Ubuntu server being used to send spam


We run a Ubuntu server - we have been used as a spamtrap, our mail.logs are full of spammers emulating our domain name but with different peoples names. (any idea why they do this?)

How do I see where these attacks are coming from? and stop them?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

In most cases you won't be able to see the origin of messages as the spammers tend to be good at disguising back paths.

In the mail headers there are a trace back of ip addresses that the mail is supposedly passed through.  The only one that is going to be relevant to you is the one immediately before your mail server address.  You can add this to a blocked list of ip's addressing your system in your network primary router.  Odds are that there are a lot of different addresses though, so be certain that they are addresses you wish to block.

The first question is, are they emulating your domain by sending messages to others as you, or are you seeing a whole pile of messages coming into your system as you.

It is also useful to set up SPF record in your DNS and have your mail server set to reject invalid SPF records for incoming mail.  Be cautious here as you will need to ensure that sites that have no SPF record are still allowed access, as not all sites have SPF records for their domains.
intangiblemediaAuthor Commented:
Hi Sweetfa2,

We are seeing a whole pile of messages coming into our system as us.

Any ideas?

Set up an SPF record in your main domain point.

See How to setup SPF record in DNS properly

Then configure your mail server to only accept mail from domains that have SPF configured, or no SPF configured.  That should cut most of your faked email.

I don't know whether you are using Postfix or some other mail handler so am unable to point you towards configuration items for your smtp server.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

intangiblemediaAuthor Commented:
Thanks for your help.

Let me explain the setup:

1) Dedicated Ubuntu server used to host 2 websites, one is Joomla and one is Magento using 2 domain names.

2) Mail service is NOT used on this server, except for sending email forms through - however the mail service is running but I do not know if the attacks are coming from php email form scripts or from direct mail server attack. We dont need the mail server for anything else except for sending emails from our website system.

3) We use our emails via a 3rd provider, Rackspace. So our MX records for both domains are pointed to them, not our dedicated server. I also believe we have an SPF record set up for our domains.

How do I check email headers to trace where the problem is coming from??


You say you are receiving emails on the server purporting to be you.  And then you say you do NOT use mail service.

I am at a loss to understand exactly how the emails are received into the server.  If you are just reading them in your email client that is one thing, if you are seeing them in your Mail server logs/postfix logs then you are using a mail server.

You don't need a mail service that is receiving emails (ie. has port 25 open) on your server if you are only sending emails out.

In any standard email client there is an option to view headers (Outlook is under Options), other clients will vary but usually say something like view header details.

If your port 25 is listening to the internet then you may well be receiving emails via that point, and if so you have a serious security issue if things are coming in different ports and you are not aware of it.

If you still intend to listen to port 25 incoming then configure postfix to ignore unknown users

Postfix ignoring unknown local users

If the email is coming from Rackspace then you should be talking to them about blocking non SPF accredited entries for your domain.
intangiblemediaAuthor Commented:
How can I see what mail service is running on my ubuntu? And what ports it is listening to?
netstat -a

look for something with a port 25

ps -ef | grep postfix

will see if postfix is running.
intangiblemediaAuthor Commented:
Im seeing all kind of weird connections in netstat...

So, if we only wish to use the server to send out PHP to email forms, like contact forms on our website, should I just disable postfix?? I mean, we dont use it except for that purpose...

That would stop any issues, a bit of a radical way of addressing it, but a fix nonetheless.

