Problems with Email
I thought I had everything set up correctly in postfix. I even did a Google "Sanity" MX check and was able to set up everything but DMARC (because I use Aweber).
Is there any way to fix this? MXToolbox says I need to set up reverse PTR and that I have a SMTP Banner Mismatch. I believe I did this a while back also with reverse DNS in the Linode Admin panel (same thing?). I'm not sure what unraveled here but it has me really worried.
Please help.
Notes: Ubuntu 12.04 LTS, Nginx server is secured by fail2ban. I have the most powerful security plugins set up in WordPress. Most of the ports on the server are either filtered or unreachable. Server is passwordless SSH. Wondering if this is enough at this point.
10 Replies
v=spf1 +a +mx +ip4:[MYSERVERIP] +a:aweber.com +include:_spf.google.com ~all
First is an insecure web form that generates e-mail. Check any WordPress plugins or other web applications you have running. Anything which allows the user to specify a destination e-mail address is a potential problem. This includes less-obvious things such as a plugin which lets users e-mail each other - if spammers can create an unverified account with someone else's e-mail address, they then have an avenue to spam that user.
Select one of the Yahoo destination e-mail addresses and look through your mail logs for the first occurrence of that address to see if the source is local. The following log examples show what this might look like (localhost will appear as 127.0.0.1 instead of ::1 if you don't have IPv6 set up):
# Local message submitted via sendmail command
Jun 19 03:51:13 linode postfix/pickup[9252]: 341F6119B: uid=0 from=<root>
Jun 19 03:51:13 linode postfix/cleanup[9992]: 341F6119B: message-id=<20150619075113.341F6119B@example.org>
Jun 19 03:51:13 linode postfix/qmgr[2281]: 341F6119B: from=<root@example.org>, size=617, nrcpt=1 (queue active)
Jun 19 03:51:13 linode postfix/cleanup[9992]: 39C41116B: message-id=<20150619075113.341F6119B@example.org>
Jun 19 03:51:13 linode postfix/qmgr[2281]: 39C41116B: from=<root@example.org>, size=742, nrcpt=6 (queue active)
Jun 19 03:51:13 linode postfix/local[9995]: 341F6119B: to=<root@example.org>, relay=local, delay=0.05, delays=0.02/0.02/0/0.01, dsn=2.0.0, status=sent (forwarded as 39C41116B)
Jun 19 03:51:13 linode postfix/qmgr[2281]: 341F6119B: removed
# Local message submitted via SMTP
Jun 7 09:22:11 linode postfix/smtpd[24385]: connect from localhost[::1]
Jun 7 09:22:11 linode postfix/smtpd[24385]: 9A8FEC57: client=localhost[::1]
Jun 7 09:22:11 linode postfix/cleanup[24409]: 9A8FEC57: message-id=<mailman.59.1433683330.2122.example@example.org>
Jun 7 09:22:11 linode postfix/qmgr[2300]: 9A8FEC57: from=<mailman-bounces@none.example.org>, size=10664, nrcpt=1 (queue active)
Jun 7 09:22:11 linode postfix/smtpd[24385]: disconnect from localhost[::1]
Jun 7 09:22:12 linode postfix/smtp[24407]: 9A8FEC57: to=<someoneelse@elsewhere.org>, relay=smtp.elsewhere.org[1.2.3.4]:25, delay=0.6, delays=0.04/0/0.49/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 23C8CA3EE)
Jun 7 09:22:12 linode postfix/qmgr[2300]: 9A8FEC57: removed
The second most likely source is that Postfix is improperly configured to relay messages. Supposedly MXToolbox checks for this, but it may not be foolproof. You can look in your logs for the first occurrence of a victim e-mail address and see if it's preceded by a connect message from a non-local source, such as this:
Jun 7 07:34:19 linode postfix/smtpd[23139]: connect from 5r4wv.sabbage.eu[64.74.161.39]
Jun 7 07:34:19 linode postfix/smtpd[23139]: 8B1C0C55: client=5r4wv.sabbage.eu[64.74.161.39]
Jun 7 07:34:19 linode postfix/cleanup[23140]: 8B1C0C55: message-id=<105018811725353010501214209112475250@5r4wv.sabbage.eu>
Jun 7 07:34:19 linode postfix/qmgr[2300]: 8B1C0C55: from=<onlineeducationtoday@sabbage.eu>, size=7530, nrcpt=1 (queue active)
Jun 7 07:34:19 linode postfix/local[23141]: 8B1C0C55: to=<example@example.org>, relay=local, delay=0.38, delays=0.21/0.02/0/0.16, dsn=2.0.0, status=sent (delivered to command: /usr/lib/mailman/mail/mailman post example)
Jun 7 07:34:19 linode postfix/qmgr[2300]: 8B1C0C55: removed
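As an added example (not from the thread), a small Python triage script that applies the procedure described above: walk the mail log to the first delivery addressed to a victim, then report how that queue ID entered Postfix, distinguishing a local pickup submission (with the submitting uid), a local SMTP client on localhost, and a remote SMTP client that would point at a relay problem. The log excerpt it runs on is constructed, with TEST-NET addresses standing in for real hosts.

```python
import re
from ipaddress import ip_address

# Constructed sample log (not from the thread) covering the three origins the reply
# describes: local sendmail/pickup, local SMTP via localhost, and a remote SMTP client.
SAMPLE_LOG = """\
Jun 19 03:51:13 linode postfix/pickup[9252]: 341F6119B: uid=33 from=<www-data>
Jun 19 03:51:13 linode postfix/smtp[9995]: 341F6119B: to=<victim1@example.net>, relay=mx.example.net[192.0.2.25]:25, status=sent
Jun  7 09:22:11 linode postfix/smtpd[24385]: connect from localhost[::1]
Jun  7 09:22:11 linode postfix/smtpd[24385]: 9A8FEC57: client=localhost[::1]
Jun  7 09:22:12 linode postfix/smtp[24407]: 9A8FEC57: to=<victim2@example.net>, relay=mx.example.net[192.0.2.25]:25, status=sent
Jun  7 07:34:19 linode postfix/smtpd[23139]: connect from unknown[203.0.113.7]
Jun  7 07:34:19 linode postfix/smtpd[23139]: 8B1C0C55: client=unknown[203.0.113.7]
Jun  7 07:34:19 linode postfix/smtp[23141]: 8B1C0C55: to=<victim3@example.net>, relay=mx.example.net[192.0.2.25]:25, status=sent
"""

# syslog prefix, postfix daemon name, queue ID, then the rest of the record
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)$")
CLIENT_RE = re.compile(r"client=(\S+?)\[([^\]]+)\]")
TO_RE = re.compile(r"\bto=<([^>]*)>")

def is_local_ip(ip):
    """Loopback check for 127.0.0.1, ::1 and IPv4-mapped loopback addresses."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address has this attribute
    return addr.is_loopback or (mapped is not None and mapped.is_loopback)

def classify_first_delivery(log, victim):
    """Return (queue_id, origin) for the first message addressed to `victim`."""
    origin = {}  # queue ID -> how the message was injected into Postfix
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "connect from" lines carry no queue ID; the client= line does
        proc, qid, rest = m.groups()
        if proc == "pickup":  # local sendmail(1) / PHP mail() submission; uid names the account
            uid = re.search(r"uid=(\d+)", rest)
            origin[qid] = "local pickup (uid=%s)" % (uid.group(1) if uid else "?")
        elif proc == "smtpd" and (c := CLIENT_RE.search(rest)):
            host, ip = c.groups()
            kind = "local SMTP" if is_local_ip(ip) else "REMOTE SMTP (possible open relay)"
            origin[qid] = "%s from %s[%s]" % (kind, host, ip)
        t = TO_RE.search(rest)
        if t and t.group(1).lower() == victim.lower():
            return qid, origin.get(qid, "origin not in this log excerpt")
    return None, "no delivery to %s found" % victim
```

Run it against the real /var/log/mail.log contents with one of the victim addresses; a uid of 33 on Ubuntu is www-data, which points back at the web stack rather than at Postfix itself.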
Sadly I did not keep any copies of the mails that were in queue. After learning that 100,000 emails were bouncing around in my queue I freaked out and deleted them all before I could do any sort of forensics. I did try to restore a backup to my server to see if I could find it that way but the incident occurred between backups.
I will take a look at any and all plugins to see if any are at risk. I know I did have issues with files being uploaded to the wordfence cache folder and other folders. I think I cleaned it up ok (I wasn't able to find a cause for that incident either). One of them was a "proxy.php" file which may have been used for locally relaying emails as you mentioned. Certainly the domain in question has been under attack for the last few days so I'm going to take a closer look at the WordPress files.
And if this incident happens again (hopefully it won't), I know what to look for.
Thanks again for your help.
(BTW, my log example for relaying is not 100% exactly what you'd see - in this case, the destination was a local address.)
Here is the mail log. I'm at the point of just shutting down my server after all these years. I have no idea how to fix this and starting from scratch is not really an option. I set up the server using a script and info from VPSBible.com. That site is pretty much halfway workable (long story: it went through changes and left some of its original users in the dark). I learned to shore up things pretty much. At some point I was using OSSEC but later I got sick of the emails it sent.
Dec 16 16:26:38 mymail postfix/cleanup[16801]: 244D12411C: message-id=<
Dec 16 16:26:38 mymail postfix/qmgr[17107]: 244D12411C: from=<
Dec 16 16:26:38 mymail postfix/error[11189]: 244D12411C: to=<
Dec 16 16:26:38 mymail postfix/pickup[16692]: 27AF52411D: uid=33 from=<
Dec 16 16:26:38 mymail postfix/cleanup[16801]: 27AF52411D: message-id=<
Dec 16 16:26:38 mymail postfix/qmgr[17107]: 27AF52411D: from=<
Dec 16 16:26:38 mymail postfix/error[11192]: 27AF52411D: to=<
Dec 16 16:26:38 mymail postfix/pickup[16692]: 2B00E2411E: uid=33 from=<
Dec 16 16:26:38 mymail postfix/cleanup[16801]: 2B00E2411E: message-id=<
Dec 16 16:26:38 mymail postfix/qmgr[17107]: 2B00E2411E: from=<
Dec 16 16:26:38 mymail postfix/pickup[16692]: 2E0C12411F: uid=33 from=<
Dec 16 16:26:38 mymail postfix/cleanup[16801]: 2E0C12411F: message-id=<
Dec 16 16:26:38 mymail postfix/qmgr[17107]: 2E0C12411F: from=<
Dec 16 16:26:38 mymail postfix/error[11212]: 2E0C12411F: to=<
Dec 16 16:26:38 mymail postfix/pickup[16692]: 33D2B24120: uid=33 from=<
Dec 16 16:26:38 mymail postfix/cleanup[16801]: 33D2B24120: message-id=<
Dec 16 16:26:38 mymail postfix/qmgr[17107]: 33D2B24120: from=<
Dec 16 16:34:40 mail postfix/smtp[18468]: 20110B2FE5: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 554 5.7.1 CCRX 173.255.237.18: Connection refused. Your IP address is blocked(anti-spam). If you need, please contact
Dec 16 16:34:40 mail postfix/smtp[18525]: 687C1B3278: to=<
Dec 16 16:34:40 mail postfix/smtp[18495]: 3824A240FC: to=<
Dec 16 16:34:40 mail postfix/smtp[18510]: BCD60B3319: host mx.vgs.untd.com[64.136.52.37] refused to talk to me: 550 IP 173.255.237.18 in zen.spamhaus.org : Access Denied, please see
Dec 16 16:34:40 mail postfix/smtp[18509]: B2440B2C43: to=<
Dec 16 16:34:40 mail postfix/smtp[18473]: EFC79B332E: to=<
Dec 16 16:34:40 mail postfix/smtp[18493]: E1446B3340: to=<
Dec 16 16:34:40 mail postfix/smtp[18459]: 8B251B3192: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi211 cox 173.255.237.18 blocked. Error Code: IPBL0001 - Refer to Error Codes section at
Dec 16 16:34:40 mail postfix/smtp[18476]: DE73E2414F: to=<
Dec 16 16:34:40 mail postfix/smtp[18483]: 74D60B3289: to=<
Dec 16 16:34:40 mail postfix/smtp[18479]: 7228824186: to=<
Dec 16 16:34:40 mail postfix/smtp[18512]: 1F2FFB325F: to=<
Dec 16 16:34:40 mail postfix/smtp[18457]: CAE74B331B: to=<
Dec 16 16:34:40 mail postfix/smtp[18468]: 20110B2FE5: to=<
Dec 16 16:34:40 mail postfix/smtp[18507]: B9238B2D4E: to=<
Dec 16 16:34:40 mail postfix/smtp[18494]: 3D125241A3: to=<
Dec 16 16:34:41 mail postfix/smtp[18510]: BCD60B3319: to=<
Dec 16 16:34:41 mail postfix/smtp[18459]: 8B251B3192: to=<
Wordfence and other such plugins did nothing to stop the repeated POST requests from various IPs.
It was a week ago that I ripped apart that website, deleted the database and everything, only for this to happen. Hackers win.
It's been 4? years. Good run for a very amateur webmistress, but I'm no match for morons who spend 24/7 trying to find ways to spam people and such. And in general I don't have much business running a server unless I'm professionally trained. So I'm out!
Thanks to you and everyone on this forum for your help.