
A lot of spam is being sent through my mail server. The spam is using aliases that don't belong to the registered users. The mailq command output shows messages like these:

487A1600698C2 1901 Fri Jan 27 09:35:15 desarae_leclerc@mydomain.com (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages from www.xxx.yyy.zzz temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)) h.anseur@yahoo.fr

491A4600698AE 1265 Fri Jan 27 09:36:43 www-data@mail.mydomain.com (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.36] while sending RCPT TO) ejbmarine_chik20@yahoo.com

4888D600698B9 1280 Fri Jan 27 09:34:58 www-data@mail.mydomain.com (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.36] while sending RCPT TO) tiff549@yahoo.com

As you can see, even the user www-data is sending spam. I ran the command postsuper -d ALL to delete all queued emails, but this also includes the valid ones.

I use /etc/postfix/sender_access to blacklist all aliases or unauthorized senders; the file currently has over 8000 entries.

This is the output of the postconf -n command:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = no
inet_interfaces = all
mailbox_size_limit = 0
mydestination = mail, localhost.localdomain, localhost
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 172.16.16.0/24
readme_directory = no
recipient_delimiter = +
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = mydomain.com Microsoft Exchange Server 2003
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org,
smtpd_data_restrictions = reject_multi_recipient_bounce,reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/sender_access, permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = hash:/etc/postfix/sender_access,check_sender_access hash:/etc/postfix/sender_access,permit_mynetworks, reject_sender_login_mismatch,reject_unknown_sender_domain,reject_non_fqdn_sender,permit_sasl_authenticated
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = ldap:/etc/postfix/ldap-alias-maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /
virtual_mailbox_domains = mydomain.com
virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox-maps.cf
virtual_minimum_uid = 100
virtual_uid_maps = static:5000

I need help to stop this spam, please.

A sample of /var/log/mail.log:

Jan 29 16:33:22 mail postfix/pickup[1960]: 312676037EE39: uid=33 from=<www-data>
Jan 29 16:33:22 mail postfix/cleanup[64497]: 312676037EE39: message-id=<20170129203322.312676037EE39@mail.mydomain.com>
Jan 29 16:33:22 mail postfix/qmgr[60188]: 312676037EE39: from=<www-data@mail.mydomain.com>, size=783, nrcpt=1 (queue active)
Jan 29 16:33:22 mail dovecot: imap-login: Login: user=<validuser>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2213, secured, session=<MjoQnEFH3AB/AAAB>
Jan 29 16:33:22 mail dovecot: imap(validuser): Disconnected: Logged out in=93 out=837
Jan 29 16:33:22 mail postfix/pickup[1960]: 4DBEB6037EE3A: uid=33 from=<www-data>
Jan 29 16:33:22 mail postfix/cleanup[61997]: 4DBEB6037EE3A: message-id=<20170129203322.4DBEB6037EE3A@mail.mydomain.com>
Jan 29 16:33:22 mail postfix/qmgr[60188]: 4DBEB6037EE3A: from=<www-data@mail.mydomain.com>, size=844, nrcpt=1 (queue active)

I'm using Debian 7. I installed maldet, ran the command maldet -m /usr/local/, and it returns:

Linux Malware Detect v1.5
            (C) 2002-2016, R-fx Networks <proj@rfxn.com>
            (C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(13019): {mon} existing inotify process detected (try -k): 53745

But I don't know how to use this information to detect a malicious script.
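As an added example (not part of the original question), here is how the queue listing shown above can be filtered so that only the messages from one envelope sender, such as www-data@mail.mydomain.com, are selected for deletion, instead of wiping the whole queue with postsuper -d ALL. The mailq sample inside the script is constructed for the example and follows the layout Postfix prints; the function names are made up here.

```shell
#!/bin/sh
# Added example (not from the original question): select only the queued
# messages from a given envelope sender so they can be removed with
# "postsuper -d -" instead of "postsuper -d ALL", which also deletes valid mail.

# Constructed sample in the layout mailq prints: a queue-ID line (ID, size,
# arrival time, sender), an optional reason line in parentheses, then the
# indented recipient line. A trailing "*" on the ID marks an active message.
sample_mailq() {
    cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
487A1600698C2     1901 Fri Jan 27 09:35:15  desarae_leclerc@mydomain.com
(host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages temporarily deferred (in reply to MAIL FROM command))
                                         h.anseur@yahoo.fr

491A4600698AE     1265 Fri Jan 27 09:36:43  www-data@mail.mydomain.com
(delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.36] while sending RCPT TO)
                                         ejbmarine_chik20@yahoo.com

4888D600698B9*    1280 Fri Jan 27 09:34:58  www-data@mail.mydomain.com
                                         tiff549@yahoo.com

-- 4 Kbytes in 3 Requests.
EOF
}

# Print the queue IDs whose envelope sender equals $1, one per line.
# Only queue-ID lines are considered: the first field is a hex ID with an
# optional "*" (active) or "!" (on hold) suffix, and the sender is the last field.
spam_queue_ids() {
    awk -v wanted="$1" '
        $1 ~ /^[0-9A-Fa-f]+[*!]?$/ && $NF == wanted {
            id = $1
            sub(/[*!]$/, "", id)   # strip the status marker so postsuper accepts the ID
            print id
        }'
}

# Count the queued messages from one sender: a sanity check before deleting anything.
spam_queue_count() {
    spam_queue_ids "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample. On a real server the pipeline is:
#   mailq | spam_queue_ids 'www-data@mail.mydomain.com' | postsuper -d -
# where "postsuper -d -" reads the queue IDs to delete from standard input.
echo "Queued messages from www-data@mail.mydomain.com:"
sample_mailq | spam_queue_ids 'www-data@mail.mydomain.com'
```

Run the count first and compare it with what you expect; only then feed the IDs to postsuper -d -. Messages from legitimate users (here desarae_leclerc@mydomain.com) are left in the queue.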

2 Answers

Well, if www-data is sending SPAM, this means that your web server has been compromised.

You should immediately stop your web server and check it for unwanted scripts and backdoors used to send SPAM.

You could use maldet (https://www.rfxn.com/projects/linux-malware-detect/) to find suspicious files.

Or use this approach: https://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/

If you want to be really safe, check your database too or make a fresh installation.

Marc Stürmer

I found the solution.

The first big step towards a definitive solution occurred when the apache2 service was stopped: the sending of the spam mails also stopped, which means the mails were being sent from a PHP script.

The next step was to add the following lines to php.ini:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

This page helped me: https://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/

Assign the /var/log/phpmail.log file to the user and group www-data:

chgrp -R www-data /var/log/phpmail.log
chown -R www-data /var/log/phpmail.log

When restarting the apache2 service, the spam returned, but this time it was logged in the file /var/log/phpmail.log.

Stop the apache2 service and look in /var/log/phpmail.log for the spam-causing scripts; they were PHP files marked as php.suspected in a WordPress folder on the Apache server (/var/www/). Delete all those files, and since I was not using that WordPress folder, I gave it 440 permissions so it remains read-only.

Restart the apache2 service, and the spam disappeared definitively.
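As an added example (not part of the answer above), this script shows how to read the log that mail.log = /var/log/phpmail.log produces and rank the scripts that called mail(), so the offending file is found without reading the log by hand. The log lines and paths are constructed for the example in the format PHP writes ("[date] mail() on [script:line]: To: ... -- Headers: ..."); the function names are made up here.

```shell
#!/bin/sh
# Added example (not from the original answer): find which PHP scripts called
# mail() by parsing the log written when mail.log is set in php.ini.

# Constructed sample in PHP's mail.log format; the script paths are invented.
sample_phpmail_log() {
    cat <<'EOF'
[29-Jan-2017 16:33:22 UTC] mail() on [/var/www/wordpress/wp-content/uploads/2016/11/cache.php:7]: To: ejbmarine_chik20@yahoo.com -- Headers: From: "Support" <www-data@mail.mydomain.com>
[29-Jan-2017 16:33:22 UTC] mail() on [/var/www/wordpress/wp-content/uploads/2016/11/cache.php:7]: To: tiff549@yahoo.com -- Headers: From: "Support" <www-data@mail.mydomain.com>
[29-Jan-2017 16:33:23 UTC] mail() on [/var/www/wordpress/wp-content/uploads/2016/11/cache.php:7]: To: h.anseur@yahoo.fr -- Headers: From: "Support" <www-data@mail.mydomain.com>
[29-Jan-2017 16:40:01 UTC] mail() on [/var/www/site/contact.php:42]: To: admin@mydomain.com -- Headers: From: webform@mydomain.com
EOF
}

# Print "count path" for every script that called mail(), busiest first.
# The sed expression keeps only the path inside "on [path:line]".
phpmail_scripts() {
    sed -n 's/.*mail() on \[\([^]]*\):[0-9][0-9]*\]:.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Path of the script with the most mail() calls.
phpmail_top_script() {
    phpmail_scripts | awk 'NR == 1 { print $2 }'
}

# Number of mail() calls attributed to one script path (empty if it never called mail()).
phpmail_calls_from() {
    phpmail_scripts | awk -v p="$1" '$2 == p { print $1 }'
}

# Demonstration on the constructed sample. On a real server:
#   phpmail_scripts < /var/log/phpmail.log
echo "mail() calls per script:"
sample_phpmail_log | phpmail_scripts
echo "Busiest script: $(sample_phpmail_log | phpmail_top_script)"
```

A script under wp-content/uploads that sends mail in bulk, as in the sample, is the kind of file the answer describes. Because mail.add_x_header = On also stamps each message with an X-PHP-Originating-Script header, the same path can be confirmed on a queued message with postcat -q <queue ID> before the file is removed.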