What do you think?
intangiblemediaAuthor Commented:
 2004  tcp        0      0 localhost.localdo:mysql *:*                     LISTEN
 2005  tcp        0      0 *:http                  *:*                     LISTEN
 2006  tcp        0      0 localhost.locald:domain *:*                     LISTEN
 2007  tcp        0      0 *:smtp                  *:*                     LISTEN
 2008  tcp        0      0 localhost.localdoma:953 *:*                     LISTEN
 2009  tcp        0      0 *:2622                  *:*                     LISTEN
 2010  tcp        0      1 ourservernamehidden.net:43565        SYN_SENT
 2011  tcp        0      0 ourservernamehidden.net:55429  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2012  tcp        0      0 ourservernamehidden.net:55575  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2013  tcp        0      1 ourservernamehidden.net:36589  www.centralpets.co:smtp SYN_SENT
 2014  tcp        0      0 ourservernamehidden.net:55559  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2015  tcp        0      1 ourservernamehidden.net:37897  mtain-dk.r1000.mx.:smtp SYN_SENT
 2016  tcp        0      0 ourservernamehidden.net:55576  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2017  tcp        0      0 ourservernamehidden.net:42877     ESTABLISHED
 2018  tcp        0      1 ourservernamehidden.net:48882      SYN_SENT
 2019  tcp        0      1 ourservernamehidden.net:56587  prduction.ziploc.c:smtp SYN_SENT
 2020  tcp        0      1 ourservernamehidden.net:36106  ec2-54-208-119-30.:smtp SYN_SENT
 2021  tcp        0      1 ourservernamehidden.net:41268  any-in-2415.1e100.:smtp SYN_SENT
 2022  tcp        0      1 ourservernamehidden.net:56561  prduction.ziploc.c:smtp SYN_SENT
 2023  tcp        0      0 ourservernamehidden.net:55511  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2024  tcp        0      0 ourservernamehidden.net:55583  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2025  tcp        0      1 ourservernamehidden.net:41067  parked-ntc.evip.ao:smtp SYN_SENT
 2026  tcp        0      1 ourservernamehidden.net:59034     SYN_SENT
 2027  tcp        0      0 ourservernamehidden.net:55480  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2028  tcp        0      0 ourservernamehidden.net:49143  mx.poczta.onet.pl:smtp  TIME_WAIT
 2029  tcp        0      1 ourservernamehidden.net:39581  www.huffingtonpost:smtp SYN_SENT
 2030  tcp        0      0 ourservernamehidden.net:55564  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2031  tcp        0      0 ourservernamehidden.net:55514  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2032  tcp        0      1 ourservernamehidden.net:38755  www178.sedoparking:smtp SYN_SENT
 2033  tcp        0      1 ourservernamehidden.net:51151  emex06.nni.com:smtp     SYN_SENT
 2034  tcp        0      1 ourservernamehidden.net:38378      SYN_SENT
 2035  tcp        0      1 ourservernamehidden.net:48276  hpdevinspect.net:smtp   SYN_SENT
 2036  tcp        0      1 ourservernamehidden.net:57237  floyd.gms.lu:smtp       SYN_SENT
 2037  tcp        0      1 ourservernamehidden.net:53620  webhop-lax.dyndns.:smtp SYN_SENT
 2038  tcp        0      1 ourservernamehidden.net:55353        SYN_SENT
 2039  tcp        0      1 ourservernamehidden.net:54977  surveyslive.com:smtp    SYN_SENT
 2040  tcp        0      1 ourservernamehidden.net:50663     SYN_SENT
 2041  tcp        0      1 ourservernamehidden.net:42327  skypeforasterisk.n:smtp SYN_SENT
 2042  tcp        0      1 ourservernamehidden.net:38482  hosted-by.leaseweb:smtp SYN_SENT
 2043  tcp        0      1 ourservernamehidden.net:36295  wwwhotmail.com:smtp     SYN_SENT
 2044  tcp        0      1 ourservernamehidden.net:49828      SYN_SENT
 2045  tcp        0    264 ourservernamehidden.net:2622   165.red-80-28-211:58754 ESTABLISHED
 2046  tcp        0      1 ourservernamehidden.net:52704  ash.parking.local:smtp  SYN_SENT
 2047  tcp        0      0 ourservernamehidden.net:47382  enux0-193.go180.ne:smtp TIME_WAIT
 2048  tcp        0      1 ourservernamehidden.net:52996  www.mountaincable.:smtp SYN_SENT
 2049  tcp        0      1 ourservernamehidden.net:34093  200-147-3-205-205.:smtp SYN_SENT
 2050  tcp        0      0 ourservernamehidden.net:57869        ESTABLISHED
 2051  tcp        0      1 ourservernamehidden.net:43368      SYN_SENT
 2052  tcp        0      1 ourservernamehidden.net:47727     SYN_SENT
 2053  tcp        0      1 ourservernamehidden.net:55679     SYN_SENT
 2054  tcp        0      1 ourservernamehidden.net:56604  prduction.ziploc.c:smtp SYN_SENT
 2055  tcp        0      1 ourservernamehidden.net:52611  ash.parking.local:smtp  SYN_SENT
 2056  tcp        0      1 ourservernamehidden.net:57721  csfb.com:smtp           SYN_SENT
