• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 251

We cannot find the source of the spam emails on our Debian 7 server

We have a Debian 7 server on which Virtualmin-Webmin is installed for serving virtual servers.
Spam emails are being sent continuously and we cannot find out how.

There is NO email system set up on the server at all. The base sendmail was deleted.
For each virtual server there is a separate mail log which works well: the system logs the emails sent by the web pages.
But in the log there is no trace of the spam mails.

The whole server was checked with ClamAV and all the files in its report were deleted. However even after this the spam emails didn't stop.

On the hosting accounts there are custom web pages (created by us), Joomla 1.5-3.5 systems and continuously updated WordPress systems.

For our emails we use an external SMTP server which is user and password protected and stores all outgoing emails.
We couldn't find the spam emails here either.

How can we trace which virtual server is sending the spam emails, and how the emails are sent?

Thank you very much!
1 Solution
Check the incoming log files for IP numbers to see whether the email is really coming from that machine. Any email server should be able to log all of its activity, especially IP numbers. So if you didn't find any log files containing the info you need (the whole first part of the email conversation, from HELO to MAIL FROM, RCPT TO etc.), you should enable that logging first. After you get a few spam mails, you can search the log file either by time or by from/to.
Check the mail log files to see whether the messages are actually leaving your server.
What is your environment?

Are you getting bounce messages? Look at the message headers within the bounce section to confirm the email originated from you.

Your web based email interface might be vulnerable such that it is being used on one of the sites to relay.
I.e. you have a contact-us form; there have been some where, instead of using your form to submit the data, you can structure a request to your web server in which the request includes the sender (not you), the destination (not yours) and the message.

A web based contact script that had this issue is formmail.pl. If you are using a variation of this, the way to eliminate the problem is to restrict formmail.pl by limiting the domains, or better still the specific email addresses, to which it can send email. An email to any other destination will not be sent this way.
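The contact-form relay described in this answer, as an added example (not code from the page, from formmail.pl or from Virtualmin): the relay-able pattern, in which the request supplies both the recipient and the sender, beside a hardened handler that only ever writes to a fixed allow list of addresses, keeps the envelope sender fixed, and refuses CR/LF in anything that lands in a header. It uses Python's standard email module; the field names (recipient, email, subject, message) and the addresses are assumptions.

```python
"""Contact-form mail handler: the relay-able pattern beside a hardened one.

Hypothetical example code, not from the page. Field names and addresses are
assumptions; messages are built but not sent, so it runs offline.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the only inboxes this form may ever write to (the formmail.pl
# fix described above: limit the addresses the script can send to).
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}
ENVELOPE_SENDER = "www-data@example.com"   # fixed; never taken from the form

_CRLF = re.compile(r"[\r\n]")


def build_message_relayable(fields):
    """The formmail.pl-style mistake: recipient and sender come from the request.

    Anyone who can POST to the form chooses both ends of the message, which
    makes the web server an open relay for spam.
    """
    msg = EmailMessage()
    msg["From"] = fields["email"]
    msg["To"] = fields["recipient"]          # attacker-controlled destination
    msg["Subject"] = fields["subject"]
    msg.set_content(fields["message"])
    return msg


def validate_contact_form(fields):
    """Return the reasons a submission must be refused; an empty list means OK."""
    errors = []
    if fields.get("recipient", "") not in ALLOWED_RECIPIENTS:
        errors.append("recipient not on the allow list")
    # A value such as "hi\r\nBcc: victim@..." would otherwise add headers.
    for name in ("email", "subject"):
        if _CRLF.search(fields.get(name, "")):
            errors.append("newline in header field %r" % name)
    if "@" not in parseaddr(fields.get("email", ""))[1]:
        errors.append("visitor address is not an address")
    return errors


def build_message_hardened(fields):
    """Refuse anything validate_contact_form() objects to, then build safely."""
    errors = validate_contact_form(fields)
    if errors:
        raise ValueError("; ".join(errors))
    msg = EmailMessage()
    msg["From"] = ENVELOPE_SENDER                      # never the visitor's address
    msg["Reply-To"] = parseaddr(fields["email"])[1]    # replying to the visitor still works
    msg["To"] = fields["recipient"]
    msg["Subject"] = fields.get("subject", "")[:200]
    msg.set_content(fields.get("message", ""))
    return msg


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one trying to use the form as a relay.
    legit = {"recipient": "sales@example.com", "email": "Bob <bob@example.org>",
             "subject": "quote request", "message": "Please call me."}
    abuse = dict(legit, recipient="victim@example.net", subject="x\r\nBcc: list@example.net")
    print(build_message_hardened(legit).as_string())
    print("abuse refused because:", validate_contact_form(abuse))
```

The same test the form should fail is the one suggested later in this thread: submit to each site's form with an address of your own as the recipient and see whether it arrives. Scripts that take the destination from the request, such as formmail.pl's recipient field or a PHP `mail()` call fed from `$_POST`, are the ones to look for.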
Member_2_7965240Author Commented:
We cannot check the log because the email system was deleted. Do you mean we should reinstall it so that we can check the logs?

We'll check the formmail.pl.

I would think that /var/log/maillog should remain even if you uninstall the mail server. If after uninstalling the email server app, your system is still sending out spam, this means that your web based mailing scripts use SMTP and actually connect to external hosts and transmit messages directly or they use another mail server internal to your organization to send emails through.

The bounceback or email samples you are provided must include the full message headers for you to determine whether the mailings actually originated from your network, and if so which path they took. The header entries of importance to make such a determination are the Received: lines.
These Received: Lines are prepended to the top of the data by each mail server that handles the message.
If this were the message:
Received:  <= This will be the entry from the mail server that handled the message last, as it delivered it to the recipient
Received: <= This will be an entry from the earlier handling mail server
Received: <= This will be the first server that handled the mail

That is the flow of record. The Received: line has the information of from what IP/method and by which mail server the message was handled.
from pickup means direct injection, no SMTP session
from: servername [ip] by current server

Running up the Received: lines, they have to be consistent. The receiver on the earlier line should be reflected as the source on the line above it.

Hope this helps, but to identify it you would have to search all web scripts/pages for the different ways you might be implementing contact-us, contact-me etc. options. One simple thing: scan all cgi-bin referenced paths and make sure you do not have a formmail.pl or formmail.cgi that either was placed there or ..... loaded as part of an old deployment.

Try creating a mail form designating one of your emails as the recipient/sender and see whether your form can submit contact through the other sites and you actually get the email. The one(s) through which your form works are effectively the open relays through which spam is being sent out.
Web client spammer with form/script mimicking form submission <=> internet <=> your web server/client site/processing script <=> internal mail server => back out over the internet to the recipient.
Member_2_7965240Author Commented:
I couldn't find anything in the e-mail source connecting to our server.
Can I send you such an email in private message just to be sure?

Thank you.
Message me with just the full message headers, the information included in the bounce after the error explaining why the message could not be delivered to the recipient.
Member_2_7965240Author Commented:
I have sent it.
The header info is conflicting because of a double interplay Received: line reflecting a server receiving the message from itself via SMTP:
Received: from myserver by myserver via SMTP... a second later than the previous Received.
Only possible if there are two instances of the mail server running.
Further, the Message-ID was added by an external server into which a client authenticated, with the client IP reflected therein.
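The Received: walk described in the earlier answer, and the self-loop and Message-ID anomaly diagnosed just above, as an added example (not code from the page): it parses the Received: lines of a message in transit order, checks that each hop's "by" reappears as the next hop's "from", flags a server that claims to have received the message from itself, and reports where and how the message first entered the mail system. The two sample header blocks are constructed; the first is built to resemble the conflicting case in this thread, with documentation host names and addresses rather than real systems.

```python
"""Walk the Received: chain of a bounced message and flag inconsistencies.

Added example, not code from the page. SAMPLE_CONFLICTING is constructed to
resemble the case discussed above: two "from myserver by myserver" hops one
second apart and a Message-ID stamped by an external server that an
authenticated client connected to. Hosts and addresses are not real systems.
"""
import email
import re

SAMPLE_CONFLICTING = """\
Received: from smtp.external.example (smtp.external.example [203.0.113.9])
\tby mx.recipient.example with ESMTP id A1; Wed, 14 Jun 2017 10:00:05 +0000
Received: from myserver.example.net (myserver.example.net [198.51.100.20])
\tby myserver.example.net via SMTP id A2; Wed, 14 Jun 2017 10:00:03 +0000
Received: from myserver.example.net (myserver.example.net [198.51.100.20])
\tby myserver.example.net via SMTP id A3; Wed, 14 Jun 2017 10:00:02 +0000
Received: from [192.0.2.77] (helo=WORKSTATION)
\tby smtp.external.example with esmtpsa (authenticated) id A4;
\tWed, 14 Jun 2017 10:00:01 +0000
Message-ID: <20170614100001.A4@smtp.external.example>
From: someone@example.org
To: victim@example.net
Subject: constructed sample

"""

# A clean two-hop chain for comparison: each "by" reappears as the next "from".
SAMPLE_CLEAN = """\
Received: from mail.example.org (mail.example.org [198.51.100.5])
\tby mx.recipient.example with ESMTP id B1; Wed, 14 Jun 2017 11:00:02 +0000
Received: from [192.0.2.8] (helo=laptop)
\tby mail.example.org with esmtpsa id B2; Wed, 14 Jun 2017 11:00:01 +0000
Subject: constructed sample

"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)"
                    r"(?:.*?\b(?:with|via)\s+(?P<proto>\S+))?", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\besmtps?a\b|authenticated", re.IGNORECASE)


def _clean(token):
    return token.strip("[]();,").lower()


def parse_received(raw):
    """Return hops in transit order: origin first, final delivery last."""
    msg = email.message_from_string(raw)
    hops = []
    # Each MTA prepends its own line, so the header order is newest first.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())           # unfold continuation lines
        m = HOP_RE.search(flat)
        ip = IP_RE.search(flat)
        lower = flat.lower()
        proto = m.group("proto") if m else None
        hops.append({
            "raw": flat,
            "from": _clean(m.group("from")) if m else None,
            "by": _clean(m.group("by")) if m else None,
            "proto": proto,
            "ip": ip.group(1) if ip else None,
            "auth": bool(AUTH_RE.search(flat)),
            # Local submission ("from pickup", "(from user@host)", "from userid N",
            # "with local"): the mail was handed to the MTA on the box itself,
            # so there is no SMTP client address to trace.
            "local": (lower.startswith("from pickup") or lower.startswith("(from ")
                      or "from userid" in lower
                      or bool(proto and proto.lower() == "local")),
        })
    return hops


def check_chain(hops):
    """Findings that break the rule 'by on one line == from on the next line up'."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["from"] and hop["from"] == hop["by"]:
            findings.append("hop %d: %s received the message from itself (%s)"
                            % (i, hop["by"], hop["proto"]))
        if i + 1 < len(hops):
            nxt = hops[i + 1]
            if hop["by"] and nxt["from"] and hop["by"] != nxt["from"]:
                findings.append("hop %d->%d: %s handed off, but the next hop claims from %s"
                                % (i, i + 1, hop["by"], nxt["from"]))
    return findings


def origin(hops):
    """Earliest hop: where the message entered the mail system, and how."""
    if not hops:
        return None
    h = hops[0]
    return {"ip": h["ip"], "by": h["by"], "authenticated": h["auth"], "local": h["local"]}


if __name__ == "__main__":
    for label, raw in (("conflicting", SAMPLE_CONFLICTING), ("clean", SAMPLE_CLEAN)):
        hops = parse_received(raw)
        print(label, "origin:", origin(hops))
        for f in check_chain(hops) or ["chain is consistent"]:
            print("  ", f)
```

A name mismatch between one hop's "by" and the next hop's "from" is not always abuse (a host may HELO with a name other than the one it logs as), so read the findings against the raw lines; but a hop whose "from" and "by" are the same host, and an origin hop that is an authenticated submission to an external server, are the two signals the comment above is pointing at.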
There is no requirement that these e-mails are processed by system e-mail services on your server. A process might run on your server that connects (via sockets) to any other e-mail server in the world as long as a route is available. That's no different from how most e-mail clients on PCs work. Such clients are almost trivial to write for anyone familiar with basic sockets programming.
I would log outgoing packets that are directed to any tcp 25 in iptables. I would then sort and dissect the logged packets, set up a local honeypot that has the spammer IP to accept incoming SMTP and set up a static route to it, suspend the sendmail process on the honeypot at an opportune moment, notice a process id from your Debian 7 netstat -pa that has honeypot:25 as its connected endpoint and proceed from there.
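The first two steps of the comment above, logging new outbound tcp/25 connections with iptables and matching them to a process, as an added example (not code from the page): the iptables LOG line records the source port (SPT=) of each outbound SMTP session, and that same port appears as the local address in `netstat -tnpe`, which gives the PID, program and owning UID; with Virtualmin each virtual server typically runs as its own Unix user, so the UID points at the hosting account. The kernel log lines and netstat output are constructed samples, and the log prefix "SMTP-OUT: " is an assumption.

```python
"""Find which process on the host opens outbound SMTP connections.

Added example, not from the page. Log lines and netstat output are
constructed samples; the LOG prefix is an assumption. Python 2.7/3 compatible
so it can run on a Debian 7 box as well as on a current system.
"""
import re
import subprocess

# Rule to add on the server (as root). Logging only NEW connections gives one
# line per SMTP session instead of one per packet.
IPTABLES_RULE = ('iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW '
                 '-j LOG --log-prefix "SMTP-OUT: "')

# Constructed /var/log/kern.log lines in the format the LOG target writes.
SAMPLE_KERN_LOG = """\
Jun 14 10:00:01 myserver kernel: [8812.101] SMTP-OUT: IN= OUT=eth0 SRC=198.51.100.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4411 DF PROTO=TCP SPT=45210 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 14 10:00:01 myserver kernel: [8812.402] SMTP-OUT: IN= OUT=eth0 SRC=198.51.100.20 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4412 DF PROTO=TCP SPT=45211 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 14 10:00:03 myserver kernel: [8814.007] SMTP-OUT: IN= OUT=eth0 SRC=198.51.100.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4420 DF PROTO=TCP SPT=45215 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Constructed `netstat -tnpe` snapshot taken while the sessions were open.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 198.51.100.20:45210     203.0.113.9:25          ESTABLISHED 1004       291812      2741/php5-cgi
tcp        0      0 198.51.100.20:45215     203.0.113.9:25          SYN_SENT    1004       291901      2741/php5-cgi
tcp        0      0 198.51.100.20:22        192.0.2.10:51234        ESTABLISHED 0          18820       1102/sshd
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]+) .*SMTP-OUT: .*?SRC=(?P<src>\S+) "
                    r"DST=(?P<dst>\S+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def parse_iptables_log(text):
    """Extract timestamp, destination and source port of every logged SMTP SYN."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25":
            out.append({"ts": m.group("ts"), "dst": m.group("dst"),
                        "spt": int(m.group("spt"))})
    return out


def parse_netstat(text):
    """Map local port -> pid/program/uid/remote from `netstat -tnp[e]` output."""
    conns = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] not in ("tcp", "tcp6"):
            continue
        if len(f) >= 9:                   # -e adds User and Inode columns
            uid, pidprog = f[6], f[8]
        else:
            uid, pidprog = None, f[6]
        if "/" in pidprog:
            pid, prog = pidprog.split("/", 1)
            pid = int(pid)
        else:                             # "-": not root, PID not visible
            pid, prog = None, pidprog
        local_port = int(f[3].rsplit(":", 1)[1])
        conns[local_port] = {"pid": pid, "prog": prog, "uid": uid, "remote": f[4]}
    return conns


def correlate(log_entries, conns):
    """Join each logged connection to the process owning the same source port."""
    hits = []
    for e in log_entries:
        c = conns.get(e["spt"])
        if c is not None:
            hits.append({"ts": e["ts"], "dst": e["dst"], "spt": e["spt"],
                         "pid": c["pid"], "prog": c["prog"], "uid": c["uid"]})
    return hits


def live_snapshot():
    """Take a real snapshot on the host (root needed to see other users' PIDs)."""
    out = subprocess.check_output(["netstat", "-tnpe"])
    return parse_netstat(out.decode("utf-8", "replace"))


if __name__ == "__main__":
    print("add this rule first:\n  " + IPTABLES_RULE)
    for h in correlate(parse_iptables_log(SAMPLE_KERN_LOG), parse_netstat(SAMPLE_NETSTAT)):
        print("%(ts)s -> %(dst)s:25 from local port %(spt)d: pid %(pid)s (%(prog)s) uid %(uid)s" % h)
```

In the sample, local port 45211 is in the kernel log but not in the snapshot: the session had already closed. SMTP sessions from a spam script are short, so take snapshots in a loop (`while sleep 1; do netstat -tnpe; done`) or hold them open with the honeypot and static route described above, then follow the PID with `ps -o user,cmd -p PID` and `ls -l /proc/PID/cwd` to reach the script and the virtual server it belongs to.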