Linode Forum :: My linode has been banned for SPAM! Please help.

Linode Forum https://forum.linode.com/

My linode has been banned for SPAM! Please help. https://forum.linode.com/viewtopic.php?f=11&t=10478	Page 1 of 2

Author:

sblantipodi [ Thu Oct 03, 2013 1:49 pm ]

Post subject:

My linode has been banned for SPAM! Please help.

Hi,
my linode is on since more than 4 years without any problem.
Today it has been banned for spam.

Someone or something is sending spam using my linode and I'm not able to understand what is it.
I'm very sad, I'm 100% sure that no one logged into my vps using SSH, logs says no unauthorized login.
I'm 100% sure that apache is not sending email via scripts because today I have seen my vps sending spam with apache stopped.

This is my postconf, do you see some security hole in this?

Code:

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = myname@mydomain.org
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 1024000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 102400000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.org
myhostname = mail.mydomain.org
mynetworks = 192.168.0.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_bcc_maps = hash:/etc/postfix/bcc_maps
relay_domains =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,    permit_sasl_authenticated, permit
smtpd_recipient_restrictions = permit_mynetworks,   check_sender_access hash:/etc/postfix/sender_access,   permit_sasl_authenticated,   reject_unauth_destination,   reject_rbl_client zen.spamhaus.org,   permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.mydomain.org.cert
smtpd_tls_key_file = /etc/pki/tls/private/mail.mydomain.org.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

How they damn sending spam with my server?

Author:

sblantipodi [ Thu Oct 03, 2013 2:25 pm ]

Post subject:

Re: My linode has been banned for SPAM! Please help.

I see dozens of msg like this:

Code:

: to=<momyassumsnip@emailfreepop2010.co.cc>, relay=emailfreepop2010.co.cc[199.2.137.140]:25, delay=275593, delays=275292/0.02/300/0, dsn=4.4.2, status=deferred (conversation with emailfreepop2010.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1257]: 471CB5651: to=<adres@yrus.co.cc>, relay=yrus.co.cc[199.2.137.140]:25, delay=337708, delays=337407/0.03/300/0, dsn=4.4.2, status=deferred (conversation with yrus.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1264]: 9E5BB568D: to=<vikij@43gosi.co.cc>, relay=43gosi.co.cc[199.2.137.140]:25, delay=336340, delays=336040/0.02/300/0, dsn=4.4.2, status=deferred (conversation with 43gosi.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1278]: 3032656A7: to=<order-viagra@fgjfjfjfyjryjf.co.cc>, relay=fgjfjfjfyjryjf.co.cc[199.2.137.140]:25, delay=336715, delays=336414/0.01/300/0, dsn=4.4.2, status=deferred (conversation with fgjfjfjfyjryjf.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1281]: 15B6A5B5E: to=<aslik@anded.co.cc>, relay=anded.co.cc[199.2.137.140]:25, delay=280508, delays=280207/0.03/300/0, dsn=4.4.2, status=deferred (conversation with anded.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:24 netstar postfix/smtp[1279]: 5C78386659: to=<info@bmsw.de>, relay=mail.bmsw.de[94.102.209.215]:25, delay=92138, delays=91834/0.04/304/0, dsn=4.4.2, status=deferred (conversation with mail.bmsw.de[94.102.209.215] timed out while receiving the initial server greeting)
Oct  3 20:22:24 netstar postfix/smtp[1284]: B541B866F6: to=<info@gbap.de>, relay=mail.gbap.de[94.102.209.215]:25, delay=89731, delays=89428/0.03/304/0, dsn=4.4.2, status=deferred (conversation with mail.gbap.de[94.102.209.215] timed out while receiving the initial server greeting)

is this my server that is trying to send spam?

Author:	sblantipodi [ Thu Oct 03, 2013 2:31 pm ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
I recently installed pidgeonhole (managesieve plugin) and enabled lmtp sieve do you think that this can be the root cause?

Author:

petarpetrovic [ Thu Oct 03, 2013 5:46 pm ]

Post subject:

Re: My linode has been banned for SPAM! Please help.

The problem lies in your /etc/postfix/main.cf configuration file, or, more precisely, this:

Code:

smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit

You basically allowed anyone with access to the Internet to be able to send unlimited amounts of mails completely unauthenticated, that is, without any username or password, therefore making your mail server an open relay.

Change it to this:

Code:

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit

There are additional options that you can add, but you can begin with this one (reject_unauth_destination). That option will stop anyone from sending any email using your server without authenticating, effectively stopping anyone who doesn't have an account on your server from sending email.

Keep us posted if you encounter additional problems.

Author:	sblantipodi [ Thu Oct 03, 2013 5:59 pm ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
petarpetrovic wrote: The problem lies in your /etc/postfix/main.cf configuration file, or, more precisely, this: Code: smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, permit You basically allowed anyone with access to the Internet to be able to send unlimited amounts of mails completely unauthenticated, that is, without any username or password, therefore making your mail server an open relay. Change it to this: Code: smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit There are additional options that you can add, but you can begin with this one (reject_unauth_destination). That option will stop anyone from sending any email using your server without authenticating, effectively stopping anyone who doesn't have an account on your server from sending email. Keep us posted if you encounter additional problems. I love you for your answer! I really missed that damn settings but why every "open relay" test passed without that settings also? There are dozens of open relay test on the net, sites that tries more than 20 different tests, my linode passed every test always, how this can be possible? another question, do you think that lmtp and sieve opened on my dovecot.conf can have caused this problem? I'm really warried about reopening the lmtp and sieve on that linode.

