
Locating Spambot

Çağlar Arlı


My mail server (IP, not domains) was recently flagged as a spam source by Spamhaus and I'm looking for help at tracking down the source.

First, I verified the forward and reverse DNS records, SPF records, and the SMTP service HELO. Next I looked through the mail log(s), but found nothing other than what I expected and that's when it dawned on me. Maybe the spam is not being sent by my SMTP service itself.

As a part of isolating to troubleshoot the source I cut off user access from sending and set up several firewall rules on the mail host. The firewall rules quickly revealed 25/tcp, of course, and 443/http traffic, neither of which should have been originating (TCP SYN) from the mail host. Next, I ran a ClamAV scan which didn't reveal anything. After, I ran rkhunter. From those scans I gave more attention to looking through /dev/shm.

I found the file /dev/shm/rhm.<redacted> (<redacted> is 20 hexadecimal characters) which contains nothing but a list of 500 URLs which - several picked at random - all came back as Phishing. The owner and group of this file are both _rspamd, which is interesting in that it is one of the Postfix milters I run. In particular the Rspamd web interface is exposed to the Internet, though it requires authentication (password only, no username). I wonder if there's a vulnerability in the web interface that is the root of this. Or maybe even the password was compromised and from there something was exploited.

I've started looking through ps output but nothing stands out to me. The same with cron and netstat. Linux Malware Detect doesn't find anything except an EICAR test sample.

How do I go about finding what is doing the emailing? Is the 443/tcp traffic the malicious software trying to check in to get updates?

  • Ubuntu 20.04
  • Postfix 3.4.13
  • Dovecot 2.3
  • Rspamd 1.9.4
  • Apache 2.4.41

Thanks for your guidance.
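The question asks how to find which process is doing the sending. The script below is an added example, not code from the post or from any of the projects named in it; it collects the host-side evidence that answers that question on a Linux box like the one described. It correlates three things: which processes hold outbound connections to 25/tcp and 443/tcp (from `ss -tnp`), which processes have the suspicious /dev/shm file open (by walking /proc/*/fd), and which processes are running from a deleted or /dev/shm-resident executable (a common sign of an in-memory dropper). The `ss` output embedded in `SAMPLE_SS` is constructed sample data, including the `perl` process, PIDs and addresses, so the parser can be exercised offline; the `_rspamd` user and the `/dev/shm/rhm.` prefix are taken from the post.

```shell
#!/bin/bash
# Added example: locate the process behind unexpected outbound SMTP/HTTPS
# traffic on a Linux mail host and preserve what it is running from.

# Constructed sample of `ss -tnp` output (not captured from any real host).
# Two inbound sessions (imap-login, smtpd) and one process making outbound
# connections to both 25 and 443, which is the pattern the post describes.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 203.0.113.10:41234 198.51.100.7:25 users:(("perl",pid=4242,fd=3))
ESTAB 0 0 203.0.113.10:51000 198.51.100.9:443 users:(("perl",pid=4242,fd=5))
ESTAB 0 0 203.0.113.10:993 192.0.2.50:60123 users:(("imap-login",pid=1200,fd=20))
ESTAB 0 0 203.0.113.10:25 192.0.2.77:34567 users:(("smtpd",pid=1300,fd=6))'

# Read `ss -tnp` output on stdin; print "pid comm dport" for every socket
# whose *peer* port is 25 or 443, i.e. connections this host initiated.
# Inbound sessions (local port 25/993, random peer port) are ignored.
suspicious_pids_from_ss() {
    awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]
        if (port != "25" && port != "443") next
        if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
            s = substr($0, RSTART, RLENGTH)
            sub(/users:\(\("/, "", s)          # s is now: comm",pid=NNNN
            split(s, b, "\",pid=")
            print b[2], b[1], port
        }
    }' | sort -u
}

# Print "pid exe" for every process holding $1 open, via /proc/<pid>/fd.
# Needs root to see other users' processes; silent when nothing matches.
openers_of() {
    local target=$1 fd pid
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$target" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        echo "$pid $(readlink "/proc/$pid/exe" 2>/dev/null)"
    done | sort -u
}

# Print "pid exe" for processes whose binary was deleted after launch or
# lives under /dev/shm: the executable no longer sits where ps points.
unbacked_exes() {
    local exe pid link
    for exe in /proc/[0-9]*/exe; do
        link=$(readlink "$exe" 2>/dev/null) || continue
        case "$link" in
            *"(deleted)"*|/dev/shm/*)
                pid=${exe#/proc/}; pid=${pid%/exe}
                echo "$pid $link" ;;
        esac
    done
}

# Preserve what a process is running before anything is stopped: the exe
# image, command line, cwd and environment are all reachable via /proc.
capture_process() {
    local pid=$1 dest=${2:-/root/evidence}
    mkdir -p "$dest/$pid"
    cp "/proc/$pid/exe" "$dest/$pid/exe" 2>/dev/null
    tr '\0' ' ' <"/proc/$pid/cmdline" >"$dest/$pid/cmdline"
    readlink "/proc/$pid/cwd" >"$dest/$pid/cwd"
    tr '\0' '\n' <"/proc/$pid/environ" >"$dest/$pid/environ" 2>/dev/null
    ls -l "/proc/$pid/fd" >"$dest/$pid/fds" 2>/dev/null
    echo "evidence for pid $pid saved under $dest/$pid"
}

# Live report on the host itself (run as root): ties the three views together.
live_report() {
    echo "== outbound 25/443 connections =="; ss -tnp | suspicious_pids_from_ss
    echo "== processes running as _rspamd =="; ps -o pid=,comm=,args= -U _rspamd
    echo "== processes with the shm list open =="
    for f in /dev/shm/rhm.*; do [ -e "$f" ] && openers_of "$f"; done
    echo "== deleted or /dev/shm-backed executables =="; unbacked_exes
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | suspicious_pids_from_ss
# Set SPAMHUNT_RUN=1 to run the live report on a real host.
if [ "${SPAMHUNT_RUN:-0}" = 1 ]; then live_report; fi
```

Once a PID turns up in more than one of the lists (the one holding the URL file open is also the one talking to port 25), run `capture_process` on it before killing anything, since an in-memory payload is gone once the process exits; the saved `exe` copy and the parent chain from `ps -o ppid=` are what show whether Rspamd was the entry point.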