Spam being sent from an email account

SYSTEM INFORMATION
OS type and version Ubuntu 20.04
Webmin version 1.994
Virtualmin version 7.1-1

One of the email accounts on my started sending loads of spam today out of the blue. I tried looking for a rogue script that could be sending spam but didn’t find any so I disabled the entire server. I also changed the password of that email account but the spam has had no effect. I’m not able to understand how are they able to send spam through that account. Can you help me troubleshoot the situation?

Here is a sample log

May 24 21:40:37 primary postfix/smtpd[809981]: 2663180225: client=unknown[178.156.62.161], sasl_method=PLAIN, sasl_username=info@domain.com
May 24 21:40:38 primary postfix/cleanup[809407]: 2663180225: message-id=<14282066433573.0531F65WRM@domain.com>
May 24 21:40:38 primary postfix/qmgr[1741]: 2663180225: from=<info@domain.com>, size=3490, nrcpt=1 (queue active)
May 24 21:40:43 primary postfix/smtp[805666]: 2663180225: to=<somepoorguy@mailforkids.net>, relay=imap.mailforkids.net[163.172.38.160]:25, delay=7, delays=2.1/0/1.9/2.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8BDAD1AC21A0)
May 24 21:40:43 primary postfix/qmgr[1741]: 2663180225: removed

Does the first line mean that they used smtp to simply connect to the account with email and password? If so how’s that possible after password change and virtualmin disabled?

Ok, disabling the server will not disable a script. You must restart PHP-FPM (and Apache / Nginx for good measure) to kill any scripts running under the user of the virtual server that you have disabled in Virtualmin.

Why do you have to guess where the spam is being generated from? The headers in the mail queue and the logs should tell you exactly where and how.

The sending IP, do you know it?

Okay so I restarted postfix for good measure and then I started seeing login auth fails in the postfix logs and emails have stopped going out. Looks to me like they somehow obtained the password of the account. Here is 1 sample email:

*** ENVELOPE RECORDS deferred/0/01D1781D3D ***
message_size:            3355             768               1               0            3355               0
message_arrival_time: Tue May 24 19:53:25 2022
create_time: Tue May 24 19:53:27 2022
named_attribute: log_ident=01D1781D3D
named_attribute: rewrite_context=remote
named_attribute: sasl_method=PLAIN
named_attribute: sasl_username=info@domain.com
sender: info@domain.com
named_attribute: log_client_name=unknown
named_attribute: log_client_address=154.127.42.35
named_attribute: log_client_port=46047
named_attribute: log_message_origin=unknown[154.127.42.35]
named_attribute: log_helo_name=[127.0.0.1]
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=154.127.42.35
named_attribute: client_port=46047
named_attribute: server_address=MY.IP
named_attribute: server_port=25
named_attribute: helo_name=[127.0.0.1]
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;drodriguez@basspet.com
original_recipient: drodriguez@basspet.com
recipient: drodriguez@basspet.com
*** MESSAGE CONTENTS deferred/0/01D1781D3D ***
Received: from [127.0.0.1] (unknown [154.127.42.35])
        by primary.myfqdn.com (Postfix) with ESMTPSA id 01D1781D3D
        for <drodriguez@basspet.com>; Tue, 24 May 2022 19:53:25 +0530 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=domain.com;
        s=202200; t=1653402209;
        bh=+V4rhjB6IOFIbXS0DhU3TDFkCjsoDn68mn/QYB/LC9g=;
        h=Date:To:From:Subject:From;
        b=B4stXHdCzoBHjFflNQnxdGmSOUJxAl/Wg1uxIK5gN02BImcu+3ZYRX2t/hqOIgwmk
         9BqPzV70FHRCg3xdGWby5iZSQDJrMb8O12iVQjuUKFnzas0gxmG1Mxrf8ol4p84fV3
         0c2lIhaBfTKB8jHMwzEeW+pIM57A+tQ8JBooj6c/gH/1P86/FIQG1E5ozDjtl1FAVY
         /SEsqykgz1XYNdLOmYAz6gAZIBlVd5Ei2thH6dyBupY/QuxkOoo/FH3mH3tK3+rLd1
         QgmnT0MT4WJETg6p1+DxbP3B56NP8FTy/m9YL3BMyL6+uEPBEUPRZ2a5y0nuIq0gzm
         xrVQGu1Apfzcg==
Date: Tue, 24 May 2022 16:23:23 +0200
MIME-Version: 1.0
To: drodriguez@basspet.com
From: info@domain.com
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Subject: Here is the last warning! Your information has been compromised! The
 entry in system is completed.
Message-ID: <70630528962558.3883S44UFY@domain.com>
Form-Sub: v=2; ip=154.127.42.35

Hello There.

This is your final notice.

I compromised your computer thru the Wireless network router you were linking to.

A few months ago, I gotten to the machines that you previously used to get on-line.

All of the data from your own gadgets & devices was automatically duplicated to my hosting space.

