Author Topic: Fake users sending spam  (Read 4790 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Fake users sending spam
« on: January 11, 2022, 02:40:26 PM »
On one server, I am facing problems with SPAM.
A few months ago, I noticed shots to unknown senders.
I mitigated the problem by blocking the recipient's domain.

Quote
Jan 11 08:47:53 cwp postfix/smtpd[18216]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <recipient@random.tdl>: Recipient address rejected: 1; from=<non-existent-email@myserver.tdl> to=<recipient@random.tdl> proto=ESMTP helo=<myserver.tdl>

PHP's mail function is disabled.
I cannot detect the origin of these messages.

Offline
***
Re: Fake users sending spam
« Reply #1 on: January 11, 2022, 03:55:26 PM »
Can you post the lines above and below this single log-line...

Offline
*
Re: Fake users sending spam
« Reply #2 on: January 11, 2022, 05:37:51 PM »
Jan 11 08:44:43 cwp postfix/smtpd[17250]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:44:43 cwp postfix/smtpd[17250]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:44:43 cwp cbpolicyd[10726]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=collatedbg@myserver.tdl, to=b.lichtenberg@random.de, reason=quota_match, policy=6, quota=
3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.58/10 (115.8%)
Jan 11 08:44:43 cwp postfix/smtpd[17251]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <b.lichtenberg@random.de>: Recipient address rejected: 1; from=<collatedbg@myserver.tdl> to=<b.lichtenberg@random.de> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:44:43 cwp postfix/smtpd[17251]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:44:43 cwp postfix/smtpd[17251]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:44:43 cwp cbpolicyd[17260]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=f_ycqxcyirp@myserver.tdl, to=frank-rilling@random.de, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.58/10 (115.8%)
Jan 11 08:44:43 cwp postfix/smtpd[17258]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <frank-rilling@random.de>: Recipient address rejected: 1; from=<f_ycqxcyirp@myserver.tdl> to=<frank-rilling@random.de> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:44:43 cwp postfix/smtpd[17258]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:44:43 cwp postfix/smtpd[17258]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:45:17 cwp postfix/smtpd[17254]: warning: hostname examsection.earacheevince.com does not resolve to address 212.192.246.26
Jan 11 08:45:17 cwp postfix/smtpd[17254]: connect from unknown[212.192.246.26]
Jan 11 08:45:20 cwp postfix/smtpd[17254]: warning: unknown[212.192.246.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 11 08:45:20 cwp postfix/smtpd[17254]: lost connection after AUTH from unknown[212.192.246.26]
Jan 11 08:45:20 cwp postfix/smtpd[17254]: disconnect from unknown[212.192.246.26] ehlo=1 auth=0/1 commands=1/2
Jan 11 08:45:41 cwp postfix/smtpd[17224]: connect from unknown[85.202.169.215]
Jan 11 08:45:44 cwp postfix/smtpd[17224]: warning: unknown[85.202.169.215]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 11 08:45:44 cwp postfix/smtpd[17224]: lost connection after AUTH from unknown[85.202.169.215]
Jan 11 08:45:44 cwp postfix/smtpd[17224]: disconnect from unknown[85.202.169.215] ehlo=1 auth=0/1 commands=1/2
Jan 11 08:45:57 cwp postfix/smtpd[17257]: connect from localhost[127.0.0.1]
Jan 11 08:45:57 cwp cbpolicyd[17233]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=falcon64se@myserver.tdl, to=jgrjr@random.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.36/10 (113.6%)
Jan 11 08:45:57 cwp postfix/smtpd[17257]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <jgrjr@random.com>: Recipient address rejected: 1; from=<falcon64se@myserver.tdl> to=<jgrjr@random.com> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:45:57 cwp postfix/smtpd[17257]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:45:57 cwp postfix/smtpd[17257]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:45:57 cwp postfix/smtpd[17251]: connect from localhost[127.0.0.1]
Jan 11 08:45:57 cwp cbpolicyd[10726]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=equip@myserver.tdl, to=hardypark@random.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.36/10 (113.6%)
Jan 11 08:45:57 cwp postfix/smtpd[17251]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <hardypark@random.com>: Recipient address rejected: 1; from=<equip@myserver.tdl> to=<hardypark@random.com> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:45:57 cwp postfix/smtpd[17251]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:45:57 cwp postfix/smtpd[17251]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:47:53 cwp postfix/smtpd[18216]: connect from localhost[127.0.0.1]
Jan 11 08:47:53 cwp cbpolicyd[21400]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=eor@myserver.tdl, to=bigdadztoyz@random.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.02/10 (110.2%)
Jan 11 08:47:53 cwp postfix/smtpd[18216]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <bigdadztoyz@random.com>: Recipient address rejected: 1; from=<eor@myserver.tdl> to=<bigdadztoyz@random.com> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:47:53 cwp postfix/smtpd[18216]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:47:53 cwp postfix/smtpd[18216]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:48:28 cwp clamd[30013]: SelfCheck: Database status OK.

