
I have a platform consisting of many web servers doing shared web hosting. These servers run Linux and host tonnes of WordPress, osCommerce, Joomla and other open source website platforms.

Every now and then (read: several times every day) one of these sites gets owned, malicious code is injected and the spamming begins.

I have already taken various measures to prevent this, but it seems like these attacks are escalating more and more.

Therefore, my question is to other sysadmins caring for large scale shared hosting platforms: How do you filter (and report?) outgoing e-mail from your web servers? The e-mail that is sent when users in e.g. PHP use the mail() function or the localhost SMTP server.

Jeff
  • One thing you can do is to stop some of the exploits being uploaded in the first place. Use a tool like [maldet](http://www.rfxn.com/projects/linux-malware-detect/) to scan all file uploads. – Michael Hampton Aug 28 '13 at 07:04

2 Answers

2

You can set up SMTP servers of your own, block SMTP (and submission) traffic outbound from the web servers to anywhere but that SMTP server, and compel your clients to configure that as their outbound MTA. Then, run a spam filter on that SMTP server (spamassassin under postfix might work, though I would disable the RBL filters as they would be useless), and have it drop anything which appears to be spam.

This has a number of severe drawbacks, such as that you might unintentionally silently drop some of your clients' legitimate mail, and that some spam will probably still get through.

Assuming the servers that are spamming are actually supposed to be sending mail at all, the only way you are going to prevent this is by securing the hosts so that they don't get owned. This may prove extremely difficult depending on the exploitability of the versions of the software you're running at each point, and how readily you can patch.

Chances are that if you are getting owned that often, you're being owned by an automated process employing a public exploit. In this case, patching will likely greatly reduce the incidence of this issue.

Falcon Momot
  • +1 for ***PATCHING*** -- stop trying to bail the boat for a few seconds and plug the giant hole in the hull. – voretaq7 Aug 28 '13 at 15:41
  • My clients have 2 options: use localhost or use the address of an SMTP server. When they use localhost, connections are relayed to a centralized cluster of SMTP servers - that do in fact throttle at 200 msgs/hour per sender. Customers cannot change the sender (envelope... not the "From" header). Patching often would be wonderful! But with 60k+ sites that are operated by customers themselves this doesn't seem to be something I can care for - therefore I want to keep my butt clean by controlling what is spammed out, and then suspend customers when they get owned. – Jeff Aug 31 '13 at 19:16
  • Well, this is how you do it: throttling and filtering, while trying to get people to patch, and handling abuse complaints as they arise. There simply isn't a way to assure 100% that no spam will ever get out, though. – Falcon Momot Sep 01 '13 at 06:47
2

Under the perfect circumstances (different sites running under different user accounts), you might be able to use Postfix Policyd. It allows you to throttle and limit e-mail on a per-user basis.

If you use mod_php and the sites are all running as the same Apache user, then you'll have to take a different approach.

One way would be to activate the PHP X-Originating-Script mail header by putting mail.add_x_header=1 in your php.ini. Then put something like qpsmtpd in place to handle the outgoing e-mails and write a small plugin which takes a look at the X-Originating-Script header and stores the sending script path (or just the username portion of it) in a database, increasing the sent mail counter value each time. If the value is greater than the limit you want to have, like "more than 100 e-mails per hour", then make the script return "Sorry, your outgoing mail quota was temporarily exceeded".

Creating those scripts is not that hard; take a look at the qpsmtpd examples. I once did this in Perl; the total length of the script was around 100-200 lines.

And, needless to say, spam filtering is also needed, but I presume you already have SpamAssassin or similar in place.

Janne Pikkarainen
  • While you are worrying about the X-Originating-Script header, do yourself a favour and write a rule to discard any mails from `zeromailer.php`. It's prolific lately. – Falcon Momot Aug 28 '13 at 18:57
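The decision logic this answer describes, written out as an added Python example (it is not the answer's Perl qpsmtpd plugin and not part of the page): PHP's mail.add_x_header=1 emits the header as X-PHP-Originating-Script with the value <uid>:<script basename>, so the counter is keyed on the uid, which only tells customers apart when sites run under different user accounts, as the answer notes. The uid-to-account map, the in-memory counter standing in for the database, the sample message and the 100/hour limit are constructed assumptions; the zeromailer.php discard rule is the one suggested in the comment above.

```python
import time
from collections import defaultdict
from email.parser import Parser

# PHP's mail.add_x_header=1 adds "X-PHP-Originating-Script: <uid>:<script basename>".
HEADER = "X-PHP-Originating-Script"
HOURLY_LIMIT = 100                    # the answer's "more than 100 e-mails per hour" rule
WINDOW_SECONDS = 3600
DENIED_SCRIPTS = {"zeromailer.php"}   # discard rule from the comment on this answer
# Constructed uid -> hosting account map; a real deployment would read it from the system.
ACCOUNTS = {1001: "alice", 1002: "bob"}

QUOTA_MSG = "Sorry, your outgoing mail quota was temporarily exceeded"


def originating_script(raw_message):
    """Return (uid, script) from the PHP header, or None when it is absent or malformed."""
    value = Parser().parsestr(raw_message, headersonly=True).get(HEADER)
    if not value or ":" not in value:
        return None
    uid, script = value.split(":", 1)
    return (int(uid), script.strip()) if uid.strip().isdigit() else None


class OutboundQuota:
    """Per-account sent-mail counter standing in for the database the answer describes."""

    def __init__(self, limit=HOURLY_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.counters = defaultdict(lambda: {"count": 0, "start": 0.0})

    def check(self, raw_message, now=None):
        """Decide one message: returns (accept, reason); PHP-originated mail is counted."""
        now = time.time() if now is None else now
        origin = originating_script(raw_message)
        if origin is None:
            return True, "not a PHP mail() submission; not counted"
        uid, script = origin
        if script in DENIED_SCRIPTS:
            return False, f"sending script {script} is known malware"
        account = ACCOUNTS.get(uid, f"uid{uid}")
        entry = self.counters[account]
        if now - entry["start"] >= self.window:      # start a fresh hourly window
            entry["count"], entry["start"] = 0, now
        entry["count"] += 1
        if entry["count"] > self.limit:
            return False, QUOTA_MSG
        return True, f"{account}: {entry['count']}/{self.limit} this hour"


# Constructed sample message, as PHP's mail() hands it to the local MTA.
SAMPLE = "To: someone@example.com\nSubject: hi\n" + HEADER + ": 1001:contact-form.php\n\nbody\n"
```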