Solved

We cannot find the source of the spam emails on our Debian 7 server

Posted on 2016-10-26
Last Modified: 2016-11-11
We have a Debian 7 server on which Virtualmin-Webmin is installed for serving virtual servers.
Spam emails are being sent continuously and we cannot find out how.

There is NO email service set up on the server at all. The base sendmail was deleted.
For each virtual server there is a separate mail log which works well: the system logs the emails sent by the web pages.
But in the log there is no trace of the spam mails.

The whole server was checked with ClamAV and all the files in its report were deleted. However even after this the spam emails didn't stop.

On the server there are custom webpages (created by us), Joomla 1.5-3.5 systems and continuously updated WordPress systems.

For our emails we use an external SMTP server which is user and password protected and stores all outgoing emails.
We couldn't find the spam emails here either.

How can we trace which virtual server sends the spam emails and how the emails are sent?

Thank you very much!
Question by:Member_2_7965240
10 Comments
 
LVL 36

Expert Comment

by:Kimputer
ID: 41860536
Check the incoming logfiles on IP numbers if the email is really coming from that machine. Any email server should be able to log all the activities, especially IP numbers. So if you didn't find any log files containing the info you need (the whole first part of the email conversation, from helo to mail from, rcpt to etc.), you should enable it first. After you get a few spam mails, you can search the log file either on time or from/to.
0
 
LVL 79

Expert Comment

by:arnold
ID: 41860598
Check the mail log files to see whether the messages are actually leaving your server.
What is your environment?

Are you getting bounce messages? Look at the message headers within the bounce section to confirm the email originated from you.

Your web based email interface might be vulnerable such that it is being used on one of the sites to relay.
I.e. you have a contact us form; there have been some where, instead of using your form to submit the data, you can structure a request to your web server where the request includes the sender (not you), the destination (not yours) and the message.

A web based contact script that had this issue is formmail.pl. If you are using a variation of this, the way to eliminate the problem is by restricting formmail.pl, by limiting the domains or, better still, the specific email addresses to which it can email. This way, an email to any other destination will not be sent.
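As an added example (not code from this thread and not formmail.pl itself), here is what the restriction arnold describes looks like in a small Python form handler: the requested recipient is checked against a fixed allowlist of the site's own addresses, the visitor's address only ever goes into Reply-To (the From is always the server's own), and any field that becomes a header is refused if it contains a line break. The addresses, the domain and the field names are assumptions made for this example.

```python
import re
from email.message import EmailMessage

# Constructed settings for this example: the only addresses the form may
# ever deliver to, and the domain the server sends as. Not from the thread.
ALLOWED_RECIPIENTS = {"sales@example.org", "support@example.org"}
LOCAL_DOMAIN = "example.org"

# Loose but sufficient shape check; \s excludes CR/LF, so a sender address
# cannot smuggle extra header lines past it.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


class FormRejected(Exception):
    """Raised when a submission must not be turned into an e-mail."""


def build_contact_message(form, allowed=ALLOWED_RECIPIENTS):
    """Validate a contact-form submission and return an EmailMessage.

    `form` is a dict of the submitted fields (recipient, email, subject,
    message). Anything a spammer could use to turn the form into a relay
    is rejected here instead of being handed to the MTA.
    """
    # 1. The recipient must be one of *our* addresses. A form that mails
    #    whatever address the client supplies is an open relay.
    recipient = form.get("recipient", "").strip().lower()
    if recipient not in allowed:
        raise FormRejected(f"recipient {recipient!r} is not in the allowlist")

    # 2. The visitor's address only ever goes into Reply-To, never From.
    sender = form.get("email", "").strip()
    if not EMAIL_RE.fullmatch(sender):
        raise FormRejected("sender address is malformed")

    # 3. No CR/LF in any value that becomes a header (header injection).
    subject = form.get("subject", "Contact form").strip()
    if re.search(r"[\r\n]", subject):
        raise FormRejected("newline in subject")

    msg = EmailMessage()
    msg["From"] = f"webform@{LOCAL_DOMAIN}"
    msg["Reply-To"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject[:120]
    msg.set_content(form.get("message", ""))
    return msg


def is_accepted(form):
    """Convenience wrapper: True if the submission would be mailed."""
    try:
        build_contact_message(form)
    except FormRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one aimed at a foreign
    # address, one trying to add a header through the subject field.
    good = {"recipient": "sales@example.org", "email": "visitor@example.com",
            "subject": "Price list", "message": "Please send your prices."}
    foreign = dict(good, recipient="someone@example.net")
    injected = dict(good, subject="Hi\nBcc: list@example.net")
    for name, f in [("good", good), ("foreign", foreign), ("injected", injected)]:
        print(name, "accepted" if is_accepted(f) else "rejected")
```

The allowlist is the important part: with it in place the script can only ever produce mail to the site's own mailboxes, so even a request that bypasses the HTML form gains nothing.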
 

Author Comment

by:Member_2_7965240
ID: 41862232
We cannot check the log because the email system was deleted. Do you mean to reinstall it so as we could check the logs?

We'll check the formmail.pl.
 
LVL 79

Accepted Solution

by: arnold (earned 500 total points)
ID: 41862408
I would think that /var/log/maillog should remain even if you uninstall the mail server. If after uninstalling the email server app, your system is still sending out spam, this means that your web based mailing scripts use SMTP and actually connect to external hosts and transmit messages directly or they use another mail server internal to your organization to send emails through.

The bounceback or email samples you are provided with must include the full message headers for you to determine whether the mailings actually originated from your network, and if so which path they took. The header entries of importance to make such a determination are the Received: lines.
These Received: Lines are prepended to the top of the data by each mail server that handles the message.
If this was the message:
Received: <= This will be the entry from the mail server that handled the message last, as it delivered it to the recipient
Received: <= This will be an entry from the earlier handling mail server
...
Received: <= This will be the first server that handled the mail, and then
From:


That is the flow of record. The Received line has the information of from what IP/method and by which mail server the message was handled.
from pickup: means direct inject, no SMTP session
from servername [ip] by current server

Running up the Received lines, they have to be consistent. The receiver on the earlier line should be reflected as the source on the line above it.

Hope this helps, but to identify it you would have to search all web scripts/pages for different ways you might be implementing contact us, me, etc. options. One simple thing: scan all cgi-bin referenced paths and make sure you do not have a formmail.pl or formmail.cgi that either was placed there or loaded as part of an old deployment.

Try creating a mail form designating one of your emails as the recipient/sender and see whether your form can submit contact through the other sites and you actually get the email. The one/s through which your form works are effectively the open relays through which spam is being sent out.
Web client spammer with form/script mimicking form submission <=> internet <=> your web server/client site/processing script <=> internal mail server => back out over the internet to the recipient.
 

Author Comment

by:Member_2_7965240
ID: 41869884
I couldn't find anything in the e-mail source connecting to our server.
Can I send you such an email in private message just to be sure?

Thank you.
 
LVL 79

Expert Comment

by:arnold
ID: 41870698
Message me with just the full message headers: the information included in the bounce after the error explaining why the message could not be delivered to the recipient.
 

Author Comment

by:Member_2_7965240
ID: 41873690
I have sent it.
 
LVL 79

Expert Comment

by:arnold
ID: 41874342
The header info is conflicting because of a double-interplay Received line reflecting a server receiving the message from itself via SMTP:
Received: from myserver by myserver via SMTP... a second later than the received.
Only possible if there are two instances of the mail server running.
Further, the Message-ID was added by an external server into which a client authenticated, with the client IP reflected therein.
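An added example, not part of arnold's answers, that performs the Received: walk he describes in his accepted solution and in the comment above in Python: it parses the header block, walks it bottom-up, checks that the "by" host of each line is the "from" host of the line above it, and flags the two patterns mentioned in this thread, a "from pickup" line (local injection, no SMTP session) and a server receiving from itself via SMTP. It also pulls the host out of the Message-ID so it can be compared with the first handling server. The header block, hostnames, IPs and IDs are constructed for the example.

```python
import re
from email.parser import HeaderParser

# Constructed header block standing in for the bounce the author forwarded.
# Hostnames, IPs and IDs are invented for this example.
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
    by inbox.example.org with ESMTP id abc123; Wed, 26 Oct 2016 10:00:03 +0000
Received: from web1.example.com (web1.example.com [198.51.100.7])
    by mx1.example.net with ESMTPA id def456; Wed, 26 Oct 2016 10:00:02 +0000
Received: from web1.example.com by web1.example.com via SMTP
    id ghi789; Wed, 26 Oct 2016 10:00:01 +0000
Received: from pickup by web1.example.com id jkl012; Wed, 26 Oct 2016 10:00:00 +0000
Message-ID: <20161026100002.def456@mx1.example.net>
From: someone@example.org
To: victim@example.org
Subject: constructed sample
"""

FROM_RE = re.compile(r"\bfrom\s+([^\s;()]+)")
BY_RE = re.compile(r"\bby\s+([^\s;()]+)")


def parse_received(raw_headers):
    """Return the Received: hops in header order: index 0 is the last server
    that handled the message, the final entry is the first one."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m_from, m_by = FROM_RE.search(value), BY_RE.search(value)
        hops.append({
            "from": m_from.group(1).lower() if m_from else None,
            "by": m_by.group(1).lower() if m_by else None,
            "raw": value,
        })
    return hops


def check_chain(hops):
    """Walk the hops from the first handler upward and report anomalies."""
    findings = []
    for i in range(len(hops) - 1, -1, -1):
        hop = hops[i]
        if hop["from"] == "pickup":
            findings.append(f"hop {i}: injected locally on {hop['by']} (no SMTP session)")
        elif hop["from"] and hop["from"] == hop["by"]:
            findings.append(f"hop {i}: {hop['by']} received the message from itself via SMTP")
        if i > 0:
            above = hops[i - 1]
            # The receiver on this line must be the source on the line above it.
            if hop["by"] and above["from"] and hop["by"] != above["from"]:
                findings.append(
                    f"hops {i}->{i - 1}: handed on by {hop['by']} but the next line says "
                    f"it came from {above['from']} (inconsistent, possibly forged)")
    return findings


def origin(hops):
    """(from, by) of the bottom-most Received: line, i.e. the first handler."""
    first = hops[-1]
    return first["from"], first["by"]


def message_id_host(raw_headers):
    """Host part of the Message-ID. If it is not the first handler, the ID was
    assigned further along, e.g. by a submission server a client logged into."""
    mid = HeaderParser().parsestr(raw_headers).get("Message-ID", "")
    m = re.search(r"@([^>\s]+)", mid)
    return m.group(1).lower() if m else None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for i, h in enumerate(hops):
        print(f"[{i}] from {h['from']} by {h['by']}")
    for f in check_chain(hops):
        print("!", f)
    print("first handler:", origin(hops))
    print("Message-ID host:", message_id_host(SAMPLE_HEADERS))
```

Hostnames are compared as written, so a server that calls itself by a short name in one line and by its FQDN in the next will be reported as inconsistent; treat the findings as things to look at, not as proof of forgery.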
 
LVL 27

Expert Comment

by:tliotta
ID: 41875061
There is no requirement that these e-mails are processed by system e-mail services on your server. A process might run on your server that connects (via sockets) to any other e-mail server in the world as long as a route is available. That's no different from how most e-mail clients on PCs work. Such clients are almost trivial to write for anyone familiar with basic sockets programming.
 
LVL 8

Expert Comment

by:jako
ID: 41883219
I would log outgoing packets that are directed to any tcp 25 in iptables. I would then sort and dissect the logged packets, set up a local honeypot that has the spammer IP to accept incoming SMTP and set up a static route to it, suspend the sendmail process on the honeypot at an opportune moment, notice a process id from your Debian 7 netstat -pa that has honeypot:25 as its connected endpoint and proceed from here.
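An added example, not from jako's comment, showing the first step of his approach in Python: with an iptables LOG rule on new outbound port-25 connections (the LOG target's --log-uid option appends the UID of the local process that created the packet), the kernel log can be grouped by account and destination. On a Virtualmin host each virtual server runs under its own account, so the UID already points at the site doing the sending; the process itself can then be tied to it with netstat -pa as he describes. The log lines, UIDs and addresses below are constructed.

```python
import re
import pwd
from collections import Counter

# Constructed kernel-log lines, in the format the iptables LOG target writes
# when a rule like this is in place (hostnames, IPs and UIDs are invented):
#
#   iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW \
#       -j LOG --log-prefix "SMTP-OUT: " --log-uid
#
# --log-uid appends UID=/GID= of the local process that created the packet.
SAMPLE_KERN_LOG = """\
Oct 26 10:00:00 web1 kernel: [1000.10] SMTP-OUT: IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45001 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Oct 26 10:00:01 web1 kernel: [1001.10] SMTP-OUT: IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45002 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Oct 26 10:00:02 web1 kernel: [1002.10] SMTP-OUT: IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45003 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Oct 26 10:00:03 web1 kernel: [1003.10] SMTP-OUT: IN= OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=45004 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Oct 26 10:00:04 web1 kernel: [1004.10] eth0: link is up
"""

LOG_PREFIX = "SMTP-OUT:"
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_smtp_out(lines, prefix=LOG_PREFIX):
    """Extract outbound-SMTP events (dst, spt, uid) from kernel log lines."""
    events = []
    for line in lines:
        if prefix not in line:
            continue
        fields = dict(FIELD_RE.findall(line.split(prefix, 1)[1]))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        events.append({
            "dst": fields.get("DST"),
            "spt": fields.get("SPT"),          # source port: matches netstat/ss output
            "uid": int(fields["UID"]) if "UID" in fields else None,
        })
    return events


def uid_name(uid, uid_names=None):
    """Resolve a UID to an account name: explicit map first, then /etc/passwd."""
    if uid_names and uid in uid_names:
        return uid_names[uid]
    try:
        return pwd.getpwuid(uid).pw_name
    except (KeyError, TypeError):
        return str(uid)


def summarize(events, uid_names=None):
    """Count new outbound port-25 connections per (account, destination),
    busiest first, so the sending virtual server stands out."""
    counts = Counter((e["uid"], e["dst"]) for e in events)
    rows = [(uid_name(uid, uid_names), uid, dst, n)
            for (uid, dst), n in counts.items()]
    rows.sort(key=lambda r: (-r[3], r[1] if r[1] is not None else -1, r[2]))
    return rows


def per_account(events, uid_names=None):
    """Total new outbound port-25 connections per account, busiest first."""
    counts = Counter(e["uid"] for e in events)
    rows = [(uid_name(u, uid_names), u, n) for u, n in counts.items()]
    rows.sort(key=lambda r: (-r[2], r[1] if r[1] is not None else -1))
    return rows


if __name__ == "__main__":
    # Constructed UID-to-site map; on the real host pwd resolves them.
    names = {1003: "joomla-site", 1001: "wp-site"}
    events = parse_smtp_out(SAMPLE_KERN_LOG.splitlines())
    for name, uid, dst, n in summarize(events, names):
        print(f"{n:4d}  {name} (uid {uid}) -> {dst}:25")
    for name, uid, n in per_account(events, names):
        print(f"total {n} from {name} (uid {uid})")
```

Read the kernel log (/var/log/kern.log on Debian) with `parse_smtp_out(open(path))` on the real machine; the uid_names map is only there so the example runs the same everywhere. Because the rule logs the source port as well, a line from the summary can be matched against a live `netstat -tnpa` entry to get the PID while the connection is still open.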
