spamming, how to find origin

Zoltan
Posts: 9
Joined: Mon 6. Apr 2020, 11:23

spamming, how to find origin

Post by Zoltan »

Hello,

Somebody started massive spamming from my KeyHelp server. I found this in mail.log; how can I find out how the spammer did it?

May 24 22:30:33 user postfix/smtpd[7048]: 7DD115DD44: client=localhost[127.0.0.1]
May 24 22:30:33 user postfix/cleanup[6694]: 7DD115DD44: message-id=<0b14a1e176f9431ee38789b133f0910b@example.com>
May 24 22:30:33 user postfix/smtpd[7048]: disconnect from localhost[127.0.0.1] ehlo=1 mail=2 rcpt=2 data=2 noop=1 quit=1 commands=9
May 24 22:30:33 user postfix/qmgr[2733]: 7DD115DD44: from=<user.somebody@gmail.com>, size=2826, nrcpt=1 (queue active)
May 24 22:30:33 user postfix/error[6709]: 7DD115DD44: to=<somebody@gmx.de>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx01.emig.gmx.net[212.227.17.5] refused to talk to me: 554-gmx.net (mxgmx116) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554 For explanation visit https://www.gmx.net/mail/senderguidelin ... .12&c=rdns)
May 24 22:30:33 user amavis[7037]: (07037-02) Passed CLEAN {RelayedOpenRelay}, [127.0.0.1] <user.somebody@gmail.com> -> <somebody@gmx.de>, Message-ID: <0b14a1e176f9431ee38789b133f0910b@example.com>, mail_id: vCvoh5bEv1_q, Hits: 3.202, size: 2389, queued_as: 7DD115DD44, 997 ms
May 24 22:30:33 user postfix/smtp[6701]: 81B6A5DD3B: to=<somebody@gmx.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.01/0/0.01/1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7DD115DD44)


thank you
Zoltan
Alexander
Keyweb AG
Posts: 3810
Joined: Wed 20. Jan 2016, 02:23

Re: spamming, how to find origin

Post by Alexander »

Hello,

I am going to quote the text which is written within KeyHelp on the "Email Queue" page; this should help you.
You can analyze the email header using the "postcat -qh <MAIL_ID>" command from the console.
If you encounter that your server is sending spam emails, the "X-ORIGINATING-SCRIPT" line in the email header could indicate which file is responsible for sending them.
(These are the mail IDs from your example: 7DD115DD44 or 81B6A5DD3B)

Best regards
Alexander Mahr

**************************************************************
Keyweb AG - The Hosting Brand
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
Zoltan
Posts: 9
Joined: Mon 6. Apr 2020, 11:23

Re: spamming, how to find origin

Post by Zoltan »

Thank you Alexander,

the quoted text I posted above is the output of the command which is written within KeyHelp on the "Email Queue" page.
The problem is, there is no X-ORIGINATING-SCRIPT line in the output.

Zoltan
Florian
Keyweb AG
Posts: 1243
Joined: Wed 20. Jan 2016, 02:28

Re: spamming, how to find origin

Post by Florian »

Hello,

1. Grep the mail log for SASL logins:

cat /var/log/mail.log | grep sasl_username

to see if there are massive logins from one user.

2. Grep the access logs of the domains for POST requests.

If you see massive requests to one script or page via POST, this can be a source of spamming, e.g. a contact form.

Best regards
Florian Cheno

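As an added example (not code from this thread or from KeyHelp), the two checks Florian lists as a small POSIX shell script: it counts SASL logins per user in a Postfix mail log and POST requests per path in an Apache-style access log, most frequent first. The log lines, client addresses, accounts and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: the two checks Florian describes,
# run over constructed sample log lines (addresses and paths are made up).
# Needs only POSIX sh, grep, awk, cut, sort and uniq.

# Constructed Postfix mail log: three SASL logins by one account, one by another.
MAILLOG=$(mktemp)
cat > "$MAILLOG" <<'EOF'
May 24 22:30:01 user postfix/smtpd[7001]: 1A2B3C4D01: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
May 24 22:30:02 user postfix/smtpd[7001]: 1A2B3C4D02: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
May 24 22:30:03 user postfix/smtpd[7002]: 1A2B3C4D03: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
May 24 22:30:04 user postfix/smtpd[7001]: 1A2B3C4D04: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
May 24 22:30:33 user postfix/smtpd[7048]: 7DD115DD44: client=localhost[127.0.0.1]
EOF

# Constructed Apache access log: repeated POSTs to one form, plus other traffic.
ACCESSLOG=$(mktemp)
cat > "$ACCESSLOG" <<'EOF'
203.0.113.5 - - [24/May/2020:22:30:31 +0200] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/May/2020:22:30:32 +0200] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [24/May/2020:22:30:32 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [24/May/2020:22:30:33 +0200] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/May/2020:22:30:34 +0200] "POST /wp-login.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
EOF
trap 'rm -f "$MAILLOG" "$ACCESSLOG"' EXIT

# Step 1: SASL logins per user, most frequent first. Output lines: "count user".
sasl_logins_per_user() {
    grep -o 'sasl_username=[^ ,]*' "$1" | cut -d= -f2 | sort | uniq -c | sort -rn
}

# Step 2: POST requests per request path, most frequent first. Output: "count path".
# Field 6 of a combined-format line is the quoted method, field 7 the path.
post_requests_per_path() {
    awk '$6 == "\"POST" { print $7 }' "$1" | sort | uniq -c | sort -rn
}

# Helpers returning only the top entry, so the result can be checked in scripts.
top_sasl_user()  { sasl_logins_per_user "$1"  | awk 'NR == 1 { print $2 }'; }
top_post_path()  { post_requests_per_path "$1" | awk 'NR == 1 { print $2 }'; }
top_post_count() { post_requests_per_path "$1" | awk 'NR == 1 { print $1 }'; }

echo "SASL logins per user:";  sasl_logins_per_user "$MAILLOG"
echo "POST requests per path:"; post_requests_per_path "$ACCESSLOG"
```

On a real server, point the functions at /var/log/mail.log and the domain's access log instead of the constructed files; the localhost re-injection line from amavis (as in the log above) carries no sasl_username and is correctly ignored.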