# Problem with Postfix, Spam and Apache - my server sends SPAM

## spottraining

Hi,

I have a problem.

I discovered that on my server some spam bot or script is running that sends mail out through Apache.

But I can't find in which domain that script is located.

From message header I see:

```
Received: by localhost.one.server.com (Postfix, from userid 81) id 69C269C0D82; Mon, 4 Dec 2006 07:48:04 +0000 (UTC)
To: mymeil
Subject: one meiladress
From: ShedUnwantedPounds@one.weblab.ee
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
Subject: Weight loss has never been this convenient and easy
Message-Id: <20061204074804.69C269C0D82@localhost.one.server.com>
Date: Mon, 4 Dec 2006 07:48:04 +0000 (UTC)
```

This one.server.com is my server, and the userid is apache.

Right now I have no idea how to fix that. I made some rules for SpamAssassin, but it's not good: the script keeps changing names.

Can someone give some good advice, please?

EDIT:

Also, Postfix is sending me these mails:

```
Postfix SMTP server: errors from unknown[66.75.160.128]

Transcript of session follows.

 Out: 220 localhost.one.server.com VHCS2 2.4 Spartacus Managed ESMTP 2.4.6.2
 In:  EHLO orngca-mx-01.mgw.rr.com
 Out: 250-localhost.server.com
 Out: 250-PIPELINING
 Out: 250-SIZE 10240000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-AUTH LOGIN PLAIN
 Out: 250-AUTH=LOGIN PLAIN
 Out: 250 8BITMIME
 In:  MAIL FROM:<> SIZE=2719
 Out: 250 Ok
 In:  RCPT TO:<apache@one.server.com>
 Out: 451 <apache@one.server.com>: Temporary lookup failure
 In:  RSET
 Out: 250 Ok
 In:  QUIT
 Out: 221 Bye
```

----------

## erik258

It is not Apache that is to blame; that looks like Postfix output to me. (I am running Postfix too.)

It looks like you're receiving this message, so I assume someone is sending you spam. It should turn up in your inbox, or maybe in a spam filter folder.

----------

## spottraining

```
Received: by localhost.one.server.com (Postfix, from userid 81) id 69C269C0D82; Mon, 4 Dec 2006
```

But that is my server, and user 81 is apache on my server. When I look at the Webmin Postfix Mail Queue, I see that the queued messages are from apache@one.server.com, and in the To field there are lots of Yahoo and other addresses.

EDIT:

Here is a picture of what I see in Webmin: here

Also, I am getting these mails too; the mail headers look the same.

How is it possible that in Postfix I see lots of To addresses, but none is in the header?

----------

## spottraining

Here is also part of mail.log:

```
Dec  4 06:00:01 one postfix/smtp[2321]: F2C079C0DEA: to=<helen@tpisp.net>, relay=none, delay=2, status=deferred (connect to tpisp.net[204.13.160.131]: Connection refused)
Dec  4 06:00:01 one postfix/smtp[2337]: F2C079C0DEA: to=<angie_nunally@administaff.com>, relay=administaff.com.s8a1.psmtp.com[64.18.7.10], delay=2, status=sent (250 Thanks)
Dec  4 06:00:01 one postfix/smtp[2284]: F2C079C0DEA: to=<qiirrc@allaboutopl.com>, relay=mail.allaboutopl.com[74.52.48.114], delay=2, status=deferred (host mail.allaboutopl.com[74.52.48.114] said: 451 Could not complete sender verify callout (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2356]: F2C079C0DEA: to=<swamod@gwtc.net>, relay=gwtc.net.s6a1.psmtp.com[64.18.5.10], delay=3, status=sent (250 Thanks)
Dec  4 06:00:02 one postfix/smtp[2336]: F2C079C0DEA: to=<jdelo@bellsouth.net>, relay=mx01.mail.bellsouth.net[205.152.58.33], delay=3, status=sent (250 Message received: 20061204040015.SAHZ8987.ibm15aec.bellsouth.net@localhost.one.weblab.ee)
Dec  4 06:00:02 one postfix/smtp[2336]: F2C079C0DEA: to=<juanz@bellsouth.net>, relay=mx01.mail.bellsouth.net[205.152.58.33], delay=3, status=sent (250 Message received: 20061204040015.SAHZ8987.ibm15aec.bellsouth.net@localhost.one.weblab.ee)
Dec  4 06:00:02 one postfix/smtp[2299]: F2C079C0DEA: to=<mdiscep@itsa.ucsf.edu>, relay=cuda.ucsf.edu[64.54.132.101], delay=3, status=bounced (host cuda.ucsf.edu[64.54.132.101] said: 550 <mdiscep@itsa.ucsf.edu>: Recipient address rejected: No such user (mdiscep@itsa.ucsf.edu) (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2294]: F2C079C0DEA: to=<swilliamson@odmdllp.com>, relay=mail.global.sprint.com[65.55.251.22], delay=3, status=sent (250 Ok: queued as 03F25FD8064)
Dec  4 06:00:02 one postfix/smtp[2279]: F2C079C0DEA: to=<opni@taconic.net>, relay=mx2.taconic.net[205.231.144.69], delay=3, status=bounced (host mx2.taconic.net[205.231.144.69] said: 550 <opni@taconic.net>: Recipient address rejected: sorry, no mailbox here by that name (#5.1.1 - chkusr) (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2309]: F2C079C0DEA: to=<bagley@csrsonline.com>, relay=mail.csrsonline.com[70.169.65.99], delay=3, status=bounced (host mail.csrsonline.com[70.169.65.99] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2275]: F2C079C0DEA: to=<rvg@kvn.com>, relay=mail.kvn.com[216.38.143.2], delay=3, status=bounced (host mail.kvn.com[216.38.143.2] said: 550 <rvg@kvn.com>: Recipient address rejected: User unknown in relay recipient table (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2334]: F2C079C0DEA: to=<jhayes@nvrinc.com>, relay=mail.nvrinc.com[204.96.165.90], delay=3, status=bounced (host mail.nvrinc.com[204.96.165.90] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2359]: F2C079C0DEA: to=<fjmillerjr@mindspring.com>, relay=mx12.mindspring.com[207.69.200.17], delay=3, status=bounced (host mx12.mindspring.com[207.69.200.17] said: 550 fjmillerjr@mindspring.com...User unknown (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2356]: connect to vztpa.verizon.com[192.76.82.131]: Connection refused (port 25)
Dec  4 06:00:02 one postfix/smtp[2306]: F2C079C0DEA: to=<herman@backpacker.com>, relay=rodale.com.mail5.psmtp.com[64.18.5.10], delay=3, status=sent (250 Thanks)
Dec  4 06:00:02 one postfix/smtp[2347]: F2C079C0DEA: to=<biddyallan@proxad.net>, relay=mx2.proxad.net[212.27.32.78], delay=3, status=bounced (host mx2.proxad.net[212.27.32.78] said: 550 user unknown (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2356]: connect to vzftw.verizon.com[192.76.86.129]: Connection refused (port 25)
Dec  4 06:00:02 one postfix/smtp[2358]: F2C079C0DEA: to=<deljanshaver@earthlink.net>, relay=mx4.earthlink.net[209.86.93.229], delay=3, status=bounced (host mx4.earthlink.net[209.86.93.229] said: 550 deljanshaver@earthlink.net...User unknown (in reply to RCPT TO command))
```

I still have no idea.

Is my server sending spam or not?

----------
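The mail.log excerpt above already carries the evidence that matters: a single queue ID (F2C079C0DEA) fanning out to dozens of recipients, a large share of them answered with 550 "user unknown", and the header quoted earlier shows the message was injected locally by userid 81. The script below is an added example, not code from the thread or from any tool it mentions, that groups a Postfix mail.log by queue ID, ties each message to the account that submitted it via the pickup line, and flags messages with bulk fan-out and a high hard-bounce ratio. The sample lines are constructed and modelled on the excerpt above; the pickup and cleanup lines (Postfix's "uid=NN from=<user>" record for sendmail(1) submissions) and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (modelled on the thread's mail.log excerpt, not copied from it).
# The pickup/cleanup lines are the records Postfix writes when a message arrives via
# sendmail(1); their exact presence in the OP's log is an assumption.
SAMPLE_LOG = """\
Dec  4 05:59:59 one postfix/pickup[1999]: F2C079C0DEA: uid=81 from=<apache>
Dec  4 05:59:59 one postfix/cleanup[2001]: F2C079C0DEA: message-id=<20061204055959.F2C079C0DEA@localhost.one.server.com>
Dec  4 06:00:01 one postfix/smtp[2321]: F2C079C0DEA: to=<helen@tpisp.net>, relay=none, delay=2, status=deferred (connect to tpisp.net[204.13.160.131]: Connection refused)
Dec  4 06:00:01 one postfix/smtp[2337]: F2C079C0DEA: to=<angie_nunally@administaff.com>, relay=administaff.com.s8a1.psmtp.com[64.18.7.10], delay=2, status=sent (250 Thanks)
Dec  4 06:00:02 one postfix/smtp[2299]: F2C079C0DEA: to=<mdiscep@itsa.ucsf.edu>, relay=cuda.ucsf.edu[64.54.132.101], delay=3, status=bounced (host cuda.ucsf.edu[64.54.132.101] said: 550 <mdiscep@itsa.ucsf.edu>: Recipient address rejected: No such user (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2279]: F2C079C0DEA: to=<opni@taconic.net>, relay=mx2.taconic.net[205.231.144.69], delay=3, status=bounced (host mx2.taconic.net[205.231.144.69] said: 550 <opni@taconic.net>: Recipient address rejected: sorry, no mailbox here by that name (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2309]: F2C079C0DEA: to=<bagley@csrsonline.com>, relay=mail.csrsonline.com[70.169.65.99], delay=3, status=bounced (host mail.csrsonline.com[70.169.65.99] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Dec  4 06:00:02 one postfix/smtp[2356]: connect to vztpa.verizon.com[192.76.82.131]: Connection refused (port 25)
Dec  4 06:05:10 one postfix/pickup[1999]: 1A2B3C4D5E6: uid=1000 from=<admin>
Dec  4 06:05:11 one postfix/smtp[2400]: 1A2B3C4D5E6: to=<friend@example.org>, relay=mail.example.org[192.0.2.25], delay=1, status=sent (250 Ok)
"""

# pickup(8) records the local uid that handed the message to sendmail(1).
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
# One line per recipient attempt from the delivery agents.
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|local|virtual|error)\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>.*?status=(?P<status>\w+)")


def summarize(log_text):
    """Group a mail.log by queue ID: submitting uid/sender plus per-status delivery counts."""
    msgs = defaultdict(lambda: {"uid": None, "sender": None, "recipients": 0, "status": Counter()})
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            entry = msgs[m.group("qid")]
            entry["uid"], entry["sender"] = m.group("uid"), m.group("sender")
            continue
        m = DELIVERY_RE.search(line)
        if m:
            entry = msgs[m.group("qid")]
            entry["recipients"] += 1
            entry["status"][m.group("status")] += 1
    return dict(msgs)


def suspicious(summary, min_recipients=3, min_bounce_ratio=0.5):
    """Queue IDs that fan out to many recipients with a large share of hard bounces.

    A bot working through a bought address list looks exactly like this: one queue ID,
    dozens of RCPTs, many 550 'user unknown' replies. Thresholds are assumptions."""
    flagged = []
    for qid, e in summary.items():
        if e["recipients"] < min_recipients:
            continue
        if e["status"]["bounced"] / e["recipients"] >= min_bounce_ratio:
            flagged.append(qid)
    return sorted(flagged)


def submitters(summary):
    """Number of messages per submitting uid: shows which local account injects the mail."""
    return dict(Counter(e["uid"] for e in summary.values() if e["uid"] is not None))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for qid in suspicious(s):
        e = s[qid]
        print(f"{qid}: uid={e['uid']} from=<{e['sender']}> rcpts={e['recipients']} {dict(e['status'])}")
    print("messages per submitting uid:", submitters(s))
```

Run it against the real log with `summarize(open("/var/log/mail.log").read())`. Once a queue ID is tied to uid 81, `postcat -q F2C079C0DEA` on the still-queued copy shows the full headers and body, and the timestamp of the pickup line can be matched against the Apache access log to find the POST that triggered it.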

## spottraining

Up.

I still need help.

Now my server is listed on SpamCop: http://www.spamcop.net/w3m?action=blcheck&ip=212.47.220.124

Here is also my Postfix main.cf:

```
#
# Postfix MTA Manager Main Configuration File;
#
# Please do NOT edit this file manually;
#
#
# Postfix directory settings; These are critical for normal Postfix MTA functionality;
#
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
#
# Some common configuration parameters;
#
mynetworks_style = host
mydomain = one.weblab.ee
myorigin = $mydomain
smtpd_banner = $myhostname VHCS2 2.4 Spartacus Managed ESMTP 2.4.6.2
setgid_group = postdrop
#
# Receiving messages parameters;
#
mydestination = $myhostname, $mydomain
append_dot_mydomain = no
append_at_myorigin = yes
local_transport = local
virtual_transport = virtual
transport_maps = hash:/etc/postfix/vhcs2/transport
#
# Delivering local messages parameters;
#
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailbox_command = procmail -a "$EXTENSION"
biff = no
alias_database = hash:/etc/mail/aliases
local_destination_recipient_limit = 1
local_recipient_maps = unix:passwd.byname $alias_database
#
# Delivering virtual messages parameters;
#
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_limit = 0
virtual_mailbox_domains = hash:/etc/postfix/vhcs2/domains
virtual_mailbox_maps = hash:/etc/postfix/vhcs2/mailboxes
virtual_alias_maps = hash:/etc/postfix/vhcs2/aliases
virtual_minimum_uid = 1000
virtual_uid_maps = static:1000
virtual_gid_maps = static:12
#
# SASL parameters;
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = vhcs.net
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
   reject_unverified_sender,
   permit_sasl_authenticated,
   permit_mynetworks,
   reject_unauth_destination,
   check_policy_service inet:127.0.0.1:10030
```

Here is my Postfix master.cf:

```
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
#
# ==========================================================================
# I added the next line for ASSP. I only put localhost in front.
smtp      inet  n       -       -       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       -       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       -       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
#
# vhcs delivery agent.
#
vhcs2-arpl unix  -      n       n       -       -       pipe flags=O user=vmail argv=/var/www/vhcs2/engine/messa$
```

And here is my SpamAssassin local.cf:

```
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################
#   Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****
#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1
#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.
#   Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock
#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0
#   Use Bayesian classifier (default: 1)
#
# use_bayes 1
#   Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1
#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status
blacklist_from *@winetime.co.kr
blacklist_from *@roseglen.demon.co.uk
blacklist_from *@juresa.com.br
blacklist_from *@bigmikes.org
blacklist_from *@zgplus.com
blacklist_from *@quatryxtatu.com
blacklist_from only@pingviin.org
blacklist_from weeks@one.weblab.ee
blacklist_from and@pingviin.org
blacklist_from t@one.weblab.ee
blacklist_from nitrite@pingviin.org
blacklist_from redos@one.weblab.ee
blacklist_from tucked@pingviin.org
score http://www.drecomla.com 1
header wight Subject =~ /You CAN lose weight safely and easily/
score wight 1
describe wight wight
blacklist_from *@AT-KC.COM
body tea /Scientific Breakthrough/
score tea 1
describe tea tea
blacklist_from *@centurytel.net
blacklist_from *@mxin3.lsn.net
blacklist_from jukwalter@t-online.de
blacklist_from *@grupodema.com.ar
blacklist_from TenPoundsInOneWeek@one.weblab.ee
```

----------

## spottraining

After a long time googling I found that the proxy modules were enabled in my Apache. I have now also installed mod_security.

Now I can only wait and see whether this spam flow starts again or not.

EDIT: right now all is OK. I got removed from SpamCop too.

Thanks to mod_security I have also found that the main problem was the kontakt_post.php file in phpBB Plus. That is a phpBB contact mod. http://www.phpbb2.de/ftopic38201.html, so I am not alone.

----------
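What finally answered the original question (which script, in which vhost, was handing mail to Postfix) was mod_security. A more direct way to get the same answer from the mail side is to put a logging wrapper between PHP's mail() and Postfix's sendmail(1), since every message in this thread was injected locally ("Postfix, from userid 81") and so never passed through smtpd or the smtpd_recipient_restrictions posted above. The script below is an added example, not code from the thread, from VHCS, phpBB or Postfix; the path of the real sendmail binary, the list of CGI variables and the syslog tag are assumptions.

```python
#!/usr/bin/env python3
"""sendmail-logged: a drop-in sendmail(1) wrapper that records who is calling it.

Install as /usr/local/bin/sendmail-logged (mode 0755) and point PHP at it in php.ini:
    sendmail_path = "/usr/local/bin/sendmail-logged -t -i"
Each web-originated submission then leaves a syslog line with the calling uid, the
working directory (under mod_php normally the directory of the running script) and,
when PHP runs as CGI/FastCGI, the CGI variables naming the script and the client.
"""
import os
import subprocess
import sys
import syslog
from email.parser import BytesParser
from email.utils import getaddresses

REAL_SENDMAIL = "/usr/sbin/sendmail"  # assumption: location of Postfix's sendmail(1)
# CGI-style variables worth recording when present (they are absent under mod_php).
CGI_VARS = ("SCRIPT_FILENAME", "SCRIPT_NAME", "REQUEST_URI", "REMOTE_ADDR", "HTTP_HOST")


def caller_record(argv, env, cwd, uid, message):
    """Describe one submission: who called sendmail, from where, and what the message is.

    argv    -- arguments handed to sendmail (e.g. ['-t', '-i'])
    env     -- the caller's environment (os.environ in production)
    cwd     -- the caller's working directory
    uid     -- numeric uid of the calling process
    message -- the raw message bytes read from stdin
    """
    headers = BytesParser().parsebytes(message, headersonly=True)
    # With -t, sendmail takes recipients from To/Cc/Bcc; counting them exposes bulk sends.
    rcpts = getaddresses(headers.get_all("To", []) + headers.get_all("Cc", []) + headers.get_all("Bcc", []))
    record = {
        "uid": str(uid),
        "cwd": cwd,
        "args": " ".join(argv),
        "from": str(headers.get("From", "-")),
        "rcpts": len(rcpts),
        "subject": str(headers.get("Subject", "-"))[:60],
        "size": len(message),
    }
    for var in CGI_VARS:
        if var in env:
            record[var.lower()] = env[var]
    return record


def format_record(record):
    """Render the record as one key=value syslog line (newlines stripped so it cannot forge extra lines)."""
    parts = []
    for key, value in record.items():
        text = str(value).replace("\n", " ").replace("\r", " ")
        parts.append(f"{key}={text}")
    return " ".join(parts)


def main():
    args = sys.argv[1:]
    data = sys.stdin.buffer.read()
    record = caller_record(args, os.environ, os.getcwd(), os.getuid(), data)
    syslog.openlog("sendmail-logged", syslog.LOG_PID, syslog.LOG_MAIL)
    syslog.syslog(syslog.LOG_INFO, format_record(record))
    # Hand the unmodified message to the real sendmail and propagate its exit status,
    # so PHP's mail() sees exactly the behaviour it would see without the wrapper.
    return subprocess.run([REAL_SENDMAIL] + args, input=data).returncode


if __name__ == "__main__":
    sys.exit(main())
```

The wrapper's syslog line lands in the same mail log as Postfix's own pickup record, so matching the timestamp and uid=81 against the next "postfix/pickup ... uid=81" line ties a queue ID to a cwd or script name, and from there to the vhost. If the web server account has no legitimate reason to send mail at all, Postfix can refuse its submissions outright with `authorized_submit_users = !apache, static:all` in main.cf (available since Postfix 2.2); a contact form that genuinely needs to send mail should instead be rate-limited and given a fixed envelope sender and recipient rather than taking either from the request. Later PHP releases (5.3 and up) can do part of this natively through the `mail.log` and `mail.add_x_header` settings, the latter stamping each message with an X-PHP-Originating-Script header carrying the uid and script name.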

