Where is this email spam coming from?


#1

I have a freshly installed Ubuntu VPS and I installed EasyEngine. I just created a WordPress site and left it idling. The next day I checked my mail log and found that the VPS is sending spam emails! This is what my mail log says:

Oct 28 23:39:25 server postfix/master[18950]: daemon started -- version 2.11.0, configuration /etc/postfix
Oct 28 23:40:01 server postfix/master[18950]: reload -- version 2.11.0, configuration /etc/postfix
Oct 28 23:40:34 server postfix/pickup[19961]: 932F93700DAC: uid=0 from=<root>
Oct 28 23:40:34 server postfix/cleanup[20086]: 932F93700DAC: message-id=<3f2504be67de723302e357ddfd76185a@incredibleanime.com>
Oct 28 23:40:34 server postfix/qmgr[19962]: 932F93700DAC: from=<root@server.deliciousanime.com>, size=932, nrcpt=1 (queue active)
Oct 28 23:41:05 server postfix/smtp[20090]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c04::1a]:25: Connection timed out
Oct 28 23:41:05 server postfix/smtp[20090]: 932F93700DAC: to=<******>, relay=gmail-smtp-in.l.google.com[74.125.206.26]:25, delay=31, delays=0.13/0.01/31/0.33, dsn=2.0.0, status=sent (250 2.0.0 OK 1477712465 k198si13315538wmd.83 - gsmtp)
Oct 28 23:41:05 server postfix/qmgr[19962]: 932F93700DAC: removed
Oct 29 00:58:32 server postfix/pickup[19961]: EA54C370005E: uid=33 from=<www-data>
Oct 29 00:58:32 server postfix/cleanup[21406]: EA54C370005E: message-id=<eee29aba6328743291fc867c708f122a@incredibleanime.com>
Oct 29 00:58:33 server postfix/qmgr[19962]: EA54C370005E: from=<www-data@server.deliciousanime.com>, size=884, nrcpt=1 (queue active)
Oct 29 00:59:03 server postfix/smtp[21408]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c04::1b]:25: Connection timed out
Oct 29 00:59:04 server postfix/smtp[21408]: EA54C370005E: to=<******>, relay=gmail-smtp-in.l.google.com[74.125.206.27]:25, delay=31, delays=0.16/0.01/31/0.35, dsn=2.0.0, status=sent (250 2.0.0 OK 1477717144 f7si14185087wmg.2 - gsmtp)
Oct 29 00:59:04 server postfix/qmgr[19962]: EA54C370005E: removed
Oct 29 14:49:14 server postfix/smtpd[2672]: connect from researchscan431.eecs.umich.edu[141.212.122.176]
Oct 29 14:49:15 server postfix/smtpd[2672]: lost connection after STARTTLS from researchscan431.eecs.umich.edu[141.212.122.176]
Oct 29 14:49:15 server postfix/smtpd[2672]: disconnect from researchscan431.eecs.umich.edu[141.212.122.176]
Oct 29 14:52:35 server postfix/anvil[2675]: statistics: max connection rate 1/60s for (smtp:141.212.122.176) at Oct 29 14:49:14
Oct 29 14:52:35 server postfix/anvil[2675]: statistics: max connection count 1 for (smtp:141.212.122.176) at Oct 29 14:49:14
Oct 29 14:52:35 server postfix/anvil[2675]: statistics: max cache size 1 at Oct 29 14:49:14
Oct 29 16:05:17 server postfix/smtpd[3792]: connect from unknown[202.62.224.78]
Oct 29 16:05:19 server postfix/smtpd[3792]: NOQUEUE: reject: RCPT from unknown[202.62.224.78]: 454 4.7.1 <eax_64@yahoo.com>: Relay access denied; from=<xo@ore.net> to=<eax_64@yahoo.com> proto=ESMTP helo=<192.168.0.123>
Oct 29 16:05:19 server postfix/smtpd[3792]: lost connection after RCPT from unknown[202.62.224.78]
Oct 29 16:05:19 server postfix/smtpd[3792]: disconnect from unknown[202.62.224.78]
Oct 29 16:05:35 server postfix/smtpd[3792]: connect from unknown[202.62.224.78]
Oct 29 16:05:35 server postfix/smtpd[3792]: lost connection after CONNECT from unknown[202.62.224.78]
Oct 29 16:05:35 server postfix/smtpd[3792]: disconnect from unknown[202.62.224.78]
Oct 29 16:05:45 server postfix/smtpd[3792]: connect from unknown[202.62.224.78]
Oct 29 16:05:47 server postfix/smtpd[3792]: lost connection after AUTH from unknown[202.62.224.78]
Oct 29 16:05:47 server postfix/smtpd[3792]: disconnect from unknown[202.62.224.78]
Oct 29 16:09:07 server postfix/anvil[3794]: statistics: max connection rate 3/60s for (smtp:202.62.224.78) at Oct 29 16:05:45
Oct 29 16:09:07 server postfix/anvil[3794]: statistics: max connection count 1 for (smtp:202.62.224.78) at Oct 29 16:05:17
Oct 29 16:09:07 server postfix/anvil[3794]: statistics: max cache size 1 at Oct 29 16:05:17

If you’re wondering what ****** is, that’s just me censoring my email. Does anyone know how they’re using my VPS to send spam when the VPS is freshly installed? Any way to block this?
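As an added example for this thread (not code from the original post or from EasyEngine), here is a small Python script that reads a mail.log excerpt like the one above and says, per queue ID, who handed the message to Postfix. The security-relevant reading of the log: `postfix/pickup` lines carry the uid of the local process that submitted the message through sendmail(1), so `uid=0` and `uid=33` (www-data) mean the mail was generated on the VPS itself by root and by the web server, not relayed in from outside; the later `Relay access denied` lines are Postfix refusing a third party's attempt, and the `cleanup` Message-ID can tell you whether the submitting program set its own. The sample log is a constructed, trimmed copy of the lines in the post; the server hostname is assumed from the envelope sender shown there.

```python
"""Classify where Postfix-queued mail came from, given a mail.log excerpt.

Added example for this thread; not from the original post or EasyEngine.
Assumes the Debian/Ubuntu Postfix 2.x log format shown above and default
(short, upper-case hex) queue IDs.
"""
import re
from collections import Counter, defaultdict

MYHOSTNAME = "server.deliciousanime.com"  # assumed from the envelope sender in the post

# Constructed sample: a trimmed copy of the lines quoted in the post (recipients redacted there).
SAMPLE_LOG = """\
Oct 28 23:40:34 server postfix/pickup[19961]: 932F93700DAC: uid=0 from=<root>
Oct 28 23:40:34 server postfix/cleanup[20086]: 932F93700DAC: message-id=<3f2504be67de723302e357ddfd76185a@incredibleanime.com>
Oct 28 23:40:34 server postfix/qmgr[19962]: 932F93700DAC: from=<root@server.deliciousanime.com>, size=932, nrcpt=1 (queue active)
Oct 28 23:41:05 server postfix/smtp[20090]: 932F93700DAC: to=<******>, relay=gmail-smtp-in.l.google.com[74.125.206.26]:25, delay=31, delays=0.13/0.01/31/0.33, dsn=2.0.0, status=sent (250 2.0.0 OK 1477712465 k198si13315538wmd.83 - gsmtp)
Oct 28 23:41:05 server postfix/qmgr[19962]: 932F93700DAC: removed
Oct 29 00:58:32 server postfix/pickup[19961]: EA54C370005E: uid=33 from=<www-data>
Oct 29 00:58:32 server postfix/cleanup[21406]: EA54C370005E: message-id=<eee29aba6328743291fc867c708f122a@incredibleanime.com>
Oct 29 00:58:33 server postfix/qmgr[19962]: EA54C370005E: from=<www-data@server.deliciousanime.com>, size=884, nrcpt=1 (queue active)
Oct 29 00:59:04 server postfix/smtp[21408]: EA54C370005E: to=<******>, relay=gmail-smtp-in.l.google.com[74.125.206.27]:25, delay=31, delays=0.16/0.01/31/0.35, dsn=2.0.0, status=sent (250 2.0.0 OK 1477717144 f7si14185087wmg.2 - gsmtp)
Oct 29 00:59:04 server postfix/qmgr[19962]: EA54C370005E: removed
Oct 29 16:05:19 server postfix/smtpd[3792]: NOQUEUE: reject: RCPT from unknown[202.62.224.78]: 454 4.7.1 <eax_64@yahoo.com>: Relay access denied; from=<xo@ore.net> to=<eax_64@yahoo.com> proto=ESMTP helo=<192.168.0.123>
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) "
                     r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<rest>.*)$")
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{8,}): (?P<event>.*)$")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>")
CLIENT_RE = re.compile(r"client=(?P<client>\S+)")
MSGID_RE = re.compile(r"message-id=<(?P<msgid>[^>]*)>")
ENVFROM_RE = re.compile(r"from=<(?P<env_from>[^>]*)>, size=\d+, nrcpt=\d+")
DELIVERY_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>, .*relay=(?P<relay>\S+), .*status=(?P<status>\w+)")
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
                       r"\d{3} \S+ <[^>]*>: (?P<reason>[^;]+);")


def parse_queue_events(log_text):
    """Group every queue-ID event into one record per message.

    The entry point is the key fact: pickup(8) means a local process handed the
    message to sendmail(1), and the uid logged is that process's uid; smtpd(8)
    means it arrived over the network from the logged client.
    """
    records = defaultdict(lambda: {"entry": None, "uid": None, "submitter": None, "client": None,
                                   "env_from": None, "message_id": None, "deliveries": [], "removed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        q = QUEUE_RE.match(m["rest"]) if m else None
        if not q:
            continue  # connect/disconnect, anvil statistics, NOQUEUE rejects
        rec, prog, event = records[q["qid"]], m["prog"], q["event"]
        if prog == "pickup" and (p := PICKUP_RE.search(event)):
            rec.update(entry="pickup", uid=int(p["uid"]), submitter=p["user"])
        elif prog == "smtpd" and (c := CLIENT_RE.search(event)):
            rec.update(entry="smtpd", client=c["client"])
        elif prog == "cleanup" and (c := MSGID_RE.search(event)):
            rec["message_id"] = c["msgid"]
        elif prog == "qmgr":
            if f := ENVFROM_RE.search(event):
                rec["env_from"] = f["env_from"]
            elif event == "removed":
                rec["removed"] = True
        elif prog in ("smtp", "local") and (d := DELIVERY_RE.search(event)):
            rec["deliveries"].append((d["rcpt"], d["relay"], d["status"]))
    return dict(records)


def describe_origin(rec, myhostname=MYHOSTNAME):
    """Return (who submitted the message, list of caveats) for one parsed record."""
    if rec["entry"] == "pickup":
        who = f"local process running as uid {rec['uid']} ({rec['submitter']})"
    elif rec["entry"] == "smtpd":
        who = f"remote SMTP client {rec['client']}"
    else:
        who = "entry point not in this excerpt"
    notes = []
    msgid = rec["message_id"] or ""
    # cleanup(8) only adds a Message-ID when the submitter supplied none, and the one it
    # generates ends in @myhostname; any other domain was set by the submitting program.
    if msgid and not msgid.endswith("@" + myhostname):
        notes.append(f"Message-ID domain {msgid.rsplit('@', 1)[-1]} was set by the submitting program")
    return who, notes


def relay_reject_counts(log_text):
    """Count smtpd rejections per (client IP, reason): mail Postfix refused, not mail it sent."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        r = REJECT_RE.search(m["rest"]) if m and m["prog"] == "smtpd" else None
        if r:
            counts[(r["ip"], r["reason"])] += 1
    return counts


if __name__ == "__main__":
    for qid, rec in parse_queue_events(SAMPLE_LOG).items():
        who, notes = describe_origin(rec)
        print(f"{qid}: from {rec['env_from']} submitted by {who}; deliveries={rec['deliveries']}",
              *notes, sep="\n    ")
    for (ip, reason), n in relay_reject_counts(SAMPLE_LOG).items():
        print(f"rejected {n}x from {ip}: {reason}")
```

Run against the real `/var/log/mail.log` instead of `SAMPLE_LOG` and the uid on each `pickup` line tells you which local account to investigate; for uid 33 that means whatever runs under www-data, typically PHP for the WordPress site. The `Relay access denied` tally is worth keeping separate, because those lines look alarming but show the server doing the right thing.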


#2

@Ruriko

Hi, check out the following tutorial. You will be able to find how the mails are generated. It seems to be originating from “root” and www-data.

https://easyengine.io/tutorials/mail/postfix-queue/ Check out the mail content; you will be able to find the solution.


#3