Ubuntu 10.04 Postfix Dovecot ISPConfig 3 – send spam from own domain to random users

My config: Ubuntu 10.04, Postfix 2.7.0, Dovecot 1.2.9, ISPConfig 3.0.4.2

I've got the problem that an unknown / invalid user, e.g. dexter_rollins@xxxx, sends mails to different addresses.

Every 5 - 7 minutes it sends 10 emails with random senders and recipients, but the sender's domain is managed by this server.

If I stop Apache, it stops. Is there a way to find the error or the misconfigured form, or is it possible to fix it with Postfix?

mail.log shows this:

Jan 24 22:00:30 xxxx postfix/qmgr[5489]: 342E47F580BA: from=, size=1826, nrcpt=1 (queue active)
Jan 24 22:00:30 xxxx postfix/qmgr[5489]: 3E9D77F58060: from=, size=1708, nrcpt=1 (queue active)
Jan 24 22:00:30 xxxx postfix/qmgr[5489]: B482A179F8854: from=, size=1863, nrcpt=1 (queue active)
Jan 24 22:00:30 xxxx postfix/qmgr[5489]: 198117F58090: from=, size=1801, nrcpt=1 (queue active)
Jan 24 22:00:30 xxxx postfix/qmgr[5489]: 580787F58091: from=, size=1810, nrcpt=1 (queue active)

Jan 25 03:12:07 xxxx postfix/qmgr[20249]: 4BF9F179F85DE: from=, size=4497, nrcpt=1 (queue active)
Jan 25 03:12:07 xxxx postfix/bounce[21727]: 60926179F85DF: sender non-delivery notification: 4BF9F179F85DE
Jan 25 03:12:07 xxxx postfix/qmgr[20249]: 60926179F85DF: removed
Jan 25 03:12:07 xxxx postfix/pipe[21681]: 4BF9F179F85DE: to=, relay=dovecot, delay=0.02, delays=0.01/0/0/0.01, dsn=5.1.1, status=bounced (user unknown)
Jan 25 03:12:07 v postfix/qmgr[20249]: 4BF9F179F85DE: removed

apache2ctl -t -D DUMP_MODULES

Loaded Modules:
core_module (static)
log_config_module (static)
logio_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
auth_digest_module (shared)
authn_file_module (shared)
authz_default_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
fcgid_module (shared)
include_module (shared)
mime_module (shared)
negotiation_module (shared)
php5_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
ssl_module (shared)
status_module (shared)
suexec_module (shared)
suphp_module (shared)
unique_id_module (shared)
Syntax OK

httpd.conf is empty

apache2.conf: apache2conf

default vhost: default vhost

/etc/apache2/mods-available/

actions.load dav.load php5.load alias.load dav_lock.load proxy_ajp.load asis.load dbd.load proxy_balancer.load auth_basic.load deflate.load proxy_connect.load auth_digest.load dir.load proxy_ftp.load authn_alias.load disk_cache.load proxy_http.load authn_anon.load dump_io.load proxy.load authn_dbd.load env.load proxy_scgi.load authn_dbm.load expires.load reqtimeout.load authn_default.load ext_filter.load rewrite.load authn_file.load fcgid.load ruby.load authnz_ldap.load file_cache.load setenvif.load authz_dbm.load filter.load speling.load authz_default.load headers.load ssl.load authz_groupfile.load ident.load status.load authz_host.load imagemap.load substitute.load authz_owner.load include.load suexec.load authz_user.load info.load suphp.load autoindex.load ldap.load unique_id.load cache.load log_forensic.load userdir.load cern_meta.load mem_cache.load

usertrack.load cgid.load mime.load version.load cgi.load mime_magic.load vhost_alias.load charset_lite.load mod-security.load dav_fs.load negotiation.load

/etc/apache2/mods-enabled

actions.load cgi.load reqtimeout.load alias.load deflate.load rewrite.load auth_basic.load dir.load setenvif.load auth_digest.load env.load ssl.load authn_file.load expires.load status.load authz_default.load fcgid.load suexec.load authz_groupfile.load include.load suphp.load authz_host.load mime.load unique_id.load authz_user.load negotiation.load autoindex.load php5.load

I've got this error message, too:

Return-Path:
X-Original-To: [email protected]
Received: from www.mydomain.de (mail.mydomain.de [xxx.xxx.xxx.xxx]) by mx.selfip.biz (Spamtrap) with ESMTP for [email protected]; Sat, 04 Feb 2012 00:52:21 +0100 (CET)
Date: Sat, 4 Feb 2012 00:52:20 +0100
To: [email protected]
From: "Levitra Sales"
Subject: Hi, get 64% better prices, quod hand carpalin
Message-ID:
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"

  1. If the behavior stops when Apache is stopped, then it's likely that your Apache configuration allows for some sort of proxying, which is being abused by the spammer to send mail through your machine.

    Start with this: http://wiki.apache.org/httpd/ProxyAbuse

    Also, check your httpd log files, and look for suspicious entries, specifically ones that do not reference the URLs that you actually host.

  2. Check for suspicious or altered files in your virtualhost.

    Check for active suspicious processes (ps aux).

    Check httpd access.log entries whose date/time falls immediately before the Postfix entry that accepts the mail for delivery.
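
The two checks in the answer, correlating access.log requests with Postfix queue events and spotting proxy-style request lines, can be scripted. The following is an added example written for this page, not code from the answer or from the original poster. It assumes Postfix syslog lines of the shape quoted in the question and Apache's combined log format; the log samples inside it are constructed for the demonstration (example.net/example.org hostnames, documentation IP ranges, a made-up /cache/.x.php path), the 5-second correlation window is an assumed tuning value, and both logs are assumed to be written in the same local time. It also reads the postfix/pickup lines, which record the uid that handed the message to sendmail; on an ISPConfig host where each site runs as its own suPHP/FCGI user, that uid points at the abused site.

```python
"""Find the web script (or proxy hole) behind mail that Postfix queues.

Added example, not code from the original post. Log samples below are
constructed; hostnames, IPs, the uid and the 5-second window are
assumptions, not data from the poster's server.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Postfix syslog line: "Jan 25 03:12:07 host postfix/qmgr[20249]: QID: rest"
POSTFIX_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
# Apache combined log, parsed only up to the status code.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample logs (not real traffic).
MAIL_LOG = """\
Jan 25 03:12:07 mx postfix/pickup[21650]: 4BF9F179F85DE: uid=33 from=<www-data>
Jan 25 03:12:07 mx postfix/qmgr[20249]: 4BF9F179F85DE: from=<dexter_rollins@example.net>, size=4497, nrcpt=1 (queue active)
Jan 25 03:12:07 mx postfix/qmgr[20249]: 60926179F85DF: from=<>, size=6520, nrcpt=1 (queue active)
Jan 25 03:19:12 mx postfix/qmgr[20249]: 7A11C179F8601: from=<jane_doe@example.net>, size=1801, nrcpt=1 (queue active)
Jan 25 03:19:12 mx postfix/qmgr[20249]: 7A11D179F8602: from=<bob_smith@example.net>, size=1810, nrcpt=1 (queue active)
"""
ACCESS_LOG = """\
198.51.100.7 - - [25/Jan/2012:03:12:05 +0100] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2012:03:12:06 +0100] "GET /images/logo.png HTTP/1.1" 200 8112 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jan/2012:03:15:40 +0100] "GET http://www.example.org/ HTTP/1.1" 200 3021 "-" "Mozilla/4.0"
203.0.113.9 - - [25/Jan/2012:03:15:41 +0100] "CONNECT mail.example.org:25 HTTP/1.1" 405 326 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Jan/2012:03:19:11 +0100] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2012:03:19:12 +0100] "POST /cache/.x.php?a=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.5 - - [25/Jan/2012:03:19:12 +0100] "GET /index.php HTTP/1.1" 200 5000 "-" "curl/7.19"
"""


def parse_postfix(lines, year):
    """Return (timestamp, queue id) for each qmgr 'queue active' event.
    Syslog carries no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = POSTFIX_RE.match(line)
        if not m or m["prog"] != "qmgr" or "(queue active)" not in m["rest"]:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                               "%b %d %H:%M:%S %Y")
        events.append((ts, m["qid"]))
    return events


def parse_apache(lines):
    """Return request dicts; the UTC offset is dropped so the wall-clock
    time compares directly with the (offset-less) syslog timestamps."""
    reqs = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue  # malformed or "-" request line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        reqs.append({"ts": ts, "ip": m["ip"], "method": m["method"],
                     "target": m["target"], "status": int(m["status"])})
    return reqs


def correlate(mail_events, requests, window=timedelta(seconds=5)):
    """Count POST/PUT requests that landed within `window` before a queue
    event; each request is counted once even if several mails went active
    in the same second (a form that sends one mail per recipient)."""
    matched = set()
    for mail_ts, _qid in mail_events:
        for i, r in enumerate(requests):
            if r["method"] in ("POST", "PUT") and mail_ts - window <= r["ts"] <= mail_ts:
                matched.add(i)
    return Counter((requests[i]["method"], requests[i]["target"].split("?")[0])
                   for i in matched)


def proxy_abuse(requests, hosted_hosts):
    """Flag forward-proxy style requests: CONNECT, or an absolute URI whose
    host is not one of ours. Legitimate origin-form targets start with '/'."""
    flagged = []
    for r in requests:
        m = re.match(r"https?://([^/:]+)", r["target"])
        if r["method"] == "CONNECT" or (m and m.group(1).lower() not in hosted_hosts):
            flagged.append(r)
    return flagged


def local_submitters(lines):
    """Count sendmail submissions by uid from postfix/pickup lines."""
    uids = Counter()
    for line in lines:
        m = POSTFIX_RE.match(line)
        u = m and m["prog"] == "pickup" and re.search(r"\buid=(\d+)", m["rest"])
        if u:
            uids[int(u.group(1))] += 1
    return uids


if __name__ == "__main__":
    mail, web = MAIL_LOG.splitlines(), ACCESS_LOG.splitlines()
    print("suspect scripts:", correlate(parse_postfix(mail, 2012), parse_apache(web)))
    print("proxy abuse:", [r["target"] for r in proxy_abuse(parse_apache(web), {"www.mydomain.example"})])
    print("submitting uids:", local_submitters(mail))
```

Run it against the real files (`zcat /var/log/mail.log* | ...` and the per-site access logs under /var/log/ispconfig/httpd/) with the year of the log and the set of hostnames you actually serve. A script that keeps surfacing at the top of the correlation is the form to lock down or the backdoor to remove; any hit from the proxy check means mod_proxy (or a misconfigured vhost) is answering for hosts you do not own, which is the case the linked ProxyAbuse page covers.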