[BlueOnyx:26109] Re: Surge of spam

Matthew Komar mkomar at serverrack.net
Tue Apr 11 20:01:59 -05 2023


Thanks SO MUCH.

The script check was basically empty ... a few hits but they were legitimate.

The AUTH check returned a whole lot of a single account from a TON of
different IP addresses.

Problem solved.

With the formatting of that email, I feel like that was copy/pasted
from a FAQ somewhere? Is there a place I could have found that? It'd
be nice to have for future reference.

On Tue, Apr 11, 2023 at 7:19 PM Michael Stauber <mstauber at blueonyx.it> wrote:
>
> Hi Matthew,
>
> > I've got a sudden surge of spam originating from my BlueOnyx host.
> > What's the quickest way to determine which user account was
> > compromised, and/or if the origin is a compromised script running on a
> > website?
>
> There are two common causes:
>
> - Compromised user account
> - Compromised PHP script in a Vsite
>
>
> Let's start with the easy one:
>
>
> Compromised PHP script:
> =======================
>
> We actually use PHP-prepend on BlueOnyx to force anything originating
> from PHP's mail() function through a wrapper-script, which does some
> extra logging. Like which script, which user, which client IP sent the
> email.
>
> You can check the maillog this way to see the results:
>
> cat /var/log/maillog|grep sendmail-wrapper-php
>
> That tells you which PHP scripts sent emails and see if something sticks
> out.
>
>
> Now let us look at the other possibility:
>
>
> Compromised user account:
> =========================
>
> Now this requires more effort and there are different ways to tackle this.
>
> For starters you could check who used SMTP-Auth to authenticate to your
> SMTP-server. This is usually done prior to sending emails:
>
> cat /var/log/maillog|grep AUTH=server
>
> That will tell you the IP and username of those who did so. See if
> someone sticks out.
>
> This will show you all emails that were sent through your server:
>
> cat /var/log/maillog|grep stat=Sent
>
> The ctladdr= is the sender address. See if something sticks out. If it
> does, grep for the message ID to get more info about who sent it.
>
> Or you could use the "mailq" command to see which emails are still in
> the mail queue for outgoing delivery. If that reports a lot of stuff
> that you can't make out if it's legit or not, check /var/spool/mqueue/,
> which contains the header and body files of all yet undelivered outgoing
> emails.
>
> Poke around in them and see if you can identify the SPAM. The header
> files of such emails should shed some light on at least the originating
> IP and/or the user-name of the sender, if he used SMTP-auth. And with
> that info you can grep for more details in /var/log/maillog.
>
> And there is the old fashioned "caught in the act" of running a "tail -f
> /var/log/maillog" and watching what goes on. If the attacker is still
> actively sending emails through your server, you should see him.
>
>
> If you need any further help with this, let me know.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
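The AUTH=server check that identified the compromised account above can be automated. The script below is an added example, not code from the thread or from BlueOnyx: it parses the `AUTH=server` lines from a maillog, groups the client IPs per `authid`, and flags accounts that authenticated from unusually many distinct addresses. It assumes sendmail's usual `relay=..., authid=...` field layout, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines in the shape sendmail writes for
# SMTP-AUTH logins (assumption: field order matches your sendmail build).
SAMPLE_MAILLOG = """\
Apr 11 18:59:01 host sendmail[2101]: 33BMx1aa002101: AUTH=server, relay=[198.51.100.7], authid=alice, mech=LOGIN, bits=0
Apr 11 19:00:12 host sendmail[2110]: 33BN0Cbb002110: AUTH=server, relay=[203.0.113.10], authid=bob, mech=PLAIN, bits=0
Apr 11 19:00:40 host sendmail[2113]: 33BN0ecc002113: AUTH=server, relay=client.example.net [203.0.113.11], authid=bob, mech=PLAIN, bits=0
Apr 11 19:01:05 host sendmail[2120]: 33BN15dd002120: AUTH=server, relay=[203.0.113.12], authid=bob, mech=PLAIN, bits=0
Apr 11 19:01:33 host sendmail[2124]: 33BN1Xee002124: AUTH=server, relay=[203.0.113.13], authid=bob, mech=PLAIN, bits=0
Apr 11 19:02:11 host sendmail[2131]: 33BN2Bff002131: AUTH=server, relay=[198.51.100.7], authid=alice, mech=LOGIN, bits=0
Apr 11 19:02:50 host sendmail[2140]: 33BN2off002140: from=<alice@example.com>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
"""

# relay= may be a bare "[ip]" or "hostname [ip]"; authid= follows it.
AUTH_RE = re.compile(r"AUTH=server, relay=(?P<relay>[^,]+),.*?authid=(?P<authid>[^,\s]+)")


def _relay_ip(relay):
    """Return the bracketed IP from a sendmail relay= value, or the raw value."""
    if "[" in relay and relay.endswith("]"):
        return relay[relay.rfind("[") + 1:-1]
    return relay


def auth_ips_per_user(log_text):
    """Map each SMTP-AUTH username to the set of client IPs it logged in from."""
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an AUTH=server line (e.g. a from=/to= record)
        ips[m.group("authid")].add(_relay_ip(m.group("relay")))
    return ips


def suspicious_accounts(log_text, min_distinct_ips=3):
    """Accounts that authenticated from >= min_distinct_ips addresses, most first."""
    counts = {u: len(s) for u, s in auth_ips_per_user(log_text).items()}
    flagged = [(u, n) for u, n in counts.items() if n >= min_distinct_ips]
    return sorted(flagged, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # In production: suspicious_accounts(open("/var/log/maillog").read())
    for user, n in suspicious_accounts(SAMPLE_MAILLOG):
        print(f"{user}: {n} distinct client IPs")
```

A legitimate user on a mobile connection can also show a handful of IPs, so treat the threshold as a triage cut-off and confirm with the stat=Sent and mailq checks from the reply.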