Our server sends spam on port 25

By the way, is there a way to follow the traffic on the server remotely?

Are we sure of that? The original post does not make that clear.

As I said, not clear, but I would guess the OP is sorted now, so no worries.


At this point it is forensics, so I’m just trying to help narrow the search parameters. It’s always nice to know what happened. For all we know this was simply an incoming ‘blow back’ storm and not really anything on the server.

This is a link to one of the spam mails.

https://ipxo.abusehq.net/share/r9lSiVszmfmsGqIIW6bgIFqjXODjBwN54e_MSAxnXfwqrHsuwOmGADvHpaxhOYsF

So, this seems to be incoming? Who were they to? Sometimes blow back shows up as random recipients that are generated by the spam script. When a server refuses one, it gets bounced to your server if you host the domain. This doesn’t mean it originated at your server. They just used you to catch the crap.

You might have a full mail queue.
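The two posts above ask the right first question: is the queued mail backscatter (bounces, null sender shown as MAILER-DAEMON, scattered across random recipient domains) or mail injected by a local process (a real local sender such as the web server's user)? The script below is an added example, not code from anyone in this thread. It reads a Postfix `postqueue -p` listing and summarises it by sender, recipient domain and deferral reason. The function names and the sample queue listing are constructed for the example, not taken from the OP's server.

```shell
#!/bin/sh
# queue-triage.sh: added example, not from the thread. Summarise a Postfix
# "postqueue -p" listing to tell backscatter from locally injected spam.
# Function names and SAMPLE_QUEUE are assumptions constructed for this example.
set -eu

# Queue-ID lines look like "<id>[*!] <size> <arrival time> <sender>"; the sender
# is the last field. Postfix prints the null sender (bounces) as MAILER-DAEMON.
queue_senders() {
  awk '/^[0-9A-Za-z]+[*!]? /{ c[$NF]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Recipient lines are indented addresses; count them per domain. Backscatter and
# spam scripts both spray many unrelated domains, but only spam has a local sender.
queue_recipient_domains() {
  awk '/^ +[^ ]+@[^ ]+$/{ split($1, a, "@"); d[a[2]]++ } END { for (x in d) print d[x], x }' | sort -rn
}

# Deferral reasons are the parenthesised lines under a queue entry. A remote MX
# answering 550 with a spam/blocklist reason means the world already blames this host.
queue_reasons() {
  grep '^(' | sort | uniq -c | sed 's/^ *//' | sort -rn
}

# Constructed postqueue -p output (not captured from a real host), used by "demo".
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3A2B1C4D5E*    4521 Tue Mar  5 10:12:01  www-data@host.example.org
                                         alice@example.com
7F8E9D0C1B     2210 Tue Mar  5 10:13:44  www-data@host.example.org
(connect to mx.example.net[203.0.113.7]:25: Connection timed out)
                                         bob@example.net
                                         carol@example.com
9C0D1E2F3A     1980 Tue Mar  5 10:15:02  www-data@host.example.org
(connect to mx.example.net[203.0.113.7]:25: Connection timed out)
                                         dave@example.com
B1C2D3E4F5     3005 Tue Mar  5 10:16:30  MAILER-DAEMON
                                         random123@example.org

-- 12 Kbytes in 4 Requests.'

# report FILE: run all three summaries over a saved queue listing.
report() {
  echo "== queued messages by sender";   queue_senders           < "$1"
  echo "== recipients by domain";        queue_recipient_domains < "$1"
  echo "== deferral reasons";            queue_reasons           < "$1"
}

if [ $# -gt 0 ]; then
  case "$1" in
    demo) tmp=$(mktemp); printf '%s\n' "$SAMPLE_QUEUE" > "$tmp"; report "$tmp"; rm -f "$tmp" ;;
    live) tmp=$(mktemp); postqueue -p > "$tmp"; report "$tmp"; rm -f "$tmp" ;;
    *)    echo "usage: $0 demo|live" >&2; exit 2 ;;
  esac
fi
```

Run `sh queue-triage.sh live` on the mail server (as root or the postfix user). In the constructed sample, three of four queued messages come from www-data, so the web server is injecting mail and the single MAILER-DAEMON entry is not the story; if instead nearly everything is from MAILER-DAEMON and the recipients are random domains, you are looking at backscatter, and the fix is on the other end, not on your box.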

That’s not quite right. If outgoing port 25 really is blocked, the usual paths Postfix and Sendmail would use to send mail are blocked. The internet’s SMTP servers run on port 25.

Someone could use a relay to send mail on other ports, but at that point the problem is for someone else to solve (e.g. Amazon, or Mailgun, or Sendgrid, or whoever). There are APIs for sending mail without using any traditional protocol, too, but realistically if you’ve blocked outgoing 25 you’ve prevented local users from spamming. Which is why ISPs and some hosting providers block 25 by default.

But, blocking outgoing port 25 is not obvious. Most firewall configuration tools make it very easy to block incoming and much more convoluted to block outgoing. In firewalld, you’d need to do something relatively complicated.

Though maybe you could just do something like:

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport 25 -j DROP

In iptables, the rule would be similar. The OUTPUT chain is the relevant detail. I don’t know how to block outgoing ports in ufw.

Wireshark can show all packets. The tshark command line tool can be used without a GUI, and you can capture a packet log. And, you can find out what process is sending spam. If you’ve disabled Postfix and don’t have local users running a script sending spam, then it would presumably be a web app.

Outgoing spam will be on port 25, so you’d just need to watch that port. If you really blocked outgoing port 25 you won’t see anything in a packet dump.
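The post above says to watch port 25 with tshark and then work out which process is behind the traffic. tshark shows the wire but not the PID; `ss -p` maps a socket to its owning process, and /proc says what that process is. The script below is an added example, not code from the poster: it combines the three. `owners_from_ss` is a pure text function, and the sample `ss` output it is demonstrated on is constructed, not captured from the OP's server.

```shell
#!/bin/sh
# smtp-out-hunt.sh: added example, not from the thread. Find which local process
# is opening outbound SMTP connections. Capture and ss -p need root.
# Function names and SAMPLE_SS are assumptions constructed for this example.
set -eu

# Live wire view, outbound only: the capture filter keeps packets to TCP/25, and the
# fields show the peer plus the SMTP command (MAIL FROM, RCPT TO) once decoded.
capture_smtp_out() {
  tshark -i any -l -f 'tcp dst port 25' -T fields \
    -e frame.time -e ip.src -e ip.dst -e smtp.req.command -e smtp.req.parameter
}

# Socket snapshot with owning process; -H drops the header so it can be parsed.
snapshot_smtp_out() {
  ss -Htnp state established '( dport = :25 )'
}

# owners_from_ss: read "ss -p" lines on stdin, print "count pid program", busiest first.
# The users:(("name",pid=N,fd=M)) column is what ties a socket to a process.
owners_from_ss() {
  sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\).*/\2 \1/p' | sort | uniq -c | sed 's/^ *//' | sort -rn
}

# describe_pid PID: executable, working directory and command line from /proc, usually
# enough to tell php-fpm running a dropped script in an upload directory from the MTA.
describe_pid() {
  pid=$1
  printf 'pid %s exe=%s cwd=%s cmd=' "$pid" \
    "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
    "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
  tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || printf '?'
  echo
}

# Constructed "ss -Htnp" output (not from a real host), used by "demo".
SAMPLE_SS='ESTAB 0 0 192.0.2.10:41234 198.51.100.25:25 users:(("php-fpm",pid=2233,fd=7))
ESTAB 0 0 192.0.2.10:41240 203.0.113.9:25 users:(("php-fpm",pid=2233,fd=9))
ESTAB 0 0 192.0.2.10:41250 203.0.113.44:25 users:(("perl",pid=3190,fd=3))'

if [ $# -gt 0 ]; then
  case "$1" in
    demo)     printf '%s\n' "$SAMPLE_SS" | owners_from_ss ;;
    snapshot) snapshot_smtp_out | owners_from_ss | while read -r n pid prog; do
                echo "$n sockets: $(describe_pid "$pid")"; done ;;
    capture)  capture_smtp_out ;;
    *)        echo "usage: $0 demo|snapshot|capture" >&2; exit 2 ;;
  esac
fi
```

Run `snapshot` a few times in a row while the spam is flowing; a legitimate MTA shows up as the postfix/sendmail binary with a spool directory as cwd, whereas a compromised site shows up as php-fpm, perl or python with cwd somewhere under the web root. Use `capture` when you want the envelope addresses as well: the MAIL FROM and RCPT TO in the tshark output tell you what the script is claiming to be. As the post says, if outbound 25 is actually blocked, both will be empty.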

To block outgoing ports in UFW you use DENY OUT.
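The firewalld direct rule, the iptables OUTPUT chain and ufw's DENY OUT from the posts above, collected into one script as an added example (not code from any poster). The relay allow-list and the DRY_RUN switch are assumptions of this script, not options of firewall-cmd, iptables or ufw; a relay exception matters because blocking 25 outright also stops legitimate mail from the box unless it submits to a smarthost on 587 instead.

```shell
#!/bin/sh
# block-smtp-out.sh: added example, not from the thread. Block outbound TCP/25 with
# whichever front end manages this host's firewall, optionally keeping one relay
# reachable. RELAY and DRY_RUN are assumptions of this script, not tool options.
set -eu

# run CMD...: execute, or only print when DRY_RUN=1 (lets the rule logic be checked
# without root and without touching a live firewall).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Which front end owns the rule set? Asking firewalld/ufw for their state avoids
# adding raw iptables rules under a manager that would later overwrite them.
detect_backend() {
  if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    echo firewalld
  elif command -v ufw >/dev/null 2>&1 && ufw status 2>/dev/null | grep -q '^Status: active'; then
    echo ufw
  elif command -v iptables >/dev/null 2>&1; then
    echo iptables
  else
    echo none
  fi
}

# block_smtp_out BACKEND [RELAY_IP]: the OUTPUT chain (ufw: the "out" direction) is
# the point. The relay exception must sort before the reject, hence the lower direct
# rule priority for firewalld and -I (insert) versus -A (append) for iptables.
block_smtp_out() {
  backend=$1; relay=${2:-}
  case "$backend" in
    firewalld)
      # --permanent writes the rule to disk; --reload makes it live
      if [ -n "$relay" ]; then
        run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -d "$relay" --dport 25 -j ACCEPT
      fi
      run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp --dport 25 -j REJECT
      run firewall-cmd --reload
      ;;
    iptables)
      if [ -n "$relay" ]; then
        run iptables -I OUTPUT -p tcp -d "$relay" --dport 25 -j ACCEPT
      fi
      # REJECT with a RST: the spamming process fails fast instead of hanging on SYN retries
      run iptables -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
      ;;
    ufw)
      if [ -n "$relay" ]; then
        run ufw allow out to "$relay" port 25 proto tcp
      fi
      run ufw deny out 25/tcp
      ;;
    *)
      echo "no supported firewall front end found" >&2
      return 1
      ;;
  esac
}

if [ $# -gt 0 ]; then
  # usage: sh block-smtp-out.sh apply [RELAY_IP]   (DRY_RUN=1 prints instead of applying)
  block_smtp_out "$(detect_backend)" "${2:-}"
fi
```

Two caveats when applying this for real: with plain iptables, `-A` appends, so check `iptables -L OUTPUT -n --line-numbers` first; if the chain already ends in an accept-everything rule the reject is never reached and you want `-I` there too. And the rule only covers IPv4; on a dual-stack host repeat the firewalld rule with `ipv6` (or use `ip6tables`), since ufw's `deny out` already covers both.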

Thanks for the clarification about port 25

I’ll close this thread now.
