We cannot find the source of the spam emails on our Debian 7 server

Posted on 2016-10-26
Medium Priority
Last Modified: 2016-11-11
We have a Debian 7 server on which Virtualmin-Webmin is installed for serving virtual servers.
Spam emails are being sent continuously and we cannot find out how.

There is NO email set up on the server at all. The base sendmail was deleted.
For each virtual server there is a separate mail log which works well: the system logs the emails sent by the web pages.
But in the log there is no trace of the spam mails.

The whole server was checked with ClamAV and all the files in its report were deleted. However, even after this the spam emails didn't stop.

On the server there are custom web pages (created by us), Joomla 1.5-3.5 systems and continuously updated WordPress systems.

For our emails we use an external SMTP server which is user and password protected and stores all outgoing emails.
We couldn't find the spam emails here either.

How can we trace which virtual server is sending the spam emails and how the emails are sent?

Thank you very much!
Question by: Member_2_7965240
LVL 36

Expert Comment

ID: 41860536
Check the incoming log files on IP numbers to see if the email is really coming from that machine. Any email server should be able to log all the activities, especially IP numbers. So if you didn't find any log files containing the info you need (the whole first part of the email conversation, from HELO to MAIL FROM, RCPT TO etc.), you should enable it first. After you get a few spam mails, you can search the log file either on time or from/to.
LVL 79

Expert Comment

ID: 41860598
Check the mail log files to see whether the messages are actually leaving your server.
What is your environment?

Are you getting bounce messages? Look at the message headers within the bounce section to confirm the email originated from you.

Your web-based email interface might be vulnerable such that it is being used on one of the sites to relay.
I.e. you have a contact-us form; there have been some where, instead of using your form to submit the data, you can structure a request to your web server where the request includes the sender (not you), the destination (not yours) and the message.

If your web-based contact form is a variation of one that had this issue, the way to eliminate the problem is to restrict it by limiting the domains, or better still the specific email addresses, to which it can send. An email to any other destination will not be sent this way.

Author Comment

ID: 41862232
We cannot check the log because the email system was deleted. Do you mean to reinstall it so as we could check the logs?

We'll check the

LVL 79

Accepted Solution

arnold earned 2000 total points
ID: 41862408
I would think that /var/log/maillog should remain even if you uninstall the mail server. If after uninstalling the email server app, your system is still sending out spam, this means that your web based mailing scripts use SMTP and actually connect to external hosts and transmit messages directly or they use another mail server internal to your organization to send emails through.

The bounceback or email samples you are provided must include the full message headers for you to determine whether the mailings actually originated from your network, and if so which path they took. The header entries of importance to make such a determination are the Received: lines.
These Received: lines are prepended to the top of the data by each mail server that handles the message.
If this was the message:
Received: <= This will be the entry from the mail server that handled the message last, as it delivered it to the recipient
Received: <= This will be an entry from the earlier handling mail server
Received: <= This will be the first server that handled the mail and

That is the flow of record. The Received: line has the information of from what IP/method and by which mail server the message was handled.
from pickup means direct injection, no SMTP session
from servername [ip] by current server

Running up the Received: lines, they have to be consistent. The receiver on the earlier line should be reflected as the source on the line above it.

Hope this helps, but to identify it you would have to search all web scripts/pages for the different ways you might be implementing contact us, contact me etc. options. One simple thing: scan all cgi-bin referenced paths and make sure you do not have a formmail.cgi that either was placed there or ... loaded as part of an old deployment.

Try creating a mail form designating one of your emails as the recipient/sender and see whether your form can submit contact through the other sites and you actually get the email. The one(s) through which your form works are effectively the open relays through which spam is being sent out.
Web client spammer with form/script mimicking form submission <=> internet <=> your web server/client site/processing script <=> internal mail server => back out over the internet to the recipient.
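The Received: chain walk described in this answer, as an added Python example that is not part of the original answer or of the asker's setup: it parses a constructed set of headers (all hostnames and IPs are made up), orders the hops oldest-first, flags a hop whose "from" host does not match the "by" host of the hop before it, and flags a server that received the message from itself (the symptom raised later in the thread). It also reports how the message entered the mail system: local pickup with a userid versus an SMTP session from an IP.

```python
import re
from email import message_from_bytes, policy

# Constructed sample headers (not from the thread): newest hop on top, the hop where the
# message entered the mail system at the bottom ("by ... from userid 33" = local pickup).
SAMPLE = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTP id ABC123; Wed, 26 Oct 2016 10:00:03 +0000
Received: from web01.example.net (web01.example.net [198.51.100.5])
\tby mx.example.net (Postfix) with ESMTPA id DEF456; Wed, 26 Oct 2016 10:00:02 +0000
Received: by web01.example.net (Postfix, from userid 33)
\tid 123ABC; Wed, 26 Oct 2016 10:00:01 +0000
Subject: constructed sample

"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[([0-9a-f.:]+)\]", re.I)
USERID_RE = re.compile(r"from userid (\d+)", re.I)


def parse_received(raw):
    """Return the Received: hops oldest-first as dicts; 'from' is None for local pickup."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = " ".join(str(value).split())  # unfold the header
        found = {k: rx.search(text) for k, rx in
                 (("from", FROM_RE), ("by", BY_RE), ("ip", IP_RE), ("userid", USERID_RE))}
        hops.append({k: (m.group(1) if m else None) for k, m in found.items()})
    return hops


def check_chain(hops):
    """Walk upward: each hop's 'from' host must be the 'by' host of the hop before it."""
    problems = []
    for i in range(1, len(hops)):
        earlier, later = hops[i - 1], hops[i]
        if later["from"] != earlier["by"]:
            problems.append(f"hop {i + 1}: from {later['from']} but previous hop was by {earlier['by']}")
        if later["from"] == later["by"]:  # a server receiving the message from itself
            problems.append(f"hop {i + 1}: {later['by']} received the message from itself")
    return problems


def origin(hops):
    """Where and how the message entered the mail system (the oldest hop)."""
    first = hops[0]
    if first["from"] is None:
        return first["by"], "local pickup, no SMTP session", first["userid"]
    return first["by"], f"SMTP from {first['from']} [{first['ip']}]", None
```

Feed it the raw headers from a bounce and compare the origin it reports with the hosts in your own network; a break in the chain means an entry was forged rather than recorded by your servers.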

Author Comment

ID: 41869884
I couldn't find anything in the e-mail source connecting to our server.
Can I send you such an email in private message just to be sure?

Thank you.
LVL 79

Expert Comment

ID: 41870698
Message me with just the full message headers, the information included in the bounce after the error explaining why the message could not be delivered to the recipient.

Author Comment

ID: 41873690
I have sent it.
LVL 79

Expert Comment

ID: 41874342
The header info is conflicting because of a double interplay: a Received: line reflecting a server receiving the message from itself via SMTP.
Received: from myserver by myserver via SMTP... a second later than the previous Received: line.
Only possible if there are two instances of the mail server running.
Further, the Message-ID was added by an external server into which a client authenticated, with the client IP reflected therein.
LVL 27

Expert Comment

ID: 41875061
There is no requirement that these e-mails are processed by system e-mail services on your server. A process might run on your server that connects (via sockets) to any other e-mail server in the world as long as a route is available. That's no different from how most e-mail clients on PCs work. Such clients are almost trivial to write for anyone familiar with basic sockets programming.

Expert Comment

ID: 41883219
I would log outgoing packets that are directed to any tcp 25 in iptables. I would then sort and dissect the logged packets, set up a local honeypot that has the spammer IP to accept incoming SMTP and set up a static route to it, suspend the sendmail process on the honeypot at an opportune moment, notice a process id from your Debian 7 netstat -pa that has honeypot:25 as its connected endpoint and proceed from there.
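The first step of this comment (log outbound tcp/25 in iptables, then sort the logged packets), as an added Python example that is not part of the comment or of the asker's setup. It assumes a LOG rule with --log-uid, so each kernel line carries the UID of the local process that opened the connection, and that each virtual server's scripts run under their own Unix user (the usual Virtualmin suexec/fcgid layout), so the UID identifies the virtual server; the log lines and the uid-to-owner table are constructed.

```python
import re
from collections import Counter

# Constructed sample kernel messages (not real logs), as produced by a rule such as
#   iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW -j LOG --log-prefix "OUT-SMTP: " --log-uid
# --log-uid appends UID=/GID= of the local process that generated the packet.
SAMPLE_LOG = """\
Oct 26 10:00:01 web01 kernel: OUT-SMTP: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.20 PROTO=TCP SPT=45123 DPT=25 SYN URGP=0 UID=1003 GID=1003
Oct 26 10:00:02 web01 kernel: OUT-SMTP: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.21 PROTO=TCP SPT=45124 DPT=25 SYN URGP=0 UID=1003 GID=1003
Oct 26 10:00:05 web01 kernel: OUT-SMTP: IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.30 PROTO=TCP SPT=45125 DPT=587 SYN URGP=0 UID=1001 GID=1001
Oct 26 10:00:09 web01 kernel: OUT-SMTP: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.22 PROTO=TCP SPT=45126 DPT=25 SYN URGP=0 UID=1003 GID=1003
Oct 26 10:00:10 web01 kernel: OUT-SMTP: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.20 PROTO=TCP SPT=45127 DPT=25 SYN URGP=0 UID=0 GID=0
"""

# Constructed uid-to-owner table; on a real host build it from /etc/passwd.
UID_TO_OWNER = {0: "root", 1001: "shopsite", 1003: "oldjoomla"}

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text):
    """Yield one dict of KEY=VALUE fields per line that logs a new outbound tcp/25 connection."""
    for line in text.splitlines():
        if "OUT-SMTP:" not in line:
            continue
        fields = dict(KV_RE.findall(line.split("OUT-SMTP:", 1)[1]))
        if fields.get("PROTO") == "TCP" and fields.get("DPT") == "25":
            yield fields


def smtp_senders(text, uid_to_owner=UID_TO_OWNER):
    """Per virtual-server owner: number of outbound tcp/25 connections and the hosts contacted."""
    totals, dests = Counter(), {}
    for f in parse_log(text):
        owner = uid_to_owner.get(int(f["UID"]), f"uid {f['UID']}")
        totals[owner] += 1
        dests.setdefault(owner, set()).add(f["DST"])
    return [(owner, n, sorted(dests[owner])) for owner, n in totals.most_common()]
```

The owner at the top of the list is the virtual server to inspect; its currently open tcp/25 sockets, and the process behind them, show up in netstat -pa as the comment describes.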
