
We have a Debian Squeeze server running a fairly standard LAMP stack (back in the day it was set up using the Perfect Server guide at Howtoforge, so we're using ISPConfig as our backend admin panel) which has been locked down pretty well with regard to MTAs (nothing installed: no Postfix, no Exim, etc.), with the PHP mail() function thoroughly disabled and port 25 firewalled.

We routinely get spam warnings from e.g. MegaRBL, however, identifying our server IP as the source.

Usually we track down a hacked Wordpress site, where we see a bunch of encrypted/obfuscated scripts and other junk, which we then nuke and hope for the best.

This approach is not satisfying to me as I am going mad with trying to figure out HOW they manage to send out SPAM from this server. I am guessing (and this might be totally wrong) that the scripts they manage to drop into the hacked Wordpress sites are Mail Transport Agents themselves. I obviously cannot gain much insight into what they are doing exactly as these scripts are encrypted / obfuscated.

All my Google searches and research always point to Postfix or the mail() function and various guides on how to track this down and mitigate spam from these sources, but I am certain that all that stuff has been nuked from our server.

So my question here is threefold:

  1. Is it possible that these obfuscated scripts we find are in fact sending out mail without the aid of any binaries installed on my server? (e.g. Postfix, sendmail, whatever)
  2. Is there any way of logging / detecting this type of traffic being emitted from our server?
  3. Am I missing something? Postfix has been removed, I've double-checked that the PHP mail() function is disabled, I've scoured the binaries looking for anything that might be mail related and nuked it, but I'm worried I might just be retarded and missing something obvious ...

Arni J
  • Hello Arni J, in answer to question 1, if your script can speak SMTP, you can send a mail. In answer to question 2, I would suggest recording the data and examining it for mail traffic. The first move is to ascertain whether or not your server is the true culprit. Are you familiar with tcpdump? – Eamonn Travers Sep 17 '15 at 12:01
  • @EamonnTravers - Then how come blacklisting sites out there block our IP specifically as the source? Does that just mean that the source scripts reside on our server, but they might be using open relays elsewhere to do the actual sending? That would make sense I suppose ... I've used tcpdump before but I'll have to google that further ... – Arni J Sep 17 '15 at 12:42
  • `Usually we track down a hacked Wordpress site, where we see a bunch of encrypted/obfuscated scripts and other junk, which we then nuke and hope for the best.` **This** is your problem. This shouldn't even happen once, let alone regularly. Don't care about spam as long as you don't have full control over your system. – Sven Sep 17 '15 at 12:50
  • Hello again Arni J. Your situation has no easy answer. I would encourage you to examine the traffic coming off the server before doing anything else. `tcpdump -i eth0 -n -w /root/capture.pcap` will record all network traffic on eth0. Let it run and filter the file using Wireshark. You're looking for SMTP (outbound traffic to port 25: `tcp.dstport == 25`). As you have no MTA installed, there should be no SMTP traffic. – Eamonn Travers Sep 17 '15 at 13:08
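Picking up the second question (how to detect this traffic) and the point made in the comments that anything able to speak SMTP can send mail: the following is an added example, not from the question or any answer, that lists established connections from this host to SMTP ports and names the process (and its working directory) behind each one, which is usually enough to point at the hacked site. It assumes Python 3 on a Linux host with the standard /proc layout, checks IPv4 sockets only, needs root for live use, and the SAMPLE table is constructed.

```python
"""Find which local process owns an outbound SMTP connection (added example).
Parses /proc/net/tcp (IPv4 only) for ESTABLISHED sockets to remote port 25/465/587,
maps each socket inode to a PID via /proc/<pid>/fd and prints its cwd (for a PHP
worker, usually the hacked site). Live use needs root; SAMPLE is constructed (one
LISTEN socket, one SMTP session from uid 33 = www-data, one HTTPS session). Python 3."""
import os, re, socket, struct

SMTP_PORTS = {25, 465, 587}
def decode_addr(hexaddr):
    """'0100007F:0019' -> ('127.0.0.1', 25); the IPv4 part is little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def outbound_smtp_sockets(proc_net_tcp_text):
    """Return [(remote_ip, remote_port, uid, inode)] for established SMTP sockets."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        f = line.split()
        if len(f) < 10 or f[3] != "01":  # "01" is TCP_ESTABLISHED in /proc/net/tcp
            continue
        rip, rport = decode_addr(f[2])
        if rport in SMTP_PORTS:
            found.append((rip, rport, int(f[7]), int(f[9])))
    return found

def inode_to_pids(inodes):
    """Map socket inodes to the PIDs whose fd tables reference them."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                m = re.match(r"socket:\[(\d+)\]", os.readlink("/proc/%s/fd/%s" % (pid, fd)))
                if m and int(m.group(1)) in inodes:
                    owners.setdefault(int(m.group(1)), []).append(int(pid))
        except OSError:
            continue  # process exited, or not readable without root
    return owners

SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111 1 0000000000000000 100 0 0 10 0
   1: 0F00000A:B2D4 0100A8C0:0019 01 00000000:00000000 00:00000000 00000000    33        0 2222 1 0000000000000000 20 4 30 10 -1
   2: 0F00000A:B2D5 0100A8C0:01BB 01 00000000:00000000 00:00000000 00000000    33        0 3333 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        socks = outbound_smtp_sockets(fh.read())
    owners = inode_to_pids({s[3] for s in socks})
    for rip, rport, uid, inode in socks:
        for pid in owners.get(inode, []):
            print("%s:%d uid=%d pid=%d cwd=%s" % (rip, rport, uid, pid, os.readlink("/proc/%d/cwd" % pid)))
```

A spam run is short-lived, so loop this (or run it from cron every minute) and keep the output; a PHP worker whose cwd is one of the hosted sites is the one to look at.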

2 Answers

There are a few things we do for this.

Option 1: if you do not want any emails outbound, check that your OUTBOUND firewall is set to block TCP/25, assuming you do not want to send email.

iptables -A OUTPUT -p tcp --dport 25 -j DROP   # DENY is not an iptables target; DROP (or REJECT) is
iptables-save > /etc/iptables.rules             # iptables-save only prints the ruleset; redirect it to a file (path is an example) to persist it

Option 2: install Postfix and add a BCC to get copies of sent emails.

postconf -e always_bcc=abusemonitor@example.com
service postfix restart

Option 3: redirect all outbound mail to a catch-all. There are a few options, so search around; one I prefer is using mailcatcher.me, and there are a few others floating around, e.g. Email catch all (domain and subdomains) Postfix.

For mailcatcher.me you would need to redirect outbound mail to it, as well as a system that can run Ruby.

postconf -e 'relayhost=[mailcatcherIP]:1025'   # the brackets tell Postfix not to do an MX lookup on the literal host
service postfix restart

Option 4: firewall redirect. Get with your network admin and set up a NAT rule to redirect outbound 25 from the internal IP of the web system to another system or filter, such as an outbound filter like https://www.spamexperts.com/services/outgoing-filtering

Lastly as extra info, postfix is an MTA, however you don't need an MTA to send email, just the ability to open a connection on TCP/25.
If you can telnet to an MX record on port 25, you can potentially send email (without postfix/sendmail/etc)

If you have some clients with WordPress that should be allowed to send email, suggest they use the SendGrid or Mailchimp plugins; they can use API tools over HTTPS or the client SMTPS port (submission, 587).

Jacob Evans

Look in /var/log at: maillog

Make your own PHP mail script and see if it works. Mostly anything that's going on mail-wise will show in the mail log.

  • That's pretty much exactly the point of my question here: the mail log shows nothing as there are no MTAs active on the server. Doing a simple mail() PHP test script returns `/usr/sbin/sendmail not found`, as I've nuked it. – Arni J Sep 17 '15 at 12:40
  • Then those reports must be old... There's no other way. If the MTA is gone, so is mail capability. The IP could be spoofed on the spam site as well, from the header in the spam messages they're sending out. – Gordon Snappleweed Sep 17 '15 at 12:43
  • It could also be a virus-ridden computer on your network? – Gordon Snappleweed Sep 17 '15 at 12:44
  • This is completely incorrect. One doesn't need an MTA to send mail. Any programming language can do this. – EEAA Sep 17 '15 at 12:57
  • Well, I didn't include a programming language. But if it's a Wordpress site it's most likely a PHP mail. – Gordon Snappleweed Sep 17 '15 at 13:52