Our server sends spam on port 25

SYSTEM INFORMATION
OS type and version Ubuntu 20.04
Webmin version latest

We have been notified by our VPS host that our server is sending spam. The server is not used for any email, but I have forgotten to close down Postfix and Dovecot. I have also now blocked port 25 in and out. Will this stop the problem, or do we need to do something more?

Anders Yuan

If the spam is internal, you will need to do more investigation. If you have a website that includes an email app that submits with sendmail, I would remove that as well; it may even be the culprit.

Blocking port 25 is only good for blocking incoming mail. Sendmail, Postfix and other protocols can still send outgoing mail.


Postfix has been shut down by the OP, so that leaves whatever else has not been stopped. That said, I would guess one vs is running WordPress and has a load of insecure plugins running.

Postfix I shut down and also stopped from starting if the server is rebooted. There is no WP on the server; I have never liked it. There are 2 webshops with Thirtybees software (PrestaShop clone). Nothing else, nothing that needs port 25. Btw, why is it not effective to block outbound port 25?

Does Thirtybees have a function to send mail? Maybe disable that and see if the spam stops.

Servers LISTEN on port 25. They do not SEND on port 25. For security reasons, apps pick a random port on the user side.

There are no apps on the server for mail. But anyway, it is the traffic on port 25 that has reached its limit, so it's for sure used for the spam. But now that Postfix is off it should be stopped, or?

From the host:
We have noticed a significant increase of outgoing connections from your server with IP 1.1.1.1 . The level of SMTP traffic on port 25/tcp is unusually high and at this pace you will hit the limit soon and all connections on this port will be blocked until the next day.

We do this to protect the reputation of our network and to make sure that your IPs, and all our customers, will not be blacklisted.

The most common explanation of such a spike in outgoing connections is that your server was hacked.

The defaults for postfix would be pretty hard to exploit for sending spam. A rogue web script is more likely. Do your sites have contact forms? Those are often exploited to send spam.

You don’t need Postfix to send mail. See this simple example. No Postfix required. :frowning:

That is what I said earlier, and it is the most likely cause.

I would start digging into the php logs for any unusual activity. These scripts don’t need Postfix to send out email.

If you have a script on your shopping cart that sends out email when customers sign up or place an order, it may have been compromised.

Firewalls usually do not block traffic until it has crossed a zone; that is why outgoing email on port 25 is not blocked locally on your server.

Can you ask your VPS provider to block port 25 on their upstream firewall?

Also, PHP might not need an SMTP server to send email.

OK. This does seem like Postfix was involved. It doesn't mean you were exploited or sending spam. It could have been a really aggressive attempt. Your mail logs should have plenty of info on what was going on then.
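One way to follow that advice, as an added example that is not code from the thread: a small Python script that summarises Postfix log lines by the local uid that submitted each message, so mail injected by a web script (uid 33, which is www-data on Ubuntu) stands out from mail sent by a real user, and refused inbound relay attempts are counted separately. The log lines below are constructed samples, not logs from the server in question.

```python
import re
from collections import Counter, defaultdict

# Constructed sample mail.log lines (not from the thread). On Ubuntu, uid 33 is www-data,
# so pickup lines with uid=33 are mail injected by a web script through /usr/sbin/sendmail.
SAMPLE_LOG = """\
Mar  3 10:01:12 shop postfix/pickup[812]: 1A2B3C: uid=33 from=<www-data>
Mar  3 10:01:12 shop postfix/qmgr[810]: 1A2B3C: from=<www-data@shop.example>, size=1842, nrcpt=1 (queue active)
Mar  3 10:01:14 shop postfix/pickup[812]: 4D5E6F: uid=33 from=<www-data>
Mar  3 10:01:14 shop postfix/qmgr[810]: 4D5E6F: from=<www-data@shop.example>, size=1840, nrcpt=50 (queue active)
Mar  3 10:02:00 shop postfix/pickup[812]: 7A8B9C: uid=1000 from=<anders>
Mar  3 10:02:00 shop postfix/qmgr[810]: 7A8B9C: from=<anders@shop.example>, size=400, nrcpt=1 (queue active)
Mar  3 10:03:01 shop postfix/smtpd[950]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 454 4.7.1 <x@y.example>: Relay access denied; from=<spam@evil.example> to=<x@y.example> proto=ESMTP helo=<evil>
"""

PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
REJECT_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (\S+):")

def summarize(log_text):
    """Return (recipients per submitting uid, queue ids per uid, rejects per client).
    Local submissions via the sendmail binary appear as pickup lines carrying the
    submitting uid; the recipient count (nrcpt) is on the matching qmgr line."""
    uid_by_queue = {}
    rcpt_by_uid = Counter()
    queues_by_uid = defaultdict(list)
    rejects = Counter()
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            qid, uid, _sender = m.groups()
            uid_by_queue[qid] = int(uid)
            queues_by_uid[int(uid)].append(qid)
            continue
        m = QMGR_RE.search(line)
        if m and m.group(1) in uid_by_queue:
            rcpt_by_uid[uid_by_queue[m.group(1)]] += int(m.group(3))
            continue
        m = REJECT_RE.search(line)
        if m:
            rejects[m.group(1)] += 1
    return rcpt_by_uid, dict(queues_by_uid), rejects

def web_script_recipients(log_text, web_uid=33):
    """Total recipients of mail submitted by the web server's uid (33 = www-data on Ubuntu)."""
    return summarize(log_text)[0][web_uid]

if __name__ == "__main__":
    rcpts, queues, _rejects = summarize(SAMPLE_LOG)
    for uid, n in rcpts.most_common():
        print(f"uid {uid}: {n} recipients over {len(queues[uid])} messages")
```

Run it over /var/log/mail.log on the real server; a web-server uid with far more recipients than the human users is the script to look for. Mail that a script pushes straight to a remote port 25 over a socket never passes through Postfix and leaves nothing in this log, so while such connections are open `ss -tnp '( dport = :25 )'` is what shows which local process owns them.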

It doesn’t have to be Postfix. As a proof of concept, I wrote some PHP code that can manipulate port 25 directly (other programming languages are available).

I have now asked the provider to block 25 on their side.

Hmm… Postfix should have had port 25 claimed. Since it would have been inbound traffic I don’t see how that would be possible.

Postfix was shut down, so port 25 will be open.

You should still go through the logs and determine what happened.


It was open during this attack. It wasn’t shut down till notified.


Are we sure of that? The original post does not make that clear.