Please help massive spam being sent out

I’m currently trying to get a bunch of spam stopped in my server. My internet provider gave me a call and said that they were receiving mass amounts of spam from an email address coming off my server. Here are parts of the logs.
http://pastebin.com/44Dpinjq
If anyone can help me learn how to stop this I will be very grateful. My dad started this business quite a few years ago and I lost him in January, and I had to keep the business going, but sadly I didn’t pay attention when he was trying to teach me how to maintain the servers, and now I’m here trying to learn what is running this and how to stop it. Please also don’t get frustrated if I ask a lot of questions; like I said, I’m trying to learn to keep my dad’s business going, and I’m also only 17.
Another thing popped up in the log, here it is:
2015-07-02 23:07:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZAu8P-0005M5-Bo
2015-07-02 23:07:38 1ZAu8P-0005M5-Bo ** ed@edschooler.com: Too many "Received" headers - suspected mail loop
2015-07-02 23:07:38 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1ZAu8P-0005M5-Bo
2015-07-02 23:07:38 1ZAu8O-0005Ly-23 => ed@edschooler.com R=dnslookup T=remote_smtp H=mail.wecanhost4u.com [174.75.35.98] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 C="250 OK id=1ZAu8P-0005M5-Bo"
2015-07-02 23:07:38 1ZAu8O-0005Ly-23 Completed

Please, if this is the wrong place, guide me to the correct one. I really need to get this fixed; I have angry customers, as I’ve had to keep the servers offline to prevent more spam being sent out.

Need to know a few things:

  • What is your exact setup?
  • What operating system version?
  • What mail server are you using?
  • Are you forwarding mail from LAN to WAN?

Without knowing your exact setup, we can’t really say anything. You could be effectively forwarding spam mail from compromised internal machines or you could be facing a backscatter bomb (your server forwards fake mail from external sources with a fake return address).

Once upon a time, you could set up a mail server. If mail arrived that was not for a local user, you forwarded it.

Then spam was invented.

These days, you have to be very strict in setting up a mail server.

In particular, you must not accept and forward mail unless:

  • the mail originates locally; or
  • the mail was received from a trusted network (typically your LAN); or
  • the sender of the mail has authenticated with a password or some similar method.

At present, it is clear what you are doing. However, the easiest way to become a spam forwarder is to not insist on the above restrictions.

What do you mean by exact setup?
Opensuse 13.1 KDE
Exim, I also have dovecot, fail2ban, spamassassin, deamon (I may be missing more, but these are the ones I know about)
And yes, I’m forwarding mail from LAN to WAN.

I’m really sorry, I may be a real pain. I did not set these servers up, my dad did, and he just passed away in January from cancer and I’m trying to keep his business going, so if I’m not getting the correct information or not understanding, I’m sorry; I’m a complete noob to Linux.

We use authenticated passwords.

Sorry, scratch that: the 13.1 was one of my other servers; the one that is sending out mass spam, as far as I can tell, is running 12.3 KDE. Also, all servers have clamav.

On 2015-07-05 18:36, mindlessghost wrote:

> what do you mean by exact setup?
> Opensuse 13.1
> Exim, I also have dovecot, fail2ban, spamassassin, deamon (I may be
> missing more, but these are the ones I know about)
> and Yes I’m forwarding mail from LAN to WAN
>
> I’m really sorry I may be a real pain, I did not set this servers up my
> dad did, and he just passed away in January from cancer and I’m trying
> to keep his business going, so If I’m not getting the correct
> information or not understand I’m sorry I’m a complete noob to Linux.

Well… My recommendation is to hire someone that understands Linux to
have a good look at those servers, quick. And probably to maintain them.
You can not have a mail server facing outside if you don’t understand
how it works. And… this is not intended as criticism of you, far from
it. You have inherited a setup which you did not create nor really
understand, and you simply need help. It is difficult even for an expert.

By exact setup we mean “all”. What operating system version, yes, but
specifically how email is configured. What faces outside (probably
exim), what exim does with what it gets, the configuration files (at
least for exim). And if there are several machines, how they interact.

I can not help with exim, sorry, I’m not familiar at all with it. I can
not even understand those logs, no background.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Not possible to hire someone, kinda broke. That’s why I’m trying to learn how to fix it myself.

On 2015-07-05 20:06, mindlessghost wrote:
>
> not possible to hire someone, kinda broke. That’s why I’m trying to
> learn how to fix it myself.

Well, let’s hope somebody comes by that understands Exim. If none comes,
you will have to ask on the Exim forum or mail list.

I would consider stopping the mail server meanwhile, though.

Otherwise… you may have to consider redoing the server yourself, so
that you understand how it works and become its admin. I think that may
be easier than understanding a server built by another person.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Considering restarting one of our backup servers and trying to learn how to get mail servers running that way, and if I’m successful then maybe I’ll just redo all the servers, but for the meantime the servers are offline so I’m not getting spam sent out.

You’re most likely acting as a backscatter proxy currently.

Google for backscatter and exim to see how you can put in place protection for it - essentially it involves only accepting mail to email addresses you know and dropping the rest on the floor.

Alright, I’ll look into it and post back, thank you.

On Sun, 05 Jul 2015 17:16:02 +0000, mindlessghost wrote:

> Sorry scratch that, the 13.1 was one of my other servers, the one that
> is sending out mass spam as far as I can tell, is running 12.3 KDE. also
> all servers have clamav

clamav won’t stop spamming.

It’s an anti-virus package - that has nothing to do with spam forwarding.

As others said, start by stopping the mail server service until you can
get it configured properly. It probably is not running with
authentication (if it is and you’re still relaying spam, someone has
guessed the password you’re using, and you need to change it).

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

When you operate an SMTP server (server for outbound mail), there are two basic ways for someone to send spam through your server which may need to be addressed.

An open SMTP relay. If this happens, it’s horrendous. If this happens you can be put on global (world wide) block lists and then be unable to send mail to a large number of others world wide. There are various free testing services which you can use. Try to find one that is reliable without using one run by one of the major block lists (else that would speed up putting you on their list). I see in the log snippet you posted you’ve already come to the attention of, and are being probed by one of these block lists (Spamhaus) but I don’t think your server is responding inappropriately, in other words I <think> your server isn’t an open relay. But you have to check.

A compromised account. The first thing you need to consider and configure appropriately is whether your SMTP server should be facing towards the Internet or only serving the machine itself or the LAN behind it. If you face the Internet, it enables you to send email from anywhere without having to use someone else’s SMTP server, but it exposes you to risk. In other words, if you don’t need to use your server from remote locations, then disable inbound Internet access. Your logfile doesn’t clearly show a compromised account, but your log is only a snippet.

A third possibility, much less likely if you maintain a supported version of openSUSE, is that the machine itself could be compromised. Make sure you’re running a supported version of openSUSE (today, that’s 13.1 and later) and are patching and/or updating constantly.

A fourth possibility is that someone is only accusing you of not taking steps to prevent spamming according to their own opinion without your actually spamming. There are many things various people want without universal acceptance like Yahoo’s SenderID.

There are two suspicious things happening in your logs, but your logs don’t explicitly indicate you’re compromised… but you need to follow up…

  • Spamhaus is probing you. Usually that doesn’t happen unless you’re reported. You need to do an open SMTP relay check and possibly check any of many block lists to see if you’re on them.
  • You’re getting attempts to email from someone claiming an address “mindless@mindlessgamerz.com”. Using a “z” to replace an “s” in a name is a common practice among those claiming to be warez supporters (promotes illegal activity). It’s not clear you’re doing anything more than denying him, but again you need to follow up.

If necessary, ask whoever notified you (your ISP?) if they have details about the supposed spamming.

As I noted above, the quick and simple approach is to simply disable inbound SMTP connections to your SMTP server (you should only have inbound SMTP to your POP/IMAP/whatever mail server). If your SMTP server and mail server are on the same machine, then it gets a bit more complicated separating how each is configured and may require the expertise of someone who supports mail servers regularly.

The alternative to fixing your SMTP mail server is to sign up for an SMTP relay and filtering service, typical cost is about $10/mo/email account. You would then configure your inbound SMTP connections to be only from your subscribed service and let them address proper Internet connection configuring. Services are usually pretty helpful setting up your machine to point securely only to their service. Then, typically you can view/manage/modify settings on their machine through a web dashboard, but they would still protect you from hackers and probing.

HTH,
TSU

I believe it is a compromised account, because all the spam is coming from one email, from what I can tell. I’ve changed his password and am waiting to see if the spam comes back. But I’ve got this: a whole bunch of frozen messages and a few “no IP address found for host”.

http://pastebin.com/Xb1J8wVf

And the ISP said they were getting the mass spam. I would love to take the server up to 13.1 (or later), but I haven’t learned how to configure anything. I’m trying to keep everything from where my dad left it, and upgrading would mean I would have to start all over, and I don’t know a single thing about where to start or how to configure the files, and I am afraid that I may not be able to get the mail servers running again if I do. Also, mindless@mindlessgamerz.com is my email; I started a gaming website a few years back and “gamers” was already taken, so I decided to put a Z instead. Also, I’d rather learn and build my servers correctly than pay some company to do all that. My dad had it running great before he got sick, had spam pretty much minimized in the servers, was always stopping the hack attempts; he never had anything like this happen, but that’s because he learned from his mistakes and made it correctly, and that’s why I’m asking here for some pointers in which way to go to fix all of this. And yes, my SMTP and mail server all run on the same machine.

If your mailserver doesn’t permit deleting the messages in queue directly, the common method is to direct the queue output to a non-existent destination which generally sends them to oblivion…

TSU

2015-07-13 11:46:34 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:46:54 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:47:14 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:47:34 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:47:54 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:48:14 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:48:34 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:48:54 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:49:14 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:49:34 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:49:54 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:50:14 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:50:54 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])

This is being thrown out all over my exim log all of a sudden.

On 2015-07-13 21:46, mindlessghost wrote:

> 2015-07-13 11:46:34 no IP address found for host
> cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection
> from [66.219.103.191])

And it is true, reverse DNS does not work for that host.domain. Look:


cer@minas-tirith:~> host 66.219.103.191
191.103.219.66.in-addr.arpa domain name pointer cdn.cloudybackup.net.103.219.66.in-addr.arpa.
cer@minas-tirith:~> host 191.103.219.66.in-addr.arpa
cer@minas-tirith:~> host cdn.cloudybackup.net.103.219.66.in-addr.arpa.
cer@minas-tirith:~>

> This is being thrown out all over my exim log all the sudden.

The message itself doesn’t mean much, it is only informative. The action
taken by exim would be the important thing to know: is the mail accepted
or rejected?

Notice that the decision is yours to take, there is no absolute. But it
seems to be quite common for mail servers to reject mail from hosts
without complete DNS resolution, direct and reverse. It cuts down on spam.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))
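As an added illustration (not code from the thread, from Exim, or from any of the posters), here is a small Python summariser over constructed lines in Exim's main-log format. It pulls together the three things this thread is chasing: which authenticated login (the A= field on "<=" lines) is submitting most of the mail, which is the account to re-password first in TSU's compromised-account case; the "suspected mail loop" rejections from the first log excerpt; and the repeated "no IP address found" connections counted per source IP. All addresses, hostnames and message IDs in the sample are constructed, and it assumes Exim's default "<=" / "**" line layout.

```python
import re
from collections import Counter

# Constructed sample in Exim main-log format (not the thread's pastebin): an authenticated
# submission and its delivery, a rejected mail loop, and repeated failed-reverse-DNS connects.
SAMPLE_LOG = """\
2015-07-13 11:40:01 1ZAu8O-0005Ly-23 <= bob@example.com H=(WIN-PC) [203.0.113.7] P=esmtpa A=login:bob S=2048
2015-07-13 11:40:02 1ZAu8O-0005Ly-23 => ed@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.2] C="250 OK"
2015-07-13 11:41:10 1ZAu8P-0005M5-Bo ** ed@example.net: Too many "Received" headers - suspected mail loop
2015-07-13 11:46:34 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:46:54 no IP address found for host cdn.cloudybackup.net.103.219.66.in-addr.arpa (during SMTP connection from [66.219.103.191])
2015-07-13 11:50:00 1ZAu8Q-0005N1-Aa <= bob@example.com H=(WIN-PC) [203.0.113.7] P=esmtpa A=login:bob S=4096
2015-07-13 11:50:01 1ZAu8R-0005N2-Bb <= alice@example.com H=(laptop) [192.0.2.9] P=esmtpa A=login:alice S=900
"""

# "<date> <time> [<message-id>] <event>"; Exim message IDs are three base62 groups of 6-6-2 chars.
LINE_RE = re.compile(r'^(\S+ \S+) (?:([A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) )?(.*)$')
AUTH_RE = re.compile(r'\bA=(\S+)')                      # A=<authenticator>:<login> on "<=" lines
IP_RE = re.compile(r'\[(\d+\.\d+\.\d+\.\d+)\]')
NO_RDNS_RE = re.compile(r'no IP address found for host \S+ \(during SMTP connection from \[([^\]]+)\]\)')

def summarise(log_text):
    """Aggregate the events a defender wants when hunting a spamming account."""
    s = {"submissions_per_login": Counter(), "submissions_per_ip": Counter(),
         "mail_loops": [], "no_rdns_per_ip": Counter()}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _ts, msgid, rest = m.groups()
        if rest.startswith("<= "):                      # message accepted into the queue
            auth, ip = AUTH_RE.search(rest), IP_RE.search(rest)
            if auth:                                    # only authenticated submissions are attributed to a login
                s["submissions_per_login"][auth.group(1)] += 1
            if ip:
                s["submissions_per_ip"][ip.group(1)] += 1
        elif rest.startswith("** ") and "suspected mail loop" in rest:
            s["mail_loops"].append((msgid, rest[3:].split(":", 1)[0]))
        else:
            r = NO_RDNS_RE.search(rest)
            if r:                                       # informational line; the ACL verdict is logged separately
                s["no_rdns_per_ip"][r.group(1)] += 1
    return s

def busiest_logins(summary, share=0.5):
    """Logins accounting for at least `share` of authenticated submissions: re-password these first."""
    total = sum(summary["submissions_per_login"].values())
    return [login for login, n in summary["submissions_per_login"].most_common()
            if total and n / total >= share]
```

Run it over a real mainlog with `summarise(open("/var/log/exim/mainlog").read())` (path is an assumption; openSUSE may place it elsewhere) and compare the per-login counts against what each user normally sends.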

Alright, I recently upgraded the server to 13.2, but the spam is still going through somehow, and the account that seemed to be compromised is no longer on the server, but it’s still the user that seems to be sending out the spam? The email is on my other server; I think they’re using the incoming list of the server it is primarily on and using my second server as the outgoing server, but every time I try to send out an email now my server kicks back and says SMTP failed. I’m going to clear my log, let the server run for about an hour and copy the entire log into pastebin and let you guys filter through, and maybe you will see something I am missing and help me solve this mishap.