
A client of mine has a server hosting Postfix as well as nginx with several websites, including an nginx installation with several subdomains / websites.

For the last couple of days the /var/spool/postfix directory has been filling up with e-mails recognized as spam.

The task now is to identify the cause of this exploitation. My feeling is that there is a vulnerability on one of the websites that was used for uploading a web shell or something similar in order to send e-mails via Postfix.

I am not experienced with Postfix, so my question is how I can identify the source of the sender. In particular, whether it was a local account or an external user sending the e-mails, maybe the process that triggered the sending, etc., in order to create a bullet-proof link between the sent spam and a potential vulnerability in the website(s).

So far I am running Linux Malware Detect against the entire filesystem. Furthermore, I am running webshell-scan.

So, my question is: is there a sequence of (best) practices for further analyzing the root cause of the sent spam e-mails?

UPDATE:

Here are some details of one of the sent spam emails:

$ postcat -q 27E70B3B1
*** ENVELOPE RECORDS active/27E70B3B1 ***
message_size:            3001            2450              20               0            3001               0
message_arrival_time: Fri Jan 15 10:06:00 2021
create_time: Fri Jan 15 10:06:01 2021
named_attribute: log_ident=27E70B3B1
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=bounce
sender: morrisheldon@mfarms.net
named_attribute: log_client_name=unknown
named_attribute: log_client_address=91.224.92.168
named_attribute: log_client_port=52564
named_attribute: log_message_origin=unknown[91.224.92.168]
named_attribute: log_helo_name=[91.224.92.168]
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=srv-91-224-92-168.serveroffer.net
named_attribute: client_address=91.224.92.168
named_attribute: client_port=52564
named_attribute: server_address=foo.bar.baz.xxx
named_attribute: server_port=25
named_attribute: helo_name=[91.224.92.168]
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;grluhring@yahoo.com

Does it mean that the attacker was able to authenticate via user "bounce" or is the server misconfigured to simply bounce spam mails coming from another server?

Thanks!

user1192748
    First off, you might want to check if the SMTP server is running as an open relay. See https://tools.appriver.com/OpenRelay.aspx for a tool for this. If not, what other services are running on the host? Is there a web server running? If so, perhaps a contact form is being abused somehow to send these spam messages. Are there records in the web server's logs that coincide with the mail server logs for the spam messages? – mti2935 Jan 18 '21 at 13:59

1 Answer

Here's a general outline of the approach I usually use in such cases:

  1. Look at the "Received:" headers of the spam messages to check where they came from. These headers can really reveal a lot. In particular, you will know whether the messages originated locally or externally. Also, if the message was sent by a web script, there may be some specific headers to indicate the source. For example, if a script in PHP sends mail using the mail() function, a header X-HTTP-Posting-URI: or X-PHP-Originating-Script: is usually added that tells you exactly which script sent the message.
  2. Look at the Postfix logs to identify all entries that refer to a sample spam message (identify it by timestamp and Message-Id).
  3. If after steps 1) and 2) it still isn't clear what the source of the spam is, try to coordinate the timestamps from 2) with the web server log, check what URLs were accessed at the exact time the message originated, and examine all these URLs carefully.
raj