My linode has been banned for SPAM! Please help.

Hi,

My linode has been up for more than 4 years without any problem.

Today it has been banned for spam.

Someone or something is sending spam using my linode and I'm not able to understand what it is.

I'm very sad. I'm 100% sure that no one logged into my VPS using SSH; the logs say no unauthorized login.

I'm 100% sure that apache is not sending email via scripts because today I have seen my vps sending spam with apache stopped.

This is my postconf, do you see any security hole in this?

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = myname@mydomain.org
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 1024000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 102400000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.org
myhostname = mail.mydomain.org
mynetworks = 192.168.0.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_bcc_maps = hash:/etc/postfix/bcc_maps
relay_domains =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,    permit_sasl_authenticated, permit
smtpd_recipient_restrictions = permit_mynetworks,   check_sender_access hash:/etc/postfix/sender_access,   permit_sasl_authenticated,   reject_unauth_destination,   reject_rbl_client zen.spamhaus.org,   permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.mydomain.org.cert
smtpd_tls_key_file = /etc/pki/tls/private/mail.mydomain.org.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

How the damn are they sending spam with my server?

19 Replies

I see dozens of messages like this:

: to=<momyassumsnip@emailfreepop2010.co.cc>, relay=emailfreepop2010.co.cc[199.2.137.140]:25, delay=275593, delays=275292/0.02/300/0, dsn=4.4.2, status=deferred (conversation with emailfreepop2010.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1257]: 471CB5651: to=<adres@yrus.co.cc>, relay=yrus.co.cc[199.2.137.140]:25, delay=337708, delays=337407/0.03/300/0, dsn=4.4.2, status=deferred (conversation with yrus.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1264]: 9E5BB568D: to=<vikij@43gosi.co.cc>, relay=43gosi.co.cc[199.2.137.140]:25, delay=336340, delays=336040/0.02/300/0, dsn=4.4.2, status=deferred (conversation with 43gosi.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1278]: 3032656A7: to=<order-viagra@fgjfjfjfyjryjf.co.cc>, relay=fgjfjfjfyjryjf.co.cc[199.2.137.140]:25, delay=336715, delays=336414/0.01/300/0, dsn=4.4.2, status=deferred (conversation with fgjfjfjfyjryjf.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1281]: 15B6A5B5E: to=<aslik@anded.co.cc>, relay=anded.co.cc[199.2.137.140]:25, delay=280508, delays=280207/0.03/300/0, dsn=4.4.2, status=deferred (conversation with anded.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:24 netstar postfix/smtp[1279]: 5C78386659: to=<info@bmsw.de>, relay=mail.bmsw.de[94.102.209.215]:25, delay=92138, delays=91834/0.04/304/0, dsn=4.4.2, status=deferred (conversation with mail.bmsw.de[94.102.209.215] timed out while receiving the initial server greeting)
Oct  3 20:22:24 netstar postfix/smtp[1284]: B541B866F6: to=<info@gbap.de>, relay=mail.gbap.de[94.102.209.215]:25, delay=89731, delays=89428/0.03/304/0, dsn=4.4.2, status=deferred (conversation with mail.gbap.de[94.102.209.215] timed out while receiving the initial server greeting)

Is this my server that is trying to send spam?

I recently installed Pigeonhole (managesieve plugin) and enabled LMTP Sieve.

do you think that this can be the root cause?

The problem lies in your /etc/postfix/main.cf configuration file, or, more precisely, this:

smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit

You basically allowed anyone with access to the Internet to be able to send unlimited amounts of mails completely unauthenticated, that is, without any username or password, therefore making your mail server an open relay.

Change it to this:

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit

There are additional options that you can add, but you can begin with this one (reject_unauth_destination). That option will stop anyone from sending any email using your server without authenticating, effectively stopping anyone who doesn't have an account on your server from sending email.

Keep us posted if you encounter additional problems.
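As an added example (not code from this thread and not part of Postfix), the script below reads `postconf -n` output and audits the restriction lists Postfix evaluates for relay control: smtpd_recipient_restrictions and, on Postfix 2.10 and later, smtpd_relay_restrictions. It checks that reject_unauth_destination (or defer_unauth_destination) is present and that nothing which can answer OK for an arbitrary client, an unconditional permit or a check_*_access table lookup, comes before it, since Postfix stops evaluating a list at the first action that permits. The two sample configs embedded in the script are constructed from the values posted in this thread; the "before" sample is the original smtpd_recipient_restrictions, where check_sender_access sits before reject_unauth_destination, which is the classic way a relay stays open even when the guard is present.

```python
"""Audit `postconf -n` output for open-relay pitfalls in the restriction lists
Postfix evaluates at RCPT TO (added example; not code from this thread or from
the Postfix project)."""
import re

# Actions that stop relaying to non-local destinations.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
# Table lookups whose content is not visible in `postconf -n`; an OK entry
# ends the list early, so they must not come before the relay guard.
TABLE_ACTIONS = ("check_sender_access", "check_client_access",
                 "check_helo_access", "check_recipient_access")
# Actions that take a following argument (a table or a DNSBL domain).
ARG_ACTIONS = ("check_", "reject_rbl_client", "reject_rhsbl_")


def parse_postconf(text):
    """Turn `postconf -n` output into {parameter: value}."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line.strip())
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def tokenize_restrictions(value):
    """Split a restriction list into (action, argument) pairs; comma and
    whitespace separators are both accepted, as Postfix does."""
    actions, expect_arg = [], False
    for word in re.split(r"[,\s]+", value.strip()):
        if not word:
            continue
        if expect_arg:
            actions[-1] = (actions[-1][0], word)
            expect_arg = False
        else:
            actions.append((word, None))
            expect_arg = word.startswith(ARG_ACTIONS)
    return actions


def audit_list(name, value):
    """Findings for one restriction list; empty means it guards relaying."""
    actions = tokenize_restrictions(value)
    names = [a for a, _ in actions]
    guard_at = next((i for i, a in enumerate(names) if a in RELAY_GUARDS), None)
    if guard_at is None:
        return [f"{name}: no reject_unauth_destination, anyone may relay"]
    findings = []
    for action, arg in actions[:guard_at]:
        if action == "permit":
            findings.append(f"{name}: unconditional 'permit' before the relay guard")
        elif action.startswith(TABLE_ACTIONS):
            findings.append(f"{name}: '{action} {arg}' before the relay guard; "
                            "an OK entry in that table lets a forged matching sender relay")
    return findings


def audit_relay_restrictions(params):
    """Return findings for the relay control chain, [] if it is safe.
    Postfix >= 2.10 evaluates smtpd_relay_restrictions before
    smtpd_recipient_restrictions; one clean list is enough to block relaying."""
    findings = []
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if name in params:
            problems = audit_list(name, params[name])
            if not problems:
                return []
            findings.extend(problems)
    return findings or ["no smtpd_relay_restrictions or smtpd_recipient_restrictions set"]


# Constructed samples built from the values posted in this thread.
SAMPLE_BEFORE = """\
mynetworks = 192.168.0.0/24, 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks,   check_sender_access hash:/etc/postfix/sender_access,   permit_sasl_authenticated,   reject_unauth_destination,   reject_rbl_client zen.spamhaus.org,   permit
smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit
"""
SAMPLE_AFTER = """\
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client zen.spamhaus.org, permit
"""

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_relay_restrictions(parse_postconf(cfg)) or "OK")
```

Run it against `postconf -n > current.cf` output by passing the file's text to `parse_postconf`; moving the check_sender_access lookup to after reject_unauth_destination, as in the "after" sample, is what clears the finding while keeping the whitelist for everything that follows.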

@petarpetrovic:

> The problem lies in your /etc/postfix/main.cf configuration file, or, more precisely, this:
>
> smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit
>
> You basically allowed anyone with access to the Internet to be able to send unlimited amounts of mails completely unauthenticated, that is, without any username or password, therefore making your mail server an open relay.
>
> Change it to this:
>
> smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
>
> There are additional options that you can add, but you can begin with this one (reject_unauth_destination). That option will stop anyone from sending any email using your server without authenticating, effectively stopping anyone who doesn't have an account on your server from sending email.
>
> Keep us posted if you encounter additional problems.

I love you for your answer! I really missed that damn setting, but why did every "open relay" test pass without that setting too?

There are dozens of open relay tests on the net, sites that try more than 20 different tests; my linode always passed every test. How is this possible?

Another question: do you think that the LMTP and Sieve I opened in my dovecot.conf could have caused this problem?

I'm really worried about reopening LMTP and Sieve on that linode.

Well, I don't really have enough experience with LMTP so I can't really comment on it, but you can always enable it and then watch whether it changes your config file. It might be a little bit risky, but that's your safest approach. If it does turn out that LMTP changes your config file, which is in my opinion unlikely, you'll know what causes the problem and you'll know more about how you might solve it.

```
[root@netstar ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = myname@mydomain.org
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 1024000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 102400000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.org
myhostname = mail.mydomain.org
mynetworks = 192.168.0.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_bcc_maps = hash:/etc/postfix/bcc_maps
relay_domains =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_helo_required = no
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
smtpd_recipient_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.mydomain.org.cert
smtpd_tls_key_file = /etc/pki/tls/private/mail.mydomain.org.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
```

I updated my main.cf like this, is it better now?

Thanks!!!

It looks pretty good now, you shouldn't have any spam issues with those settings. Your config file pretty much resembles my own config file, so you should be OK now. Keep me posted if you encounter any additional issues, I'll be glad to help. :)

@petarpetrovic:

> It looks pretty good now, you shouldn't have any spam issues with those settings. Your config file pretty much resembles my own config file, so you should be OK now. Keep me posted if you encounter any additional issues, I'll be glad to help. :)

Thank you very much for your help, you helped me more than Linode Customer Service does.

I will open a thread on this matter, but this is another story.

I'm quite worried about reopening 4190 (telnet) for LMTP and Sieve.

I will try tomorrow while monitoring the maillog day and night.

@sblantipodi:

> Thank you very much for your help, you helped me more than Linode Customer Service does.

Unless you're paying for managed services, any help you get from Linode customer support on issues like this (i.e. your mistake on your OS instance) is more than you should expect. I no more expect Linode to configure my mail server than I'd expect Verizon to set up my answering machine (without paying extra).

If you are paying for managed services then it'll depend on what the actual agreement is.

@sweh:

> @sblantipodi:
>
> > Thank you very much for your help, you helped me more than Linode Customer Service does.
>
> Unless you're paying for managed services, any help you get from Linode customer support on issues like this (i.e. your mistake on your OS instance) is more than you should expect. I no more expect Linode to configure my mail server than I'd expect Verizon to set up my answering machine (without paying extra).
>
> If you are paying for managed services then it'll depend on what the actual agreement is.

This is not the thread to talk about this; I will talk about it when I open a thread for it.

Now please don't continue here on this matter; the problem in this thread is a different one :)

I will link the customer service thread here when I open it.

@sblantipodi:

> @petarpetrovic:
>
> > It looks pretty good now, you shouldn't have any spam issues with those settings. Your config file pretty much resembles my own config file, so you should be OK now. Keep me posted if you encounter any additional issues, I'll be glad to help. :)
>
> Thank you very much for your help, you helped me more than Linode Customer Service does.
>
> I will open a thread on this matter, but this is another story.
>
> I'm quite worried about reopening 4190 (telnet) for LMTP and Sieve.
>
> I will try tomorrow while monitoring the maillog day and night.

Linode Customer Service is First Class and has always helped me fast and efficiently.

@jebblue:

> Linode Customer Service is First Class and has always helped me fast and efficiently.

This is not the thread for this.

@sblantipodi:

> @sweh:
>
> > @sblantipodi:
> >
> > > Thank you very much for your help, you helped me more than Linode Customer Service does.
> >
> > Unless you're paying for managed services, any help you get from Linode customer support on issues like this (i.e. your mistake on your OS instance) is more than you should expect. I no more expect Linode to configure my mail server than I'd expect Verizon to set up my answering machine (without paying extra).
> >
> > If you are paying for managed services then it'll depend on what the actual agreement is.
>
> This is not the thread to talk about this.
Wow, you run this forum now? Neat!

Hint: you bitch about something and people will respond where you bitch.

@sblantipodi:

> @jebblue:
>
> > Linode Customer Service is First Class and has always helped me fast and efficiently.
>
> This is not the thread for this.
It is, now!

@sweh:

> It is, now!

You are welcome, talk where you want but do that without me ;)

Thread for my disappointment:

https://forum.linode.com/viewtopic.php?f=22&t=10480

Oct 5 14:50:59 netstar postfix/smtpd[3849]: lost connection after UNKNOWN from unknown[220.172.191.30]
Oct 5 14:50:59 netstar postfix/smtpd[3849]: disconnect from unknown[220.172.191.30]
Oct 5 14:51:00 netstar dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=220.172.191.30, lip=97.107.132.51
Oct 5 14:51:01 netstar postfix/smtpd[3849]: connect from unknown[220.172.191.30]
Oct 5 14:51:01 netstar postfix/smtpd[3849]: lost connection after UNKNOWN from unknown[220.172.191.30]
Oct 5 14:51:01 netstar postfix/smtpd[3849]: disconnect from unknown[220.172.191.30]
Oct 5 14:51:02 netstar dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=220.172.191.30, lip=97.107.132.51

I'm again under attack but this time my postfix is saying fuckoff to them, damn bastards.

I'm receiving hundreds of messages like the one I quoted in the maillog.

Now I banned that IP with iptables.

I need to add a rule in fail2ban to ban this type of request.

Have you got an idea on how to add a rule in fail2ban to ban this kind of request?

Something like this:

/etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

/etc/fail2ban/jail.conf

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="110,995,143,993", protocol=tcp]
         sendmail-whois[name=DOVECOT, dest=me@example.com]
logpath = /var/log/mail.log
maxretry = 3
findtime = 300
bantime  = 1800

Edit as necessary, of course…
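To see what the filter above would actually do before enabling the jail, here is an added example (not fail2ban's own code or filter files, and not from either poster) that dry-runs a failregex over the Dovecot lines quoted earlier in this thread and applies the jail's maxretry/findtime the way fail2ban counts them. It runs the posted failregex as-is and, beside it, an assumed extension that also matches the "Disconnected (tried to use disabled plaintext auth)" form seen in the quoted maillog, which the posted alternatives do not cover; the sample log is constructed from the quoted lines plus one extra of the same shape and one constructed imap-login failure from a documentation address.

```python
"""Dry-run a fail2ban-style Dovecot filter over the lines quoted in this
thread (added example; not fail2ban's own code or filter files)."""
import re
from collections import defaultdict
from datetime import datetime

# The failregex exactly as posted, with fail2ban's <HOST> tag already expanded
# to a named group as in the post.
POSTED_FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|"
    r"Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)
# Assumed extension for this demo: also count the
# "Disconnected (tried to use disabled plaintext auth)" form from the quoted maillog.
EXTENDED_FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|"
    r"Aborted login \(tried to use disabled|Disconnected \(auth failed|"
    r"Disconnected \(tried to use disabled).*rip=(?P<host>\S*),.*"
)
# Minimal syslog timestamp parser standing in for fail2ban's date detection.
TIMESTAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

# Constructed sample: the Dovecot and smtpd lines quoted in this thread, one
# extra pop3-login line of the same shape, and a constructed imap-login line
# from a documentation address (203.0.113.9).
SAMPLE_LOG = [
    "Oct 5 14:51:00 netstar dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=220.172.191.30, lip=97.107.132.51",
    "Oct 5 14:51:01 netstar postfix/smtpd[3849]: connect from unknown[220.172.191.30]",
    "Oct 5 14:51:02 netstar dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=220.172.191.30, lip=97.107.132.51",
    "Oct 5 14:51:03 netstar dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=220.172.191.30, lip=97.107.132.51",
    "Oct 5 16:10:00 netstar dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=97.107.132.51",
]


def parse_ts(line):
    """Syslog timestamps carry no year; strptime defaults it to 1900, which is
    fine for computing differences inside one log."""
    m = TIMESTAMP.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def matches(regex, lines):
    """Return [(timestamp, host)] for every line the filter would count."""
    return [(parse_ts(line), m.group("host"))
            for line in lines for m in [regex.search(line)] if m]


def hosts_to_ban(hits, maxretry=3, findtime=300):
    """Apply the jail's thresholds: a host is banned once it has maxretry
    matches inside any findtime-second window."""
    by_host = defaultdict(list)
    for ts, host in hits:
        by_host[host].append(ts)
    banned = set()
    for host, stamps in by_host.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for label, rx in (("posted", POSTED_FAILREGEX), ("extended", EXTENDED_FAILREGEX)):
        hits = matches(rx, SAMPLE_LOG)
        print(f"{label}: {len(hits)} matching lines, would ban {sorted(hosts_to_ban(hits))}")
```

On the quoted lines the posted regex counts nothing from 220.172.191.30, so the jail would never ban it; the extended pattern counts all three pop3-login lines inside the 300-second window and crosses maxretry. The same check can be done against the real jail with `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf` before enabling it.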

I'm analyzing the maillog from when my server was attacked and when it was sending spam.

In the maillog I have thousands of lines like this:

> Oct 2 04:57:16 netstar postfix/error[31271]: BF1725945: to=<test@members.linode.com>, relay=none, delay=147692, delays=147691/0.19/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to members.linode.com[67.18.186.61]:25: Connection refused)
>
> Oct 2 09:47:16 netstar postfix/qmgr[22640]: A8E0C52F8: from=<test@members.linode.com>, size=1368, nrcpt=1 (queue active)
>
> Oct 2 09:47:16 netstar postfix/qmgr[22640]: A6BBA5561: from=<>, size=6300, nrcpt=1 (queue active)

and there are hundreds of mails like this that confirm that they used postfix to send out the spam:

> Oct 2 11:54:38 netstar postfix/qmgr[22640]: D6097524C: from=<test@members.linode.com>, size=2018, nrcpt=1 (queue active)
>
> Oct 2 11:54:38 netstar postfix/smtp[9053]: 2746851F5: to=<colton.adams@manordev.ch>, relay=feed.alexb.ch[91.208.173.143]:25, delay=1.2, delays=0.25/0/0.71/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D3D0F40130)

I don't understand what qmgr is, or how they sent messages from test@members.linode.com using my VPS when I don't have a test user and my domain name is not related to linode.com.

I added this:

reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination

to

smtpd_sender_restrictions

after the attack. Do you think that that was the cause of the connection from the test account?

I hadn't set those restrictions when I was attacked. Do you think that this was the cause?

I don't have any test account on my system.
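For reading logs like the ones quoted above, here is an added example (not Postfix code and not from any post in this thread) that groups maillog lines by queue id. qmgr is Postfix's queue manager: it logs one "from=<...>" line with the envelope sender when a message becomes active, and the smtp or error lines that carry the same queue id are the delivery attempts for that message; "from=<>" is the null sender used for bounces. The script tallies messages per envelope sender, flags senders whose domain is not one the server hosts (the LOCAL_DOMAINS set is my assumption taken from the mydestination posted above), and counts how deliveries ended. The sample log is constructed from the lines quoted in this thread.

```python
"""Triage Postfix maillog lines by queue id (added example; not Postfix code
and not from this thread's posts)."""
import re
from collections import Counter, defaultdict

# Assumed from the mydestination posted above; senders outside these domains
# did not originate from a local account.
LOCAL_DOMAINS = {"mydomain.org", "mail.mydomain.org", "localhost"}

# qmgr "queue active" line: queue id, envelope sender, size.
QMGR_FROM = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)")
# smtp/error delivery attempt: queue id, recipient, relay, final status word.
DELIVERY = re.compile(
    r"postfix/(?:smtp|error)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>\S+), .*status=(?P<status>\w+)")

# Constructed sample built from the lines quoted in this thread.
SAMPLE_LOG = [
    "Oct 2 04:57:16 netstar postfix/error[31271]: BF1725945: to=<test@members.linode.com>, relay=none, delay=147692, delays=147691/0.19/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to members.linode.com[67.18.186.61]:25: Connection refused)",
    "Oct 2 09:47:16 netstar postfix/qmgr[22640]: A8E0C52F8: from=<test@members.linode.com>, size=1368, nrcpt=1 (queue active)",
    "Oct 2 09:47:16 netstar postfix/qmgr[22640]: A6BBA5561: from=<>, size=6300, nrcpt=1 (queue active)",
    "Oct 2 11:54:38 netstar postfix/qmgr[22640]: D6097524C: from=<test@members.linode.com>, size=2018, nrcpt=1 (queue active)",
    "Oct 2 11:54:38 netstar postfix/smtp[9053]: 2746851F5: to=<colton.adams@manordev.ch>, relay=feed.alexb.ch[91.208.173.143]:25, delay=1.2, delays=0.25/0/0.71/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D3D0F40130)",
    "Oct  3 20:22:20 netstar postfix/smtp[1257]: 471CB5651: to=<adres@yrus.co.cc>, relay=yrus.co.cc[199.2.137.140]:25, delay=337708, delays=337407/0.03/300/0, dsn=4.4.2, status=deferred (conversation with yrus.co.cc[199.2.137.140] timed out while receiving the initial server greeting)",
]


def group_by_queue_id(lines):
    """Collect envelope sender, size and delivery attempts per queue id."""
    msgs = defaultdict(lambda: {"sender": None, "size": 0, "deliveries": []})
    for line in lines:
        m = QMGR_FROM.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]
            msgs[m["qid"]]["size"] = int(m["size"])
            continue
        m = DELIVERY.search(line)
        if m:
            msgs[m["qid"]]["deliveries"].append((m["rcpt"], m["relay"], m["status"]))
    return msgs


def report(lines):
    """The summary a responder wants first: who the mail claimed to be from,
    which senders are not local, and how deliveries ended up."""
    msgs = group_by_queue_id(lines)
    by_sender, by_status, foreign = Counter(), Counter(), set()
    for info in msgs.values():
        sender = info["sender"]
        if sender is not None:
            by_sender[sender or "<>"] += 1          # <> is the null (bounce) sender
            domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
            if domain and domain not in LOCAL_DOMAINS:
                foreign.add(sender)
        for _, _, status in info["deliveries"]:
            by_status[status] += 1
    return {"messages": len(msgs), "by_sender": dict(by_sender),
            "by_status": dict(by_status), "foreign_senders": foreign}


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the whole maillog (`report(open("/var/log/maillog").read().splitlines())`) and the foreign_senders set answers the question of which envelope senders never belonged to a local account; the queue ids in the grouped output are what `postcat -q <id>` takes if the message is still in the queue.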
