Fake users sending spam

On one server, I am facing problems with SPAM.
A few months ago, I noticed shots to unknown senders.
I mitigated the problem by blocking the recipient's domain.

Jan 11 08:47:53 cwp postfix/smtpd[18216]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <recipient@random.tdl>: Recipient address rejected: 1; from=<non-existent-email@myserver.tdl> to=<recipient@random.tdl> proto=ESMTP helo=<myserver.tdl>

PHP's mail function is disabled.
I cannot detect the origin of these messages.

Can you post the lines above and below this single log-line...

Jan 11 08:44:43 cwp postfix/smtpd[17250]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:44:43 cwp postfix/smtpd[17250]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:44:43 cwp cbpolicyd[10726]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=collatedbg@myserver.tdl, to=b.lichtenberg@random.de, reason=quota_match, policy=6, quota=
3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.58/10 (115.8%)
Jan 11 08:44:43 cwp postfix/smtpd[17251]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <b.lichtenberg@random.de>: Recipient address rejected: 1; from=<collatedbg@myserver.tdl> to=<b.lichtenberg@random.de> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:44:43 cwp postfix/smtpd[17251]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:44:43 cwp postfix/smtpd[17251]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:44:43 cwp cbpolicyd[17260]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=f_ycqxcyirp@myserver.tdl, to=frank-rilling@random.de, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.58/10 (115.8%)
Jan 11 08:44:43 cwp postfix/smtpd[17258]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <frank-rilling@random.de>: Recipient address rejected: 1; from=<f_ycqxcyirp@myserver.tdl> to=<frank-rilling@random.de> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:44:43 cwp postfix/smtpd[17258]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:44:43 cwp postfix/smtpd[17258]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:45:17 cwp postfix/smtpd[17254]: warning: hostname examsection.earacheevince.com does not resolve to address 212.192.246.26
Jan 11 08:45:17 cwp postfix/smtpd[17254]: connect from unknown[212.192.246.26]
Jan 11 08:45:20 cwp postfix/smtpd[17254]: warning: unknown[212.192.246.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 11 08:45:20 cwp postfix/smtpd[17254]: lost connection after AUTH from unknown[212.192.246.26]
Jan 11 08:45:20 cwp postfix/smtpd[17254]: disconnect from unknown[212.192.246.26] ehlo=1 auth=0/1 commands=1/2
Jan 11 08:45:41 cwp postfix/smtpd[17224]: connect from unknown[85.202.169.215]
Jan 11 08:45:44 cwp postfix/smtpd[17224]: warning: unknown[85.202.169.215]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 11 08:45:44 cwp postfix/smtpd[17224]: lost connection after AUTH from unknown[85.202.169.215]
Jan 11 08:45:44 cwp postfix/smtpd[17224]: disconnect from unknown[85.202.169.215] ehlo=1 auth=0/1 commands=1/2
Jan 11 08:45:57 cwp postfix/smtpd[17257]: connect from localhost[127.0.0.1]
Jan 11 08:45:57 cwp cbpolicyd[17233]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=falcon64se@myserver.tdl, to=jgrjr@random.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.36/10 (113.6%)
Jan 11 08:45:57 cwp postfix/smtpd[17257]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <jgrjr@random.com>: Recipient address rejected: 1; from=<falcon64se@myserver.tdl> to=<jgrjr@random.com> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:45:57 cwp postfix/smtpd[17257]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:45:57 cwp postfix/smtpd[17257]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:45:57 cwp postfix/smtpd[17251]: connect from localhost[127.0.0.1]
Jan 11 08:45:57 cwp cbpolicyd[10726]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=equip@myserver.tdl, to=hardypark@random.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.36/10 (113.6%)
Jan 11 08:45:57 cwp postfix/smtpd[17251]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <hardypark@random.com>: Recipient address rejected: 1; from=<equip@myserver.tdl> to=<hardypark@random.com> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:45:57 cwp postfix/smtpd[17251]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:45:57 cwp postfix/smtpd[17251]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:47:53 cwp postfix/smtpd[18216]: connect from localhost[127.0.0.1]
Jan 11 08:47:53 cwp cbpolicyd[21400]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=eor@myserver.tdl, to=bigdadztoyz@random.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.02/10 (110.2%)
Jan 11 08:47:53 cwp postfix/smtpd[18216]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <bigdadztoyz@random.com>: Recipient address rejected: 1; from=<eor@myserver.tdl> to=<bigdadztoyz@random.com> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:47:53 cwp postfix/smtpd[18216]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:47:53 cwp postfix/smtpd[18216]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:48:28 cwp clamd[30013]: SelfCheck: Database status OK.

