Linode Community Forums
Posted: Sat Dec 21, 2013 4:11 pm (Newbie; joined Sat Dec 21, 2013; 3 posts)
Hi all,

I'm at a bit of a loss. I noticed that my Linode has been sending out a load of spam emails. It normally sends just a couple of emails a day but has recently been up in the hundreds.

I've turned verbose logging on in /etc/postfix/master.cf, and here's the sort of thing I see:

Code:
Dec 21 19:47:58 hartnell postfix/pickup[14943]: 7D08C105EE: uid=1002 from=<dong-1387655278@geek-speak.co.uk>
Dec 21 19:47:58 hartnell postfix/cleanup[14949]: 7D08C105EE: message-id=<1847.22@geek-speak.co.uk>
Dec 21 19:47:58 hartnell postfix/qmgr[13686]: 7D08C105EE: from=<dong-1387655278@geek-speak.co.uk>, size=3291, nrcpt=1 (queue active)
Dec 21 19:47:59 hartnell postfix/smtp[14951]: 7D08C105EE: to=<msbondslady@hotmail.com>, relay=mx4.hotmail.com[65.54.188.126]:25, delay=0.99, delays=0.02/0.01/0.43/0.53, dsn=2.0.0, status=sent (250  <1847.22@geek-speak.co.uk> Queued mail for delivery)
Dec 21 19:47:59 hartnell postfix/qmgr[13686]: 7D08C105EE: removed


Geek-Speak.co.uk is one of the domains I host on my Linode. There are similar spammy senders for some of the other domains.

I've checked through the syslog and auth.log and I'm pretty sure nobody is accessing the server via ssh.

I'm not sure if it's helpful, but here is my main.cf file:

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = hartnell.cdh-it.co.uk
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = cdh-it.co.uk, hartnell.cdh-it.co.uk, localhost.cdh-it.co.uk, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all


Any advice on how to proceed with working out how this is happening would be really appreciated.

Thanks in advance,
Chris


Posted: Sat Dec 21, 2013 4:38 pm (Newbie; joined Sat Dec 21, 2013; 3 posts)
OK, I think I might be a bit closer. Let's say an email is sent with an @geek-speak.co.uk address. At the same time, I'm seeing POST requests coming in to geek-speak.co.uk in the apache log. They appear to be hits on the home page (the URI is "/").

I've blocked the originating IPs in iptables, but is there anything else I should do? I'm running WordPress on the domains that are being affected but everything is up to date.

Any thoughts?

Edit: It seems iptables isn't stopping the traffic. It's originating from 173.245.51.120 and 173.245.51.121, both of which I have added to my iptables rules, but it's somehow still getting through and still generating the spam emails.
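What the log lines in these two posts tell you, worked through as an added example (this is not code from the original thread): a Postfix pickup(8) line means the message was handed in locally through the sendmail(1) binary by the uid shown, not over SMTP, so smtpd restrictions and mynetworks are not the control point; the account behind uid 1002 (`getent passwd 1002` on the box) is the process doing the sending. The script below parses constructed sample lines in the same formats, counts submissions per uid, and pairs each submission with POST requests to the sender's virtual host in the seconds before it. Assumptions not taken from the posts: Apache's access log has the virtual host name prepended to the combined format (`%v %h %l %u %t ...`), both logs are in the server's local time zone, and the client addresses and the second hosted domain `example.org` are made up.

```python
#!/usr/bin/env python3
"""Added example: find which local account is submitting mail and which
web requests line up with it. The log lines below are constructed samples
in the formats seen in the thread (Postfix syslog lines; Apache combined
log with the virtual host prepended). Client IPs and example.org are made up."""
import re
from collections import Counter
from datetime import datetime, timedelta

PICKUP_LOG = """\
Dec 21 19:47:58 hartnell postfix/pickup[14943]: 7D08C105EE: uid=1002 from=<dong-1387655278@geek-speak.co.uk>
Dec 21 19:48:03 hartnell postfix/pickup[14943]: 8A11C105F2: uid=1002 from=<zoe-1387655283@geek-speak.co.uk>
Dec 21 19:48:10 hartnell postfix/pickup[14943]: 91B2C1060A: uid=1002 from=<contact-1387655290@example.org>
Dec 21 20:15:42 hartnell postfix/pickup[14943]: A03F110611: uid=1000 from=<chris@cdh-it.co.uk>
""".splitlines()

ACCESS_LOG = """\
geek-speak.co.uk 203.0.113.10 - - [21/Dec/2013:19:47:57 +0000] "POST / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
geek-speak.co.uk 203.0.113.11 - - [21/Dec/2013:19:48:02 +0000] "POST / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
geek-speak.co.uk 198.51.100.7 - - [21/Dec/2013:19:48:05 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
example.org 203.0.113.10 - - [21/Dec/2013:19:48:09 +0000] "POST / HTTP/1.1" 200 4711 "-" "Mozilla/5.0"
cdh-it.co.uk 198.51.100.9 - - [21/Dec/2013:20:15:40 +0000] "GET / HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
""".splitlines()

# pickup(8) logs local submissions (sendmail(1)/postdrop), never SMTP ones,
# and records the submitting uid, which is the fact that matters here.
PICKUP_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ '
    r'postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>')
ACCESS_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)')

LOG_YEAR = 2013  # syslog lines carry no year; assumed for the samples


def parse_pickup(line):
    m = PICKUP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    sender = m['from']
    return {'ts': ts, 'qid': m['qid'], 'uid': int(m['uid']),
            'from': sender, 'domain': sender.rsplit('@', 1)[-1].lower()}


def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # Both logs are assumed to be in the server's local zone; drop the offset
    # so the timestamps compare directly with the naive syslog ones.
    ts = datetime.strptime(m['ts'], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {'ts': ts, 'vhost': m['vhost'].lower(), 'client': m['client'],
            'method': m['method'], 'uri': m['uri']}


def submissions_per_uid(pickup_lines):
    """How many messages each local uid handed to Postfix. On the real box,
    `getent passwd <uid>` (or pwd.getpwuid) names the account; a vhost's
    user or www-data means the web stack, not a shell login, is sending."""
    return Counter(s['uid'] for s in map(parse_pickup, pickup_lines) if s)


def correlate(pickup_lines, access_lines, window=5):
    """Pair each submission with POSTs to the sender's vhost in the `window`
    seconds before pickup logged it. Returns {queue_id: [(client, uri), ...]}."""
    posts = [p for p in map(parse_access, access_lines) if p and p['method'] == 'POST']
    hits = {}
    for s in filter(None, map(parse_pickup, pickup_lines)):
        start = s['ts'] - timedelta(seconds=window)
        hits[s['qid']] = [(p['client'], p['uri']) for p in posts
                          if p['vhost'] == s['domain'] and start <= p['ts'] <= s['ts']]
    return hits


def top_posting_clients(hits):
    """Clients that most often precede a submission: candidates for blocking,
    and for checking whether they are a proxy's address rather than the spammer's."""
    return Counter(client for matches in hits.values() for client, _ in matches)


if __name__ == "__main__":
    print("submissions per uid:", dict(submissions_per_uid(PICKUP_LOG)))
    hits = correlate(PICKUP_LOG, ACCESS_LOG)
    for qid, matches in hits.items():
        print(qid, "preceded by POSTs from:", matches or "nothing")
    print("clients to look at:", dict(top_posting_clients(hits)))
```

On the sample data every uid 1002 submission is preceded within five seconds by a POST to "/" on the same virtual host, while the uid 1000 message has no web request near it. One caveat on the blocking step: if requests reach Apache through a reverse proxy or CDN, the client column holds the proxy's address, and an iptables rule against it drops the proxy's traffic rather than the spammer's; in that case the originating address has to be taken from whatever header the proxy adds, and the block belongs at the application layer.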


Posted: Sat Dec 21, 2013 5:16 pm (Senior Member; joined Mon Jan 02, 2012; 365 posts)
Does your site - or your codebase - have any feature that lets someone tell someone else about an article or post on your site? I had to fix a "tell a friend" bug for someone several months back that was allowing spam to go out as a page recommendation.
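A sketch of the bug class this reply describes, added here as an example; it is hypothetical code, not WordPress, any plugin, or the site in question. A contact or "tell a friend" handler becomes a spam relay when the form is allowed to decide the recipient and the headers: a visitor who can set `To` gets an arbitrary-recipient relay, and a visitor who can put a line break into `Subject` or `From` appends headers such as `Bcc`. Shown side by side are a vulnerable builder and a hardened one that pins the recipient, rejects CR/LF in header fields, puts the visitor's address only in `Reply-To`, and rate-limits per client. `FORM_RECIPIENT`, the two sample submissions and the client address are made up.

```python
#!/usr/bin/env python3
"""Added example: a contact / tell-a-friend handler as a spam relay, and
the checks that close it. Hypothetical code, not WordPress or any plugin."""
import re
from email.message import EmailMessage

SITE_DOMAIN = "geek-speak.co.uk"                 # the site hosting the form
FORM_RECIPIENT = "webmaster@geek-speak.co.uk"    # hypothetical: where contact mail belongs

CRLF = re.compile(r'[\r\n]')
ADDRESS = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$')


def build_message_vulnerable(form):
    """The pattern that gets abused: every header, including the recipient,
    comes from the POST body and is pasted into the message as-is."""
    headers = (f"From: {form['name']} <{form['email']}>\r\n"
               f"To: {form['to']}\r\n"
               f"Subject: {form['subject']}\r\n")
    return headers + "\r\n" + form['message']


def build_message_hardened(form, max_body=2000):
    """Recipient is fixed, header fields may not contain CR/LF, From is an
    address on our own domain, and the visitor's address only goes into
    Reply-To. Raises ValueError instead of building anything suspicious."""
    for field in ('name', 'email', 'subject'):
        if CRLF.search(form.get(field, '')):
            raise ValueError(f"line break in header field {field!r}")
    if not ADDRESS.match(form['email']):
        raise ValueError("malformed reply address")
    msg = EmailMessage()
    msg['From'] = f"contact-form@{SITE_DOMAIN}"
    msg['Reply-To'] = form['email']
    msg['To'] = FORM_RECIPIENT               # never taken from the form
    msg['Subject'] = form['subject'][:200]
    msg.set_content(f"From {form['name']} via the contact form:\n\n{form['message'][:max_body]}")
    return msg


def hardened_rejects(form):
    """True when the hardened builder refuses the submission."""
    try:
        build_message_hardened(form)
        return False
    except ValueError:
        return True


class RateLimiter:
    """At most `limit` sends per client address per `window` seconds.
    In-memory stand-in for whatever store a real site would use; `now`
    is passed in so the behaviour is testable without a clock."""
    def __init__(self, limit=3, window=60):
        self.limit, self.window, self.seen = limit, window, {}

    def allow(self, client_ip, now):
        recent = [t for t in self.seen.get(client_ip, []) if now - t < self.window]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(now)
        self.seen[client_ip] = recent
        return allowed


# Constructed spam submission: the attacker picks the recipient and smuggles
# a Bcc header through the Subject field.
SPAM_FORM = {
    'name': 'dong',
    'email': 'dong-1387655278@geek-speak.co.uk',
    'to': 'victim@example.net',
    'subject': 'Great offer\r\nBcc: victim2@example.net, victim3@example.net',
    'message': 'http://example.net/buy-now',
}
# Constructed ordinary submission; the 'to' field is ignored by the hardened builder.
LEGIT_FORM = {'name': 'Alice', 'email': 'alice@example.com', 'to': 'ignored',
              'subject': 'Question about hosting', 'message': 'Hello, is the forum down?'}


if __name__ == "__main__":
    raw = build_message_vulnerable(SPAM_FORM)
    print("vulnerable builder emitted these headers:\n" + raw.split("\r\n\r\n")[0])
    print("hardened builder rejects the spam form:", hardened_rejects(SPAM_FORM))
    print("hardened builder delivers the legit form to:", build_message_hardened(LEGIT_FORM)['To'])
    rl = RateLimiter(limit=2, window=60)
    print("third send in a minute allowed:", [rl.allow('203.0.113.10', t) for t in (0, 1, 2)][-1])
```

With the vulnerable builder the spam submission yields a message addressed to `victim@example.net` with two more recipients in an injected `Bcc` header, which is exactly the shape of the traffic in the Postfix log above: one POST, one locally submitted message to an outside mailbox. The hardened builder refuses it, and a legitimate submission only ever reaches `FORM_RECIPIENT`. For a genuine tell-a-friend feature where the recipient must be user-chosen, the same rules apply minus the pinned `To`: fixed message template with no free text, a rate limit, and no user-controlled header at all.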


Posted: Sat Dec 21, 2013 5:33 pm (Newbie; joined Sat Dec 21, 2013; 3 posts)
Yes - two of the sites being affected have email contact forms (not the third one, though). I'll have a look into that.

It's all gone quiet for now so (touch wood) I might have finally managed to block those two servers that I think were triggering the problem.

Thanks

