One of the email accounts on my started sending loads of spam today out of the blue. I tried looking for a rogue script that could be sending spam but didn’t find any so I disabled the entire server. I also changed the password of that email account but the spam has had no effect. I’m not able to understand how are they able to send spam through that account. Can you help me troubleshoot the situation?
Here is a sample log
May 24 21:40:37 primary postfix/smtpd[809981]: 2663180225: client=unknown[178.156.62.161], sasl_method=PLAIN, sasl_username=info@domain.com
May 24 21:40:38 primary postfix/cleanup[809407]: 2663180225: message-id=<14282066433573.0531F65WRM@domain.com>
May 24 21:40:38 primary postfix/qmgr[1741]: 2663180225: from=<info@domain.com>, size=3490, nrcpt=1 (queue active)
May 24 21:40:43 primary postfix/smtp[805666]: 2663180225: to=<somepoorguy@mailforkids.net>, relay=imap.mailforkids.net[163.172.38.160]:25, delay=7, delays=2.1/0/1.9/2.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8BDAD1AC21A0)
May 24 21:40:43 primary postfix/qmgr[1741]: 2663180225: removed
Does the first line mean that they used smtp to simply connect to the account with email and password? If so how’s that possible after password change and virtualmin disabled?
Ok, disabling the server will not disable a script. You must restart PHP-FPM (and Apache / Nginx for good measure) to kill any scripts running under the user of the virtual server that you have disabled in Virtualmin.
Why do you have to guess where the spam is being generated from? The headers in the mail queue and the logs should tell you exactly where and how.
Okay so I restarted postfix for good measure and then I started seeing login auth fails in the postfix logs and emails have stopped going out. Looks to me like they somehow obtained the password of the account. Here is 1 sample email:
*** ENVELOPE RECORDS deferred/0/01D1781D3D ***
message_size: 3355 768 1 0 3355 0
message_arrival_time: Tue May 24 19:53:25 2022
create_time: Tue May 24 19:53:27 2022
named_attribute: log_ident=01D1781D3D
named_attribute: rewrite_context=remote
named_attribute: sasl_method=PLAIN
named_attribute: sasl_username=info@domain.com
sender: info@domain.com
named_attribute: log_client_name=unknown
named_attribute: log_client_address=154.127.42.35
named_attribute: log_client_port=46047
named_attribute: log_message_origin=unknown[154.127.42.35]
named_attribute: log_helo_name=[127.0.0.1]
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=154.127.42.35
named_attribute: client_port=46047
named_attribute: server_address=MY.IP
named_attribute: server_port=25
named_attribute: helo_name=[127.0.0.1]
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;drodriguez@basspet.com
original_recipient: drodriguez@basspet.com
recipient: drodriguez@basspet.com
*** MESSAGE CONTENTS deferred/0/01D1781D3D ***
Received: from [127.0.0.1] (unknown [154.127.42.35])
by primary.myfqdn.com (Postfix) with ESMTPSA id 01D1781D3D
for <drodriguez@basspet.com>; Tue, 24 May 2022 19:53:25 +0530 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=domain.com;
s=202200; t=1653402209;
bh=+V4rhjB6IOFIbXS0DhU3TDFkCjsoDn68mn/QYB/LC9g=;
h=Date:To:From:Subject:From;
b=B4stXHdCzoBHjFflNQnxdGmSOUJxAl/Wg1uxIK5gN02BImcu+3ZYRX2t/hqOIgwmk
9BqPzV70FHRCg3xdGWby5iZSQDJrMb8O12iVQjuUKFnzas0gxmG1Mxrf8ol4p84fV3
0c2lIhaBfTKB8jHMwzEeW+pIM57A+tQ8JBooj6c/gH/1P86/FIQG1E5ozDjtl1FAVY
/SEsqykgz1XYNdLOmYAz6gAZIBlVd5Ei2thH6dyBupY/QuxkOoo/FH3mH3tK3+rLd1
QgmnT0MT4WJETg6p1+DxbP3B56NP8FTy/m9YL3BMyL6+uEPBEUPRZ2a5y0nuIq0gzm
xrVQGu1Apfzcg==
Date: Tue, 24 May 2022 16:23:23 +0200
MIME-Version: 1.0
To: drodriguez@basspet.com
From: info@domain.com
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Subject: Here is the last warning! Your information has been compromised! The
entry in system is completed.
Message-ID: <70630528962558.3883S44UFY@domain.com>
Form-Sub: v=2; ip=154.127.42.35
Hello There.
This is your final notice.
I compromised your computer thru the Wireless network router you were linking to.
A few months ago, I gotten to the machines that you previously used to get on-line.
All of the data from your own gadgets & devices was automatically duplicated to my hosting space.
I can access all of your mobile messengers, social networks, e-mail, chat history, & contacts.
My virus constantly upgrades its signature (driver-based), therefore it stays unnoticeable to anti-malware applications.
I assume right now you fully grasp, why I remained unnoticed until this present day
While get together info about you, I found you happen to be a huge follower of mature web sites & more.
You actually prefer to visit adult web pages and watch dirty clips whilst having an orgasm.
I've actually created a webcam recording of you jerking off.
The editing of the video you're viewing right at that moment & your self pleasure.
Your own facial expression is obviously visible. I don't believe this type of content would be really good for your personal profile.
I can now direct this video footage out to everyone who realize who you really are.
I also have no trouble with rendering all of your private information open public in cyberspace.
I'm sure you know exactly what i am talking about.
It would be a true disaster for you personally.
I'll be able to mess up your life for a long time.
I really feel that you do not need this to take place.
Let us fix it this fashion: you send me 1400 $ (US dollars) via btc equivalent at the time of transaction), and I will promptly erase all of your information from my computers.
And after that, we'll forget about each other.
My btc transaction address for transfering: bc1q92w0gkhdxwzuf5ax7pvgxdgm6m6ttnctrnhq4c
If you do not realize how to send finances and what exactly btc is. Simply just type in the Search engines like google "Get btc".
I provide you with only two business days to send the cash.
The timer started counting instantly as soon as you opened the email.
I'll receive a warning when this letter is open.
Don't try to search for aid, as the wallet address can't be monitored, e mail the message came from & can't be traced also and created digitally, so there is no point in texting to me.
Don't make an attempt to get hold of the law enforcement and other security services, and if you do, your data will undoubtedly be posted.
Switching security passwords in social networks, email, and gadgets isn't going to help you, since all the information is already downloaded to my web servers.
Good luck & try to not do something stupid. Carefully consider your possible future.
*** HEADER EXTRACTED deferred/0/01D1781D3D ***
named_attribute: encoding=8bit
*** MESSAGE FILE END deferred/0/01D1781D3D ***
Good to know that Postfix restart stopped the spam.
@Ilia would it be possible to get Virtualmin to restart services when a virtual server is disabled so that this is taken care of automatically for this use case?
I read on some forums people speaking about virtualmin configuration involved (postfix - How to prevent sasl_username root from loggin in? - Server Fault). So I went here to find some help, but not sure what is really responsible. Maybe I did some manual bad modification after debian install and virtualmin setup… But most of my modifications was to restrict access and checks in postfix rather than allowing root access
