is a legitimate thing (mailing lists with special From magic, users using multiple email addresses for various tasks, etc.).

It sounds like you're wanting to go about this from entirely the wrong end. You need to solve your spam problem...not prevent people from sending out email with an address not on your approved list. Spammers don't care what address is in the From: field. Find out how someone is spamming through your box, and fix that.

You've probably had an exploited user account. Someone broke in either via a brute force password attack (due to weak passwords), or due to an exploit in a web application. Once they were in, they set up a bot to send spam 24 hours a day. Since they're local, they have nothing preventing them from sending out as much spam as your bandwidth allows. The RBL would be absolutely right to list you, if you've got an exploited system sending out spam.

If you do insist on using a map, rather than solving the real problem, you need to leave off the ".db" part of the file name. The db is generated by Postfix from the plain text file.

Also, the smtpd_client_restrictions doesn't have a "check_sender_access" directive. I assume you really wanted "smtpd_sender_restrictions", which does have check_sender_access. Reading the manpage makes me think you might need a separate file; virtual seems to be a slightly different format from access (access only has one field, while virtual has two). But maybe it'll ignore the second field when used in this context. That seems pretty likely, actually...

But, again, that's not going to solve your problem. You either have a gross misconfiguration of mynetworks (which needs to be fixed), or you have an exploited user account (which really needs to be fixed). Putting your fingers in your ears and saying, "LALALALALALA, I can't hear you!" is roughly the solution you've proposed...and I don't think that's the right tactic. ;-)


Re:How to prevent sending spam mail from my domains?

  • nihal
  • 01/10/08
  • Wed, 2009-04-29 23:35

But, again, that's not going to solve your problem. You either have a gross misconfiguration of mynetworks (which needs to be fixed), or you have an exploited user account (which really needs to be fixed).

Yes, you are right, I must solve this exploited user. But what do you mean by this user, a mail account or a Webmin account?

But this problem is not with only one mail user; lots of users have this problem. Most of the mail accounts are being used to send spam mail, to themselves and to the internet.

How can I start searching to find the source of the problem? More than 300 Webmin accounts and more than 1000 mail accounts exist on the server.

Can you give me some advice?

Thank you.


Re:How to prevent sending spam mail from my domains?

  • Joe
  • 10/23/08
  • Thu, 2009-04-30 01:42

Watch the maillog for when it's happening (if it's a serious spammer, rather than just a user being an asshole and sending out a bunch of unsolicited mail, it's likely happening all the time). Then use ps to see which accounts have active processes. Then figure out which one is the culprit.

But what do you mean by this user, a mail account or a Webmin account?

It's probably a user with shell access...but it could also just be an exploited PHP or CGI script. If you have any applications that are old, and haven't been updated in a while...that'd be a very likely source of trouble.


Re:How to prevent sending spam mail from my domains?

  • nihal
  • 01/10/08
  • Thu, 2009-04-30 02:21

OK. When I run the ps -aux | grep "postfix" command, more than 200 postfix processes are listed. But how can I tell whether this is normal or abnormal?

Also, if there is a PHP or CGI exploit, how can I search for it? With the find command, or what? In the public_html directory or on the whole server?


Re:How to prevent sending spam mail from my domains?

  • andreychek
  • 01/04/09
  • Thu, 2009-04-30 05:47

Seeing lots of Postfix processes is a symptom of the problem, rather than the problem itself.

Tracking down the source of the problem can be tough. One could write a book on the subject, and that still may not be thorough enough :-)

However, you can start by looking through the "ps auxw" output, as well as "top", and looking for any non-standard processes that are using a crazy amount of resources.

But in general, you'll want to go through all the web apps on the system, and make certain that they're all up to date. It could be any of them :-) -Eric
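The maillog triage that Joe and Eric describe above, as an added Python example that is not from this thread or from Virtualmin: it parses a constructed Postfix log excerpt, joins the smtpd, pickup and qmgr lines for each queue id into one record, and reports how every message entered Postfix (an authenticated SASL user, a local uid via the sendmail/pickup path, a client inside mynetworks, or some other client) together with its recipient count, so the busiest origin stands out. The log lines, the mydomain.com addresses, uid 1042 and the mynetworks value 127.0.0.0/8 are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed mynetworks value (the Postfix default); adjust to the server's main.cf.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]

# Constructed Postfix log excerpt in syslog format; not from any real server.
# Queue ids 4D5E6F and 7A8B9C were submitted locally by uid 1042 through the
# sendmail/pickup path, which is how a PHP mail() call or a shell user's script
# hands mail to Postfix.
SAMPLE_LOG = """\
Apr 29 23:40:01 srv postfix/smtpd[2211]: 1A2B3C: client=mail.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@mydomain.com
Apr 29 23:40:01 srv postfix/qmgr[1900]: 1A2B3C: from=<alice@mydomain.com>, size=2048, nrcpt=1 (queue active)
Apr 29 23:40:02 srv postfix/pickup[1850]: 4D5E6F: uid=1042 from=<example@mydomain.com>
Apr 29 23:40:02 srv postfix/qmgr[1900]: 4D5E6F: from=<example@mydomain.com>, size=3100, nrcpt=250 (queue active)
Apr 29 23:40:05 srv postfix/pickup[1850]: 7A8B9C: uid=1042 from=<example@mydomain.com>
Apr 29 23:40:05 srv postfix/qmgr[1900]: 7A8B9C: from=<example@mydomain.com>, size=3100, nrcpt=250 (queue active)
Apr 29 23:40:09 srv postfix/smtpd[2212]: 0F1E2D: client=localhost[127.0.0.1]
Apr 29 23:40:09 srv postfix/qmgr[1900]: 0F1E2D: from=<bob@mydomain.com>, size=900, nrcpt=2 (queue active)
Apr 29 23:40:12 srv postfix/smtpd[2213]: 9C8B7A: client=mx.elsewhere.example[203.0.113.9]
Apr 29 23:40:12 srv postfix/qmgr[1900]: 9C8B7A: from=<someone@elsewhere.example>, size=1500, nrcpt=1 (queue active)
"""

# One regex per field we need; the queue id ties the lines of a message together.
LINE_RE = re.compile(r"postfix/(?P<prog>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[,]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
UID_RE = re.compile(r"uid=(?P<uid>\d+)")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
NRCPT_RE = re.compile(r"nrcpt=(?P<n>\d+)")


def in_mynetworks(ip):
    """True when the client IP falls inside one of the assumed mynetworks ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def parse_log(text):
    """Return {queue id: {"origin", "sender", "nrcpt"}} built from the log lines.

    origin is one of sasl:<user>, uid:<n>, mynetworks:<ip>, client:<ip>, unknown.
    """
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a queue id (connects, disconnects) are skipped
        rec = msgs.setdefault(m["qid"], {"origin": "unknown", "sender": "", "nrcpt": 0})
        prog, rest = m["prog"], m["rest"]
        if prog == "smtpd":  # mail arrived over SMTP: authenticated user or client IP
            sasl, client = SASL_RE.search(rest), CLIENT_RE.search(rest)
            if sasl:
                rec["origin"] = "sasl:" + sasl["user"]
            elif client:
                kind = "mynetworks" if in_mynetworks(client["ip"]) else "client"
                rec["origin"] = kind + ":" + client["ip"]
        elif prog == "pickup":  # mail submitted locally; uid identifies the account
            uid = UID_RE.search(rest)
            if uid:
                rec["origin"] = "uid:" + uid["uid"]
        elif prog == "qmgr":  # envelope sender and recipient count
            frm, n = FROM_RE.search(rest), NRCPT_RE.search(rest)
            if frm:
                rec["sender"] = frm["addr"]
            if n:
                rec["nrcpt"] = int(n["n"])
    return msgs


def top_origins(msgs):
    """Aggregate message and recipient counts per origin, busiest origin first."""
    totals = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for rec in msgs.values():
        t = totals[rec["origin"]]
        t["messages"] += 1
        t["recipients"] += rec["nrcpt"]
    return sorted(totals.items(), key=lambda kv: kv[1]["recipients"], reverse=True)


if __name__ == "__main__":
    for origin, t in top_origins(parse_log(SAMPLE_LOG)):
        print(f"{origin:32} messages={t['messages']:4} recipients={t['recipients']:6}")
```

On a real server, read /var/log/maillog (or wherever syslog puts the mail facility) into parse_log instead of SAMPLE_LOG. A uid origin with a large recipient total points at a local process running as that account, which is exactly what to look for with ps; a sasl origin points at a mail password that needs changing; a client origin outside mynetworks with external recipients would indicate the mynetworks misconfiguration Joe mentions.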


Re:How to prevent sending spam mail from my domains?

  • andreychek
  • 01/04/09
  • Fri, 2009-03-27 07:17

Well, yes, it is possible someone is relaying through Postfix, though at a glance your configuration looks good.

My guess is that someone is using a hole in a web app to send spam, which I've seen happen to a lot of folks lately. Someone breaks in through an older version of Wordpress, or RoundCube, or whatever, then uploads a script that sends spam.

My suggestion would be to check what processes are running on your machine, and to make sure none of them are troublemakers!

And if there are some, make note of who they're running as, you'll need that info to help you track down what account they're breaking in through. -Eric


Re:How to prevent sending spam mail from my domains?

  • andreychek
  • 01/04/09
  • Fri, 2009-03-27 07:18

Drat, Joe beat me to it :-) -Eric