Author Topic: Problem with spam  (Read 2372 times)

colifato

  • Newbie
  • Posts: 47
Problem with spam
« on: March 21, 2016, 02:46:10 pm »
The server had been running well, but today was a terrible day.
Junk mail was continually coming in; it seems to be a virus...
To all hosted domains.
What can I check?
Thank you very much in advance.
I'm running Ubuntu Server 14.04.4 LTS and EHCP with the latest updates.

« Last Edit: March 21, 2016, 02:47:52 pm by colifato »

earnolmartin

  • Administrator
  • Sr. Member
  • Posts: 302
Re: Problem with spam
« Reply #1 on: March 22, 2016, 08:50:25 pm »
What does your screenshot show? Are those incoming email messages you received? My mail accounts also receive a large amount of incoming spam, but usually SpamAssassin correctly handles it. Check /var/log/mail.log for information regarding incoming emails.

If it is outgoing mail, you need to identify where the spam is coming from. You can do so by following this guide (I recently had to track down a hacked installation of WordPress that was responsible for sending massive amounts of spam):

http://www.jasom.net/what-to-do-when-your-ubuntu-server-is-used-by-botnet-to-spread-email-spam

Please help me better understand your issue. 

colifato

  • Newbie
  • Posts: 47
Re: Problem with spam
« Reply #2 on: March 23, 2016, 07:16:55 am »
I just did the checks, and really everything is fine... perfect.
I'm not blacklisted, and my server is not an open relay...
I really cannot find what is wrong.
I am going to keep searching.

colifato

  • Newbie
  • Posts: 47
Re: Problem with spam
« Reply #3 on: March 23, 2016, 05:43:57 pm »
From comments I'm getting from computer colleagues, I'm informed that everywhere (I'm not saying it's my server) mails are arriving with the virus that encrypts files on the computer.
I hope I am receiving them from elsewhere and that it is not me who sent them.

regards

earnolmartin

  • Administrator
  • Sr. Member
  • Posts: 302
Re: Problem with spam
« Reply #4 on: March 24, 2016, 09:03:04 pm »
I've received similar spam email messages containing virus attachments. These messages are usually sent to one of my domain email addresses that a bot or spammer has somehow indexed. The sender and the recipient are the same. Thus, it may appear that you're sending yourself email, but this is far from the case! It is most likely not coming from your server. When an email message is sent, mail programs allow you to dynamically specify the sender's email address, the recipient's email address, and more.

As such, since there is no way to verify who an email truly comes from, you should use SpamAssassin with ClamAV to filter out some of these emails. However, even this system is far from perfect.

To see where an email originated from, view the original message's headers by looking at the email file.

Quote
Received: from [103.41.45.19] (unknown [103.41.45.19])
   by HOST (Postfix) with ESMTP id 9AC0044CCAD
   for <emailaddress>; Thu, 24 Mar 2016 08:56:15 -0600 (MDT)

You can do this in various email clients.  See here for instructions:  http://umyhacker.blogspot.com/2014/01/how-to-get-ip-address-of-e-mail-sender.html

You can also check the mail log like this, using an email address that received the spam, or by using the IP address that sent the message:

Code:
grep -F "email_address_YOU_RECEIVED_SPAM_FROM@YOURDOMAIN.com" /var/log/mail.log

Doing this, I found the following entry:

Quote
Mar 24 08:56:19 amavis[29443]: (29443-09) Passed SPAMMY, [103.41.45.19] [103.41.45.19] <emailaddress> -> <emailaddress>, Message-ID: <2CAEA1519BE34C544355FC9530@BORO-SBS.boro.local>, mail_id: Dyt554BAqhhN, Hits: 7.769, size: 8356, queued_as: 4ED5044CCAE, 1751 ms

Then, I looked up entries using that IP address:

Code:
grep -F "103.41.45.19" /var/log/mail.log

I found this:

Code:
Mar 24 08:56:13 postfix/smtpd[30589]: connect from unknown[103.41.45.19]
Mar 24 08:56:15 postfix/smtpd[30589]: 9AC0044CCAD: client=unknown[103.41.45.19]
Mar 24 08:56:18 postfix/smtpd[30589]: disconnect from unknown[103.41.45.19]
Mar 24 08:56:19 amavis[29443]: (29443-09) Passed SPAMMY, [103.41.45.19] [103.41.45.19] <emailaddress> -> <emailaddress>, Message-ID: <2CAEA1519BE34C544355FC9530@BORO-SBS.boro.local>, mail_id: Dyt554BAqhhN, Hits: 7.769, size: 8356, queued_as: 4ED5044CCAE, 1751 ms

In my case, the email originated from 103.41.45.19, which is not my server. The best way to avoid these kinds of attacks is to never expose your email address. You can do this by using contact forms that hide email addresses, but once you reply to a message, your email address is revealed. As you can see, it's a tough battle to fight.
« Last Edit: March 24, 2016, 09:09:01 pm by earnolmartin »
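The two questions raised in this thread, whether the spam is inbound or is being sent from the server itself (Reply #1), and how to read the Received: header and the mail.log entries to find the connecting client (Reply #4), can be answered from the same log data. The script below is an added example, not code from the original posts or from EHCP. It correlates Postfix and amavis log lines by queue ID and Message-ID, classifies each message as externally delivered (smtpd with a remote client) or locally submitted (the pickup service, or smtpd from loopback), and extracts the first-hop IP from the one Received: line that the server's own MTA wrote. The log excerpt, the header block, the hostname mail.example.com and the addresses are constructed for the example; the line formats follow the Postfix and amavis entries quoted above.

```python
"""Find where a message entered the mail system from Postfix/amavis logs and headers."""
import re
from collections import defaultdict

# Constructed sample log (not from the original post). First message: delivered
# by an external client, flagged SPAMMY by amavis. Second message: submitted
# locally through the pickup service by uid 33 (www-data) to 50 recipients, the
# pattern a compromised web application produces.
SAMPLE_LOG = """\
Mar 24 08:56:13 host postfix/smtpd[30589]: connect from unknown[103.41.45.19]
Mar 24 08:56:15 host postfix/smtpd[30589]: 9AC0044CCAD: client=unknown[103.41.45.19]
Mar 24 08:56:15 host postfix/cleanup[30591]: 9AC0044CCAD: message-id=<2CAEA1519BE34C544355FC9530@BORO-SBS.boro.local>
Mar 24 08:56:15 host postfix/qmgr[1234]: 9AC0044CCAD: from=<victim@example.com>, size=8356, nrcpt=1 (queue active)
Mar 24 08:56:18 host postfix/smtpd[30589]: disconnect from unknown[103.41.45.19]
Mar 24 08:56:19 host amavis[29443]: (29443-09) Passed SPAMMY, [103.41.45.19] [103.41.45.19] <victim@example.com> -> <victim@example.com>, Message-ID: <2CAEA1519BE34C544355FC9530@BORO-SBS.boro.local>, mail_id: Dyt554BAqhhN, Hits: 7.769, size: 8356, queued_as: 4ED5044CCAE, 1751 ms
Mar 24 09:10:02 host postfix/pickup[2001]: 7B1C044CCB0: uid=33 from=<www-data>
Mar 24 09:10:02 host postfix/cleanup[2002]: 7B1C044CCB0: message-id=<20160324091002.7B1C044CCB0@host>
Mar 24 09:10:02 host postfix/qmgr[1234]: 7B1C044CCB0: from=<www-data@host>, size=1200, nrcpt=50 (queue active)
"""

# Constructed header block (not from the original post). Only the top Received:
# line was written by our MTA; the one below it is whatever the sender claimed.
SAMPLE_HEADERS = """\
Received: from [103.41.45.19] (unknown [103.41.45.19])
   by mail.example.com (Postfix) with ESMTP id 9AC0044CCAD
   for <victim@example.com>; Thu, 24 Mar 2016 08:56:15 -0600 (MDT)
Received: from BORO-SBS.boro.local ([192.168.1.5]) by BORO-SBS.boro.local
   with Microsoft SMTPSVC; Thu, 24 Mar 2016 20:55:00 +0600
From: victim@example.com
To: victim@example.com
Subject: Invoice
"""

QID_RE = re.compile(r'postfix/(?P<svc>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)')
CLIENT_RE = re.compile(r'client=(?P<host>[^\[\s]+)\[(?P<ip>[\d.:a-fA-F]+)\]')
PICKUP_RE = re.compile(r'uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>')
QMGR_RE = re.compile(r'from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)')
MSGID_RE = re.compile(r'message-id=(?P<mid><[^>]*>)')
AMAVIS_RE = re.compile(r'amavis\[\d+\]: \(\S+\) (?P<verdict>\w+ \w+), \[[\d.:a-fA-F]+\].*?Message-ID: (?P<mid><[^>]*>)')
RCVD_IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def parse_log(text):
    """Group log lines by Postfix queue ID; attach the amavis verdict via Message-ID."""
    records = defaultdict(dict)
    verdicts = {}
    for line in text.splitlines():
        m = QID_RE.search(line)
        if m:
            rec, svc, rest = records[m['qid']], m['svc'], m['rest']
            if svc == 'smtpd':
                c = CLIENT_RE.search(rest)
                if c:
                    rec['client_host'], rec['client_ip'] = c['host'], c['ip']
                    loopback = c['ip'].startswith('127.') or c['ip'] == '::1'
                    rec['origin'] = 'local' if loopback else 'external'
            elif svc == 'pickup':          # sendmail(1)/PHP mail() submissions land here
                p = PICKUP_RE.search(rest)
                if p:
                    rec['origin'], rec['uid'] = 'local', int(p['uid'])
            elif svc == 'qmgr':
                q = QMGR_RE.search(rest)
                if q:
                    rec['sender'], rec['nrcpt'] = q['sender'], int(q['nrcpt'])
            elif svc == 'cleanup':
                mi = MSGID_RE.search(rest)
                if mi:
                    rec['message_id'] = mi['mid']
            continue
        a = AMAVIS_RE.search(line)
        if a:
            verdicts[a['mid']] = a['verdict']
    for rec in records.values():
        rec.setdefault('origin', 'unknown')
        rec['verdict'] = verdicts.get(rec.get('message_id'))
    return dict(records)


def local_submissions(records):
    """Messages that originated on this host: the ones to investigate for an outbound spam source."""
    return {qid: r for qid, r in records.items() if r['origin'] == 'local'}


def received_chain(headers):
    """Unfold continuation lines and return the Received: headers top-down (our MTA first)."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in ' \t' and lines:
            lines[-1] += ' ' + raw.strip()
        else:
            lines.append(raw)
    return [l for l in lines if l.startswith('Received:')]


def first_hop_ip(headers, our_host):
    """IP of the client that handed the message to our_host. Only the Received: line
    written by our own MTA is trustworthy; everything below it is sender-controlled."""
    for rcvd in received_chain(headers):
        if f' by {our_host} ' in rcvd:
            ips = RCVD_IP_RE.findall(rcvd)
            return ips[0] if ips else None
    return None


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for qid, r in recs.items():
        print(qid, r['origin'], r.get('client_ip') or f"uid={r.get('uid')}", r.get('sender'), r.get('nrcpt'), r['verdict'])
    print('locally submitted:', sorted(local_submissions(recs)))
    print('first hop:', first_hop_ip(SAMPLE_HEADERS, 'mail.example.com'))
```

Run it against a real log with `parse_log(open('/var/log/mail.log').read())`; a pickup entry with a web-server uid and a large nrcpt is the signature of the hacked-site case mentioned in Reply #1, while an smtpd entry with a remote client IP is inbound mail that your server merely received. The amavis `Passed SPAMMY` verdict is linked through the Message-ID because the amavis line carries a different queue ID (`queued_as`) from the one smtpd assigned.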