keopp Senior Member
Joined: 08 Nov 2008 Posts: 166 Location: Romania
Posted: Tue Jan 29, 2019 5:59 pm Post subject: Spam email sender unknown
Hi all,
I am in the situation where my server sends SPAM and I cannot trace the source to eliminate it.
In the maillog I see from time to time records like:
Quote:
Jan 29 17:17:44 MailServ postfix/pickup[1672]: 9E2785400302: uid=80 from=<apache>
Jan 29 17:17:44 MailServ postfix/cleanup[3272]: 9E2785400302: hold: header Received: by mail.xxxxxxx.yyy (Postfix, from userid 80)??id 9E2785400302; Tue, 29 Jan 2019 17:17:44 +0200 (EET) from local; from=<apache@xxxxxxx.yyy>
Jan 29 17:17:44 MailServ postfix/cleanup[3272]: 9E2785400302: message-id=<20190129151744.9E2785400302@mail.xxxxxxx.yyy>
Jan 29 17:17:50 MailServ MailScanner[1787]: New Batch: Scanning 1 messages, 25108 bytes
Jan 29 17:17:50 MailServ MailScanner[1787]: Virus and Content Scanning: Starting
Jan 29 17:17:50 MailServ MailScanner[1787]: Delivery of nonspam: message 9E2785400302.A9C74 from apache@xxxxxxx.yyy to lgdick@mymts.net with subject You have authorized a payment to Privacy Pop, LLC
Jan 29 17:17:50 MailServ MailScanner[1787]: Content Checks: Detected and have disarmed web bug tags in HTML message in 9E2785400302.A9C74 from apache@xxxxxxx.yyy
Jan 29 17:17:50 MailServ MailScanner[1787]: Requeue: 9E2785400302.A9C74 to 1C2AF54002FF
Jan 29 17:17:50 MailServ postfix/qmgr[1921]: 1C2AF54002FF: from=<apache@xxxxxxx.yyy>, size=24829, nrcpt=1 (queue active)
Jan 29 17:17:50 MailServ MailScanner[1787]: Uninfected: Delivered 1 messages
Jan 29 17:17:50 MailServ MailScanner[1787]: Deleted 1 messages from processing-database
Jan 29 17:17:52 MailServ postfix/smtp[3281]: 1C2AF54002FF: to=<lgdick@mymts.net>, relay=mx.mymts.net[69.168.103.61]:25, delay=7.5, delays=5.9/0/0.62/0.96, dsn=2.0.0, status=sent (250 2.0.0 OK D6/B0-03578-3EE605C5)
Jan 29 17:17:52 MailServ postfix/qmgr[1921]: 1C2AF54002FF: removed
It is not a php script because I set the trap in php.ini
Code:
mail.add_x_header = On
mail.log = /var/log/phpmail.log
And found nothing related to the excerpt above.
Any help please?
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Wed Jan 30, 2019 11:18 pm
This indicates that the message was sent from a web form or a web script...
Do you have a Joomla or any other CMS with an outdated contact form plugin, or any other input fields that are used to send emails?
gerasimos_h
Superb! Mini Server Project Manager
http://sms.it-ccs.com
keopp Senior Member
Joined: 08 Nov 2008 Posts: 166 Location: Romania
Posted: Thu Jan 31, 2019 12:23 pm
Thank you very much for your answer.
Yes, not a CMS but an old "handmade" php-html website. Its activity was caught by the php.ini trap and I disabled and renamed the script.
But again, as you can see below, the attempt repeated, this time without any record being made in phpmail.log, and this is concerning me.
Quote:
Jan 30 16:54:33 MailServ postfix/pickup[24911]: 04C215400385: uid=80 from=<apache>
Jan 30 16:54:33 MailServ postfix/cleanup[30618]: 04C215400385: hold: header Received: by mail.xxxxxxx.yyy (Postfix, from userid 80)??id 04C215400385; Wed, 30 Jan 2019 16:54:32 +0200 (EET) from local; from=<apache@xxxxxxx.yyy>
Jan 30 16:54:33 MailServ postfix/cleanup[30618]: 04C215400385: message-id=<20190130145433.04C215400385@mail.xxxxxxx.yyy>
Jan 30 16:54:33 MailServ MailScanner[22539]: New Batch: Scanning 1 messages, 22917 bytes
Jan 30 16:54:33 MailServ MailScanner[22539]: Virus and Content Scanning: Starting
Jan 30 16:54:33 MailServ MailScanner[22539]: Delivery of nonspam: message 04C215400385.A8008 from apache@xxxxxxx.yyy to tcosad@xplornet.com with subject Receipt for Your Payment to Scrap of Paradise.
Jan 30 16:54:33 MailServ MailScanner[22539]: Content Checks: Detected and have disarmed web bug tags in HTML message in 04C215400385.A8008 from apache@xxxxxxx.yyy
Jan 30 16:54:33 MailServ MailScanner[22539]: Requeue: 04C215400385.A8008 to 900A45400384
Jan 30 16:54:33 MailServ MailScanner[22539]: Uninfected: Delivered 1 messages
Jan 30 16:54:33 MailServ postfix/qmgr[14932]: 900A45400384: from=<apache@xxxxxxx.yyy>, size=22629, nrcpt=1 (queue active)
Jan 30 16:54:33 MailServ MailScanner[22539]: Deleted 1 messages from processing-database
Jan 30 16:54:33 MailServ MailScanner[22539]: MailScanner child dying of old age
Jan 30 16:54:33 MailServ MailScanner[30912]: MailScanner E-Mail Virus Scanner version 4.84.6 starting...
Jan 30 16:54:33 MailServ MailScanner[30912]: Reading configuration file /opt/MailScanner/etc/MailScanner.conf
Jan 30 16:54:33 MailServ MailScanner[30912]: Reading configuration file /opt/MailScanner/etc/conf.d/README
Jan 30 16:54:33 MailServ MailScanner[30912]: Using SpamAssassin results cache
Jan 30 16:54:33 MailServ MailScanner[30912]: Connected to SpamAssassin cache database
Jan 30 16:54:33 MailServ MailScanner[30912]: Enabling SpamAssassin auto-whitelist functionality...
Jan 30 16:54:36 MailServ MailScanner[30912]: Connected to Processing Attempts Database
Jan 30 16:54:36 MailServ MailScanner[30912]: Found 0 messages in the Processing Attempts Database
Jan 30 16:54:36 MailServ MailScanner[30912]: Using locktype = flock
Jan 30 16:54:36 MailServ postfix/smtp[30911]: 900A45400384: to=<tcosad@xplornet.com>, relay=mx.xplornet.com.cust.a.hostedemail.com[216.40.42.4]:25, delay=3.7, delays=0.56/0.01/1.3/1.8, dsn=2.0.0, status=sent (250 Ok Queued as rock52_156def197c831)
Jan 30 16:54:36 MailServ postfix/qmgr[14932]: 900A45400384: removed
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Thu Jan 31, 2019 10:24 pm
Check your mail queue with "mailq" and delete the undelivered spam messages with "postsuper -d {ID}", or use "postsuper -d ALL" to delete the whole queue...
Also, if your php-html website had a MySQL database, look in the database too for stored spam messages...
I've seen that in joomla sites where I had to clean databases too.
gerasimos_h
Superb! Mini Server Project Manager
http://sms.it-ccs.com
keopp Senior Member
Joined: 08 Nov 2008 Posts: 166 Location: Romania
Posted: Fri Feb 01, 2019 1:28 am
OK, thanks
The mailq is empty.
I'll search about mysql database and post what found.
In the meantime, another email was sent from uid=80 apache without being recorded in phpmail.log ... strange...
Quote:
Jan 31 18:41:04 MailServ postfix/pickup[28047]: E1F635400404: uid=80 from=<apache>
Jan 31 18:41:07 MailServ MailScanner[31230]: Delivery of nonspam: message E1F635400404.AA192 from apache@xxxxxxx.yyy to buckb@sasktel.net with subject You submitted an order in the amount of .53 USD to Musictoday II, LLC
....
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Fri Feb 01, 2019 2:43 pm
What does your access log say...
It should at least give you the page or link visited...
What SMS version are you running?
gerasimos_h
Superb! Mini Server Project Manager
http://sms.it-ccs.com
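As an added example (not code from the thread or from the SMS project), this does the correlation suggested above over constructed log lines modelled on the maillog excerpts in the thread: for every message Postfix picked up locally from a watched uid (80 = apache), it joins the MailScanner delivery details (recipient, subject, requeued queue id) and lists any POST requests in the Apache access log within a short window of the pickup time. It assumes the syslog year (2019) and that both logs use the server's local clock; host names, addresses, paths and queue ids are placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample maillog lines modelled on the excerpts in this thread
# (hostnames, addresses and queue ids are placeholders, not real data).
MAILLOG = """\
Jan 30 16:54:33 MailServ postfix/pickup[24911]: 04C215400385: uid=80 from=<apache>
Jan 30 16:54:33 MailServ MailScanner[22539]: Delivery of nonspam: message 04C215400385.A8008 from apache@example.test to victim@example.net with subject Receipt for Your Payment
Jan 30 16:54:33 MailServ MailScanner[22539]: Requeue: 04C215400385.A8008 to 900A45400384
Jan 30 17:02:10 MailServ postfix/pickup[24911]: 11AA55400390: uid=1001 from=<alice>
"""
# Constructed Apache combined-format access log lines (hypothetical paths).
ACCESS_LOG = """\
203.0.113.7 - - [30/Jan/2019:16:54:31 +0200] "POST /old-site/contact.php HTTP/1.1" 200 812
198.51.100.9 - - [30/Jan/2019:16:20:00 +0200] "GET /index.html HTTP/1.1" 200 5120
"""
YEAR = 2019  # syslog lines carry no year; assumed here

PICKUP = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
DELIVERY = re.compile(r"MailScanner\[\d+\]: Delivery of \w+: message (\w+)\.\w+ from (\S+) to (\S+) with subject (.*)$")
REQUEUE = re.compile(r"MailScanner\[\d+\]: Requeue: (\w+)\.\w+ to (\w+)")
POST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+)')

def syslog_time(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def trace_uid_mail(maillog, access_log, watch_uids=("80",), window=timedelta(seconds=30)):
    """One record per message Postfix picked up locally from a watched uid, joined with
    the MailScanner delivery details and any POST requests logged within `window`."""
    posts = []
    for line in access_log.splitlines():
        if m := POST.match(line):
            # both logs are assumed to share the server's local clock, so drop the offset
            t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            posts.append((t, m.group(1), m.group(3)))
    records = {}
    for line in maillog.splitlines():
        if (m := PICKUP.match(line)) and m.group(3) in watch_uids:
            t = syslog_time(m.group(1))
            records[m.group(2)] = {
                "time": t, "uid": m.group(3), "sender": m.group(4),
                "rcpt": None, "subject": None, "requeued_as": None,
                "nearby_posts": [(ip, path) for pt, ip, path in posts if abs(pt - t) <= window]}
        elif (m := DELIVERY.search(line)) and m.group(1) in records:
            records[m.group(1)].update(rcpt=m.group(3), subject=m.group(4))
        elif (m := REQUEUE.search(line)) and m.group(1) in records:
            records[m.group(1)]["requeued_as"] = m.group(2)
    return records
```

On a real server, read /var/log/maillog and the per-site access logs into the two arguments; a pickup record with an empty nearby_posts list means the injection did not come through a logged HTTP request, which is the situation described later in this thread.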
keopp Senior Member
Joined: 08 Nov 2008 Posts: 166 Location: Romania
Posted: Sat Feb 02, 2019 10:06 pm
There are several sites hosted on the server. I've searched every access log file around the last attempt for a POST record. Nothing.
SMS version is 2.0.9, clean install, then migrated websites.
Spam attempts are rare, like once a day, but annoyingly without any trace...
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Sat Feb 02, 2019 10:58 pm
Do you have webmin active, and if yes is it updated..?
I can take a look at your server if you like, 4 eyes are better than 2...
gerasimos_h
Superb! Mini Server Project Manager
http://sms.it-ccs.com
keopp Senior Member
Joined: 08 Nov 2008 Posts: 166 Location: Romania
Posted: Sun Feb 03, 2019 1:37 am
No, webmin disabled.
PM sent.