Author:	petarpetrovic [ Thu Oct 03, 2013 7:00 pm ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
Well, I don't realle have enough experience with lmtp so I can't really comment on it, but you can always enable it and then watch if it changes your config file. It might be a little bit risky, but that's your safest approach. If it does turn out that lmtp changes your config file, which is in my opinion unlikely, you'll know what causes the problem and you'll know more about how you might solve it.

Author:

sblantipodi [ Fri Oct 04, 2013 1:49 am ]

Post subject:

Re: My linode has been banned for SPAM! Please help.

Code:

[code]
[root@netstar ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = myname@mydomain.org
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 1024000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 102400000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.org
myhostname = mail.mydomain.org
mynetworks = 192.168.0.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_bcc_maps = hash:/etc/postfix/bcc_maps
relay_domains =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_helo_required = no
smtpd_helo_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit
smtpd_recipient_restrictions = permit_mynetworks,   check_sender_access hash:/etc/postfix/sender_access,   permit_sasl_authenticated,   reject_unauth_destination,   reject_rbl_client zen.spamhaus.org,   permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    reject_non_fqdn_sender,    reject_unknown_sender_domain,    reject_unauth_destination,    permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.mydomain.org.cert
smtpd_tls_key_file = /etc/pki/tls/private/mail.mydomain.org.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
[/code]

I updated my main.cf like this, is it better now?
Thanks!!!

I updated my main.cf like this, is it better now?
Thanks!!!

Author:	petarpetrovic [ Fri Oct 04, 2013 8:34 am ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
It looks pretty good now, you shouldn't have any spam issues with those settings. Your config file pretty much resembles my own config file, so you should be OK now. Keep me posted if you encounter any additional issues, I'll be glad to help.

Author:	sblantipodi [ Fri Oct 04, 2013 8:51 am ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
petarpetrovic wrote: It looks pretty good now, you shouldn't have any spam issues with those settings. Your config file pretty much resembles my own config file, so you should be OK now. Keep me posted if you encounter any additional issues, I'll be glad to help. Thank you very much for your help, you helped me more than what Linode Customer Service does, I will open a thread on this matter, but this is another story. I'm quite worried on reopen 4190 telnet for lmtp and sieve. I will try tomorrow while monitoring the maillog day and night.

Author:	sweh [ Fri Oct 04, 2013 9:15 am ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
sblantipodi wrote: Thank you very much for your help, you helped me more than what Linode Customer Service does, Unless you're paying for managed services, then any help you get from Linode customer support on issues like this (ie your mistake on your OS instance) is more than you should expect. I no more expect Linode to configure my mail server than I'd expect Verizon to set up my answer machine (without paying extra). If you are paying for managed services then it'll depend on what the actual agreement is.

Author:	sblantipodi [ Fri Oct 04, 2013 9:36 am ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
sweh wrote: sblantipodi wrote: Thank you very much for your help, you helped me more than what Linode Customer Service does, Unless you're paying for managed services, then any help you get from Linode customer support on issues like this (ie your mistake on your OS instance) is more than you should expect. I no more expect Linode to configure my mail server than I'd expect Verizon to set up my answer machine (without paying extra). If you are paying for managed services then it'll depend on what the actual agreement is. this is not the thread where to talk about this, I will talk of this when I will open a thread for this. now please don't continue here on this matter, the problem on this thread is another I will link here the thread for the customer service talking when I will open it.

Author:	jebblue [ Fri Oct 04, 2013 9:40 am ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
sblantipodi wrote: petarpetrovic wrote: It looks pretty good now, you shouldn't have any spam issues with those settings. Your config file pretty much resembles my own config file, so you should be OK now. Keep me posted if you encounter any additional issues, I'll be glad to help. Thank you very much for your help, you helped me more than what Linode Customer Service does, I will open a thread on this matter, but this is another story. I'm quite worried on reopen 4190 telnet for lmtp and sieve. I will try tomorrow while monitoring the maillog day and night. Linode Customer Service is First Class and has always helped me fast and efficiently.

Author:	sblantipodi [ Fri Oct 04, 2013 9:48 am ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
jebblue wrote: Linode Customer Service is First Class and has always helped me fast and efficiently. This is not the thread for this.

Author:	sweh [ Fri Oct 04, 2013 1:14 pm ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
sblantipodi wrote: sweh wrote: sblantipodi wrote: Thank you very much for your help, you helped me more than what Linode Customer Service does, Unless you're paying for managed services, then any help you get from Linode customer support on issues like this (ie your mistake on your OS instance) is more than you should expect. I no more expect Linode to configure my mail server than I'd expect Verizon to set up my answer machine (without paying extra). If you are paying for managed services then it'll depend on what the actual agreement is. this is not the thread where to talk about this Wow, you run this forum now? Neat! Hint: you bitch about something and people _will_ respond where you bitch.

Author:	sweh [ Fri Oct 04, 2013 1:14 pm ]
Post subject:	Re: My linode has been banned for SPAM! Please help.
sblantipodi wrote: jebblue wrote: Linode Customer Service is First Class and has always helped me fast and efficiently. This is not the thread for this. It is, now!

Page 1 of 2	All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/