Block mail messages that are not FROM or TO local email accounts

Hello, all

My server is sending spam, using FROM and TO headers that are not from my server. I suspect a customer might be infected with a virus, because the server is not an open relay.

So I’d like to block every message that is not FROM or TO local mail accounts.
How can I do that?

Thanks a lot

  • Rogerio

Howdy,

That’s not a particularly simple thing to do, especially for outbound mail.

What I’d actually suggest is determining what account is sending out spam, and fixing that.

In a lot of cases, web apps with security issues exist on a user’s site… bots discover that security issue, and use that to send out spam.

So you may want to review the web apps running on the user’s account, and make sure they’re all fully up to date.

Also, you may want to look at what email is currently sitting in the mail queue. You can do that by logging into Virtualmin, and going into Webmin -> Servers -> Postfix -> Mail Queue. If you see any spam in there, you can look at the headers to determine what userid generated the email.

-Eric

Hi Eric,

Here is an example for the mail headers I have:

Received: from ACER (201-68-196-219.dsl.telesp.net.br [201.68.196.219]) by mailserver.intercode.com.br (Postfix) with ESMTP id 04E7235394BF; Tue, 28 Sep 2010 13:00:11 -0300 (BRT)
Message-ID: 021e01cb5f26$3cbdaa90$9f00a8c0@ACER
From: “Fio Sobre Tela” fiosobretela@fiosobretela.com.br
To: Undisclosed-Recipient:;
Subject: Coleção Couro e Design
Date: Tue, 28 Sep 2010 13:00:12 -0300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_021A_01CB5F0D.169EA3A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
Disposition-Notification-To: “Fio Sobre Tela” fiosobretela@fiosobretela.com.br
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

How do I know what account was used to send the email? The FROM header can easily be forged, can’t it?
If it was a local website flaw, I would have a local address on “Received:”, right? All my websites are PHP, using the PHP mail() function; they don’t send it directly to the user.

That example is not from an actual spam; I had already cleared the Postfix queue.

I have downloaded the maillog file, to be able to examine it closely. Can it help?

Thank you

  • Rogerio

If the email were generated on your server, the “Received” header would have something like this:

Received: by YOUR_HOSTNAME.TLD (Postfix, from userid 502)

If you see that, you’d just need to look up who userid 502 is, and that’s who generated the email.

Hi Eric,

I have the following header in one of my queued messages:

Received: from EDENINHA (189-38-237-193.static-corp.ajato.com.br [189.38.237.193]) by mailserver.intercode.com.br (Postfix) with ESMTP id C1D636CA00BD; Fri, 8 Oct 2010 15:24:55 -0300 (BRT)
Message-ID: B0FCA9ABBB834608AE72B3E3F28B43ED@EDENINHA
From: “Edenilha - EDITORA RONCARATI” edenilha@editoraroncarati.com.br
To: “Editora Roncarati” edenilha@editoraroncarati.com.br
Subject: Informativo Manual Automóvel e DPVAT
Date: Fri, 8 Oct 2010 15:25:00 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_000F_01CB66FC.F93D5890"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
Disposition-Notification-To: “Edenilha - EDITORA RONCARATI” edenilha@editoraroncarati.com.br
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
X-Antivirus: avast! (VPS 101008-0, 08/10/2010), Outbound message
X-Antivirus-Status: Clean

How do I know what local user was used for the SMTP Auth?

Thank you

Since it wasn’t a locally generated email, the userid calling Postfix isn’t listed in there.

If it was indeed someone who first authenticated to Postfix, you’d need to look in the email logs to determine who sent it… just look for message ID “C1D636CA00BD” in the mail logs.

However, it appears as if that email was sent from the Brazilian server “mailserver.intercode.com.br”.

-Eric
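As an added example (not code from this thread or from Virtualmin), here is the check Eric describes done in Python: classify the top Received: header as a local submission (with a userid) or a remote SMTP client, then pull the mail-log lines for that queue id to find the SASL username or the pickup uid. The log excerpt, the local hostname, the username and the uid are constructed placeholders; only the values copied from the header quoted above are real.

```python
import re

# Constructed Received: headers in the two shapes Eric describes (local host/id are placeholders).
LOCAL_HEADER = "Received: by mail.example.net (Postfix, from userid 502) id 7A1B2C3D4E5F; Fri, 8 Oct 2010 15:30:01 -0300 (BRT)"
REMOTE_HEADER = ("Received: from EDENINHA (189-38-237-193.static-corp.ajato.com.br [189.38.237.193]) "
                 "by mailserver.intercode.com.br (Postfix) with ESMTP id C1D636CA00BD; Fri, 8 Oct 2010 15:24:55 -0300 (BRT)")

# Constructed maillog excerpt: smtpd logs the SASL login under the queue id,
# pickup logs the Unix uid for locally submitted mail. Username and uid are placeholders.
MAILLOG = """\
Oct  8 15:24:55 mailserver postfix/smtpd[2231]: C1D636CA00BD: client=189-38-237-193.static-corp.ajato.com.br[189.38.237.193], sasl_method=LOGIN, sasl_username=someuser@example.net
Oct  8 15:24:55 mailserver postfix/cleanup[2240]: C1D636CA00BD: message-id=<B0FCA9ABBB834608AE72B3E3F28B43ED@EDENINHA>
Oct  8 15:24:56 mailserver postfix/qmgr[1102]: C1D636CA00BD: from=<edenilha@editoraroncarati.com.br>, size=48211, nrcpt=1 (queue active)
Oct  8 15:30:01 mailserver postfix/pickup[1100]: 7A1B2C3D4E5F: uid=502 from=<www-data@example.net>
"""

LOCAL_RE = re.compile(r"^Received: by (\S+) \(Postfix, from userid (\d+)\)(?:.*?\bid ([0-9A-F]+))?", re.I)
REMOTE_RE = re.compile(r"^Received: from (\S+) \(.*?\[([\d.]+)\]\)\s+by (\S+) \(Postfix\).*?\bid ([0-9A-F]+)", re.I)

def classify_received(header):
    """Split the Received: line your own Postfix added into local submission vs. remote SMTP client."""
    m = LOCAL_RE.match(header)
    if m:
        return {"origin": "local", "host": m.group(1), "uid": int(m.group(2)), "queue_id": m.group(3)}
    m = REMOTE_RE.match(header)
    if m:
        return {"origin": "remote", "client": m.group(1), "ip": m.group(2), "host": m.group(3), "queue_id": m.group(4)}
    return {"origin": "unknown"}

def log_lines_for(queue_id, log_text):
    """All maillog lines tagged with this Postfix queue id (the 'ESMTP id' from the header)."""
    return [line for line in log_text.splitlines() if f": {queue_id}: " in line]

def attribute_sender(header, log_text):
    """Add who submitted the message: 'sasl:<login>' or 'uid:<n>', None if the log shows neither."""
    info = classify_received(header)
    who = None
    for line in log_lines_for(info.get("queue_id") or "", log_text):
        m = re.search(r"sasl_username=(\S+)", line)
        if m:
            who = f"sasl:{m.group(1)}"
        m = re.search(r"\buid=(\d+)", line)
        if m:
            who = f"uid:{m.group(1)}"
    if who is None and info.get("origin") == "local":
        who = f"uid:{info['uid']}"  # header alone already names the local account
    info["submitted_by"] = who
    return info
```

A remote-origin message whose queue id has no sasl_username line was accepted without authentication, which is worth checking against the relay rules (mynetworks) before blaming a customer account.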