Chakravarthy Cuddapah

Q: Yosemite Server sending out spam

I received a call from my ISP informing me that our Yosemite server is sending out spam. Server Admin/SMTP Log does show spam going out and our IP address being blocked by gmail/hotmail/yahoo mail.

I ran /Applications/Server.app/Contents/ServerRoot/usr/sbin//postsuper -d ALL to delete all mail. Whenever I stop and start mail, I see hundreds of spam messages going out from user() and coming in to non-existent users.

I don't want to reinstall the server. Is there any way to clean up any infected config files?

Appreciate any help.

OS X Yosemite (10.10), OS X Yosemite Server

Posted on Jan 28, 2016 2:57 AM


  • by ephraimephraim, Jan 29, 2016 4:10 PM in response to Chakravarthy Cuddapah
    Level 1 (0 points)

    I have a similar situation though I'm running El Capitan (10.11.3). My guess is that somebody's found a way around the mail relay restrictions, though I don't know how. What I'd like to do is restrict outgoing mail to known accounts. The spam all has made-up usernames.

  • by pterobyte, Feb 5, 2016 2:46 AM in response to Chakravarthy Cuddapah
    Level 6 (11,101 points)
    Servers Enterprise

    Usually (most of the time), this is due to a compromised user rather than an actually compromised server.

    Make sure your logging level for SMTP is at least "info"; if not, set it first:

    sudo serveradmin settings mail:postfix:log_level = "info"

    Then, wait for a while for the mail log to populate. It might take some time if the rogue sender only sends during certain timeframes. Next, issue:

    grep -i "sasl_username=" /var/log/mail.log

    If you see the same username over and over again in short succession, you have the culprit and can change the user's password. If in doubt about your password policy in general, change all users' passwords and make sure only strong passwords are allowed.

    HTH,

    Alex
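The check Alex describes, as an added example that is not part of this thread: a Python script that reads Postfix smtpd lines in the syslog layout of /var/log/mail.log, counts submissions per sasl_username, and flags any account that submitted a threshold number of messages inside a short window, which is the "same username over and over again in short succession" pattern. The sample log below is constructed (hostnames, queue IDs, client addresses and usernames are made up), and the 60-second window and threshold of 3 are assumptions to tune for your own traffic.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/mail.log lines (not taken from the thread):
# one account submits four messages within a few seconds, one user sends once,
# and a postscreen line shows that non-smtpd lines are ignored.
SAMPLE_LOG = """\
Feb  5 22:07:18 mmls01.example.net postfix/smtpd[64511]: 3C496225B169: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=opal_murray
Feb  5 22:07:19 mmls01.example.net postfix/smtpd[64511]: 3C496225B17A: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=opal_murray
Feb  5 22:07:21 mmls01.example.net postfix/smtpd[64511]: 3C496225B18B: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=opal_murray
Feb  5 22:07:22 mmls01.example.net postfix/smtpd[64511]: 3C496225B19C: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=opal_murray
Feb  5 22:15:02 mmls01.example.net postfix/smtpd[64520]: 3C496225B1AD: client=mac-1.example.net[192.0.2.5], sasl_method=LOGIN, sasl_username=alice
Feb  5 22:07:18 mmls01.example.net postfix/postscreen[64334]: CONNECT from [198.51.100.7]:20392 to [192.0.2.1]:25
"""

# Matches the smtpd line Postfix logs for an authenticated submission:
# "<syslog timestamp> <host> postfix/smtpd[pid]: <queue id>: client=..., sasl_username=<user>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<client>[^,]+),.*?sasl_username=(?P<user>\S+)"
)


def parse_sasl_events(log_text):
    """Return (timestamp, username, queue_id, client) for every authenticated submission."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # syslog timestamps carry no year; parsing them with the default year
        # is enough for ordering and for measuring gaps within one log file.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("qid"), m.group("client")))
    return events


def count_per_user(events):
    """Total submissions per sasl_username (the grep | sort | uniq -c view)."""
    counts = defaultdict(int)
    for _, user, _, _ in events:
        counts[user] += 1
    return dict(counts)


def burst_senders(events, window_seconds=60, threshold=3):
    """Users who submitted at least `threshold` messages inside any `window_seconds` span.

    Sliding window per user: for each submission, drop older submissions that fall
    outside the window and remember the largest window seen. Threshold and window
    are assumed defaults, not values from the thread.
    """
    by_user = defaultdict(list)
    for ts, user, _, _ in events:
        by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    # Feed the real log on stdin (python3 script.py < /var/log/mail.log); falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    events = parse_sasl_events(text)
    for user, n in sorted(count_per_user(events).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {user}")
    for user, n in burst_senders(events).items():
        print(f"SUSPECT: {user} submitted {n} messages within 60s; reset this account's password")
```

The per-user totals alone can mislead on a busy server, which is why the second function looks at the rate rather than the count; a legitimate user may send many messages a day, but a compromised account typically fires them off seconds apart from one client.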

  • by ephraimephraim, Feb 5, 2016 4:35 AM in response to pterobyte
    Level 1 (0 points)

    Pterobyte, I think that's good advice. My case included mail going out under a variety of made-up names. Once I restricted the mail settings to allow outbound mail only from real account names, the remaining spam was from a single account. That one happened to exist only for forwarding. I replaced the forwarding with a rule in /etc/postfix/virtual, deleted the entire account, and the spamming stopped.

  • by Chakravarthy Cuddapah, Feb 5, 2016 7:18 PM in response to pterobyte
    Level 4 (1,875 points)

    Thanks for your response. I tried these commands, and grep -i "sasl_username=" /var/log/mail.log outputs nothing.

    These are the entries in mail.log:

    Feb  5 22:07:18 mmls01.mydomain.net postfix/postscreen[64334]: CONNECT from [68.17.50.219]:20392 to [my_server_IP_Address]:25
    Feb  5 22:07:18 mmls01.mydomain.net postfix/postscreen[64334]: PASS OLD [68.17.50.219]:20392
    Feb  5 22:07:18 mmls01.mydomain.net postfix/smtpd[64511]: connect from srhs-mail-mbx4.mysrhs.com[68.17.50.219]
    Feb  5 22:07:18 mmls01.mydomain.net postfix/smtpd[64511]: NOQUEUE: reject: RCPT from srhs-mail-mbx4.mysrhs.com[68.17.50.219]: 454 4.7.1 <mildred_reyes@mydomain1.net>: Relay access denied; from=<> to=<mildred_reyes@mydomain1.net> proto=ESMTP helo=<EXCHANGE.MYSRHS.COM>

    I don't understand how it can be from=<>. Also, the domain/website the server is hosting doesn't have any email addresses, and I didn't set up an MX record either.

    Another set of entries from mail.log:

    Feb  5 17:48:40 mmls01.mydomain.net postfix/postscreen[13203]: CONNECT from [127.0.0.1]:56890 to [127.0.0.1]:25
    Feb  5 17:48:40 mmls01.mydomain.net postfix/postscreen[13203]: WHITELISTED [127.0.0.1]:56890
    Feb  5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: connect from localhost[127.0.0.1]
    Feb  5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <print@pitstopprint.com>: Relay access denied; from=<opal_murray@mydomain1.net> to=<print@pitstopprint.com> proto=ESMTP helo=<mydomain1.net>
    Feb  5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: disconnect from localhost[127.0.0.1]

    I disabled webmail, so I don't understand how 127.0.0.1 can attempt to send out email from a non-existent email address @mydomain1.net.

    I couldn't find a manual for the Server Admin command-line commands like sudo serveradmin settings mail:postfix. Can you please give me a link to where I can find the manual? I tried man serveradmin, which didn't list the options that can be used for mail.

    Appreciate your help.

  • by UptimeJeff, Feb 5, 2016 7:57 PM in response to Chakravarthy Cuddapah
    Level 4 (3,477 points)

    Hi Chakravarthy Cuddapah

    You should have sasl entries in your mail.log even when not having a spammer issue.

    Did you adjust the postfix log level as Pterobyte suggested?

    sudo serveradmin settings mail:postfix:log_level = "info"

    What do you get with this command:

    mailq

    The output of mailq looks something like this:

    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    3C496225B169   14533 Fri Feb  5 16:50:17  spammer@mydomain.com
                                             bob@spamvictim.com

    If you have a lot of mysterious messages listed, let's gather the details on a few.

    Each message has a Queue ID; run the following command on a few of the suspicious messages.

    # assuming a Queue ID of: 3C496225B169

    /Applications/Server.app//Contents/ServerRoot/usr/sbin/postcat -q 3C496225B169

    The output should reveal clues.

    Jeff
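To go with Jeff's mailq and postcat step, an added example that is not part of this thread: a Python parser for the queue listing mailq prints (the same column layout as in Jeff's reply, including the * and ! markers Postfix adds for active and held messages and the parenthesised deferral reason). It groups queued messages by sender, flags senders with an unusual number of queued messages, and produces the postcat -q command for each of their queue IDs using the Server.app path from Jeff's reply. The sample listing below is constructed (queue IDs, addresses and the deferral reason are made up), and the minimum of 2 queued messages per sender is an assumed threshold.

```python
import re
from collections import defaultdict

# postcat path as given in the thread for OS X Server
POSTCAT = "/Applications/Server.app/Contents/ServerRoot/usr/sbin/postcat"

# Constructed mailq output in Postfix's layout (IDs, addresses and reason are made up).
# A trailing "*" on the queue ID means the message is in the active queue, "!" means held.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3C496225B169   14533 Fri Feb  5 16:50:17  opal_murray@example.net
                                         print@example.com

3C496225B17A*   2048 Fri Feb  5 16:50:20  opal_murray@example.net
(connect to mx.example.org[198.51.100.9]:25: Connection timed out)
                                         carol@example.org
                                         dave@example.org

7A1B2C3D4E5F!    980 Fri Feb  5 16:52:01  alice@example.net
                                         bob@example.org

-- 17 Kbytes in 3 Requests.
"""

# First line of each queue entry: queue id, optional status flag, size, arrival time, sender
HEADER_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)$"
)
STATUS = {"": "deferred", "*": "active", "!": "hold"}


def parse_mailq(text):
    """Turn mailq output into a list of dicts: qid, status, size, arrival, sender, recipients, reason."""
    messages = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "qid": m.group("qid"),
                "status": STATUS[m.group("flag")],
                "size": int(m.group("size")),
                "arrival": m.group("arrival"),
                "sender": m.group("sender"),
                "recipients": [],
                "reason": None,
            }
            messages.append(current)
        elif current is None or not line.strip() or line.startswith("--"):
            continue  # column banner, blank separators, trailing "-- N Kbytes" summary
        elif line.lstrip().startswith("("):
            current["reason"] = line.strip().strip("()")  # deferral reason for this entry
        elif line[0].isspace():
            current["recipients"].append(line.strip())  # one indented recipient per line
    return messages


def per_sender(messages):
    """Number of queued messages and total recipients for each envelope sender."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for msg in messages:
        stats[msg["sender"]]["messages"] += 1
        stats[msg["sender"]]["recipients"] += len(msg["recipients"])
    return dict(stats)


def suspicious_senders(messages, min_messages=2):
    """Senders with at least `min_messages` entries in the queue (assumed threshold)."""
    return sorted(s for s, st in per_sender(messages).items() if st["messages"] >= min_messages)


def postcat_commands(messages, senders):
    """The postcat -q invocations to inspect every queued message from the given senders."""
    return [f"{POSTCAT} -q {m['qid']}" for m in messages if m["sender"] in senders]


if __name__ == "__main__":
    msgs = parse_mailq(SAMPLE_MAILQ)
    for sender, st in per_sender(msgs).items():
        print(f"{st['messages']:4d} msgs {st['recipients']:4d} rcpts  {sender}")
    for cmd in postcat_commands(msgs, suspicious_senders(msgs)):
        print("inspect:", cmd)
```

On a real server pipe the live listing in (mailq | python3 script.py after swapping SAMPLE_MAILQ for sys.stdin.read()); the sender column is the envelope sender, so a forged address in it is itself a finding, as ephraimephraim's made-up-username case shows.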

  • by Chakravarthy Cuddapah, Feb 6, 2016 5:27 AM in response to UptimeJeff
    Level 4 (1,875 points)

    Hi Jeff,

    Here's what I did:

    bash-3.2# sudo serveradmin settings mail:postfix:log_level = "info"
    mail:postfix:log_level = "info"

    bash-3.2# /Applications/Server.app/Contents/ServerRoot/usr/sbin//postfix reload
    postfix/postfix-script: refreshing the Postfix mail system

    bash-3.2# mailq
    Mail queue is empty

    I guess since the queue is empty now, we can't do much to debug. I will leave log_level at info and check again. I noticed that emails start going out from localhost in the evening. I will post back here.

    BTW, Apple's support section for manuals doesn't have the command-line manual anymore. Can you please point me to where I can find the manual for command-line administration? Thanks!