[BlueOnyx:21170] Re: Spammer

Michael Stauber mstauber at blueonyx.it
Sun Jul 16 13:36:21 -05 2017


Hi Colin,

> Looking for ideas.
> 
> We suspect we have a compromised website on one of our servers – being
> used for spam.
> 
> What is the easiest way to track this down? Can see spam being sent via
> localhost but can’t pin it down.

Do you have a halfway recent AV-SPAM installed on it? Version 6.1.0 or
better? The most recent one is 6.2.1.

Under "Network Settings" / "AV-SPAM" / "Services" see if "Milter-GeoIP"
is enabled. If not, turn it on.

Then in the "GeoIP" tab tick the boxes for "Suspend Accounts" and
"Enforce Email Limits".

Set the limits for "Service Accounts", "Virtual Sites" and "Users" as
per your liking. You can still change them to different settings for
each individual Vsite and User, but these will be the initial (default)
values that will be used once this feature is enabled.

Milter-GeoIP will now track the email volume (outgoing) of your server
and will help you to pinpoint who sends how much. As this ties into
Sendmail it'll give you the actual user names under which the outgoing
emails are created.

Under "Usage Information" / "Email" you will see "Email Traffic as
reported by Milter-GeoIP".

If the culprit is a certain User of a Vsite, then you can directly see
this there once some activity has been recorded by Milter-GeoIP.
Additionally: Once a user is close to sending more emails than allowed
(>75% of allowed usage), both you and the user will get a warning. If he
reaches his hard daily limit for outgoing emails, then no further email
can be sent by him and another warning is generated.

Lastly: If a user with valid login details tries to send email from a
blacklisted country, then Milter-GeoIP can either block that or even
suspend the account automatically if you configure this. But it at least
generates a warning if valid login details are used from suspicious
countries.

Now if the culprit is a system account such as "apache"? Milter-GeoIP
will tell you as well and also enforces limits and cutoffs on that. If
all Vsites run their PHP scripts as a siteAdmin of a Vsite and one of
their PHP scripts creates the SPAM? In that case the offender will be
the name of the siteAdmin account of that Vsite, which makes it easy to
find.

Most of this doesn't outright stop the sending of SPAM, but it raises
the yellow and red flag early and lets you know if something fishy
happens. Additionally it aids in identifying the culprit and limiting
the volume of SPAM that he might get out.

As some mentioned already: There are sneaky ways of sending outgoing
emails. But if it runs through Sendmail, then Milter-GeoIP will see this
and will report it. It doesn't catch those cases where a compromise
brought its own SMTP-mechanism aboard which bypasses Sendmail, though.
But these are sufficiently rare anyway.

And as always: If you need a hand, send me the login details offlist and
I'll take the shotgun and shovel to this case. ;-)

-- 
With best regards

Michael Stauber
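As an added, hypothetical example (not BlueOnyx, Milter-GeoIP or Sendmail code, and not part of Michael's reply): the same "who submits how much" question can be answered from Sendmail's own maillog while you wait for Milter-GeoIP to collect data. For mail injected through the local sendmail binary, Sendmail's from= record carries the submitting Unix user in its relay= field (relay=<user>@localhost), so grouping those records by relay identity points at the Vsite siteAdmin or system account (apache, for instance) behind the volume. Mail handed to Sendmail over SMTP on 127.0.0.1 shows up as relay=localhost [127.0.0.1] instead, which only tells you that some local process spoke SMTP. The log lines below are constructed, the field layout is standard Sendmail, and the function names are mine.

```python
"""Group Sendmail 'from=' records by the identity that submitted them.

Added, hypothetical helper: not part of BlueOnyx, Milter-GeoIP or Sendmail.
Mail injected through the local sendmail binary is logged with
relay=<unix-user>@localhost, so the relay field names the Vsite siteAdmin
or system account (e.g. apache) behind each submission.
"""
import re
from collections import defaultdict

# One Sendmail sender record: queue id, envelope sender, recipient count, relay.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>"
    r".*?nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>\S+)"
)

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
Jul 16 13:01:02 web1 sendmail[4101]: v6GI12ab004101: from=<site1admin@example.com>, size=812, class=0, nrcpts=1, msgid=<a1@example.com>, relay=site1admin@localhost
Jul 16 13:01:03 web1 sendmail[4102]: v6GI13cd004102: from=<newsletter@example.com>, size=9001, class=0, nrcpts=50, msgid=<a2@example.com>, relay=site1admin@localhost
Jul 16 13:01:04 web1 sendmail[4103]: v6GI14ef004103: from=<bob@example.org>, size=2048, class=0, nrcpts=1, msgid=<a3@example.org>, relay=bob@localhost
Jul 16 13:01:05 web1 sendmail[4104]: v6GI15gh004104: from=<info@example.net>, size=4096, class=0, nrcpts=200, msgid=<a4@example.net>, relay=site1admin@localhost
Jul 16 13:01:06 web1 sendmail[4105]: v6GI16ij004105: to=<bob@example.org>, delay=00:00:01, mailer=local, stat=Sent
Jul 16 13:01:07 web1 sendmail[4106]: v6GI17kl004106: from=<alice@example.org>, size=512, class=0, nrcpts=1, msgid=<a5@example.org>, relay=localhost [127.0.0.1]
"""


def submitter_of(relay):
    """Map Sendmail's relay= value to the submitting identity.

    '<user>@localhost' means the message was handed to the local sendmail
    binary by that Unix user. Anything else (e.g. 'localhost' taken from
    'relay=localhost [127.0.0.1]') arrived over SMTP, where Sendmail does
    not know the submitting process; it is labelled 'smtp:<relay>'.
    """
    if relay.endswith("@localhost"):
        return relay[: -len("@localhost")]
    return "smtp:" + relay


def parse_sender_records(log_text):
    """Yield (qid, sender, nrcpts, relay) for each from= record; skip others."""
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            yield (m.group("qid"), m.group("sender"),
                   int(m.group("nrcpts")), m.group("relay"))


def summarize(log_text):
    """Per submitter: message count, total recipients, distinct envelope senders."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for _qid, sender, nrcpts, relay in parse_sender_records(log_text):
        entry = stats[submitter_of(relay)]
        entry["messages"] += 1
        entry["recipients"] += nrcpts
        entry["senders"].add(sender)
    return dict(stats)


def top_submitters(log_text, limit=3):
    """Submitters ordered by recipients reached, most first."""
    ranked = sorted(summarize(log_text).items(),
                    key=lambda kv: kv[1]["recipients"], reverse=True)
    return [(name, s["recipients"]) for name, s in ranked[:limit]]


if __name__ == "__main__":
    for name, s in summarize(SAMPLE_LOG).items():
        print(f"{name:20} msgs={s['messages']:4} rcpts={s['recipients']:5} "
              f"distinct-senders={len(s['senders'])}")
```

Run it against a real /var/log/maillog by replacing SAMPLE_LOG with the file contents. Two things to look at in the output: the submitter with by far the most recipients, and a submitter whose messages carry many different envelope senders (spam scripts typically forge the From address on every message, while a legitimate site sends from one or two addresses). If the bulk lands under smtp:localhost, the script is talking SMTP to 127.0.0.1 rather than calling sendmail, and you need the web server's process list or PHP's mail logging to name it.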