I can access all of your mobile messengers, social networks, e-mail, chat history, & contacts.

My virus constantly upgrades its signature (driver-based), therefore it stays unnoticeable to anti-malware applications.
I assume right now you fully grasp, why I remained unnoticed until this present day

While get together info about you, I found you happen to be a huge follower of mature web sites & more.
You actually prefer to visit adult web pages and watch dirty clips whilst having an orgasm.

I've actually created a webcam recording of you jerking off.
The editing of the video you're viewing right at that moment & your self pleasure.
Your own facial expression is obviously visible. I don't believe this type of content would be really good for your personal profile.

I can now direct this video footage out to everyone who realize who you really are.

I also have no trouble with rendering all of your private information open public in cyberspace.
I'm sure you know exactly what i am talking about.

It would be a true disaster for you personally.

I'll be able to mess up your life for a long time.

I really feel that you do not need this to take place.

Let us fix it this fashion: you send me 1400 $ (US dollars) via btc equivalent at the time of transaction), and I will promptly erase all of your information from my computers.
And after that, we'll forget about each other.

My btc transaction address for transfering: bc1q92w0gkhdxwzuf5ax7pvgxdgm6m6ttnctrnhq4c

If you do not realize how to send finances and what exactly btc is. Simply just type in the Search engines like google "Get btc".

I provide you with only two business days to send the cash.
The timer started counting instantly as soon as you opened the email.
I'll receive a warning when this letter is open.

Don't  try to search for aid, as the wallet address can't be monitored, e mail the message came from & can't be traced also and created digitally, so there is no point in texting to me.
Don't make an attempt to get hold of the law enforcement and other security services, and if you do, your data will undoubtedly be posted.

Switching security passwords in social networks, email, and gadgets isn't going to help you, since all the information is already downloaded to my web servers.

Good luck & try to not do something stupid. Carefully consider your possible future.

*** HEADER EXTRACTED deferred/0/01D1781D3D ***
named_attribute: encoding=8bit
*** MESSAGE FILE END deferred/0/01D1781D3D ***

Good to know that Postfix restart stopped the spam.

@Ilia would it be possible to get Virtualmin to restart services when a virtual server is disabled so that this is taken care of automatically for this use case?

#FeatureRequest

This shouldn’t be necessary as we rebuild /etc/postfix/virtual after changing it.

@Jamie, although the action log looks really odd – why does it looks reversed?

If this is a real chronology of actions, it won’t work!

Unfortunately the order of actions as shown on that page between file edits and commands run doesn’t necessarily match the actual order.

But I assume that we restart Postfix at the very end (after changing configs)?

SYSTEM INFORMATION
OS type and version Debian Linux 11
Webmin version 1.994
Virtualmin version 7.1-1
Package updates All installed packages are up to date

Hi,
Since few days I struggle with this spam issue too… The problem is that the spammer could login on sasl with root account! Tranquillo…

In mail.log I have tons of lines like:

Jun 22 12:13:18 myserver postfix/smtpd[3568806]: 1838C10A8D9: client=unknown[82.209.134.6], sasl_method=LOGIN, sasl_username=root

postcat -vq 1838C10A8D9 returns:

.../...
message_arrival_time: Thu Jun 22 12:13:18 2022
create_time: Thu Jun 22 12:13:18 2022
named_attribute: log_ident=1838C10A8D9
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root
sender: facturaenlinea@fel.com.mx
named_attribute: log_client_name=unknown
named_attribute: log_client_address=82.209.134.6
named_attribute: log_client_port=63091
named_attribute: log_message_origin=unknown[82.209.134.6]
named_attribute: log_helo_name=xd1.org
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=xd1.org
named_attribute: client_address=82.209.134.6
named_attribute: client_port=63091
named_attribute: server_address=xxx.xxx.xxx.xxx
named_attribute: server_port=587
named_attribute: helo_name=xd1.org
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;magda@xxflex.com
original_recipient: magda@xxflex.com
recipient: magda@xxflex.com
named_attribute: dsn_orig_rcpt=rfc822;alejandra@xxtronics.com
original_recipient: alejandra@xxtronics.com
.../...

My root account was disabled for logins but no password set. It seems the spam stopped after I set a password, but not sure about that.

In auth.log before:

Jun 22 14:33:47 myserver saslauthd[795]: pam_unix(smtp:auth): user [root] has blank password; authenticated without it

and after:

Jun 22 15:39:10 myserver saslauthd[785]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
Jun 23 16:39:12 myserver saslauthd[785]:                 : auth failure: [user=root] [service=smtp] [realm=] [mech=pam] [reason=PAM auth err$

I read on some forums people speaking about virtualmin configuration involved (postfix - How to prevent sasl_username root from loggin in? - Server Fault). So I went here to find some help, but not sure what is really responsible. Maybe I did some manual bad modification after debian install and virtualmin setup… But most of my modifications was to restrict access and checks in postfix rather than allowing root access :woozy_face:

Any help welcome, thx.