
The server also has httpd with PHP services running. I did read the guide here: https://a1websitepro.com/find-track-filthy-spammer-block/ and I did install EXIM.

My client complains they never had this happen on Windows Server 2000, 2003 or 2012.

Here is a list of commands that I have run:

[Three screenshots of the command output were attached here.]

Did read and try:

  • If you are trying to redact the hostname, you seem to have missed one in the middle of the top image. – hft Jan 14 '21 at 03:07
  • I don't understand what the problem is. Are you being used as an open relay? (Have you [tested if you're an open relay](https://mxtoolbox.com/diagnostic.aspx)?) Are you receiving spam? Are you sending spam out directly? How do you know? Give us the story and not just some screenshots that we don't know what meaning you're drawing from them. – gowenfawr Jan 14 '21 at 03:26
  • You appear to have Exim and Sendmail both running. As you state you installed Exim, I would recommend stopping and disabling Sendmail. You may be changing Exim settings that have no effect and checking Exim logs with nothing useful in them because Sendmail is actually processing email through the system. – gowenfawr Jan 14 '21 at 03:51
  • If I stop sendmail then how will I be able to receive email, as it needs the virtualuser file and config? – user3265051 Jan 14 '21 at 04:08
  • gowenfawr - not an open relay. Somehow spam is going outgoing with sendmail. So without exim how can I find the exact source of the outgoing messages? In Windows I would just open up netstat, see Task Manager, look for weirdly modified files. But Linux seems to be very complex with the ways they are spamming – user3265051 Jan 14 '21 at 04:11
  • *"... yes i know Linux is better ..."* - it primarily depends on the capabilities of the server administrator and not so much on the OS today. Believing Linux is just secure without actually caring about the system and while having potentially insecure web applications running is the wrong approach. The provided information is not much use to track down the problem. There is not even much of a problem description, i.e. it might be an open relay but also a badly designed part of the web application or some hijacked user account causing the spam. – Steffen Ullrich Jan 14 '21 at 07:53
  • I would start by investigating mails in the queue. "When a message is stored in the queue, it is split into pieces. Each of those pieces is stored as a separate file in the queue directory. That is, the header and other information about the message are stored in one file, while the body (the data) is stored in another. " Investigate one of the mails --> /var/spool/mqueue/qf* message control file and /var/spool/mqueue/companion df* message body in your text editor. Perhaps the spam is originating from one of the email ids on your mail server. – cyzczy Jan 14 '21 at 08:11
  • "The server has also httpd with PHP services running" If the service is exposed to the Internet (vulnerable to certain exploits) that might explain how someone got access to the box. – cyzczy Jan 14 '21 at 08:15
  • + Nothing to worry about in the attached screenshot. The sendmail smtp and submission services are standard. Regarding "I did install EXIM" -> you just installed another MTA on the box. Unless you are planning to configure it (instead of sendmail) I would remove it. – cyzczy Jan 14 '21 at 08:24
  • Our site preference is that you _not_ redact whenever possible. The solution shows one reason why: It was very easy to solve the problem when the information was made available. – Michael Hampton Jan 15 '21 at 01:05
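cyzczy's comment above suggests looking at the messages sitting in the sendmail queue to see where they originate. The script below is an added example for this thread, not code from the original post or from sendmail: it parses the qf* control files in a queue directory and tallies the envelope sender, the validated-sender macro ($_, which records which local user or daemon injected the message), and the From and Subject headers, so that a single account or script driving the outgoing mail stands out. It assumes the version-8 sendmail queue control file layout, and the three sample queue files are constructed for the demo.

```python
"""Summarise sendmail queue control files (qf*) to see where queued mail comes from.

Added example for this thread, not code from the original post or from sendmail.
Assumes the version-8 queue control file layout: 'S' envelope sender, 'R...:'
recipient lines, 'T' creation time, 'M' last delivery status, 'H??Name:' header
lines and '$_' for the validated-sender macro. The sample queue files below are
constructed; pass /var/spool/mqueue as argv[1] to run it against a real queue.
"""
import glob
import os
import re
import sys
from collections import Counter

HEADER_RE = re.compile(r"^H(\?[^?]*\?)?([^:]+):\s*(.*)$")
RECIPIENT_RE = re.compile(r"^R[^:]*:<?([^>]+)>?$")


def parse_qf(text):
    """Parse one qf control file into envelope fields plus a header dict."""
    info = {"sender": None, "recipients": [], "created": None,
            "status": None, "auth": None, "headers": {}}
    last_header = None
    for line in text.splitlines():
        line = line.rstrip()
        if line == ".":  # end of control file
            break
        if line[:1] in (" ", "\t") and last_header:
            info["headers"][last_header] += " " + line.strip()  # folded header
            continue
        last_header = None
        code, rest = line[:1], line[1:].strip()
        if code == "S":
            info["sender"] = rest.strip("<>")
        elif code == "R":
            m = RECIPIENT_RE.match(line)
            if m:
                info["recipients"].append(m.group(1))
        elif code == "T":
            info["created"] = int(rest)
        elif code == "M":
            info["status"] = rest
        elif line.startswith("$_"):
            info["auth"] = line[2:].strip()  # who sendmail recorded as the injector
        elif code == "H":
            m = HEADER_RE.match(line)
            if m:
                last_header = m.group(2)
                info["headers"][last_header] = m.group(3)
    return info


def summarise(messages):
    """Tally the fields that identify the source; one dominant value stands out."""
    pick = {"sender": lambda m: m["sender"], "auth": lambda m: m["auth"],
            "from": lambda m: m["headers"].get("From"),
            "subject": lambda m: m["headers"].get("Subject")}
    summary = {k: Counter(f(m) for m in messages if f(m)) for k, f in pick.items()}
    summary["recipients"] = sum(len(m["recipients"]) for m in messages)
    return summary


def load_queue(queue_dir):
    """Parse every qf* file in a sendmail queue directory."""
    messages = []
    for path in sorted(glob.glob(os.path.join(queue_dir, "qf*"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            messages.append(parse_qf(fh.read()))
    return messages


# Constructed sample queue: two messages injected by the web server account
# through a script, and one ordinary message from a local user.
SAMPLE_QF = [
    "V8\nT1610600000\nMDeferred: Connection timed out\n$_apache@localhost\n"
    "S<apache@www.example.test>\nRPFD:<victim1@example.net>\nRPFD:<victim2@example.net>\n"
    "H?P?Return-Path: <g>\nH??Received: (from apache@localhost)\n"
    "\tby www.example.test (8.15.2)\n"
    "H?F?From: apache@www.example.test\nH??Subject: Check out this site!!!\n.\n",
    "V8\nT1610600100\n$_apache@localhost\nS<apache@www.example.test>\n"
    "RPFD:<victim3@example.org>\nH?F?From: apache@www.example.test\n"
    "H??Subject: Check out this site!!!\n.\n",
    "V8\nT1610600200\n$_alice@localhost\nS<alice@www.example.test>\n"
    "RPFD:<bob@example.org>\nH?F?From: Alice <alice@www.example.test>\n"
    "H??Subject: Lunch?\n.\n",
]

if __name__ == "__main__":
    msgs = load_queue(sys.argv[1]) if len(sys.argv) > 1 else [parse_qf(q) for q in SAMPLE_QF]
    s = summarise(msgs)
    print(f"{len(msgs)} queued messages, {s['recipients']} recipients")
    for key in ("sender", "auth", "from", "subject"):
        for value, n in s[key].most_common(3):
            print(f"  {key:8s} {n:3d}  {value}")
```

On the sample data the envelope sender and the $_ macro both point at the apache account with one repeated subject, which is the pattern a script behind a web form produces; a hijacked user account shows up as that user's name in $_ instead.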

1 Answer


(Note: I determined your FQDN from the screenshots and browsed your web site)

The problem may be that you permit email sending via a form with no captcha or control:

[Screenshot: email form from web site]

Your server claims the mail is sent:

[Screenshot: server output describing mail send]

I could verify that email was sent to my server, but my server rejected it because you're on Spamhaus RBL:

# grep 1xx.1xx.1xx.2x mail.log
Jan 14 14:24:11 bifrost postfix/smtpd[249717]: NOQUEUE: reject: 
    RCPT from s1xx-1xx-1xx-2x.ax.hxxx.txxxx.net[1xx.1xx.1xx.2x]:  
    554 5.7.1 Service unavailable; Client host [1xx.1xx.1xx.2x] blocked using zen.spamhaus.org;  
    https://www.spamhaus.org/query/ip/1xx.1xx.1xx.2x;  
    from=<apache@wxxxxxx.cxxxxxx.wxxxxxx.ca>  
    to=<gowenfawr@sxxxxxx.com>  
    proto=ESMTP helo=<wxxxxxx.cxxxxxx.wxxxxxx.ca>

Your next steps should be to protect all such forms on your web site with a real CAPTCHA - not just the name of the mayor, as another form on your site requires - and then see about getting de-listed from Spamhaus and any other RBL you've ended up on.

gowenfawr
  • This sort of form was briefly popular almost 20 years ago but fell out of favor for exactly this reason. I think it's been at least 15 years since I've seen one in the wild. These days you put up social media share buttons instead. – Michael Hampton Jan 15 '21 at 01:02
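The answer's finding is that the web form lets anyone on the Internet send mail through the server, and the first place that abuse shows up is the web server's own access log: one client POSTing to the form handler far faster than a person would. The script below is an added example for this thread, not code from the original answer or the site in question: it reads Apache combined-log lines and reports clients that exceed a number of POSTs to the form path within a sliding window. The form path /email-page.php, the sample log lines and the thresholds are assumptions constructed for the demo.

```python
"""Flag clients that POST to a mail-sending web form in bursts (Apache combined log).

Added example for this thread, not code from the original answer. The form path
/email-page.php, the sample log lines and the thresholds are assumptions made
for the demo; set FORM_PATHS to the real form handler(s) on the site.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
FORM_PATHS = {"/email-page.php"}  # assumed path of the mail-sending form handler


def parse_line(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def find_form_bursts(lines, form_paths=FORM_PATHS,
                     window=timedelta(minutes=10), max_posts=5):
    """Return {client_ip: peak_count} for clients whose POSTs to a form path
    exceed max_posts within any window. Lines are assumed to be in log order."""
    recent = defaultdict(list)  # per-client timestamps inside the window
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] not in form_paths:
            continue
        times = recent[rec["ip"]]
        times.append(rec["ts"])
        while times and rec["ts"] - times[0] > window:
            times.pop(0)  # slide the window forward
        if len(times) > max_posts:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(times))
    return offenders


# Constructed sample log: 203.0.113.7 drives the form from a script while
# 198.51.100.4 is an ordinary visitor who uses it twice, hours apart.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jan/2021:03:01:02 +0000] "POST /email-page.php HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '198.51.100.4 - - [14/Jan/2021:03:01:05 +0000] "GET /news.html HTTP/1.1" 200 8042 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jan/2021:03:01:09 +0000] "POST /email-page.php HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '203.0.113.7 - - [14/Jan/2021:03:01:15 +0000] "POST /email-page.php HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '198.51.100.4 - - [14/Jan/2021:03:02:40 +0000] "POST /email-page.php HTTP/1.1" 200 512 "http://www.example.test/news.html" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jan/2021:03:02:51 +0000] "POST /email-page.php HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '203.0.113.7 - - [14/Jan/2021:03:03:02 +0000] "POST /email-page.php HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '203.0.113.7 - - [14/Jan/2021:03:03:20 +0000] "POST /email-page.php?x=1 HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '198.51.100.4 - - [14/Jan/2021:05:30:00 +0000] "POST /email-page.php HTTP/1.1" 200 512 "http://www.example.test/news.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, n in sorted(find_form_bursts(lines).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} form POSTs within 10 minutes")
```

Running it against the real access log (argument 1) lists the clients to block and gives a count of how much mail the form handed out, which is useful when asking Spamhaus for de-listing; the CAPTCHA and a server-side rate limit on the handler are what stop the next client.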