I've had similar problem, a few weeks ago...
CWP team should investigate this, as this kind of spam can really make server IP address reputation bad...

simple info:
http://wiki.centos-webpanel.com/tracking-php-script-spam
http://wiki.centos-webpanel.com/track-spam-infected-scripts

(...)
Jan 11 08:44:43 cwp postfix/smtpd[17250]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:44:43 cwp cbpolicyd[10726]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=collatedbg@myserver.tdl, to=b.lichtenberg@random.de, reason=quota_match, policy=6, quota=
3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.58/10 (115.8%)
Jan 11 08:44:43 cwp postfix/smtpd[17251]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <b.lichtenberg@random.de>: Recipient address rejected: 1; from=<collatedbg@myserver.tdl> to=<b.lichtenberg@random.de> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:44:43 cwp postfix/smtpd[17251]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:44:43 cwp postfix/smtpd[17251]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:44:43 cwp cbpolicyd[17260]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=f_ycqxcyirp@myserver.tdl, to=frank-rilling@random.de, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.58/10 (115.8%)
Jan 11 08:44:43 cwp postfix/smtpd[17258]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <frank-rilling@random.de>: Recipient address rejected: 1; from=<f_ycqxcyirp@myserver.tdl> to=<frank-rilling@random.de> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:44:43 cwp postfix/smtpd[17258]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:44:43 cwp postfix/smtpd[17258]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:45:17 cwp postfix/smtpd[17254]: warning: hostname examsection.earacheevince.com does not resolve to address 212.192.246.26
Jan 11 08:45:17 cwp postfix/smtpd[17254]: connect from unknown[212.192.246.26]
Jan 11 08:45:20 cwp postfix/smtpd[17254]: warning: unknown[212.192.246.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 11 08:45:20 cwp postfix/smtpd[17254]: lost connection after AUTH from unknown[212.192.246.26]
Jan 11 08:45:20 cwp postfix/smtpd[17254]: disconnect from unknown[212.192.246.26] ehlo=1 auth=0/1 commands=1/2
(...)

The spam is coming from localhost. It doesn't appear to be an open relay. It looks like some script on the server itself is allowing this sending attempt. The web logs for the same time and/or spam start time should be investigated to try to identify which scripts are allowing this.
The following files/directories must be scanned:
/usr/local/apache/logs/
/usr/local/apache/domlogs/
/usr/local/cwpsrv/var/services/roundcube/logs/

i`am experiencing the same problem from last week again from localhost the clamav doesn`t find malware ?

The spam is coming from localhost. It doesn't appear to be an open relay. It looks like some script on the server itself is allowing this sending attempt. The web logs for the same time and/or spam start time should be investigated to try to identify which scripts are allowing this.
The following files/directories must be scanned:
/usr/local/apache/logs/
/usr/local/apache/domlogs/
/usr/local/cwpsrv/var/services/roundcube/logs/

my thought exactly. Since php mail is disabled, you will have to go the route of "process of elimination".
Btw, make sure mail in php is diabled by confirming that it's disabled everywhere:
Check "disable_functions = mail"
PHP-FPM- /opt/alt/php-fpm**/usr/php/php.ini
PHP-CGI- /opt/alt/php**/usr/php/php.ini
PHP-Main- /usr/local/php/php.ini
PHP-CWP- /usr/local/cwp/php71/php.ini <-- [Not sure if webpanel mail will break if disabled here]

Another measure is to put this in main.cf file:

Code: [Select]

smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain

and to make it more strict, is to change the order of the first two lines, but the server won't be able to send mail without authentication:

Code: [Select]

smtpd_sender_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain