Unable to identify spam that seemingly came from server
Hi,
I'm working on a server that has found itself on a spam list. Upon contacting they sent an example of the spam coming from the server, which is below. They redacted some info, the rest I have removed.
-----
Received: from [our-server.net] ([our.ip.address])
by [redacted]
id [redacted]; Mon, 11 Apr 2016 xx:xx:xx +0000
Received: (qmail 14775 invoked by uid 34767); 11 Apr 2016 xx:xx:xx -0000
Date: 11 Apr 2016 xx:xx:xx -0000
From: "Diedre Waldemar" <rinagreenwellw@brunoandgeorge.com>
Subject: Haley wants you for a fortuitous meeting write 1.518.289.xx.xx
-----
I looked up the userid who spawned this in /etc/passwd, and there is no matching user. Furthermore, qmail doesn't operate on this server, as it's a cpanel server which has exim, although I understand this could be spoofed.
How can I track down where this originated from? Monitoring the exim log, there is no mail being sent out right now either, and there's nothing in the log.
I have since restricted SMTP connections in WHM to root, exim, and mailman and blocked 'nobody' from sending. Is this likely to help based on the nature described so far? I obviously still want to get rid of whatever may have sent this.
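The uid lookup described in the post, as an added example (not code from the thread): walk the Received chain oldest-first, pull the injecting MTA and uid out of the earliest hop, and check that uid against a passwd excerpt. The headers and the /etc/passwd lines below are constructed stand-ins for the redacted report; as the post notes, the earliest hop is sender-supplied text and can be forged, so only hops added by MTAs you trust are reliable.

```python
import re
from email import message_from_string

# Constructed sample modelled on the redacted report in the post (not the real message).
SAMPLE = """Received: from our-server.net ([192.0.2.10])
\tby mx.example.net id ABC123; Mon, 11 Apr 2016 10:00:00 +0000
Received: (qmail 14775 invoked by uid 34767); 11 Apr 2016 10:00:00 -0000
From: "Diedre Waldemar" <rinagreenwellw@brunoandgeorge.com>
"""
# Constructed /etc/passwd excerpt; on the server you would read the real file.
PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
mailman:x:1001:1001::/usr/local/cpanel/3rdparty/mailman:/bin/bash
"""
LOCAL_INJECT = re.compile(r"\((\w+) \d+ invoked by uid (\d+)\)")
RELAY_HOP = re.compile(r"from \[?([\w.-]+)\]? \(\[?([\d.]+)\]?\)")

def received_hops(raw):
    """Received headers oldest-first: each MTA prepends its own, so the last one is the earliest hop."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def origin(raw):
    """Classify the earliest hop: local injection (MTA name + uid) or a relay from host/IP.
    Only hops added by MTAs you trust are reliable; the earliest one is sender-supplied."""
    hops = received_hops(raw)
    if not hops:
        return {"kind": "unknown"}
    first = hops[0]
    m = LOCAL_INJECT.search(first)
    if m:
        return {"kind": "local", "mta": m.group(1), "uid": int(m.group(2))}
    m = RELAY_HOP.search(first)
    if m:
        return {"kind": "relay", "host": m.group(1), "ip": m.group(2)}
    return {"kind": "unknown", "hop": first}

def uid_owner(passwd_text, uid):
    """Return the account name for uid, or None when no account has it (what the OP saw)."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            return fields[0]
    return None

if __name__ == "__main__":
    o = origin(SAMPLE)
    print(o, "owner:", uid_owner(PASSWD, o.get("uid", -1)))
```

A uid with no passwd entry, or an MTA name that is not the one installed, means the earliest hop was either forged by the sender or written by software that is not your mail stack; either way, it points to what to look for in the exim and web-stack logs next.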
Run open relay test, there are several online. If your box is "owned" they can use their own MTA to send spam. In case your box is compromised take it offline immediately.
Thanks for your help. I ran a few online tests: mxtoolbox, mailradar, and one at http://www.rbl.jp. All returned that no relays were accepted by the server. What next would be best to check/determine what's going on here?
It could be that your box is not compromised; maybe you need to fine-tune your sender policy settings.
The email address could just be a spoof email address. What MTA are you using?
Check whether your email platform has an equivalent setting:
Sender anti-spoofing protection
User must authenticate in order to send messages from a local domain
Last edited by JJJCR; 04-14-2016 at 01:32 AM.
Reason: edit
I have since restricted SMTP connections in WHM to root, exim, and mailman and blocked 'nobody' from sending. Is this likely to help based on the nature described so far? I obviously still want to get rid of whatever may have sent this.
Given you enabled some "common sense" restrictions after-the-fact I'd suggest you run a complete check of the server, its configurations, access restrictions, system and daemon logs and software (including themes, plugins and whatnot) running in the web stack.