0

Let me first start out by saying I am no mail guru. If you need more info to help me just let me know.

This week the mail server has been having all sorts of strange issues. It has been duplicating emails last week it wouldn't even let me connect to imap with thunderbird until postfix was restarted. I never did determine why this was. At any rate a few nights ago I was searching around in the mail log trying to search for an answer as to why this might be causing these issues. With no real leads I simply began looking for anomalies. Doing this I stumbled upon thousands of email messages that are being routed through the mail system. So far as I can tell my main.cf file is correct and postfix should not be acting as an open relay. I do not understand how mail is being sent through the system. Does anyone know how this is possible?

The spam messages seem to be coming from hundreds of different domains that from all over the world. Most of them seem point to CentOS servers running apache, mail, and ssh. The only thing that's set up on them is the apache test page that comes with CentOS. The mails that are being sent through our system are mostly being sent to cornerstone-valuation.com (little website with a submit email form that does not have a captcha) although there are some being sent from [CUSTOMER EMAIL] to a disposable email service(10minutemail.com) and the rest from [REDACTED]@cfm-valuation.com. This leads me to think these machines are actually part of a botnet and that our machine is as well.

From there things get even more wild. The IP’s that is sending spam though our system to [REDACTED]@cornerstone-valuation.com and drdrb.net are also sending spam many of our customers using our system. Maybe all of them I’m not sure. This means the people doing this have access to all of our customer email accounts which are located in /var/vmail/vmail1 (which can’t even be viewed unless root) and have distributed this information all across the internet. Does anyone here know how the spammer got this information?

Here are examples of log files and a huge list of domains that probably point at a bonnet of CentOS servers. Just follow the link below.

http://pastebin.com/raw.php?i=cJzjTZ46

Edit: Another issue is that A lot of the messages that are being kicked back at the server, are not originating from the server in the first place. They are coming from outside servers that are using [OUR MAIL DOMAIN] in the EHLO statements.

HAL9000
  • 139
  • 1
  • 3
  • 8
  • Thanks for the advice but really I was posting this here in the hopes that someone may have had this happen to them before and might have known more specifically what I should do. Unfortunately take the advice given there just isn't an option even though I wish it was. – HAL9000 Aug 11 '14 at 17:39

1 Answers1

3

Holy Cow... No offence meant but the ONLY suitable solution for this is finding an IT-service-provider to help you out there because as you said, you are no mail expert and your server really seems to be compromised.

As a start you should disable the root password from SSH (root shouldn't be allowed to log in via SSH by password).

I don't know the exact setup and update status of your server but maybe you had a security hole in the past (maybe Heartbleed?) that led to this.

Seriously, don't ask here and try to fix it yourself unless you really know what you're doing. Find someone to help you out as this can cause a lot of financial and reputation damage for your company.

Configuration of your main.cf for a start would be nice though.

P.S.: Excuse me for posting this as an answer, I don't have 50 reputation to comment yet.

Broco
  • 1,919
  • 12
  • 21