On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
All,
I have VM on the internet that for the last day or so is sending out 10's of thousands of malicious emails.
openSUSE 42.2
Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever use it. Almost all admin is via ssh.
Check the mail logs, Greg. /var/log/mail will tell you everything.
Agreed, but they are huge as of the last couple days. I need some hints of what to look for. The first "large" log file is Jan 5. I'll start with that one and maybe I can see the emails coming into the system. I note in the last 12 hours my server has sent several emails from "wwwrun" to zobugtel@gmail.com. Maybe I have a penetration of my webserver? My webserver should be very vanilla and I can turn off PHP support, etc. if it is currently active.
The contents of /etc/postfix/relay are:

    # for relaying domain
    # domain.de OK
    IAC-Forensics.com OK
And contents of /etc/postfix/main.cf ? Is that file used? What are your smtp recipient restrictions?
I don't think I have any smtp recipient restrictions? I think my main.cf is very vanilla:

    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/lib/postfix
    data_directory = /var/lib/postfix
    mail_owner = postfix
    mydomain = intelligentavatar.net
    myorigin = $mydomain
    unknown_local_recipient_reject_code = 550
    mynetworks = <redacted>/32
    home_mailbox = Maildir/
    header_checks = regexp:/etc/postfix/header_checks
    body_checks = regexp:/etc/postfix/body_checks
    debug_peer_level = 1
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    setgid_group = maildrop
    html_directory = /usr/share/doc/packages/postfix-doc/html
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/packages/postfix-doc/samples
    readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
    biff = no
    content_filter =
    delay_warning_time = 1h
    disable_dns_lookups = no
    disable_mime_output_conversion = no
    inet_interfaces = all
    inet_protocols = ipv4
    masquerade_classes = envelope_sender, header_sender, header_recipient
    masquerade_domains =
    masquerade_exceptions = root
    mydestination = $myhostname, localhost.$mydomain
    myhostname = <redacted>
    mynetworks_style = subnet
    alias_maps = hash:/etc/aliases
    canonical_maps = hash:/etc/postfix/canonical
    relocated_maps = hash:/etc/postfix/relocated
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    transport_maps = hash:/etc/postfix/transport
    mail_spool_directory = /var/mail
    message_strip_characters = \0
    defer_transports =
    mailbox_command =
    mailbox_transport =
    mailbox_size_limit = 0
    message_size_limit = 0
    strict_8bitmime = no
    strict_rfc821_envelopes = no
    smtpd_helo_required = no
    smtpd_client_restrictions =
    smtpd_helo_restrictions =
    smtpd_sender_restrictions = hash:/etc/postfix/access
    smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
    smtp_sasl_auth_enable = no
    smtp_sasl_security_options =
    smtp_sasl_password_maps =
    smtpd_sasl_auth_enable = no
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    relay_clientcerts =
    smtp_use_tls = no
    smtp_enforce_tls = no
    smtp_tls_CAfile =
    smtp_tls_CApath =
    smtp_tls_cert_file =
    smtp_tls_key_file =
    smtp_tls_session_cache_database =
    smtpd_use_tls = no
    smtpd_tls_CAfile =
    smtpd_tls_CApath =
    smtpd_tls_cert_file =
    smtpd_tls_key_file =
    smtpd_tls_ask_ccert = no
    smtpd_tls_received_header = no
    virtual_alias_domains = hash:/etc/postfix/virtual
    virtual_alias_maps = hash:/etc/postfix/virtual
    virtual_mailbox_domains = intelligentavatar.net iac-forensics.com
    virtual_mailbox_base = /srv/maildirs
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    virtual_minimum_uid = 1000
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    virtual_mailbox_limit = 0
    virtual_mailbox_limit_inbox = no
    disable_vrfy_command = yes
    smtpd_delay_reject = yes
    smtpd_banner = $myhostname ESMTP
FYI: The server has been RBL Blacklisted. It's a minor issue that I assume will clear up in a day or two. In the meantime, I can ignore the problem. This server originates very little email.
As long as your server continues to send spam, it will likely remain on various blacklists.
Agreed. I definitely want to kill the spam activity.

Greg
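As an added example (not part of this thread), a shell script for the log triage discussed above: from stock postfix log lines it counts messages injected locally through the sendmail/pickup path per submitting user, and lists the recipients of the ones a given user injected. That separates a compromised web application sending as "wwwrun" from open-relay abuse, because relayed mail is logged by postfix/smtpd with a client= line rather than by postfix/pickup. The sample log lines, host name, addresses and function names are constructed for the example.

```shell
#!/bin/sh
# Triage helpers for a postfix mail log (added example; assumes the stock
# log format "postfix/pickup[pid]: QID: uid=N from=<user>" and
# "postfix/smtp[pid]: QID: to=<rcpt>, ... status=sent").

# Constructed sample log, not real data. Lines 1-4: locally injected mail
# from the web-server user; line 5-6: a local root mail; line 7-8: a message
# received over SMTP from a remote client (would be relay abuse, not pickup).
SAMPLE_LOG='Jan  7 22:10:01 host postfix/pickup[811]: 3A1F2C0: uid=30 from=<wwwrun>
Jan  7 22:10:01 host postfix/smtp[812]: 3A1F2C0: to=<victim1@example.org>, relay=mx.example.org[203.0.113.5]:25, status=sent (250 OK)
Jan  7 22:10:02 host postfix/pickup[811]: 3A1F2C1: uid=30 from=<wwwrun>
Jan  7 22:10:02 host postfix/smtp[812]: 3A1F2C1: to=<victim2@example.org>, relay=mx.example.org[203.0.113.5]:25, status=sent (250 OK)
Jan  7 22:11:00 host postfix/pickup[811]: 3A1F2C2: uid=0 from=<root>
Jan  7 22:11:00 host postfix/smtp[812]: 3A1F2C2: to=<admin@example.net>, relay=mx.example.net[203.0.113.9]:25, status=sent (250 OK)
Jan  7 22:12:00 host postfix/smtpd[900]: 3A1F2C3: client=unknown[198.51.100.7]
Jan  7 22:12:00 host postfix/smtp[812]: 3A1F2C3: to=<victim3@example.org>, relay=mx.example.org[203.0.113.5]:25, status=sent (250 OK)'

# Print "count user" for messages that entered via local pickup (the
# sendmail(1) path a web app or cron job uses), most frequent first.
local_senders() {   # $1 = log file
    awk '/postfix\/pickup\[/ && match($0, /from=<[^>]*>/) {
             n[substr($0, RSTART + 6, RLENGTH - 7)]++
         }
         END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# Print "count recipient" for messages locally injected by one user, by
# joining pickup and smtp lines on the queue id (6th field, trailing colon).
recipients_of() {   # $1 = log file, $2 = submitting user name
    awk -v user="$2" '
        /postfix\/pickup\[/ && $0 ~ ("from=<" user ">") {
            split($6, q, ":"); qid[q[1]] = 1
        }
        /postfix\/smtp\[/ && match($0, /to=<[^>]*>/) {
            split($6, q, ":")
            if (q[1] in qid) r[substr($0, RSTART + 4, RLENGTH - 5)]++
        }
        END { for (x in r) print r[x], x }' "$1" | sort -rn
}

log=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$log"
local_senders "$log"            # 2 wwwrun / 1 root
recipients_of "$log" wwwrun     # victim1 and victim2, not victim3 or admin
rm -f "$log"
```

On the real box the same functions run over /var/log/mail (or the rotated copies); mail that arrives through smtpd with a client= line and is then delivered outward points at relaying instead, which the recipient restrictions shown above are meant to block.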