Solved

We cannot find the source of the spam emails on our Debian 7 server

Posted on 2016-10-26
10
89 Views
Last Modified: 2016-11-11
We have a Debian 7 server on which Virtualmin-Webmin is installed for serving virtual servers.
Spam emails are being sent continuously and we cannot find out how.

There is NO email system set up on the server at all. The base sendmail was deleted.
For each virtual server there is a separate mail log which works well: the system logs the emails sent by the web pages.
But in the log there is no trace of the spam mails.

The whole server was checked with ClamAV and all the files in its report were deleted. However even after this the spam emails didn't stop.

On the server there are custom web pages (created by us), Joomla 1.5-3.5 systems and continuously updated WordPress systems.

For our emails we use an external SMTP server which is user and password protected and stores all outgoing emails.
We couldn't find the spam emails here either.

How can we track down which virtual server sends the spam emails and how the emails are sent?

Thank you very much!
0
Comment
Question by:Member_2_7965240
10 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 41860536
Check the incoming log files for IP numbers to see if the email is really coming from that machine. Any email server should be able to log all the activities, especially IP numbers. So if you didn't find any log files containing the info you need (the whole first part of the email conversation, from helo to mail from, rcpt to etc.), you should enable it first. After you get a few spam mails, you can search the log file either on time or from/to.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41860598
Check the mail log files to see whether the messages are actually leaving your server.
What is your environment?

Are you getting bounce messages? Look at the message headers within the bounce section to confirm the email originated from you.

Your web based email interface might be vulnerable such that it is being used on one of the sites to relay.
I.e. you have a contact-us form; there have been some where, instead of using your form to submit the data, you can structure a request to your web server where the request includes the sender (not you), the destination (not yours) and the message.

A web based contact script that had this issue is formmail.pl. If you are using a variation of this, the way to eliminate the problem is by restricting formmail.pl by limiting the domains, or better still the specific email addresses, to which it can email. An email to any other destination will not be sent this way.
0
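The recipient restriction arnold describes, written out as a contact-form handler with the formmail.pl-style unsafe builder next to a hardened one. This is an added example, not code from the thread or from formmail.pl; the allowlist, the fixed sender address and the form field names are assumptions.

```python
import re
from email.message import EmailMessage

# Assumed allowlist: the only mailboxes this site's form is ever meant to reach.
ALLOWED_RECIPIENTS = {"sales@example.com", "info@example.com"}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def build_mail_unsafe(form):
    """The formmail.pl-style pattern: recipient and header values come straight from the
    request, so a crafted POST picks any destination and line breaks add extra headers."""
    return (f"To: {form['recipient']}\r\nFrom: {form['email']}\r\n"
            f"Subject: {form['subject']}\r\n\r\n{form['message']}")

def build_mail(form, allowed=ALLOWED_RECIPIENTS, sender="www-form@example.com"):
    """Hardened builder: allowlisted recipient, fixed From, no raw header material from the form."""
    recipient = form.get("recipient", "")
    if recipient not in allowed:
        raise ValueError("recipient not permitted")
    for field in ("name", "email", "subject"):
        if re.search(r"[\r\n]", form.get(field, "")):
            raise ValueError(f"line break in {field}")
    if not EMAIL_RE.match(form.get("email", "")):
        raise ValueError("bad reply address")
    msg = EmailMessage()
    msg["To"] = recipient
    msg["From"] = sender                 # the site's own address, never the visitor's
    msg["Reply-To"] = form["email"]
    msg["Subject"] = form.get("subject", "")[:200] or "Contact form"
    msg.set_content(f"From: {form.get('name', '')}\n\n{form.get('message', '')}")
    return msg

def rejected(form):
    """True when the hardened builder refuses a submission."""
    try:
        build_mail(form)
    except ValueError:
        return True
    return False
```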
 

Author Comment

by:Member_2_7965240
ID: 41862232
We cannot check the log because the email system was deleted. Do you mean we should reinstall it so that we can check the logs?

We'll check the formmail.pl.
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 41862408
I would think that /var/log/maillog should remain even if you uninstall the mail server. If after uninstalling the email server app, your system is still sending out spam, this means that your web based mailing scripts use SMTP and actually connect to external hosts and transmit messages directly or they use another mail server internal to your organization to send emails through.

The bounceback or email samples you are provided must include the full message headers for you to determine whether the mailings actually originated from your network, and if so which path they took. The header entries of importance to make such a determination are the Received: lines.
These Received: lines are prepended to the top of the data by each mail server that handles the message.
If this was the message:
Received:  <= This will be the entry from the mail server that handled the message last, as it delivered it to the recipient
Received: <= This will be an entry from the earlier handling mail server
...
Received: <= This will be the first server that handled the mail, followed by
From:


That is the flow of record. The Received line has the information of from what IP/method and by which mail server the message was handled.
from pickup: means direct injection, no SMTP session
from: servername [ip] by current server

Running up the Received lines, they have to be consistent. The receiver on the earlier line should be reflected as the source on the line above it.

Hope this helps, but to identify it you would have to search all web scripts/pages for the different ways you might be implementing contact us, contact me, etc. options. One simple thing: scan all cgi-bin referenced paths and make sure you do not have a formmail.pl or formmail.cgi that either was placed there or ..... loaded as part of an old deployment.

Try creating a mail form designating one of your emails as the recipient/sender and see whether your form can submit contact through the other sites and you actually get the email. The one/s through which your form works are effectively the open relays through which spam is being sent out:
Web client spammer with form/script mimicking form submission <=> internet <=> your web server/client site/processing script <=> internal mail server => back out over the internet to the recipient.
0
 

Author Comment

by:Member_2_7965240
ID: 41869884
I couldn't find anything in the e-mail source connecting to our server.
Can I send you such an email in private message just to be sure?

Thank you.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41870698
Message me with just the full message headers, the information included in the bounce after the error stating why the message could not be delivered to the recipient.
1
 

Author Comment

by:Member_2_7965240
ID: 41873690
I have sent it.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41874342
The header info is conflicting because of a double interplay of Received lines reflecting a server receiving the message from itself via SMTP:
Received: from myserver by myserver via SMTP... a second later than the received.
Only possible if there are two instances of the mail server running.
Further, the Message-ID was added by an external server into which a client authenticated, with the client IP reflected therein.
0
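A checker for the Received: chain walk from the accepted solution and for the "from myserver by myserver" self-delivery pattern arnold points out above. This is an added example, not code from the thread; the headers are constructed (documentation addresses) and the "pickup" test follows arnold's note that such a line means direct injection without an SMTP session.

```python
import email
import re

# Constructed sample headers (not from the thread); topmost Received: is the last hop.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org (Postfix) with ESMTPS id AAA111; Wed, 26 Oct 2016 10:00:03 +0000
Received: from myserver.example.com (myserver.example.com [203.0.113.25])
\tby mx.example.net (Postfix) with ESMTP id BBB222; Wed, 26 Oct 2016 10:00:02 +0000
Received: from myserver.example.com (localhost [127.0.0.1])
\tby myserver.example.com (Postfix) with SMTP id CCC333; Wed, 26 Oct 2016 10:00:01 +0000
Received: from mail pickup service by myserver.example.com; Wed, 26 Oct 2016 10:00:00 +0000
From: sender@example.com
Subject: constructed sample

body
"""

HOP_RE = re.compile(r"from\s+(?P<frm>[^\s;]+).*?\bby\s+(?P<by>[^\s;]+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw_message):
    """Return Received: hops, last handler first, as dicts with from/by/ip/pickup."""
    msg = email.message_from_string(raw_message)
    hops = []
    for line in msg.get_all("Received") or []:
        pickup = "pickup" in line.lower()          # local injection, no SMTP session
        m = HOP_RE.search(line)
        ip = IP_RE.search(line)
        hops.append({"from": None if pickup or not m else m.group("frm").lower(),
                     "by": m.group("by").lower() if m else None,
                     "ip": ip.group(1) if ip else None,
                     "pickup": pickup})
    return hops

def audit_chain(hops):
    """Walk the chain top-down: each hop's 'from' must equal the 'by' of the hop below it."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["pickup"]:
            findings.append(f"hop {i}: injected locally on {hop['by']} (pickup), no SMTP session")
        if hop["from"] and hop["from"] == hop["by"]:
            findings.append(f"hop {i}: {hop['by']} received the message from itself")
        if i + 1 < len(hops) and hop["from"] and hops[i + 1]["by"] and hop["from"] != hops[i + 1]["by"]:
            findings.append(f"hop {i}: from {hop['from']} but the hop below was handled by {hops[i + 1]['by']}")
    return findings
```

Paste the full bounce headers into `parse_hops` and read the findings from the bottom up; the lowest hop's `ip` is the first machine the message is known to have touched.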
 
LVL 27

Expert Comment

by:tliotta
ID: 41875061
There is no requirement that these e-mails are processed by system e-mail services on your server. A process might run on your server that connects (via sockets) to any other e-mail server in the world as long as a route is available. That's no different from how most e-mail clients on PCs work. Such clients are almost trivial to write for anyone familiar with basic sockets programming.
0
 
LVL 8

Expert Comment

by:jako
ID: 41883219
I would log outgoing packets that are directed to any tcp 25 in iptables. I would then sort and dissect the logged packets, set up a local honeypot that has the spammer IP to accept incoming SMTP and set up a static route to it, suspend the sendmail process on the honeypot at an opportune moment, notice a process id from your Debian 7 netstat -pa that has honeypot:25 as its connected endpoint and proceed from here.
1