 2057  tcp        0      1 ourservernamehidden.net:57979      SYN_SENT
 2058  tcp        0      1 ourservernamehidden.net:51827  phx2-ss-5-bug61684:smtp SYN_SENT
 2059  tcp        0      1 ourservernamehidden.net:33945  ext-ch1gw.online-a:smtp SYN_SENT
 2060  tcp        0      1 ourservernamehidden.net:35856  forward.markmonito:smtp SYN_SENT
 2061  tcp        0      1 ourservernamehidden.net:39956       SYN_SENT
 2062  tcp        0      1 ourservernamehidden.net:52015  a34-mta03.direcpc.:smtp SYN_SENT
 2063  tcp        0      1 ourservernamehidden.net:59485  ipex1.johnshopkins:smtp SYN_SENT
 2064  tcp        0      0 ourservernamehidden.net:36205  guama.canonical.co:http TIME_WAIT
 2065  tcp        0      1 ourservernamehidden.net:56913  host64-80-108-104.:smtp SYN_SENT
 2066  tcp        0      1 ourservernamehidden.net:55441  5minmedia.com:smtp      SYN_SENT
 2067  tcp        0      0 ourservernamehidden.net:55624  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2068  tcp        0      1 ourservernamehidden.net:59124  xnacreators.net:smtp    SYN_SENT
 2069  tcp        0      1 ourservernamehidden.net:38523  hosted-by.leaseweb:smtp SYN_SENT
 2070  tcp        0      1 ourservernamehidden.net:55342  5minmedia.com:smtp      SYN_SENT
 2071  tcp        0      1 ourservernamehidden.net:55446  5minmedia.com:smtp      SYN_SENT
 2072  tcp        0      0 ourservernamehidden.net:40956  jatoba.canonical.c:http TIME_WAIT
 2073  tcp        0     35 ourservernamehidden.net:55636  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2074  tcp        0      1 ourservernamehidden.net:39584  iad23s07-in-f22.1e:smtp SYN_SENT
 2075  tcp        0      1 ourservernamehidden.net:38732  origin.thatscricke:smtp SYN_SENT
 2076  tcp        0      1 ourservernamehidden.net:46661  gbrsmtp2.inet.frem:smtp SYN_SENT
 2077  tcp        0      0 ourservernamehidden.net:55573  qc-in-f26.1e100.ne:smt
 2078  tcp        0      0 ourservernamehidden.net:39159       ESTABLIS
 2079  tcp        0      1 ourservernamehidden.net:37814  mtain-dk.r1000.mx.:smtp SYN_SENT
 2080  tcp        0      0 ourservernamehidden.net:55493  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2081  tcp        0      0 ourservernamehidden.net:49225  mx.poczta.onet.pl:smtp  TIME_WAIT
 2082  tcp        0      0 ourservernamehidden.net:55550  qc-in-f26.1e100.ne:smtp ESTABLIS
 2083  tcp        0      0 ourservernamehidden.net:55490  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2084  tcp        0      1 ourservernamehidden.net:37173      SYN_SENT
 2085  tc
 2086  tcp        0      1 ourservernamehidden.net:52109      SYN_SENT
 2087  tcp        0      1 ourservernamehidden.net:38751  lavabit.com:smtp        SYN_SENT
 2088  tcp        0      0 ourservernamehidden.net:55693  qc-in-f26.1e100.ne:smtp ESTABLIS
 2089  tcp        0      0 ourservernamehidden.net:55673  qc-in-f26.1e100.ne:smtp ESTABLIS
 2090  tcp        0      0 ourservernamehidden.net:55667  qc-in-f26.1e100.ne:smtp ESTABLIS
 2091  tcp        0      1 ourservernamehidden.net:39767  www.huffingtonpost:smtp SYN_SENT
 2092  tcp        0      0 ourservernamehidden.net:55601  qc-in-f26.1e100.ne:smtp ESTABLIS
 2093  tcp        0      1 ourservernamehidden.net:56600     SYN_SENT
 2094  tcp        0      0 ourservernamehidden.net:32864        ESTABLIS
 2095  tcp        0      0 ourservernamehidden.net:32862        ESTABLIS
 2096  tcp        0      0 ourservernamehidden.net:55671  qc-in-f26.1e100.ne:smtp ESTABLIS
 2097  tcp        0      0 ourservernamehidden.net:55681  qc-in-f26.1e100.ne:smtp ESTABLIS
 2098  tcp        0      1 ourservernamehidden.net:44671  mx.mailix.net:smtp      SYN_SENT
 2099  tcp        0      0 ourservernamehidden.net:55668  qc-in-f26.1e100.ne:smtp ESTABLISHED
 2100  tcp        0      1 ourservernamehidden.net:39788  www.huffingtonpost:smtp SYN_SENT
 2101  tcp        0      0 ourservernamehidden.net:44902  mx2.emailsrvr.com:smtp  ESTABLISH
 2102  tcp        0      0 ourservernamehidden.net:55670  qc-in-f26.1e100.ne:smtp ESTABLIS
 2103  tcp6       0      0 ip6-localhost:domain    [::]:*                  LISTEN

Open in new window

2007  tcp        0      0 *:smtp                  *:*                     LISTEN

That indicates you have a mail server receiving messages.

Whether you can just turn it off will depend on how your web server is configured to send emails.  If it just dumps them to the local server you will still need it, in which case you just need to configure postfix to reject all incoming, otherwise if your web server directs all outgoing mail to a specific mail server, you can just turn off postfix.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
intangiblemediaAuthor Commented:
ok thanks Sweetfa... Very helpful!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.