On Sun, Dec 26, 2010 at 07:28:11PM +0100, Martin Kellermann wrote:
> Am 25.12.2010 19:55, schrieb ASAI:
>> In the logs I have been seeing many attempts made to send messages 
>> to gmail which seem like there's spam being sent from my server.  
>> In the logs I see this:
>>
>> Dec 24 00:05:11 triata amavis[29729]: (29729-06) Passed CLEAN, 
>> <apa...@triata.globalchangemultimedia.net> -> 
>> <ickovjulee...@gmail.com>, Message-ID: 
>> <20101224070510.bf7acfd8...@triata.globalchangemultimedia.net>, 
>> mail_id: s69xqJA1Kuer, Hits: -2.6, size: 669, queued_as: 
>> 9F457FD80A9, 898 ms
>> Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063:  
>> to=<ickovjulee...@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024,  
>> delay=1, delays=0.09/0.01/0/0.9, dsn=2.0.0, status=sent (250 2.0.0 
>> Ok: queued as 9F457FD80A9)
>>
>> What is a problem is that there is no user named apa...@triata... 
>> and this user is sending hundreds of emails out to Gmail.  So it 
>> looks like there's been a compromise.  My question is, how do I 
>> begin to plug this hole?
>>
> as already told, find the malicious script/form in apache.

Another step not yet mentioned was "postfix stop". Don't continue 
sending these.

> maybe start with comparing the apache log timestamps with postfix 
> logs. you should see a POST at the time when postfix gets the mail 
> from localhost.

Or, more likely, pickup(8). And it's also worth mentioning that the 
most significant log entries were omitted from this post. Of highest 
interest is the logging which shows the mail originally coming into 
Postfix. We'd want to see all logging pertaining to BF7ACFD8063, as 
well as the initial connection, if it arrived via smtpd(8).
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
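
The correlation the reply describes (pull everything Postfix logged for the queue id, see whether it entered via pickup(8) or smtpd(8), then look for a web POST in the seconds before it), as an added example that is not code from the thread or from Postfix. It assumes syslog lines from 2010, Apache combined-log format, and constructed sample lines with placeholder addresses; only the queue id BF7ACFD8063 comes from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample logs (not from the thread), shaped like the syslog and Apache
# combined-log lines the thread talks about. Queue id BF7ACFD8063 is quoted in the
# thread; the pickup, smtpd and Apache entries are assumed, with placeholder addresses.
MAIL_LOG = """\
Dec 24 00:05:10 triata postfix/pickup[2210]: BF7ACFD8063: uid=33 from=<www-data>
Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063: to=<victim@example.invalid>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok: queued as 9F457FD80A9)
Dec 24 00:09:40 triata postfix/smtpd[3001]: 1A2B3C4D5E: client=mail.example.invalid[192.0.2.10]
"""
ACCESS_LOG = """\
198.51.100.7 - - [24/Dec/2010:00:05:09 +0000] "POST /forms/contact.php HTTP/1.1" 200 312
198.51.100.7 - - [24/Dec/2010:00:05:09 +0000] "GET /images/logo.png HTTP/1.1" 200 8812
203.0.113.5 - - [24/Dec/2010:00:07:30 +0000] "POST /forms/contact.php HTTP/1.1" 200 312
"""
YEAR = 2010  # syslog timestamps carry no year; assumed here for parsing
MAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse_mail_log(text):
    """Group Postfix lines by queue id: qid -> [(timestamp, daemon, detail)]."""
    by_qid = defaultdict(list)
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            by_qid[m.group(3)].append((ts, m.group(2), m.group(4)))
    return by_qid

def origin(entries):
    """'pickup' = local sendmail(1) submission (e.g. a web script), 'smtpd' = network client."""
    for _, daemon, _ in sorted(entries):
        if daemon in ("pickup", "smtpd"):
            return daemon
    return None  # the entry showing how the message arrived was not logged/retained

def correlate_posts(mail_log, access_log, qid, window=timedelta(seconds=5)):
    """Apache POSTs within `window` before the queue id's first Postfix entry (same local tz assumed)."""
    entries = parse_mail_log(mail_log).get(qid)
    if not entries:
        return []
    first_seen = min(ts for ts, _, _ in entries)
    posts = [m for m in map(APACHE_RE.match, access_log.splitlines()) if m and m.group(3) == "POST"]
    hits = []
    for m in posts:
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        if first_seen - window <= when <= first_seen:
            hits.append((m.group(1), when, m.group(4)))
    return hits
```

A `pickup` origin with a web-server uid and a matching POST a second earlier points at the script handling that URL; an `smtpd` origin means the message came over the network instead.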
