Postfix - Spamming Server

We have a few alerts which send out an email if the mail queue gets a bit unwieldy on our server. This helps us to identify any potential spammy hacks which get onto our server. WordPress and Drupal, being the most popular CMSes, are normally the most at risk unless security updates are regularly applied.

Recently a WordPress site was hacked and a nicely base-encoded script was placed on it which spammed and got our server on a blacklist. Looking in our logs we could see a file 'view.php' was being run to spam from our servers. After we removed the script, it was back within 15 minutes.

In the short term we renamed the file, and we ended up editing the Postfix configuration file to prevent the domain sending out more spam.

Great little grep

Handy for finding the most used email addresses in the mail logs. It is not authoritative, but a handy pointer. The first command counts every address in the log; the second only counts addresses on lines for mail that was actually delivered (status=sent).

grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" /var/log/mail.log | sort | uniq -c | sort -n | tail -n 10

grep "status=sent" /var/log/mail.log | grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" | sort | uniq -c | sort -n | tail -n 10

Preventing more spam being generated by the user

  1. Within Webmin > Servers > Postfix Mail Server > Mail Queue
    Find out who is generating the email.
  2. Use the logs to identify which user is sending the emails and troubleshoot where the spam is being generated. If the spam is being generated from a particular email address, the IP can be identified, which points to a trojan on a user's machine.
    tail /var/log/mail.log
    tail /var/log/syslog

  3. Within the Postfix configuration files, edit the details below to prevent the user from sending emails.
    http://serverfault.com/questions/530406/postfix-block-local-user-from-sending
    This prevents the administration account user "USERNAME" (thepetsi in the example below) from sending emails. However, any other email accounts associated with the account will not be prevented from sending and receiving emails.
    /etc/postfix/main.cf
    authorized_submit_users = !thepetsi, static:anyone

  4. Using MXToolbox, identify if any of our servers are on a blacklist and apply to be white-listed again.
    http://mxtoolbox.com/blacklists.aspx

  5. Virtualmin > Email Messages > Mail Rate Limit
    Limit the amount of mail clients are able to send, per domain or across the whole server.
    This gives us space to fix the issue and test without adversely affecting other email users on our server.

  6. Regularly check the outgoing mail queue. Many hacks use the PHP mail function rather than any SMTP, thereby avoiding Postfix completely.
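The grep one-liners above and step 2 both try to find who is sending, but on "status=sent" lines the address matched is the recipient, not the sender. The script below is an added example (not from the original page or from Postfix) that joins log lines on the Postfix queue ID so delivered mail is counted per envelope sender and per submitting Unix uid (the pickup line records the uid for local submissions such as PHP mail() running as the web server). The log lines in demo() are constructed for the example; field positions assume the standard syslog layout of /var/log/mail.log.

```shell
#!/bin/sh
# Added example, not from the original page: count *delivered* mail per envelope
# sender and per submitting Unix uid by joining Postfix log lines on the queue
# ID. The sender lives on the qmgr "from=<...>" line; the local submitter
# (e.g. PHP mail() running as the web server) on the pickup "uid=NN" line;
# each delivered recipient on an smtp "to=<...> ... status=sent" line.
# Usage: top_senders /var/log/mail.log [N]
top_senders() {
    awk '
        function qid(f)  { sub(/:$/, "", f); return f }                     # "A1B2C3:" -> "A1B2C3"
        function addr(f) { sub(/^[a-z]+=</, "", f); sub(/>,?$/, "", f); return (f == "" ? "<>" : f) }
        $5 ~ /^postfix\/pickup\[/ && $7 ~ /^uid=/   { uid[qid($6)]  = substr($7, 5) }
        $5 ~ /^postfix\/qmgr\[/   && $7 ~ /^from=</ { from[qid($6)] = addr($7) }
        $5 ~ /^postfix\/smtp\[/   && $7 ~ /^to=</ && /status=sent/ {
            id = qid($6)
            sender    = (id in from) ? from[id] : "?"
            submitter = (id in uid)  ? uid[id]  : "-"   # "-" = not local pickup (SMTP/SASL client)
            sent[sender " uid=" submitter]++
        }
        END { for (k in sent) print sent[k], k }
    ' "$1" | sort -rn | head -n "${2:-10}"
}

# Constructed sample log: a web-server (uid=33) submission delivering to two of
# three recipients, and one authenticated SMTP submission from a legitimate user.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Sep  9 10:00:01 mx postfix/pickup[100]: A1B2C3: uid=33 from=<www-data>
Sep  9 10:00:01 mx postfix/qmgr[102]: A1B2C3: from=<noreply@victim.example>, size=812, nrcpt=3 (queue active)
Sep  9 10:00:02 mx postfix/smtp[103]: A1B2C3: to=<a@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=2.0.0, status=sent (250 OK)
Sep  9 10:00:02 mx postfix/smtp[103]: A1B2C3: to=<b@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=2.0.0, status=sent (250 OK)
Sep  9 10:00:02 mx postfix/smtp[103]: A1B2C3: to=<c@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=5.1.1, status=bounced (user unknown)
Sep  9 10:01:00 mx postfix/smtpd[104]: D4E5F6: client=ws.example[198.51.100.5], sasl_method=PLAIN, sasl_username=alice@ours.example
Sep  9 10:01:00 mx postfix/qmgr[102]: D4E5F6: from=<alice@ours.example>, size=500, nrcpt=1 (queue active)
Sep  9 10:01:01 mx postfix/smtp[103]: D4E5F6: to=<d@example.org>, relay=mx.example.org[203.0.113.7]:25, dsn=2.0.0, status=sent (250 OK)
EOF
    top_senders "$tmp" 5
    rm -f "$tmp"
}

demo   # prints "2 noreply@victim.example uid=33" then "1 alice@ours.example uid=-"
```

A sender that is also a uid=33 (web server) submission is the pattern to look at first: that is a script on the site sending mail, not a mail client.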

More info

Other research on Postfix configuration to prevent spamming can be viewed here:
http://wiki.centos.org/HowTos/postfix_restrictions

Also policyd, an add-on for Postfix, can be installed:
http://wiki.policyd.org/quotas
and set up as described here:
http://imanudin.net/2014/09/09/zimbra-tips-how-to-configure-rate-limit-sending-message-on-policyd/