Hello there. Today we got a problem with our mailserver. Installed Debian 6, up to date, ISPConfig with the perfect server tutorial from howtoforge. It does not seem that any PHP script is sending mails, there is no X-PHP header in the mails. Here are some anonymised logs and the corresponding emails:

Code:
A101954025D4 1060 Tue Jun 10 13:57:16 pedin@**n-**elberg.de
(host mx.vgs.untd.com[64.136.52.37] refused to talk to me: 550 Access denied...48711c65216509715df98d2c1d3c1da52c812ce135a998755858cd99cd0505cdad75317cad5c...)
**[email protected]

Code:
mail:~# postcat -q A101954025D4
*** ENVELOPE RECORDS deferred/A/A101954025D4 ***
message_size: 1060 1026 5 0 1060
message_arrival_time: Tue Jun 10 13:57:16 2014
create_time: Tue Jun 10 13:57:16 2014
named_attribute: rewrite_context=local
sender: pedin@**n-**elberg.de
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=40951
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=40951
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;**[email protected]
original_recipient: **[email protected]
done_recipient: **[email protected]
named_attribute: dsn_orig_rcpt=rfc822;**[email protected]
original_recipient: **[email protected]
done_recipient: **[email protected]
named_attribute: dsn_orig_rcpt=rfc822;**[email protected]
original_recipient: **[email protected]
done_recipient: **[email protected]
named_attribute: dsn_orig_rcpt=rfc822;**[email protected]
original_recipient: **[email protected]
done_recipient: **[email protected]
named_attribute: dsn_orig_rcpt=rfc822;**[email protected]
original_recipient: **[email protected]
recipient: **[email protected]
*** MESSAGE CONTENTS deferred/A/A101954025D4 ***
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.**u-**aum.de (Postfix) with ESMTP id A101954025D4;
    Tue, 10 Jun 2014 13:57:16 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mail.**u-**aum.de
Received: from mail.**u-**aum.de ([127.0.0.1])
    by localhost (mail.**u-**aum.de [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id uPlqdCg+QoeV; Tue, 10 Jun 2014 13:57:07 +0200 (CEST)
Received: from oibxjrbmtmpn (unknown [178.123.155.131])
    (Authenticated sender: **libor.**sic@**n-**elberg.de)
    by mail.**u-**aum.de (Postfix) with ESMTPA id 2AF17541D651;
    Tue, 10 Jun 2014 13:29:28 +0200 (CEST)
Subject:
From: "Pedin" <pedin@**n-**elberg.de>
Content-Type: text/plain; charset=us-ascii
X-Mailer: iPhone Mail (11B651)
Message-Id: <TBTJCOVK-SEQ8-LSN3-8DOC-IAOLGHULY50V@**n-**elberg.de>
Date: Tue, 10 Jun 2014 12:11:06 -0700
To: "**[email protected]" <**[email protected]>
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)

towards http://kovru.ru/movie.htm outer
Sent from my iPhone=
*** HEADER EXTRACTED deferred/A/A101954025D4 ***
named_attribute: encoding=7bit
*** MESSAGE FILE END deferred/A/A101954025D4 ***

Another one:

Code:
73FDA54025E1* 690 Tue Jun 10 15:21:59 runog@**n-**elberg.de
**[email protected]
**[email protected]
**[email protected]
**[email protected]
**[email protected]

Code:
mail:~# postcat -q 73FDA54025E1
*** ENVELOPE RECORDS active/73FDA54025E1 ***
message_size: 690 1078 5 0 690
message_arrival_time: Tue Jun 10 15:21:59 2014
create_time: Tue Jun 10 15:21:59 2014
content_filter: amavis:[127.0.0.1]:10024
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=**libor.**sic@**n-**elberg.de
sender: runog@**n-**elberg.de
named_attribute: log_client_name=unknown
named_attribute: log_client_address=109.161.19.62
named_attribute: log_client_port=57091
named_attribute: log_message_origin=unknown[109.161.19.62]
named_attribute: log_helo_name=okuqzwiqc
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=pppoe-dyn-109-161-19-62.kosnet.ru
named_attribute: client_address=109.161.19.62
named_attribute: client_port=57091
named_attribute: helo_name=okuqzwiqc
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;**[email protected]
original_recipient: **[email protected]
recipient: **[email protected]
named_attribute: dsn_orig_rcpt=rfc822;**[email protected]
original_recipient: **[email protected]
recipient: **[email protected]
named_attribute: dsn_orig_rcpt=rfc822;**[email protected]
original_recipient: **[email protected]
recipient: **[email protected]
named_attribute: dsn_orig_rcpt=rfc822;**[email protected]
original_recipient: **[email protected]
recipient: **[email protected]
named_attribute: dsn_orig_rcpt=rfc822;**[email protected]
original_recipient: **[email protected]
recipient: **[email protected]
*** MESSAGE CONTENTS active/73FDA54025E1 ***
Received: from okuqzwiqc (unknown [109.161.19.62])
    (Authenticated sender: **libor.**sic@**n-**elberg.de)
    by mail.**u-**aum.de (Postfix) with ESMTPA id 73FDA54025E1;
    Tue, 10 Jun 2014 15:21:59 +0200 (CEST)
Subject:
From: "Runog" <runog@**n-**elberg.de>
Content-Type: text/plain; charset=us-ascii
X-Mailer: iPhone Mail (11D167)
Message-Id: <IUKS4PYK-J7JO-K55Z-KLNF-5ATIOQIO2XIZ@**n-**elberg.de>
Date: Tue, 10 Jun 2014 14:03:37 -0700
To: "**ltan-502-502-@**tmail.com" <**[email protected]>
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)

wanderer fowls preserve http://investethiopia.se/movies.htm anthony hive
Sent from my iPhone=
*** HEADER EXTRACTED active/73FDA54025E1 ***
*** MESSAGE FILE END active/73FDA54025E1 ***

/etc/postfix/main.cf

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.**u-**aum.de
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = mail.**u-**aum.de, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 209715200
smtpd_client_message_rate_limit = 100
owner_request_special = no
inet_protocols = all
smtp_tls_security_level = may

The point is that pedin@**n-**elberg.de does not exist, but the authenticated user **libor.**sic@**n-**elberg.de exists (I disabled SMTP, IMAP and POP3 via ISPConfig without success).
The spam is sent over the authenticated user that is listed in the line "Authenticated sender:". Change the password of that user in ISPConfig. If the user is currently sending masses of spam, then it might be necessary to restart postfix, saslauthd and dovecot to clear their caches.
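The check described in this reply, as an added example that is not code from the thread: it parses `postcat -q` output like the two dumps above and flags entries where the SMTP-AUTH user (from the `sasl_username` envelope attribute, or from the `Authenticated sender:` Received header once amavisd-new has re-injected the message) is not the envelope sender, or where the authenticating client sits outside `mynetworks` without a reverse DNS name. The sample dump, the 203.0.113.5 address and the example.net names are constructed.

```python
"""Flag `postcat -q` dumps matching the thread's stolen SMTP-AUTH account pattern.
Added example, not the thread's code; the sample dump is constructed. A message re-injected
by amavisd-new (the first dump above) has no sasl_username left in its envelope, so the
"(Authenticated sender: ...)" Received header is used as a fallback."""
import ipaddress
import re

TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]

# Constructed postcat output modelled on the thread's second dump (addresses replaced).
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS active/73FDA54025E1 ***
named_attribute: sasl_username=libor.sic@example.net
sender: runog@example.net
named_attribute: client_name=unknown
named_attribute: client_address=203.0.113.5
*** MESSAGE CONTENTS active/73FDA54025E1 ***
Received: from okuqzwiqc (unknown [203.0.113.5])
    (Authenticated sender: libor.sic@example.net)
"""

def parse_postcat(text):
    """Return envelope named_attributes, the sender, and the Received-header auth user."""
    env, in_envelope = {}, True
    for line in text.splitlines():
        if line.startswith("*** MESSAGE CONTENTS"):
            in_envelope = False
        elif in_envelope:
            m = re.match(r"named_attribute:\s*(\w+)=(.*)", line) or re.match(r"(sender):\s*(.*)", line)
            if m:
                env[m.group(1)] = m.group(2).strip()
        else:  # header section: the only trace of the SASL login after amavis re-injection
            m = re.search(r"\(Authenticated sender:\s*([^)\s]+)\)", line)
            if m:
                env.setdefault("auth_header_user", m.group(1))
    return env

def suspicious(env):
    """Reasons this entry looks like a compromised-account relay; an empty list means none."""
    user = env.get("sasl_username") or env.get("auth_header_user")
    if not user:
        return []  # not an authenticated submission, so not the thread's pattern
    reasons = []
    if env.get("sender", "").lower() != user.lower():
        reasons.append(f"sender {env.get('sender')} is not the authenticated user {user}")
    addr = env.get("client_address")
    if addr and env.get("client_name") == "unknown" and not any(
            ipaddress.ip_address(addr) in net for net in TRUSTED_NETS):
        reasons.append(f"authenticated from {addr}, which has no reverse DNS name")
    return reasons
```

Run it over `postcat -q <queue-id>` for each entry in `mailq`; a sender that is not the login user is the same tell the original poster spotted by hand.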
I had exactly the same problem last week, and the problem was one email account on my server that had surely been compromised for that. I think you've got it on the line: I blocked this account in my ISPConfig, changed the password, and now it seems fine.
Thank you for your fast reply guys, it is awesome. Currently I stopped postfix and it will be deactivated until tomorrow. Already changed the password for the user but think the customer's PC is compromised. Will check that tomorrow. Didn't restart saslauthd and courier, maybe that was my fault. Will reply with the status after I made the changes. UPDATE: After changing all passwords and restarting postfix, saslauthd and courier no new spam appeared. A lot of Russian failed logins in the logfile. Thank you again and have a nice day.
I had the same problem today on another account of my server (without any relation to the first one)... I can see 2 more threads about the same problem. Is it something that is happening especially nowadays?
Yes. There is a huge botnet active at the moment and each of these spam messages contains an attachment with a trojan, so if a user opens it, this trojan will grab his email account details and start to send itself over the SMTP login of that user. So the problem is on the client side and there is not that much that you can do on your server except changing the password of the account if you notice that spam and then informing the user to clean his PC.