

We cannot find the source of the spam emails on our Debian 7 server

Posted on 2016-10-26
Medium Priority
Last Modified: 2016-11-11
We have a Debian 7 server on which Virtualmin-Webmin is installed for serving virtual servers.
Spam emails are being sent continuously and we cannot find out how.

There is NO email system set up on the server at all. The base sendmail was deleted.
For each virtual server there is a separate mail log which works well: the system logs the emails sent by the web pages.
But in the log there is no trace of the spam mails.

The whole server was checked with ClamAV and all the files in its report were deleted. However, even after this the spam emails didn't stop.

On the hosting accounts there are custom websites (created by us), Joomla 1.5-3.5 systems and continuously updated WordPress systems.

For our emails we use an external SMTP server which is user and password protected and stores all outgoing emails.
We couldn't find the spam emails here either.

How can we trace which virtual server the spam emails are sent from, and how they are sent?

Thank you very much!
Question by:Member_2_7965240
LVL 37

Expert Comment

ID: 41860536
Check the incoming log files for IP numbers to see if the email is really coming from that machine. Any email server should be able to log all its activity, especially IP numbers. So if you didn't find any log files containing the info you need (the whole first part of the email conversation, from HELO to MAIL FROM, RCPT TO etc.), you should enable that first. After you get a few spam mails, you can search the log file either by time or by from/to.
LVL 80

Expert Comment

ID: 41860598
Check the mail log files to see whether the messages are actually leaving your server.
What is your environment?

Are you getting bounce messages? Look at the message headers within the bounce section to confirm the email originated from you.

Your web-based email interface might be vulnerable such that it is being used on one of the sites to relay.
I.e. you have a contact-us form; with some of these, instead of using your form to submit the data, one can structure a request to your web server where the request includes the sender (not you), the destination (not yours) and the message.

A web-based contact script that had this issue is formmail.pl. If you are using a variation of this, the way to eliminate the problem is by restricting formmail.pl, limiting the domains or, better still, the specific email addresses to which it can email. Email to any other destination will not be sent this way.

Author Comment

ID: 41862232
We cannot check the log because the email system was deleted. Do you mean we should reinstall it so that we can check the logs?

We'll check the formmail.pl.

LVL 80

Accepted Solution

arnold earned 2000 total points
ID: 41862408
I would think that /var/log/maillog should remain even if you uninstall the mail server. If after uninstalling the email server app your system is still sending out spam, this means that your web-based mailing scripts use SMTP and actually connect to external hosts and transmit messages directly, or they use another mail server internal to your organization to send emails through.

The bounceback or email samples you are provided must include the full message headers for you to determine whether the mailings actually originated from your network, and if so which path they took. The header entries of importance to make such a determination are the Received: lines.
These Received: lines are prepended to the top of the data by each mail server that handles the message.
If this was the message:
Received: <= This will be the entry from the mail server that handled the message last, as it delivered it to the recipient
Received: <= This will be an entry from the earlier handling mail server
Received: <= This will be the first server that handled the mail

That is the flow of record. The Received: line has the information of from what IP/method and by which mail server the message was handled.
"from pickup" means direct injection, no SMTP session.
"from servername [ip] by currentserver" means an SMTP handoff.

Running up the Received: lines, they have to be consistent. The receiver on the earlier line should be reflected as the source on the line above it.

Hope this helps, but to identify the source you would have to search all web scripts/pages for the different ways you might be implementing "contact us", "contact me" etc. options. One simple thing: scan all cgi-bin referenced paths and make sure you do not have a formmail.pl or formmail.cgi that either was placed there or was loaded as part of an old deployment.

Try creating a mail form designating one of your emails as the recipient/sender and see whether your form can submit contact through the other sites and you actually get the email. The one(s) through which your form works are effectively the open relays through which spam is being sent out:
Web client spammer with form/script mimicking form submission <=> internet <=> your web server/client site/processing script <=> internal mail server => back out over the internet to the recipient.
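The following is an added example written for this thread; it is not code from any post above and it is not formmail.pl. It shows in plain Python the abuse the earlier formmail.pl comment describes and the restriction it recommends, and the constructed ATTACK_BODY doubles as the probe the accepted solution suggests posting against your own sites' forms. A handler that takes the destination from the request (the classic "recipient" field) will mail anyone the client names; the hardened handler only delivers to a fixed allowlist, fixes the From: address and refuses fields that would inject extra headers. All mailbox names, field names and addresses are constructed assumptions.

```python
"""Contact-form mailer abused as a relay, and a restricted version.

Added example for this thread, not code from any post or from formmail.pl.
All addresses and field names below are constructed assumptions.
"""
import re
from email.message import EmailMessage
from urllib.parse import parse_qs

# Assumed site configuration: the only mailboxes the form may reach.
ALLOWED_RECIPIENTS = {"sales@mysite.example", "info@mysite.example"}
SITE_SENDER = "webform@mysite.example"        # fixed From: for all form mail
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed POST bodies. ATTACK_BODY is what a spammer's script sends;
# it is also the probe to replay against your own sites' form endpoints.
ATTACK_BODY = ("recipient=victim%40recipient.example&email=promo%40example.org"
               "&subject=Cheap+offer&message=Buy+now")
LEGIT_BODY = ("recipient=sales%40mysite.example&email=visitor%40example.net"
              "&subject=Quote&message=Hello")
INJECT_BODY = ("recipient=sales%40mysite.example"
               "&email=x%40example.net%0ABcc%3A+victim%40recipient.example&message=hi")


class FormRejected(ValueError):
    """Raised by the hardened handler when a request must not be mailed."""


def fields_from_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_handler(fields: dict) -> EmailMessage:
    """Open-relay pattern: To, From and Subject all come from the client."""
    msg = EmailMessage()
    msg["To"] = fields["recipient"]
    msg["From"] = fields["email"]
    msg["Subject"] = fields.get("subject", "Contact form")
    msg.set_content(fields.get("message", ""))
    return msg


def hardened_handler(fields: dict) -> EmailMessage:
    """Same form, but the destination is checked against the allowlist first."""
    recipient = fields.get("recipient", "")
    if recipient not in ALLOWED_RECIPIENTS:
        raise FormRejected(f"recipient {recipient!r} is not an allowed mailbox")
    # A CR or LF in any header-bound field would let the client add Bcc:/To: lines.
    for name in ("email", "subject", "name"):
        if re.search(r"[\r\n]", fields.get(name, "")):
            raise FormRejected(f"header injection attempt in field {name!r}")
    reply_to = fields.get("email", "")
    if reply_to and not ADDR_RE.match(reply_to):
        raise FormRejected("malformed visitor address")
    msg = EmailMessage()
    msg["To"] = recipient
    msg["From"] = SITE_SENDER                 # never the visitor's address
    if reply_to:
        msg["Reply-To"] = reply_to            # visitor goes here, where it cannot spoof
    msg["Subject"] = (fields.get("subject") or "Contact form")[:200]
    msg.set_content(fields.get("message", ""))
    return msg


if __name__ == "__main__":
    relayed = vulnerable_handler(fields_from_body(ATTACK_BODY))
    print("vulnerable handler would mail:", relayed["To"], "from", relayed["From"])
    for body in (ATTACK_BODY, INJECT_BODY, LEGIT_BODY):
        try:
            ok = hardened_handler(fields_from_body(body))
            print("hardened handler accepted mail to", ok["To"])
        except FormRejected as exc:
            print("hardened handler rejected:", exc)
```

To run the probe the accepted solution describes, POST ATTACK_BODY to each site's form endpoint (for example `curl -d "$BODY" https://site/path/to/form-handler`, path assumed) with `recipient` set to one of your own mailboxes; any site that delivers it is the relay.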

Author Comment

ID: 41869884
I couldn't find anything in the e-mail source connecting to our server.
Can I send you such an email in private message just to be sure?

Thank you.
LVL 80

Expert Comment

ID: 41870698
Message me with just the full message headers: the information included in the bounce after the error explaining why the message could not be delivered to the recipient.

Author Comment

ID: 41873690
I have sent it.
LVL 80

Expert Comment

ID: 41874342
The header info is conflicting because of a double entry: a Received: line reflecting a server receiving the message from itself via SMTP,
Received: from myserver by myserver via SMTP... a second later than the preceding Received: line.
Only possible if there are two instances of the mail server running.
Further, the Message-ID was added by an external server into which a client authenticated, with the client IP reflected therein.
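The header walk from the accepted solution and the two observations in the comment just above (a server that records receiving the message from itself, and a Message-ID minted by the server a client authenticated to) can be applied mechanically. The block below is an added example written for this thread, not code from any post: it parses the Received: chain of a constructed bounce header, checks that each hop's "by" server is the "from" server of the hop recorded above it, flags any self-referencing hop, and pairs the Message-ID host with the Received: line that shows the submitting client's IP and whether the session was authenticated (Postfix's ESMTPA/ESMTPSA). The sample headers use documentation hosts and IPs only; the analysis runs the same on a real bounce.

```python
"""Walk the Received: chain in a bounce's embedded headers.

Added example for this thread (not code from any post in it).
Hosts and IPs in SAMPLE_HEADERS are constructed documentation addresses.
"""
import re
import email
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. Header order is newest first, so the last Received:
# line is the first server that handled the message. The third line is a
# self-referencing hop of the kind discussed in the comment above.
SAMPLE_HEADERS = """\
Received: from mx.isp.example (mx.isp.example [198.51.100.7])
    by mail.recipient.example (Postfix) with ESMTP id 4B2C1F
    for <victim@recipient.example>; Wed, 26 Oct 2016 10:00:03 +0000
Received: from smtp.hosting.example (smtp.hosting.example [203.0.113.10])
    by mx.isp.example with ESMTPS id 9f3a; Wed, 26 Oct 2016 10:00:02 +0000
Received: from smtp.hosting.example (smtp.hosting.example [203.0.113.10])
    by smtp.hosting.example with SMTP id 7e1d; Wed, 26 Oct 2016 10:00:01 +0000
Received: from www.victimhost.example (www.victimhost.example [192.0.2.5])
    by smtp.hosting.example (Postfix) with ESMTPA id 1a2b; Wed, 26 Oct 2016 10:00:00 +0000
Message-ID: <20161026100000.1a2b@smtp.hosting.example>
From: "Promo" <promo@example.org>
To: victim@recipient.example
Subject: constructed sample

body
"""

HOP_RE = re.compile(
    r"from\s+(?P<from_host>[^\s(;]+)"        # name the sender gave in HELO/EHLO
    r"(?:\s*\((?P<from_info>[^)]*)\))?"      # "(rdns [ip])" as recorded by the receiver
    r".*?\bby\s+(?P<by_host>[^\s(;]+)",      # the server that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\bwith\s+E?SMTPS?A\b", re.IGNORECASE)  # Postfix: ESMTPA/ESMTPSA = authenticated


@dataclass
class Hop:
    from_host: str
    from_ip: Optional[str]
    by_host: str
    authenticated: bool
    raw: str


def parse_received(raw_headers: str) -> List[Hop]:
    """Received: lines in header order (last handler first); lines without a from/by pair are skipped."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())                 # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip = IP_RE.search(m.group("from_info") or "")
        hops.append(Hop(m.group("from_host").lower(), ip.group(1) if ip else None,
                        m.group("by_host").lower(), bool(AUTH_RE.search(flat)), flat))
    return hops


def check_chain(hops: List[Hop]):
    """Return (origin_hop, findings) after walking the chain oldest to newest."""
    chrono = list(reversed(hops))
    findings = []
    for i, hop in enumerate(chrono, start=1):
        if hop.from_host == hop.by_host:
            findings.append(f"hop {i}: {hop.by_host} claims to have received the message from itself")
        if i < len(chrono) and chrono[i].from_host != hop.by_host:
            findings.append(f"hop {i + 1}: says 'from {chrono[i].from_host}' but hop {i} was handled by {hop.by_host}")
    return (chrono[0] if chrono else None), findings


def message_id_host(raw_headers: str) -> Optional[str]:
    """Domain part of the Message-ID, i.e. the server that assigned it."""
    mid = email.message_from_string(raw_headers).get("Message-ID", "")
    m = re.search(r"@([^>\s]+)", mid)
    return m.group(1).lower() if m else None


def submitting_client(hops: List[Hop], mid_host: str) -> Optional[Hop]:
    """Oldest hop written by the Message-ID host: its from_ip is the client that submitted the message."""
    for hop in reversed(hops):
        if hop.by_host == mid_host:
            return hop
    return None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    origin, findings = check_chain(hops)
    print("first handler saw the message from", origin.from_host, origin.from_ip)
    for f in findings:
        print("inconsistency:", f)
    mid_host = message_id_host(SAMPLE_HEADERS)
    client = submitting_client(hops, mid_host)
    if client:
        print(f"Message-ID minted by {mid_host}; submitted from {client.from_ip}, authenticated={client.authenticated}")
```

Paste the headers from a real bounce in place of SAMPLE_HEADERS; if the submitting client's IP is one of your virtual servers and the session is authenticated, the credentials used on that external SMTP server are what the spam script is driving.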
LVL 27

Expert Comment

ID: 41875061
There is no requirement that these e-mails are processed by system e-mail services on your server. A process might run on your server that connects (via sockets) to any other e-mail server in the world as long as a route is available. That's no different from how most e-mail clients on PCs work. Such clients are almost trivial to write for anyone familiar with basic sockets programming.

Expert Comment

ID: 41883219
I would log outgoing packets directed to any TCP port 25 in iptables. I would then sort and dissect the logged packets, set up a local honeypot that has the spammer's target IP and accepts incoming SMTP, set up a static route to it, suspend the sendmail process on the honeypot at an opportune moment, note the process ID from netstat -pa on your Debian 7 box that has honeypot:25 as its connected endpoint, and proceed from there.
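The last step of that procedure, finding which process on the Debian host holds the connection to port 25, can be done without netstat by reading what netstat itself reads. The block below is an added example for this thread, not code from any post: it parses the /proc/net/tcp table (addresses are printed as hex words in host byte order, ports as big-endian hex), keeps sockets whose peer port is 25, and maps each socket inode to the owning PID and command line through /proc/<pid>/fd. SAMPLE_PROC_NET_TCP is a constructed table so the decoding can be exercised offline; the PID lookup only works against the live /proc, and as root.

```python
"""Find the processes behind outbound TCP connections to port 25.

Added example for this thread (not code from any post in it); a minimal
"netstat -pa" replacement built on /proc. SAMPLE_PROC_NET_TCP is constructed.
"""
import glob
import os
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMTP_PORT = 25
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed /proc/net/tcp excerpt: a listener on :80, one established and one
# half-open connection from 10.0.2.15 to 203.0.113.10:25 owned by uid 33
# (www-data on Debian), and an unrelated HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 18001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B26E 0A7100CB:0019 01 00000000:00000000 00:00000000 00000000    33        0 54321 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:9C40 016433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 54400 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:B270 0A7100CB:0019 02 00000000:00000001 01:00000012 00000000    33        0 54322 1 0000000000000000 20 4 30 10 -1
"""


@dataclass
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int
    inode: int
    pid: Optional[int] = None
    cmdline: Optional[str] = None


def decode_addr(hexaddr: str) -> Tuple[str, int]:
    """'0100007F:0019' -> ('127.0.0.1', 25).

    The kernel prints the IPv4 address as a 32-bit word in host byte order, so on
    little-endian x86/ARM the octets appear reversed; repacking little-endian
    restores network order. The port is plain big-endian hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Conn]:
    """Parse the IPv4 TCP table; columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ..."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[0] == "sl":
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        conns.append(Conn(lip, lport, rip, rport, TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return conns


def outbound_smtp(conns: List[Conn]) -> List[Conn]:
    """Sockets talking to a remote port 25 (listeners have remote 0.0.0.0:0 and are excluded)."""
    return [c for c in conns if c.remote_port == SMTP_PORT and c.state != "LISTEN"]


def pid_for_inode(inode: int) -> Optional[Tuple[int, str]]:
    """Scan /proc/<pid>/fd for 'socket:[inode]'; other users' processes need root."""
    target = f"socket:[{inode}]"
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pid = int(fd.split("/")[2])
                with open(f"/proc/{pid}/cmdline", "rb") as fh:
                    cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
                return pid, cmd
        except OSError:
            continue  # process exited or fd not readable
    return None


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = parse_proc_net_tcp(fh.read())
    for c in outbound_smtp(live):
        hit = pid_for_inode(c.inode)
        if hit:
            c.pid, c.cmdline = hit
        print(f"{c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} "
              f"{c.state} uid={c.uid} pid={c.pid} cmd={c.cmdline!r}")
```

Run it in a loop (or from the iptables LOG hook's timing; `iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW -j LOG --log-prefix "SMTP-OUT "` logs each new outbound SMTP connection to the kernel log) so the connection is caught while it is open; a short-lived PHP mailer will only show up for a second or two. IPv6 peers live in /proc/net/tcp6 with 128-bit addresses and are not decoded here.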
