spammers using the mail server to send spam

#1 Sun, 03/01/2015 - 07:22
szer0p


Hello everyone

I have a big problem with spammers: they use my VPS (Virtualmin and Webmin) to send spam, sending more than 1000 emails daily.

I am now blocked by Hotmail and Gmail; I am on the blacklist.

What should I do to stop these spammers, and what should I do to prevent this from happening again?

Please help me :(

Sun, 03/01/2015 - 09:36
szer0p

Oh my god... I deleted Postfix to reinstall it and I get this message.

Webmin and Virtualmin now look like the photo I have attached.

What should I do now!!

:(

Mon, 03/02/2015 - 07:28
fakemoth

Hi. Sad man, it's really sad. The proper course of action would be:

- block all the email server ports in the firewall;

- stop the email service (Postfix), but you uninstalled it instead;

- maybe do the same for Apache also, as you might have some malware on your website;

(This is what you should do in the first place, even bringing down the interface or removing the cable; but mainly stop the suspected services, not panicking and formatting everything, because you have to figure out why and how it happened; you will do it eventually but... Personally I leave things running a bit, and I try to understand what's happening.)

- now install Postfix back and reconfigure it, that's why it's not starting; use the online docs;

- copy your logs and all the data locally to analyze them (BTW can't you restore the VPS from a backup, and also download the whole VPS, for forensics?);

- you shouldn't have deleted Postfix and the .conf, because maybe there was something wrong with your configuration, i.e. an open relay; now we can't know that;

- analyze your website scripts on the server; in the first phase, just order the files by date created/modified and the recent ones (not by you) should pop up; maybe your website was hacked (or others hosted there) and you have a simple PHP mailer > delete the suspected files and investigate how those got there in the first place;

- also maybe they got a username and password and are just using a simple client to send spam via that account;

- after all of this... proceed to request delistings in the RBLs, because everyone now knows that the IP was compromised;

- the end step: you should also reinstall and reconfigure everything; do not suppose that "it's fine", change all the passwords and so on...

- you have to read a lot to mitigate this kind of stuff.

- we need more info anyway...

Don't take the name of root in vain...
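The triage steps in the post above (order web files by modification date, look for a dropped PHP mailer, check whether the Postfix configuration had turned the box into an open relay) as an added shell example; this is not code from the thread or from Virtualmin. The directory layout and the `main.cf` contents are assumptions: point `recent_web_files` and `suspicious_php_files` at a site's `wp-content` directory, and feed `check_open_relay` a file produced with `postconf -n`.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for a web/mail server
# that has been sending spam. Paths and config contents are assumptions.

# Regular files under WEBROOT modified within the last DAYS days, newest
# first. Anything here that the site owner did not change is a lead.
recent_web_files() {
    webroot=$1
    days=$2
    find "$webroot" -type f -mtime "-$days" -exec ls -t {} + 2>/dev/null
}

# PHP files under WEBROOT using constructs typical of dropped mailer or
# backdoor scripts. Hits are leads for manual review, not proof; scan
# wp-content (uploads, plugins, themes) rather than WordPress core, which
# legitimately contains some of these calls.
suspicious_php_files() {
    webroot=$1
    find "$webroot" -type f -name '*.php' \
        -exec grep -lE 'base64_decode|gzinflate|str_rot13|eval[[:space:]]*\(' {} + 2>/dev/null
}

# Check a Postfix main.cf, or better the output of `postconf -n` saved to a
# file (it joins multi-line values), for settings that relay mail for anyone.
# Prints one line per problem and returns non-zero if any was found.
check_open_relay() {
    cf=$1
    status=0
    # Clients in mynetworks relay without authentication; 0.0.0.0/0 is everyone.
    if grep -qE '^[[:space:]]*mynetworks[[:space:]]*=.*0\.0\.0\.0/0' "$cf"; then
        echo "OPEN RELAY: mynetworks includes 0.0.0.0/0"
        status=1
    fi
    # An explicitly set restriction list must stop relaying for unauthenticated
    # clients; an absent line keeps Postfix's safe default. On Postfix 2.10+
    # relaying is governed by smtpd_relay_restrictions, so a hit on
    # smtpd_recipient_restrictions alone is something to verify, not a certainty.
    for key in smtpd_recipient_restrictions smtpd_relay_restrictions; do
        line=$(grep -E "^[[:space:]]*$key[[:space:]]*=" "$cf" || true)
        if [ -n "$line" ] && ! echo "$line" | grep -qE '(reject|defer)_unauth_destination'; then
            echo "OPEN RELAY: $key lacks reject_unauth_destination: $line"
            status=1
        fi
    done
    return $status
}
```

Run the file scans on a copy of the data (as the post suggests) so timestamps and contents are not disturbed; `check_open_relay` is meant for the configuration that was running at the time of the incident, which is exactly what was lost when Postfix was removed.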

Mon, 03/02/2015 - 08:37
szer0p

Hello fakemoth, thanks for your awesome reply.

First of all, I am from Germany, so I am sorry for my bad English, but I hope you can understand me.

  1. I installed Postfix now and reconfigured it again; Webmin works well now, but I can't send or receive any messages now. Before this problem I could receive and send, but I am blocked by Hotmail and Gmail, I can't send to them.

  2. My server is not managed, so I didn't make a backup of it... I don't know exactly how.

  3. How could I analyze my server and search for the PHP mailer or virus?

  4. They used only one email from my server, but not my domain. I have only 2 websites on my VPS, so they used an email called support@#####.com, but really I don't have this email; they use a fake email.

I did this now to block the spam: http://www.akadia.com/services/postfix_uce.html

and I think it works well till now,

but when I send a message it takes a lot of time and doesn't do anything.

I receive this message:

This is an automatically generated Delivery Status Notification.

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipients has been delayed.

Thanks a lot for your help, and I hope you can help me again to be happy :)

Mon, 03/02/2015 - 08:46
andreychek

Howdy,

I'm glad to hear you were able to get Postfix working again!

Are you still seeing spam in your email queue?

You can view the email queue in Webmin -> Servers -> Postfix -> Mail Queue.

If you see spam in your mail queue, can you view the mail headers and then paste those in here? Those mail headers will help track down how those emails are getting there.

-Eric
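The queue check Eric describes, done from a shell instead of the Webmin page, as an added example that is not part of this thread: it counts queued messages per envelope sender in `mailq` (`postqueue -p`) output, so a spam flood from one address stands out, and lists that sender's queue IDs. The queue listing in `sample_mailq` is constructed, with made-up addresses and IDs.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a Postfix queue listing.
# Feed it the output of `mailq` or `postqueue -p`; the sample below is constructed.

# Constructed mailq output: three queued messages from one suspicious sender,
# one legitimate message, one entry deferred with a reason line.
sample_mailq() {
    cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5      2310 Mon Mar  2 20:03:01  support@example.com
                                         someone@example.net
F6A7B8C9D0*     2290 Mon Mar  2 20:03:02  support@example.com
(host mx.example.net[192.0.2.10] said: 421 too many connections)
                                         other@example.net
0E1F2A3B4C      2315 Mon Mar  2 20:03:05  support@example.com
                                         third@example.org
DEADBEEF01       880 Mon Mar  2 19:40:12  admin@example.com
                                         friend@example.net

-- 8 Kbytes in 4 Requests.
EOF
}

# A message's first line starts with the queue ID (optionally followed by
# '*' for active or '!' for held) and ends with the sender; recipient lines
# are indented and deferral reasons start with '('. Count per sender,
# most frequent first. Reads files given as arguments, or stdin.
queue_top_senders() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ { count[$NF]++ }
         END { for (s in count) print count[s], s }' "$@" | sort -rn
}

# Queue IDs of every message from SENDER, with the status marker stripped,
# ready for review (and, once confirmed as spam, for `postsuper -d ID`).
queue_ids_for_sender() {
    sender=$1
    shift
    awk -v s="$sender" '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $NF == s { sub(/[*!]$/, "", $1); print $1 }' "$@"
}
```

Look at the headers of one or two of the listed messages (`postcat -q ID`) before deleting anything: the `Received:` lines and the sending user, as Eric says, show whether the mail came in through an authenticated account, a web script on the box, or an open relay.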

Mon, 03/02/2015 - 08:49
Diabolico

szer0p, tell us what scripts you are using on your VPS aside from Virtualmin/Webmin, like WordPress, etc.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Mon, 03/02/2015 - 09:01
szer0p

Hello Eric and Diabolico

@Eric actually I deleted all the emails and now the Mail Queue is empty.

But I attached an old screenshot from before I deleted the mails; you can have a look.

@Diabolico I use WordPress for 2 domains.

Mon, 03/02/2015 - 09:50
fakemoth

I bet the beers I am about to drink out at the pub tonight that a WordPress instance got hacked. I myself am keeping away from it, but my users... use it; the last hack on my server did exactly the same thing, only mine tried to send 25000 emails at once.

It was a weirdly named file in the plugins directory, uploaded through an older exploit (the website was never updated by its owner... sigh), and it was automatically sending fake emails from the domain. What was in the file I don't know, it was encrypted; so ClamAV regular scans missed it also - that AV does that, try to use it.

PS (later edit): that looks like a rate limiting message from Google? You can't do anything about those: you are blocked for now, for sending SPAM, and it is not up to you whether the recipient accepts it or not, that's how email works. First you have to:

- stop sending by any means necessary;

- see why/how you are sending and correct the problem;

- maybe reinstall if you have been seriously compromised;

- if it's only WordPress don't worry so much, those things happen on a regular basis; you don't have to reinstall the OS or something, but a clean and up-to-date instance (do not forget the extensions!) will help for sure;

- only AFTER you have solved the problem, try to remove yourself from the blacklists, else you will get right back in!

Don't take the name of root in vain...

Mon, 03/02/2015 - 09:48
Diabolico

szer0p, probably the main reason why this is happening is your WordPress and outdated (or nulled, e.g. pirated) themes/addons. Another reason could be easy passwords used for your VPS and WordPress. Either way I can't say this is 100% true, but the chance is big. Now you have two options: the first is to wait and see if the spam will come back and then post what Eric was asking you. The second option is to wipe out everything and make a clean OS install, and not bring back anything from the old sites if it was not checked before by someone who knows what to do. I hope I'm wrong, but in case this continues your host could terminate your account, as they have full right to do in case you are the reason for spam or are used for ongoing DDoS (or any other) attacks. Worst case scenario, the spammer(s) managed to compromise your VPS and install some sort of backdoor, so whatever you do now with your scripts (including Virtualmin) it will end in the same way: your IP blacklisted and your VPS used for other nasty things.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Mon, 03/02/2015 - 10:00
szer0p

@fakemoth... the message was from Hotmail

and I also got a message from Google:

Publisher ID: ca-pub-3928325108790342

Dear Publisher,

We have now verified that we are no longer detecting PII being passed to Google from the account(s) under your control.

Thank you for helping to resolve this matter.

Regards,

The Google Policy Team

but I don't get what they mean?

Anyway, can you tell me how I could use AV to search for viruses and spam in my VPS files? And I will do what you told me. Thanks a lot for helping.

@Diabolico what if you don't see anything more in the Mail Queue, does that mean that the spammers are not sending emails anymore and the problem is solved?

I hope that they didn't hack my VPS :(

I must now find where the hack file is on my VPS and delete it.

Mon, 03/02/2015 - 10:19
Diabolico

"What if you don't see anything more in the Mail Queue, does that mean that the spammers are not sending emails anymore and the problem is solved?
I must now find where the hack file is on my VPS and delete it."

If you don't check your VPS you don't know if the problem is solved. A hacker does not need to "use" your VPS right away, as he could wait and only later come back and use it for anything he needs.
Usually how it works:

    - you used a compromised theme or addon: in this case the hacker will get a notification on his server and then proceed when he wants or when he thinks there is a good opportunity
    - outdated WordPress, theme or addon: automatic scripts scan your site and search for vulnerabilities; once they find one they notify the hacker
    - you used weak passwords: classic bruteforce attacks; once the script finds your password it will notify the hacker

Now how "deep" the hacker managed to go we don't know, and probably the only one who could tell you this is a sysadmin who could check the entire VPS. Even if you delete your themes, addons or even WordPress you can't be sure the server was left intact. Maybe someone has a better idea what to do, but if we speak about how to be sure your VPS is still clean, I think no one here can help you with "what to do" suggestions posted on a forum.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Mon, 03/02/2015 - 17:21
szer0p

Hey friends, I have received 17 messages, all of them from root and all about banned IPs! For example:

From:
To: root
Date: Mon, 02 Mar 2015 20:03:01 +0100
Subject: IP addresses banned on Mon Mar 2 20:03:01 CET 2015
Message text: Banned the following ip addresses on Mon Mar 2 20:03:01 CET 2015

267 with 267 connections

Date: Mon, 02 Mar 2015 17:26:01 +0100
To: root
Subject: IP addresses banned on Mon Mar 2 17:26:01 CET 2015
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message text: Banned the following ip addresses on Mon Mar 2 17:26:01 CET 2015

163 with 163 connections

Date: Mon, 02 Mar 2015 21:40:01 +0100
To: root
Subject: IP addresses banned on Mon Mar 2 21:40:01 CET 2015
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message text: Banned the following ip addresses on Mon Mar 2 21:40:01 CET 2015

296 with 296 connections

_______________-

What does it mean?! Can anyone tell me please!! I think that is the spammer again, but I blocked the spam and did what is in this example: http://www.akadia.com/services/postfix_uce.html

Mon, 03/02/2015 - 17:29
andreychek

Howdy,

Hmm, at first glance those don't appear to be spam messages, though I'm not sure what would be generating those -- I don't believe any services installed by default would do that.

Are there any services that were installed onto your system that would ban an IP address? If it's not a service, it could also be a WordPress plugin.

-Eric

Wed, 03/04/2015 - 02:39
fakemoth

Diabolico is right, I said it also: if you are not sure, it is better to re-install everything from scratch, after you have figured out what the problem was; now, there is more to Linux than a website, and recently there was a wave of serious vulnerabilities (mainly found by Google, after realizing they weren't doing shit for Open Source, just making huge piles of money, after the Heartbleed event, and nowadays they are auditing everything really).

But at least in my case, I don't (and most of the admins don't) clean install the OS because of a website hack; because if the server is configured correctly, the hacker can't get further than the root of the public_html, or if they got an admin password, beyond the root of the domain. It would be a disaster for everyone in web hosting if you had to re-install the OS each time due to a website hack, 'cause those happen on a regular basis - that's why we don't use Windows :)

Simply put, you can't root a server via a PHP script (if you configured things ok, and you are up to date with EVERYTHING), only if you run the web server as user root, you don't use suexec and fcgid, you have modified the permissions to the infamous 777 (the perms really keep a web server going), there are some serious vulnerabilities that you didn't patch, ports opened, and so on, for example... It would take a lot of mistakes to make it happen. Most of the hacks also go through social engineering, tricking you into giving/entering/sending your passwords.

But (no offense here mate) if you are asking these questions, we can't know for sure, and it's better to be on the safe side of things - so wait to see what is happening, for now keep the services up and watch them closely, and in the meantime start a new VPS.

Don't take the name of root in vain...

Wed, 03/04/2015 - 10:34
Diabolico

szer0p, in case everything goes wrong or you decide to start again for any reason, keep in mind a few things:

    1. Drop the password login for your SSH/root and instead use a key. There is no reason why you should use a password; it's less secure and open to bruteforce attacks. When making the keys use a strong passphrase using "AZ - az - 09" symbols. If you don't want to think up your password(s) there are many good programs that can do this for you, like PWGen (check sourceforge.net).
    2. Change your default SSH port.
    3. Change the Webmin and Usermin default ports.
    4. With iptables open only the ports you need and close everything else.
    5. Use strong passwords; I would suggest 12+ in length (I use 20). To be sure you will not lock yourself out, open a "secret" Gmail account and send yourself all the login details while keeping them on your PC. In case you delete your file with passwords you will be able to recover everything from your mail.
    6. If you are hosting only your sites and so no one else needs to upload anything, turn off FTP for virtual servers and instead use SFTP with keys (remember, no password for root login). WinSCP is a great program for this. Watch out for FileZilla, as in the past I saw this software coming with tons of bloatware even from the original site, depending on what link you selected to download. Btw SFTP is much faster and more secure than FTP.
    7. Keep WordPress updated and use only addons you really (but really) need, not because they look good.
    8. Delete all addons and themes you are not using, even the ones that originally come with WP.
    9. Never, but never use any nulled/hacked/paid-but-free theme or addon. The chance for that script to come with some sort of backdoor or virus is almost 100%.
    10. Use any type of captcha for your WP login, comments, contact.
    11. Backup, backup and backup. I can't tell you how important this is. If for any reason you don't want to pay for an extra backup service, at least buy a 500GB HDD and make a weekly (full) backup on your PC. Frankly, even if you pay for an extra backup, from your hosting company or some other, always have one copy with you. Don't trust anyone to keep your data safe, not even yourself.

And this is really only a small amount of the things you could do to keep yourself safe. But it should be enough to keep out most of the scripts and hackers, as they will move to an easier target.
Just take this example: a fresh IP, not used for a long time, never in production on my server... it took less than 7 days to see bruteforce attacks. These suggestions will not make your server or websites 100% safe but at least will give you some protection. I could suggest installing fail2ban, apf, csf and many others, but I'm not sure if this would be too much for you (please, no offense meant) and you could easily ban yourself.
Or scrap all this, keep only the suggestions about WordPress, and go for a managed VPS.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
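Points 1 and 2 of the list above (key-only SSH login, no password authentication, non-default port) as an added shell example that is not part of this thread or of Virtualmin: `audit_sshd_config` reads an `sshd_config` and reports what is still at the weak setting, and `write_sample_sshd_configs` writes a constructed before/after pair so the audit can be tried without touching a live server. The file names and the contents of both configs are assumptions; on a real host run it against `/etc/ssh/sshd_config` (or better, the effective configuration from `sshd -T`).

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# post's advice (key-only login, no password auth, non-default port).
# The sample configs written by write_sample_sshd_configs are constructed.

# Effective value of KEY in CFG: sshd takes the first uncommented
# occurrence, so we do the same and fall back to DEFAULT when absent.
# (Match blocks are ignored here; a real audit would use `sshd -T`.)
sshd_value() {
    cfg=$1
    key=$2
    default=$3
    v=$(grep -iE "^[[:space:]]*$key[[:space:]]+" "$cfg" 2>/dev/null | head -n 1 | awk '{print $2}')
    if [ -n "$v" ]; then echo "$v"; else echo "$default"; fi
}

# Defaults used below are the OpenSSH 6.x era ones (PermitRootLogin
# defaulted to yes before 7.0). Prints one line per finding; returns 0 when clean.
audit_sshd_config() {
    cfg=$1
    rc=0
    port=$(sshd_value "$cfg" Port 22)
    pw=$(sshd_value "$cfg" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    root=$(sshd_value "$cfg" PermitRootLogin yes | tr 'A-Z' 'a-z')
    pubkey=$(sshd_value "$cfg" PubkeyAuthentication yes | tr 'A-Z' 'a-z')
    if [ "$port" = 22 ]; then
        # Moving the port only cuts bruteforce log noise; keys do the real work.
        echo "WARN: Port 22 (default)"
        rc=1
    fi
    if [ "$pw" != no ]; then
        echo "FAIL: PasswordAuthentication=$pw (set no; keys only)"
        rc=1
    fi
    case $root in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: PermitRootLogin=$root (set no, or prohibit-password for key-only root)"; rc=1 ;;
    esac
    if [ "$pubkey" != yes ]; then
        echo "FAIL: PubkeyAuthentication=$pubkey (keys must stay enabled)"
        rc=1
    fi
    return $rc
}

# Constructed before/after pair: a stock-looking config and one matching the post.
write_sample_sshd_configs() {
    dir=$1
    cat > "$dir/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$dir/sshd_config.hardened" <<'EOF'
Port 2222
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}
```

Before switching `PasswordAuthentication` to `no`, confirm from a second terminal that key login already works; otherwise the lockout the post warns about is exactly what happens.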

Wed, 03/04/2015 - 11:08
szer0p

Thaaanks guys for helping me and for your advice

Actually till now I don't see any spam, but I have 55 messages like the above with blocked IPs!

I don't really know what it is! But anyway I think it's not a problem; since I have this VPS I changed the root username and the port and I made a strong password... I applied a lot of security instructions on my VPS, so I didn't think it would be hacked or something else.

I keep WordPress up to date and I use only addons that I trust.

But really I can't reinstall the whole VPS, I have spent a lot of time on it and I really don't have time now; I am a medicine student, so IT is a hobby for me, but I am not so professional at it.

I will wait now till I see new spam in the Mail Queue, but I don't see any spam anymore.

... about a managed VPS, it's hard as it costs much more; I pay monthly 8 Euro for 4 GB RAM and a 2 core CPU, with this price I can't have any managed VPS.

Anyway I have received an email from Hotmail; you can read it:

Hello,

My name is Syeda and I work with the Outlook.com Deliverability Support Team.

We have reviewed your IP(s) (************) and determined that messages are being filtered (i.e. sent to the Junk folder) based on the recommendations of the SmartScreen® Filter.

Email filtering is based on many factors, but primarily it's due to mail content and recipient interaction with that mail. Because of the proprietary nature of SmartScreen® and because SmartScreen® Filter technology is always adapting and learning more about what is and isn't unwanted mail, it is not possible for us to offer specific advice about improving your mail content. However, in general SmartScreen® Filter evaluates specific words or characteristics from each e-mail message and weights them, based on their likelihood to indicate that a message is unwanted or legitimate mail.

Unfortunately, after reviewing the information you provided and in compliance with our mail policies, we are unable to offer immediate mitigation for your deliverability issue. However, we have some specific recommendations for you to consider that can help you to improve deliverability over time.

Here are some specific recommendations for you to consider:

Brand your mail
Ensure mails are cleanly formatted and clearly identifiable as originating from your service.

Follow content and formatting best practices
There are numerous Internet resources which offer advice and best practices, we recommend you refer to these resources for assistance creating well formatted and more deliverable email.

Highlight Opt In
Clearly mark your emails so that Windows Live Outlook.com customers are able to identify that they requested or subscribed to emails from your service.

Ensure your email lists are up to date
Remove those who do not want to receive the emails and consider making the unsubscribe process more visible to ensure you are only delivering mail to interested recipients.

Join the Junk Mail Reporting Program (JMRP)
We believe that your recipients are the best indicator that the email you are sending is wanted. The JMRP program allows you to see which of your emails Outlook.com users have marked as junk or unwanted mail. Reviewing the results in JMRP will provide to the most direct information on what characteristics of your email, customers, and ultimately SmartScreen®, consider to be unwanted. This helpful feedback mechanism allows you to ensure that mails being sent from your IP are not resulting in negative feedback that could impact your sending reputation. Being vigilant about users who mark your e-mail as unwanted or the types of messages that are being marked as unwanted can help you keep mailing lists updated with only interested users and modify future campaigns. In addition, monitoring user complaints can help you identify unintended mail traffic or detect a potentially compromised account sending unwanted mail to your customers. Enroll at https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0.

Join the Smart Network Data Services program (SNDS)

The SNDS program provides data about traffic seen originating from your registered IP, such as mail volume and complaint rates. The data is built from the log files of the inbound mail machines and other servers at Outlook.com and Microsoft and represents factual information about the traffic from your mail servers to Outlook.com users. For more information about this free program refer to https://postmaster.live.com/snds/FAQ.aspx. To register, please go to http://postmaster.msn.com/snds/. (Tip: As part of the enrollment process, you are asked to sign the JMRP program agreement and then send a response to Support indicating that it has been signed. It's not uncommon for that step in the enrollment process to be missed.)

We encourage you to take an active role in managing your email practices and infrastructure. The SmartScreen® filter is not static and it is possible to improve deliverability over time. Implementing and maintaining email best practices such as those described above can help.

I have one last question: what if I buy a new IP, use it as the default and delete the old IP... can I use it with no problems, and can I send emails to Hotmail and Gmail without problems? And I will try to do everything that you told me to do.

MANY THANKS GUYS, I APPRECIATE IT. God bless you

Wed, 03/04/2015 - 18:13
Diabolico

"Unfortunately, after reviewing the information you provided and in compliance with our mail policies, we are unable to offer immediate mitigation for your deliverability issue."
Yeah, looks like you are on a black list and they will not remove you from there, at least not so soon. I'm only afraid your host could charge you for a blacklisted IP or even terminate your account if they start receiving complaints.

"Here are some specific recommendations for you to consider: Brand your mail. Ensure mails are cleanly formatted and clearly identifiable as originating from your service."
Forgot to mention in my previous post: add SPF, DKIM and rDNS for your domain(s)/IP.

"Ensure your email lists are up to date. Remove those who do not want to receive the emails and consider making the unsubscribe process more visible to ensure you are only delivering mail to interested recipients."
If you have any mailing list, best would be to have a double opt-in system and have an option in every single mail to opt out.

If all this is too much for you then maybe it is better to go back to some good shared hosting and take a small VPS to learn. Never put production sites on a VPS if you don't know what you are doing.

P.S. A VPS with 4GB and 2 cores for 8 EUR (around 9 USD) is just too cheap, and I'm afraid in the end you will lose everything (hope I'm wrong). A good place to check for some good hosting and its reputation is webhostingtalk.com. The majority of review sites you find on Google are paid affiliates and do not represent real information. Good luck.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sat, 03/07/2015 - 15:52
szer0p

That was the status from the Mail Queue:

maildir delivery failed: create maildir file /var/mail/vhosts/*******.com/postmaster/tmp/1425758582.P11932.server.******.com: Permission denied

delivery failed to mailbox /var/mail/vhosts/*****.com/all: unable to create lock file /var/mail/vhosts/********.com/all.lock: Permission denied

Can anybody tell me how I could solve this problem?
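The two "Permission denied" errors above both come from the delivery agent being unable to write inside the mailbox tree, so the first thing to check is who owns the path and whether the owner can write to it. As an added shell example that is not part of the thread or of Virtualmin, the functions below find the entries under a maildir tree that are not owned by the expected user or are not owner-writable, and repair them by fixing ownership and the owner bits rather than opening the directories to everyone (the 777 mistake fakemoth warns about earlier in the thread). The path layout and the user name are assumptions; on a real Virtualmin box the expected owner is the domain's Unix user, which is what Postfix's `virtual_uid_maps`/`virtual_gid_maps` resolve to.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose "Permission denied" on
# maildir delivery. Postfix's virtual delivery agent writes as the uid/gid
# from virtual_uid_maps/virtual_gid_maps, so every directory on the path
# (.../tmp, .../new, .../cur and the directory holding any .lock file)
# must be owned by that user and writable by it. Paths and the user name
# used in the comments are assumptions.

# Entries under TREE that are not owned by OWNER (a user name).
maildir_wrong_owner() {
    tree=$1
    owner=$2
    find "$tree" ! -user "$owner" 2>/dev/null
}

# Directories under TREE whose owner lacks the write bit (mode bit 0200);
# delivery fails on the first of these it has to create a file in.
maildir_unwritable_dirs() {
    tree=$1
    find "$tree" -type d ! -perm -200 2>/dev/null
}

# Give the whole tree back to OWNER:GROUP and make every directory
# owner-writable and traversable. Deliberately touches only the owner
# bits: mailboxes must not become readable or writable by other local
# users or by a hijacked web process.
maildir_repair() {
    tree=$1
    owner=$2
    group=$3
    chown -R "$owner:$group" "$tree" && find "$tree" -type d -exec chmod u+rwx {} +
}
```

Typical use is `maildir_wrong_owner /var/mail/vhosts/example.com exampleuser` and `maildir_unwritable_dirs /var/mail/vhosts/example.com` first, then `maildir_repair` only on the domain's own tree once the reported entries match the error message; a wrong-owner hit on a file the user never created is itself worth a look, since it shows what else has been writing there.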