We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
How to find script that is sending spam?
My server is sending spam but I can't figure out which script is sending it. I have more than 50 websites hosted in multiple user accounts.
I have tested this command:
Code:
grep cwd /var/log/exim/main.log|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n
This should tell me the path for the scripts that are sending emails, but I get this:
Code:
3
21854 /
Any tip? Is there any log that I can enable on exim to start recording the script that is sending the emails?
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Os: Debian 8x
- Web: apache + nginx
Re: How to find script that is sending spam?
sorry,
this isn't so straightforward to find out. There are many threads here about this, including how to rate limit mail sending from your VPS.
Sadly the breach won't stop just at the mail, your server is compromised and you'll need to
1. read and research a lot
or
2. hire a professional to fix it for you
Do you have each website in a different VestaCP user? If not, there isn't much you can do.
Here's a good starting point.
To start off!
# Check abusing domain: generate Exim stats (helped by Skurudo)
Code:
eximstats -nr -html -byemaildomain -bydomain /var/log/exim4/mainlog > /root/stats-bydomain$(date +"%b-%d-%H%M%S").html
it will create an HTML file with today's datetime in your /root which you can analyze
Re: How to find script that is sending spam?
Here are some logs from exim.
I think the spam is coming from dovecot, since when I stop the dovecot service the exim queue stops increasing. Is this log useful? I have hundreds of emails from [email protected], which is not one of my websites.
Code:
2017-02-16 01:41:01 [2584] 1ce9cW-0003CK-8N => [email protected] F=<[email protected]> P=<[email protected]> R=dnslookup T=remote_smtp S=8572 H=mailin-03.mx.aol.com [152.163.0.100]:25 I=[176.58.109.90]:59700 X=TLSv1:DHE-RSA-AES256-SHA:256 CV=yes DN="/C=US/ST=Virginia/L=Dulles/O=AOL Inc./OU=AOL Mail/CN=mx.aol.com" C="250 2.0.0 Ok: queued as 6010B70000083" QT=1h32m37s DT=3s
2017-02-16 01:41:02 [2185] 1ce9VA-0002qP-5P H=malabo.co [69.172.201.153]:25 Connection timed out
2017-02-16 01:41:02 [2184] 1ce9VA-0002qP-5P == [email protected] R=dnslookup T=remote_smtp defer (110): Connection timed out
2017-02-16 01:41:02 [2584] 1ce9cW-0003CK-8N => [email protected] F=<[email protected]> P=<[email protected]> R=dnslookup T=remote_smtp S=8565 H=mx3.hotmail.com [65.55.37.120]:25 I=[176.58.109.90]:41122 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=yes DN="/CN=*.hotmail.com" K C="250 <[email protected]> Queued mail for delivery" QT=1h32m38s DT=1s
2017-02-16 01:41:02 [2584] 1ce9cW-0003CK-8N -> [email protected] F=<[email protected]> P=<[email protected]> R=dnslookup T=remote_smtp S=8565 H=mx3.hotmail.com [65.55.37.120]:25 I=[176.58.109.90]:41122 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=yes DN="/CN=*.hotmail.com" K C="250 <[email protected]> Queued mail for delivery" QT=1h32m38s DT=1s
Re: How to find script that is sending spam?
kandalf:
you didn't even bother to read what I suggested... did you?
and then... people like you will yell on the forum "no one helps"
Re: How to find script that is sending spam?
mehargags wrote:
kandalf:
you didn't even bother to read what I suggested... did you?
and then... people like you will yell on the forum "no one helps"
Sorry mehargags, I put the log here because I was under attack at that time.
Here is a link to the information that I got using your command: http://fabricadeapps.pt/stats-bydomainF ... 04439.html
I looked in that file and there is a lot of information, but I don't know what I should look for.
Re: How to find script that is sending spam?
check these sections in the HTML
Doesn't that give you an idea?
Code:
Top 50 mail rejection reasons by message count
Top 50 sending domains by message count
Top 50 local senders by message count
Top 50 local senders by volume
Re: How to find script that is sending spam?
mehargags wrote:
check these sections in the HTML
Doesn't that give you an idea?
Code:
Top 50 mail rejection reasons by message count
Top 50 sending domains by message count
Top 50 local senders by message count
Top 50 local senders by volume
- The "Top 50 mail rejection reasons by message count" are "unknown" and "SMTP Sender rate overlimit", so the spam is being sent using SMTP.
- "Top 50 sending domains by message count": I don't know exactly what this means, can you give me a tip? None of the sending domains are websites hosted on my server, maybe only the "localdomain".
- "Top 50 local senders by message count": this shows the users on my server; exim is the one that is sending a lot of emails, and only "exim" and "root" are not real users with websites. So the spam is being sent through the exim account.
- "Top 50 local senders by volume" is the same as above, exim is the one that is sending many emails.
So the spam is being sent through SMTP and not from a script, how can I prevent this?
Note: I cleared the exim log, so tomorrow I will only see the most recent information in the logs.
Re: How to find script that is sending spam?
I found the problem: I was being attacked by "ylmf-pc", a well known botnet. It does a brute force attack, finds the password of one of my clients and starts sending spam. In the logs I found the account and changed the password.
But more important, I blocked the "helo" command in the exim configuration file.
This is what I added to exim.conf (it might help someone):
Code:
acl_smtp_helo = acl_check_helo

acl_check_helo:
  drop
    condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message = I Nailed You at HELO
  accept
I also activated fail2ban on smtp, to prevent multiple attempts from the same IP.
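An added example, not code from the thread or from VestaCP/Exim, that does in one pass what the grep pipeline in the first post and the log reading in this post do by hand: it counts messages by the working directory of a local script (the cwd= field Exim writes with the +arguments log selector), by authenticated account (the A= field on <= arrival lines) and by HELO name (the name in parentheses after H=). The log lines are constructed; the field names are Exim's, the paths, accounts and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines (not from the forum thread). The first
# three are local submissions recorded by the +arguments log selector (cwd=...),
# the rest are message arrivals (<=) with the authenticated account in A= and
# the client's HELO name in parentheses after H=.
SAMPLE_LOG = """\
2017-02-16 01:40:00 cwd=/home/user1/web/example.com/public_html 3 args: /usr/sbin/sendmail -t -i
2017-02-16 01:40:01 cwd=/home/user1/web/example.com/public_html 3 args: /usr/sbin/sendmail -t -i
2017-02-16 01:40:02 cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc 1ce9cW-0003CK-8N
2017-02-16 01:40:03 1ce9cW-0003CK-8N <= user2@example.net H=(ylmf-pc) [203.0.113.7] P=esmtpsa A=dovecot_login:user2@example.net S=8572
2017-02-16 01:40:04 1ce9cX-0003CL-9Q <= user2@example.net H=(ylmf-pc) [203.0.113.8] P=esmtpsa A=dovecot_login:user2@example.net S=8565
2017-02-16 01:40:05 1ce9cY-0003CM-0R <= alice@example.org H=mail.example.org [198.51.100.5] P=esmtpsa A=dovecot_login:alice@example.org S=1200
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")                 # working directory of a local submitter
AUTH_RE = re.compile(r"\bA=[^:\s]+:(\S+)")          # authenticator:account, keep the account
HELO_RE = re.compile(r"\bH=(?:\S+ )?\(([^)]*)\)")   # HELO name shown in parentheses

def summarize(log_text, ignore_prefix="/var/spool"):
    """Count messages per script directory, per authenticated account and per
    HELO name. Directories under ignore_prefix (Exim's own queue runs) are
    skipped, like the grep -v /var/spool in the original pipeline."""
    by_cwd, by_account, by_helo = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith(ignore_prefix):
            by_cwd[m.group(1)] += 1
        if " <= " not in line:          # only arrival lines carry A= and H=
            continue
        m = AUTH_RE.search(line)
        if m:
            by_account[m.group(1)] += 1
        m = HELO_RE.search(line)
        if m:
            by_helo[m.group(1)] += 1
    return by_cwd, by_account, by_helo

def top_sender(counter):
    """Return (key, count) with the highest count, or None when nothing matched."""
    return counter.most_common(1)[0] if counter else None

if __name__ == "__main__":
    cwd, account, helo = summarize(SAMPLE_LOG)
    for title, counts in (("script dirs", cwd), ("accounts", account), ("HELO names", helo)):
        print(title)
        for key, n in counts.most_common():
            print(f"  {n:6d} {key}")
```

On a real server, read /var/log/exim4/mainlog (or /var/log/exim/main.log on CentOS) into summarize(); a single account or HELO name far ahead of the rest is the one to check.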
- Posts: 21
- Joined: Tue Sep 05, 2017 12:39 pm
Re: How to find script that is sending spam?
kandalf wrote:
I found the problem: I was being attacked by "ylmf-pc", a well known botnet. It does a brute force attack, finds the password of one of my clients and starts sending spam. In the logs I found the account and changed the password.
But more important, I blocked the "helo" command in the exim configuration file.
This is what I added to exim.conf (it might help someone):
Code:
acl_smtp_helo = acl_check_helo

acl_check_helo:
  drop
    condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message = I Nailed You at HELO
  accept
I also activated fail2ban on smtp, to prevent multiple attempts from the same IP.
Nice tip on vestacp security.
And what configuration have you done to fail2ban on smtp?