# [SOLVED] Mailserver being used as SPAM zombie server

## oslinux

Hi all,

One of my servers at OVH was having problems with HDD space; when I checked, I found that the problem was mail.log growing fast.

It seems that someone is using Postfix to send mails around the world and that the world is blacklisting my server :( .

Postfix SMTP should be protected with Dovecot SASL, so I don't know how they're sending this volume of mail. There are a small number of users on the mailserver and each one is trusted.

When I noticed this traffic I blocked outbound traffic with iptables, but I need to find the source of the problem or I won't be able to use the SMTP server any more (I'm planning to change the mailserver IP address to solve the blacklist problem).

This is an extract from mail.log, following a spam e-mail:

http://pastebin.com/7q4uQMf9

This is Postfix main.cf:

http://pastebin.com/7s5zCfp8

Thank you for any hint!

Luca

Last edited by oslinux on Tue May 03, 2011 10:53 pm; edited 1 time in total

----------

## ianw1974

Changing the IP address isn't going to solve your problem in the long run. You can have your existing IP removed from the blacklist, but you need to address your problem. Sounds to me that you are an open relay, which surprises me because Postfix by default doesn't have this problem. I expect your server isn't configured as it should be.

I'm using mydestination and mynetworks, which you don't have, and these are two of the options that stop your server from being used as an open relay. mydestination should list all the domains you receive email for. You need to look at other config options too; there's plenty out there on how to configure Postfix as a virtual server, the Gentoo docs had this at one point if I remember correctly.

First, fix the Postfix config, then look at removing your IP from the blacklists, or change your IP if you feel this is easier. But if you don't fix the problem, you'll only get blacklisted again. There are ways to test to see if the server is an open relay, so once you've fixed the config you can test to make sure it's OK.

----------

## mmealman

You need to pin down your problem. First check to see if you're an open relay. From a machine that should not have relay access, do something like the below:

```
telnet mysmtpserver.com 25
Escape character is '^]'.
220 TEST.localdomain ESMTP Postfix
MAIL FROM: <mark@xxxx.org>
250 2.1.0 Ok
RCPT TO: <mark@yyyy.com>
554 5.7.1 <mark@yyyy.com>: Relay access denied
quit
221 2.0.0 Bye
```
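The manual telnet check above can be scripted so it is repeatable after every configuration change. The following is an added example, not code from the thread: a small SMTP client that performs the same HELO / MAIL FROM / RCPT TO / QUIT exchange as an unauthenticated outsider and classifies the reply to RCPT TO, plus an in-process fake server that answers the way Postfix does (relay denied or relay accepted) so the check can be exercised offline. Hostnames, addresses and the fake server are constructed; `check_relay`, `FakeSmtpServer` and `selftest` are names chosen here.

```python
"""Open-relay self-check: a minimal SMTP client plus an in-process fake
server that mimics Postfix's replies, so the check can be exercised offline.
All hostnames, addresses and the fake server are constructed for this example."""
import socket
import threading

# Constructed sample addresses; neither domain is one the server accepts mail for.
SENDER = "mark@example.org"
RECIPIENT = "mark@example.net"


def _recv_line(f):
    line = f.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    return line.decode("ascii", "replace").rstrip("\r\n")


def check_relay(host, port, sender=SENDER, recipient=RECIPIENT, timeout=5.0):
    """Talk to host:port without authenticating and try to relay mail for a
    foreign domain. Returns ('denied' | 'open' | 'error', server reply to
    RCPT TO). A correctly configured Postfix answers 554 5.7.1 Relay access denied."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        banner = _recv_line(f)
        if not banner.startswith("220"):
            return "error", banner
        for cmd in ("HELO probe.example", f"MAIL FROM:<{sender}>"):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            reply = _recv_line(f)
            if not reply.startswith("250"):
                return "error", reply
        sock.sendall(f"RCPT TO:<{recipient}>\r\n".encode("ascii"))
        reply = _recv_line(f)
        # Always QUIT so the transaction is aborted cleanly; nothing is ever sent.
        sock.sendall(b"QUIT\r\n")
        try:
            _recv_line(f)
        except (ConnectionError, socket.timeout):
            pass
    if reply.startswith("250"):
        return "open", reply
    if reply.startswith(("554", "550", "553")):
        return "denied", reply
    return "error", reply


class FakeSmtpServer:
    """One-connection SMTP server replying like Postfix. relay_allowed=False
    rejects every RCPT TO (the correct behaviour shown in the thread);
    relay_allowed=True behaves like an open relay."""

    def __init__(self, relay_allowed):
        self.relay_allowed = relay_allowed
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.sendall(b"220 mail.example.test ESMTP Postfix\r\n")
            f = conn.makefile("rb")
            while True:
                line = f.readline()
                if not line:
                    break
                cmd = line.decode("ascii", "replace").strip()
                verb = cmd.split(":", 1)[0].split(" ", 1)[0].upper()
                if verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    break
                if verb == "RCPT":
                    rcpt = cmd.split(":", 1)[1].strip()
                    if self.relay_allowed:
                        conn.sendall(b"250 2.1.5 Ok\r\n")
                    else:
                        conn.sendall(f"554 5.7.1 {rcpt}: Relay access denied\r\n".encode("ascii"))
                    continue
                conn.sendall(b"250 2.1.0 Ok\r\n")
        self.sock.close()


def selftest(relay_allowed):
    """Run check_relay against a fake server and return only the verdict."""
    server = FakeSmtpServer(relay_allowed)
    verdict, _reply = check_relay("127.0.0.1", server.port)
    return verdict


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_relay(sys.argv[1], 25))   # probe your own server by hostname
    else:
        print("closed server:", selftest(False))  # denied
        print("open server:", selftest(True))     # open
```

Run it with your own mail host as the argument from a machine outside `mynetworks` and without SASL credentials; a verdict of `denied` reproduces the thread's telnet result, while `open` means unauthenticated clients can relay and the restrictions need fixing before the IP is delisted.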

----------

## oslinux

I'm not going to request an IP change before resolving this problem ;)

```
telnet mail.mydomain.com 25
Trying {server_ip}...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 {server_ip} ESMTP Postfix
MAIL FROM: <mark@xxx.org>
250 2.1.0 Ok
RCPT TO: <mark@yyyy.com>
554 5.7.1 <mark@yyyy.com>: Relay access denied
quit
221 2.0.0 Bye
Connection closed by foreign host.
```

This is from my home computer; the same happens from another server in the server farm. Only the host should be allowed, or authenticated clients, and this seems to be working :(

EDIT:

I'm using

```
mynetworks_style = host
```

which replaces mynetworks by only allowing connections from localhost.

----------

## Jaglover

Google for mail relay test, there are online services you can use.

OTOH, if your box is hacked then a reinstall from scratch is in order.

----------

## oslinux

Reinstall :S

It's not hacked: SSH access is only allowed from an RSA-protected OpenVPN and with SSH RSA authentication; it allows access only to a single user who is a member of the wheel group, and every single action from this account is logged and sent to my e-mail (I'm a bit paranoid :D ).

Also, iptables blocks all incoming packets except HTTP, SMTP, IMAP, SSH and ICMP protocol requests.

I tried some mail relay tests; it's all fine.

Then I had an idea and checked the Apache log... I've found the culprit: it's Roundcube!

Someone (41.218.238.141) is using a bug in Roundcube to send lots of messages everywhere!!

I'm checking the currently installed version of Roundcube, then I guess I should contact someone (Roundcube devs?) to report this (exploit?).

Luca
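The turning point in this thread was correlating the Apache log with the spam volume: the SMTP side looked clean because the mail was being submitted by the webmail application itself, from localhost, which `mynetworks_style = host` trusts. The following is an added example, not code from the thread or from the Roundcube project: it parses Apache combined-format access log lines, counts POST requests to the webmail send action per client IP, and flags any IP whose burst rate in a sliding window exceeds a threshold. The log lines are constructed, the `_task=mail&_action=send` URL shape and the threshold are assumptions to adjust for your installation, and `find_abusers`, `send_events` and `peak_rate` are names chosen here.

```python
"""Spot a webmail installation being driven as a spam cannon: count, per
client IP, POSTs to the webmail 'send' action in the Apache access log and
flag IPs that exceed a burst threshold. Log lines, URL shape and thresholds
are constructed/assumed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed URL shape of the Roundcube send action; adjust to your install.
SEND_RE = re.compile(r"_task=mail.*_action=send|_action=send.*_task=mail")


def build_sample_log():
    """Constructed log: one legitimate user sending two mails fifteen minutes
    apart, and one remote host firing 40 send requests within a minute."""
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" 200 212 "-" "{ua}"'
    base = datetime(2011, 5, 3, 20, 0, 0)
    send_path = "/roundcube/?_task=mail&_action=send"

    def ts(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S") + " +0200"

    lines = [
        fmt.format(ip="203.0.113.7", ts=ts(0), m="GET", p="/roundcube/?_task=mail", ua="Mozilla/5.0"),
        fmt.format(ip="203.0.113.7", ts=ts(120), m="POST", p=send_path, ua="Mozilla/5.0"),
        fmt.format(ip="203.0.113.7", ts=ts(900), m="POST", p=send_path, ua="Mozilla/5.0"),
    ]
    for i in range(40):
        lines.append(fmt.format(ip="198.51.100.9", ts=ts(600 + i), m="POST", p=send_path, ua="curl/7.21"))
    return lines


def parse(line):
    """Return a dict of the log fields with a parsed timestamp, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def send_events(lines):
    """Map client IP -> list of timestamps of POSTs to the send action."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and SEND_RE.search(rec["path"]):
            per_ip[rec["ip"]].append(rec["ts"])
    return per_ip


def peak_rate(timestamps, window):
    """Largest number of events falling inside any window of the given length."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_abusers(lines, window=timedelta(minutes=1), threshold=20):
    """Return {ip: (total sends, peak sends in one window)} for IPs whose
    peak rate reaches the threshold; a human user never gets near it."""
    flagged = {}
    for ip, stamps in send_events(lines).items():
        peak = peak_rate(stamps, window)
        if peak >= threshold:
            flagged[ip] = (len(stamps), peak)
    return flagged


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else build_sample_log()
    for ip, (total, peak) in find_abusers(lines).items():
        print(f"{ip}: {total} send requests, peak {peak} per minute")
```

Point it at the real access log (`python3 webmail_sends.py /var/log/apache2/access.log`, assumed path) and compare the flagged IPs and timestamps against the `postfix/pickup` or `postfix/smtpd` entries in mail.log for the same minute; a match confirms the web application, not the SMTP daemon, is the submission path, which is exactly why the relay test passed.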

----------

## oslinux

I was using an old version of Roundcube (0.3.1); I upgraded to 0.5.1, and I'm unlocking iptables and changing my IP.

Thanks,

Luca

----------

