
Yosemite Server sending out spam

I received a call from our ISP informing me that our Yosemite server is sending out spam. Server Admin/SMTP Log does show spam going out and our IP address being blocked by gmail/hotmail/yahoo mail.

I ran /Applications/Server.app/Contents/ServerRoot/usr/sbin//postsuper -d ALL to delete all mail. Whenever I stop and start mail, I see hundreds of spam messages going out from user() and coming in to non-existent users.

I don't want to reinstall the server. Is there any way to clean up any infected config files?

Appreciate any help.

OS X Yosemite (10.10), OS X Yosemite Server

Posted on Jan 28, 2016 2:57 AM

6 replies

Feb 5, 2016 2:46 AM in response to Chakravarthy Cuddapah

Usually (most of the time), this is due to a compromised user rather than an actually compromised server.


Make sure your logging level for SMTP is at least at "info"; if not, set it first:


sudo serveradmin settings mail:postfix:log_level = "info"


Then, wait for a while for the mail log to populate. Might take some time if the rogue sender only sends during certain timeframes. Next, issue:


grep -i "sasl_username=" /var/log/mail.log


If you see the same username over and over again in short succession, you have the culprit and can change the user's password. If in doubt about your password policy in general, change all users' passwords and make sure only strong passwords are allowed.


HTH,

Alex

Feb 5, 2016 4:35 AM in response to pterobyte

Pterobyte, I think that's good advice. My case included mail going out under a variety of made-up names. Once I restricted the mail settings to allow outbound mail only from real account names, the remaining spam was from a single account. That one happened to exist only for forwarding. I replaced the forwarding with a rule in /etc/postfix/virtual, deleted the entire account, and the spamming stopped.

Feb 5, 2016 7:18 PM in response to pterobyte

Thanks for your response. I tried these commands and grep -i "sasl_username=" /var/log/mail.log outputs nothing.


These are the entries for mail.log:

Feb 5 22:07:18 mmls01.mydomain.net postfix/postscreen[64334]: CONNECT from [68.17.50.219]:20392 to [my_server_IP_Address]:25

Feb 5 22:07:18 mmls01.mydomain.net postfix/postscreen[64334]: PASS OLD [68.17.50.219]:20392

Feb 5 22:07:18 mmls01.mydomain.net postfix/smtpd[64511]: connect from srhs-mail-mbx4.mysrhs.com[68.17.50.219]

Feb 5 22:07:18 mmls01.mydomain.net postfix/smtpd[64511]: NOQUEUE: reject: RCPT from srhs-mail-mbx4.mysrhs.com[68.17.50.219]: 454 4.7.1 <mildred_reyes@mydomain1.net>: Relay access denied; from=<> to=<mildred_reyes@mydomain1.net> proto=ESMTP helo=<EXCHANGE.MYSRHS.COM>


I don't understand how it can be from=<>. Also, the domain/website the server is hosting doesn't have any email addresses, and I didn't set up an MX record either.


Another set of entries from mail.log:

Feb 5 17:48:40 mmls01.mydomain.net postfix/postscreen[13203]: CONNECT from [127.0.0.1]:56890 to [127.0.0.1]:25

Feb 5 17:48:40 mmls01.mydomain.net postfix/postscreen[13203]: WHITELISTED [127.0.0.1]:56890

Feb 5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: connect from localhost[127.0.0.1]

Feb 5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <print@pitstopprint.com>: Relay access denied; from=<opal_murray@mydomain1.net> to=<print@pitstopprint.com> proto=ESMTP helo=<mydomain1.net>

Feb 5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: disconnect from localhost[127.0.0.1]


I disabled webmail. So I don't understand how 127.0.0.1 can attempt to send out email from a non-existent email address @mydomain1.net.


I couldn't find a manual for the Server Admin command line commands like (sudo serveradmin settings mail:postfix). Can you please give me a link to where I can find the manual? I tried man serveradmin, which didn't list the options that can be used for mail.


Appreciate your help.
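The two checks discussed above, Alex's count of sasl_username entries per user in mail.log and the "Relay access denied" rejects from localhost in the log excerpt, carried out over constructed sample lines. This is an added example, not code from the thread, from Apple or from Postfix: the host names, addresses, IPs and queue IDs in the sample are made up, and the year is assumed as 2016 because syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample modelled on the Postfix lines quoted in the thread (hosts,
# addresses, IPs and queue IDs are made up for this example).
SAMPLE_LOG = """\
Feb  5 22:07:18 mmls01.example.net postfix/smtpd[64511]: connect from mail.example.org[203.0.113.10]
Feb  5 22:07:18 mmls01.example.net postfix/smtpd[64511]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.10]: 454 4.7.1 <someone@example.net>: Relay access denied; from=<> to=<someone@example.net> proto=ESMTP helo=<mail.example.org>
Feb  5 17:48:40 mmls01.example.net postfix/smtpd[52383]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <print@example.com>: Relay access denied; from=<opal_murray@example.net> to=<print@example.com> proto=ESMTP helo=<example.net>
Feb  5 23:01:02 mmls01.example.net postfix/smtpd[70001]: ABC123: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=fwdonly
Feb  5 23:01:05 mmls01.example.net postfix/smtpd[70001]: ABC124: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=fwdonly
Feb  5 23:01:09 mmls01.example.net postfix/smtpd[70002]: ABC125: client=unknown[198.51.100.8], sasl_method=PLAIN, sasl_username=fwdonly
Feb  5 23:05:00 mmls01.example.net postfix/smtpd[70003]: ABC126: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice
"""

LOG_YEAR = 2016  # assumption: syslog-style lines carry no year

# "Feb  5 22:07:18 host postfix/smtpd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<proc>\S+?): (?P<msg>.*)$"
)
SASL_RE = re.compile(r"client=(?P<client>\S+?),.*sasl_username=(?P<user>\S+)")
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): .*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_line(line):
    """Split one mail.log line into timestamp, process and message; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proc": m.group("proc"), "msg": m.group("msg")}


def sasl_summary(lines):
    """Per SASL user: number of authenticated submissions, client set, and timestamps."""
    counts, clients, times = Counter(), defaultdict(set), defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        m = SASL_RE.search(rec["msg"])
        if m:
            user = m.group("user")
            counts[user] += 1
            clients[user].add(m.group("client"))
            times[user].append(rec["ts"])
    return counts, clients, times


def burst_users(times, window_seconds=60, threshold=3):
    """Users with at least `threshold` authentications inside any `window_seconds` span.

    That "same username over and over in short succession" pattern is the signal
    Alex describes; one legitimate user rarely authenticates that fast.
    """
    flagged = {}
    for user, stamps in times.items():
        stamps = sorted(stamps)
        best, start = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def relay_rejects_from_localhost(lines):
    """(sender, recipient) pairs of relay-denied attempts whose client is the server itself.

    A reject from localhost[127.0.0.1] means a process on the box, not a remote
    host, handed the message to smtpd; the sender address in it is whatever that
    process chose to claim.
    """
    hits = []
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        m = REJECT_RE.search(rec["msg"])
        if m and m.group("client").startswith("localhost["):
            hits.append((m.group("sender"), m.group("rcpt")))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts, clients, times = sasl_summary(lines)
    for user, n in counts.most_common():
        print(f"{user}: {n} submissions from {sorted(clients[user])}")
    print("burst users:", burst_users(times))
    print("local relay attempts:", relay_rejects_from_localhost(lines))
```

Run it against a real log with `python3 script.py < /var/log/mail.log` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`. Two reading notes: an empty envelope sender (`from=<>`) is the standard null sender used by bounces and delivery notifications, so seeing it on inbound connections from other mail servers is routine; a relay-denied line whose client is `localhost[127.0.0.1]` is the more interesting one, because it shows something running on the server itself submitting mail under an address of its own choosing.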

Feb 5, 2016 7:57 PM in response to Chakravarthy Cuddapah

Hi Chakravarthy Cuddapah


You should have sasl entries in your mail.log even when not having a spammer issue.

Did you adjust the postfix log level as Pterobyte suggested?

sudo serveradmin settings mail:postfix:log_level = "info"


What do you get with this command:

mailq

The output of mailq looks something like this:

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3C496225B169 14533 Fri Feb 5 16:50:17 spammer@mydomain.com
                                         bob@spamvictim.com

If you have a lot of mysterious messages listed, let's gather the details on a few.

Each message has a Queue ID, run the following command on a few of the suspicious messages.

# assuming a Queue ID of: 3C496225B169

/Applications/Server.app//Contents/ServerRoot/usr/sbin/postcat -q 3C496225B169


The output should reveal clues.

Jeff

Feb 6, 2016 5:27 AM in response to UptimeJeff

Hi Jeff,


Here's what I did:


bash-3.2# sudo serveradmin settings mail:postfix:log_level = "info"

mail:postfix:log_level = "info"


bash-3.2# /Applications/Server.app/Contents/ServerRoot/usr/sbin//postfix reload

postfix/postfix-script: refreshing the Postfix mail system


bash-3.2# mailq

Mail queue is empty


I guess since the queue is empty now, we can't do much to debug. I will leave log_level at info and check again. I noticed that emails start going out from localhost in the evening. I will post back here.


BTW, Apple's support section for manuals doesn't have the command line manual anymore. Can you please point me to where I can find the manual for command line administration? Thanks!
