
We have a Debian Squeeze server running a fairly standard LAMP stack (back in the day it was set up using the Perfect Server guide at Howtoforge, so we're using ISPConfig as our backend admin panel) which has been locked down pretty well with regards to MTAs (nothing installed, no Postfix, no Exim etc.), with the PHP mail() function thoroughly disabled and port 25 firewalled.

We routinely get SPAM warnings from e.g. MegaRBL, however, identifying our server IP as the source.

Usually we track down a hacked WordPress site, where we see a bunch of encrypted/obfuscated scripts and other junk, which we then nuke and hope for the best.

This approach is not satisfying to me, as I am going mad trying to figure out HOW they manage to send out SPAM from this server. I am guessing (and this might be totally wrong) that the scripts they manage to drop into the hacked WordPress sites are Mail Transport Agents themselves. I obviously cannot gain much insight into what they are doing exactly, as these scripts are encrypted / obfuscated.

All my Google searches and research always point to Postfix or the mail() function and various guides on how to track this down and mitigate spam from these sources, but I am certain that all that stuff has been nuked from our server.

So my question here is threefold:

  1. Is it possible that these obfuscated scripts we find are in fact sending out mail without the aid of any binaries installed on my server (e.g. Postfix, sendmail, whatever)?
  2. Is there any way of logging / detecting this type of traffic being emitted from our server?
  3. Am I missing something? Postfix has been removed, I've double-checked that the PHP mail() function is disabled, I've scoured the binaries looking for anything that might be mail related and nuked it, but I'm worried I might just be retarded and missing something obvious ...

Arni J

2 Answers


There are a few things we do for this.

Option 1: if you do not want any emails outbound, check that your OUTBOUND firewall is set to block TCP/25 (assuming you do not want to send email).

# DROP (or REJECT) is the target to use; DENY is not a valid iptables target
iptables -A OUTPUT -p tcp --dport 25 -j DROP
# iptables-save only prints the running ruleset; redirect it to a file and restore it at boot to persist
iptables-save

Option 2: install Postfix and add a BCC to get copies of sent emails.

# Only mail submitted through Postfix is copied
postconf -e always_bcc=abusemonitor@example.com
service postfix restart

Option 3: redirect all outbound traffic to a catch-all. There are a few options, so search around; one I prefer is mailcatcher.me, and there are a few others floating around, e.g. Email catch all (domain and subdomains) Postfix.

With mailcatcher.me you would need to redirect outbound mail to it, as well as a system that can run Ruby.

# mailcatcherIP is a placeholder; the brackets tell Postfix to deliver to that host directly instead of doing an MX lookup
postconf -e 'relayhost=[mailcatcherIP]:1025'
service postfix restart

Option 4: firewall redirect. Get with your network admin and set up a NAT rule to redirect outbound 25 from the internal IP of the web system to another system or filter, such as an outbound filter like https://www.spamexperts.com/services/outgoing-filtering

Lastly, as extra info: Postfix is an MTA; however, you don't need an MTA to send email, just the ability to open a connection on TCP/25.
If you can telnet to an MX record on port 25, you can potentially send email (without postfix/sendmail/etc.).

If you have some clients with WordPress that should be allowed to send email, suggest they use the SendGrid or Mailchimp plugins; they can use API tools over HTTPS or the client SMTPS port (submission 587).

Jacob Evans
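For the question's second point (detecting direct-to-MX sending that bypasses any MTA), here is an added example, not code from the answer above, that implements the check on the Linux host itself: it reads /proc/net/tcp, lists sockets connected to a remote port 25 no matter which process opened them, and maps each socket inode back to a PID through /proc/<pid>/fd. The sample table, the 10.0.0.5 and 198.51.100.10 addresses and uid 33 are constructed; the live scan needs root to read other users' fd directories.

```python
"""Spot processes with live connections to remote TCP/25 by reading /proc/net/tcp
directly, then map each socket inode back to a PID via /proc/<pid>/fd (root needed)."""
import os, socket, struct
SMTP_PORT = 25
# Kernel socket states worth alerting on: handshake in progress, or open.
ACTIVE_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT"}
def _decode_addr(hexaddr):
    """'0A6433C6:0019' -> ('198.51.100.10', 25); IPv4 is little-endian in /proc."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text, port=SMTP_PORT):
    """Return active sockets whose remote port is `port` (default 25)."""
    hits = []
    for line in text.splitlines()[1:]:            # first line is the header row
        f = line.split()
        local, remote, state, uid, inode = f[1], f[2], f[3], f[7], f[9]
        rip, rport = _decode_addr(remote)
        if rport != port or state not in ACTIVE_STATES:
            continue
        lip, lport = _decode_addr(local)
        hits.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                     "state": ACTIVE_STATES[state], "uid": int(uid), "inode": inode})
    return hits

def find_pid_for_inode(inode, proc="/proc"):
    """Return the PID holding socket:[inode], or None if not found or not visible."""
    target = f"socket:[{inode}]"
    pids = [p for p in os.listdir(proc) if p.isdigit()] if os.path.isdir(proc) else []
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:                           # process exited or no permission
            continue
    return None

# Constructed sample: uid 33 (www-data on Debian) has an ESTABLISHED connection to
# a remote host on port 25; the port-443 socket on the next row must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:B26E 0A6433C6:0019 01 00000000:00000000 00:00000000 00000000    33        0 22222 1
   1: 0500000A:B270 0A6433C6:01BB 01 00000000:00000000 00:00000000 00000000    33        0 33333 1
"""
if __name__ == "__main__":
    for hit in parse_proc_net_tcp(open("/proc/net/tcp").read()):   # live scan
        print(hit, "pid:", find_pid_for_inode(hit["inode"]))
```

Run it from cron while the RBL complaints are coming in and you get the PID, which `ls -l /proc/<pid>/cwd` turns into the site directory holding the script; a uid of 33 points at something running under the web server.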

Look in /var/log at maillog.

Make your own PHP mail script and see if it works. Mostly, anything that's going on mail-wise will show in the mail log.