Offline
*
Re: Fake users sending spam
« Reply #3 on: January 11, 2022, 09:12:44 PM »
I've had similar problem, a few weeks ago...
CWP team should investigate this, as this kind of spam can really make server IP address reputation bad...

Offline
*
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Offline
***
Re: Fake users sending spam
« Reply #5 on: January 11, 2022, 11:47:30 PM »
(...)
Jan 11 08:44:43 cwp postfix/smtpd[17250]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:44:43 cwp cbpolicyd[10726]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=collatedbg@myserver.tdl, to=b.lichtenberg@random.de, reason=quota_match, policy=6, quota=
3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.58/10 (115.8%)
Jan 11 08:44:43 cwp postfix/smtpd[17251]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <b.lichtenberg@random.de>: Recipient address rejected: 1; from=<collatedbg@myserver.tdl> to=<b.lichtenberg@random.de> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:44:43 cwp postfix/smtpd[17251]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:44:43 cwp postfix/smtpd[17251]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:44:43 cwp cbpolicyd[17260]: module=Quotas, action=defer, host=127.0.0.1, helo=myserver.tdl, from=f_ycqxcyirp@myserver.tdl, to=frank-rilling@random.de, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:@myserver.tdl, counter=MessageCount, quota=11.58/10 (115.8%)
Jan 11 08:44:43 cwp postfix/smtpd[17258]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 <frank-rilling@random.de>: Recipient address rejected: 1; from=<f_ycqxcyirp@myserver.tdl> to=<frank-rilling@random.de> proto=ESMTP helo=<myserver.tdl>
Jan 11 08:44:43 cwp postfix/smtpd[17258]: lost connection after RCPT from localhost[127.0.0.1]
Jan 11 08:44:43 cwp postfix/smtpd[17258]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jan 11 08:45:17 cwp postfix/smtpd[17254]: warning: hostname examsection.earacheevince.com does not resolve to address 212.192.246.26
Jan 11 08:45:17 cwp postfix/smtpd[17254]: connect from unknown[212.192.246.26]
Jan 11 08:45:20 cwp postfix/smtpd[17254]: warning: unknown[212.192.246.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 11 08:45:20 cwp postfix/smtpd[17254]: lost connection after AUTH from unknown[212.192.246.26]
Jan 11 08:45:20 cwp postfix/smtpd[17254]: disconnect from unknown[212.192.246.26] ehlo=1 auth=0/1 commands=1/2
(...)

The spam is coming from localhost. It doesn't appear to be an open relay. It looks like some script on the server itself is allowing this sending attempt. The web logs for the same time and/or spam start time should be investigated to try to identify which scripts are allowing this.
The following files/directories must be scanned:
/usr/local/apache/logs/
/usr/local/apache/domlogs/
/usr/local/cwpsrv/var/services/roundcube/logs/

Offline
*
Re: Fake users sending spam
« Reply #6 on: January 12, 2022, 03:16:19 PM »
i`am experiencing the same problem from last week again from localhost the clamav doesn`t find malware ?

Offline
***
Re: Fake users sending spam
« Reply #7 on: January 12, 2022, 06:26:22 PM »
The spam is coming from localhost. It doesn't appear to be an open relay. It looks like some script on the server itself is allowing this sending attempt. The web logs for the same time and/or spam start time should be investigated to try to identify which scripts are allowing this.
The following files/directories must be scanned:
/usr/local/apache/logs/
/usr/local/apache/domlogs/
/usr/local/cwpsrv/var/services/roundcube/logs/

my thought exactly. Since php mail is disabled, you will have to go the route of "process of elimination".
Btw, make sure mail in php is diabled by confirming that it's disabled everywhere:
Check "disable_functions = mail"
PHP-FPM- /opt/alt/php-fpm**/usr/php/php.ini
PHP-CGI- /opt/alt/php**/usr/php/php.ini
PHP-Main- /usr/local/php/php.ini
PHP-CWP- /usr/local/cwp/php71/php.ini <-- [Not sure if webpanel mail will break if disabled here]

Another measure is to put this in main.cf file:
Code: [Select]
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain

and to make it more strict, is to change the order of the first two lines, but the server won't be able to send mail without authentication:
Code: [Select]
smtpd_sender_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
« Last Edit: January 12, 2022, 06:32:41 PM by iraqiboy90 »