Spam being sent (via Postfix?)
I'm at a bit of a loss. I noticed that my Linode has been sending out a load of spam emails. It normally sends just a couple of emails a day but has recently been up in the hundreds.
I've turned verbose logging on in /etc/postfix/master.cf, and here's the sort of thing I see:
Dec 21 19:47:58 hartnell postfix/pickup[14943]: 7D08C105EE: uid=1002 from= <dong-1387655278@geek-speak.co.uk>Dec 21 19:47:58 hartnell postfix/cleanup[14949]: 7D08C105EE: message-id=<1847.22@geek-speak.co.uk>
Dec 21 19:47:58 hartnell postfix/qmgr[13686]: 7D08C105EE: from=<dong-1387655278@geek-speak.co.uk>, size=3291, nrcpt=1 (queue active)
Dec 21 19:47:59 hartnell postfix/smtp[14951]: 7D08C105EE: to=<msbondslady@hotmail.com>, relay=mx4.hotmail.com[65.54.188.126]:25, delay=0.99, delays=0.02/0.01/0.43/0.53, dsn=2.0.0, status=sent (250 <1847.22@geek-speak.co.uk> Queued mail for delivery)
Dec 21 19:47:59 hartnell postfix/qmgr[13686]: 7D08C105EE: removed</msbondslady@hotmail.com></dong-1387655278@geek-speak.co.uk></dong-1387655278@geek-speak.co.uk>
Geek-Speak.co.uk is one of the domains I host on my Linode. There are similar spammy senders for some of the other domains.
I've checked through the syslog and auth.log and I'm pretty sure nobody is accessing the server via ssh.
I'm not sure if it's helpful, but here is my main.cf file:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = hartnell.cdh-it.co.uk
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = cdh-it.co.uk, hartnell.cdh-it.co.uk, localhost.cdh-it.co.uk, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
Any advice on how to proceed with working out how this is happening would be really appreciated.
Thanks in advance,
Chris
3 Replies
I've blocked the originating IPs in iptables, but is there anything else I should do? I'm running WordPress on the domains that are being affected but everything is up to date.
Any thoughts?
Edit: It seems iptables isn't stopping the traffic. It's originating from 173.245.51.120 and 173.245.51.121, both of which I have added to my iptables rules, but it's somehow still getting through and still generating the spam emails.
It's all gone quiet for now so (touch wood) I might have finally managed to block those two servers that I think were triggering the problem.
Thanks