We are facing a spam problem. We are receiving emails from our domain, from email addresses that we never created, for example [email protected]. These addresses are being sent to our users. I checked the mail queue and it shows the following:

Mail Queue:
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
0BC3D403FE 1663 Mon Dec 12 16:55:20 [email protected]
(delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

030F440374 1663 Mon Dec 12 16:57:04 [email protected]
(delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Mail Log:
Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<[email protected]>, relay=none, delay=2370, delays=2370/0.18/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<[email protected]>, relay=none, delay=2390, delays=2389/0.15/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<[email protected]>, relay=none, delay=2370, delays=2370/0.18/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<[email protected]>, relay=none, delay=2390, delays=2389/0.15/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<[email protected]>, relay=none, delay=2370, delays=2370/0.18/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<[email protected]>, relay=none, delay=2390, delays=2389/0.15/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<[email protected]>, relay=none, delay=2370, delays=2370/0.18/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<[email protected]>, relay=none, delay=2390, delays=2389/0.15/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<[email protected]>, relay=none, delay=2370, delays=2370/0.18/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)

Mail Warn Log:
Dec 12 13:20:50 server1 postfix/smtpd[24495]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
Dec 12 13:20:53 server1 postfix/smtpd[24495]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:28:06 server1 postfix/smtpd[25145]: warning: rrcs-147-0-242-154.central.biz.rr.com[147.0.242.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:29:20 server1 postfix/smtpd[25145]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
Dec 12 13:29:22 server1 postfix/smtpd[25145]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:37:48 server1 postfix/smtpd[25911]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
Dec 12 13:37:51 server1 postfix/smtpd[25911]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:46:12 server1 postfix/smtpd[26630]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
Dec 12 13:46:15 server1 postfix/smtpd[26630]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:54:34 server1 postfix/smtpd[27252]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
Dec 12 13:54:37 server1 postfix/smtpd[27252]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 14:03:02 server1 postfix/smtpd[30463]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
Dec 12 14:03:03 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 1 seconds before retry
Dec 12 14:03:03 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 1 seconds before retry
Dec 12 14:03:04 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 5 seconds before retry
Dec 12 14:03:04 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 5 seconds before retry
Dec 12 14:03:09 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 25 seconds before retry
Dec 12 14:03:09 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 25 seconds before retry
Dec 12 14:03:13 server1 postfix/smtpd[30463]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: Connection lost to authentication server
Dec 12 14:03:34 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 125 seconds before retry
Dec 12 14:03:34 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 125 seconds before retry
Dec 12 14:04:03 server1 dovecot: auth: Error: auth worker: Aborted request: Lookup timed out
Dec 12 14:04:03 server1 dovecot: auth-worker(30484): Error: sql(test2,91.200.12.140): Password query failed: Not connected to database
Dec 12 14:04:03 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 1 seconds before retry
Dec 12 14:04:04 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 5 seconds before retry
Dec 12 14:04:09 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 25 seconds before retry
Dec 12 14:04:34 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 125 seconds before retry
Dec 12 14:11:26 server1 postfix/smtpd[9351]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
Dec 12 14:11:29 server1 postfix/smtpd[9351]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 14:12:47 server1 postfix/smtpd[9351]: warning: rrcs-147-0-242-154.central.biz.rr.com[147.0.242.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
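The mail.warn lines quoted above deserve a second look on their own: the recurring "SASL LOGIN authentication failed: UGFzc3dvcmQ6" entries from 91.200.12.140 every few minutes look like repeated password-guessing against the submission service (UGFzc3dvcmQ6 is simply the base64 encoding of Postfix's "Password:" challenge, i.e. the client got as far as the password and it was wrong), and the dovecot line names the account being tried (test2). The script below is an added example, not code from the poster or from ISPConfig: it parses a constructed subset of the quoted lines, groups failures per client IP, decodes the challenge token and flags repeat offenders. The threshold of three failures is an assumption to tune to the site's normal rate.

```python
import base64
import re
from collections import Counter

# Constructed sample: a subset of the mail.warn lines quoted in the post above,
# kept in the same syslog format so the parser runs offline.
SAMPLE_WARN_LOG = """\
Dec 12 13:20:53 server1 postfix/smtpd[24495]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:28:06 server1 postfix/smtpd[25145]: warning: rrcs-147-0-242-154.central.biz.rr.com[147.0.242.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:29:22 server1 postfix/smtpd[25145]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:37:51 server1 postfix/smtpd[25911]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 14:03:13 server1 postfix/smtpd[30463]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: Connection lost to authentication server
Dec 12 14:04:03 server1 dovecot: auth-worker(30484): Error: sql(test2,91.200.12.140): Password query failed: Not connected to database
Dec 12 14:11:29 server1 postfix/smtpd[9351]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 14:12:47 server1 postfix/smtpd[9351]: warning: rrcs-147-0-242-154.central.biz.rr.com[147.0.242.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# postfix/smtpd: "warning: <rdns-or-unknown>[<ip>]: SASL <MECH> authentication failed: <detail>"
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<detail>.*)$"
)
# dovecot auth-worker: "sql(<username>,<ip>): Password query failed: ..." names the account tried
DOVECOT_SQL_RE = re.compile(r"dovecot: auth-worker\(\d+\): Error: sql\((?P<user>[^,]+),(?P<ip>[^)]+)\)")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_sasl_detail(detail):
    """Postfix logs the last SASL server challenge, base64 encoded, in the failure
    message. 'UGFzc3dvcmQ6' decodes to 'Password:', meaning the client reached the
    password prompt and failed there. Non-base64 text is returned unchanged."""
    if BASE64_RE.match(detail) and len(detail) % 4 == 0:
        try:
            text = base64.b64decode(detail).decode("ascii")
            if text.isprintable():
                return text
        except (ValueError, UnicodeDecodeError):
            pass
    return detail


def _new_entry():
    return {"count": 0, "hosts": set(), "users": set(), "details": Counter()}


def summarize_sasl_failures(log_text):
    """Group SASL failures by client IP: failure count, observed rDNS names,
    usernames seen in dovecot's SQL lookups, and a histogram of decoded details."""
    summary = {}
    for line in log_text.splitlines():
        m = SASL_FAIL_RE.search(line)
        if m:
            entry = summary.setdefault(m["ip"], _new_entry())
            entry["count"] += 1
            entry["hosts"].add(m["host"])
            entry["details"][decode_sasl_detail(m["detail"])] += 1
            continue
        d = DOVECOT_SQL_RE.search(line)
        if d:
            summary.setdefault(d["ip"], _new_entry())["users"].add(d["user"])
    return summary


def flag_password_guessing(summary, threshold=3):
    """IPs with at least `threshold` SASL failures, most active first.
    The threshold is an assumption for this example."""
    return sorted(
        (ip for ip, e in summary.items() if e["count"] >= threshold),
        key=lambda ip: -summary[ip]["count"],
    )


if __name__ == "__main__":
    s = summarize_sasl_failures(SAMPLE_WARN_LOG)
    for ip in flag_password_guessing(s):
        e = s[ip]
        print(f"{ip}: {e['count']} failures, rDNS={sorted(e['hosts'])}, "
              f"users={sorted(e['users'])}, details={dict(e['details'])}")
```

Run against the real /var/log/mail.warn the same regexes apply unchanged; the per-IP counts are what you would feed a blocklist or fail2ban-style rule, and the decoded "Password:" detail separates wrong-password attempts from backend outages such as the "Connection lost to authentication server" line that coincides with the MySQL errors above.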
I would suggest following the guide at https://www.howtoforge.com/hardening-postfix-for-ispconfig-3 as it will add several rules for verifying and rejecting nonexistent accounts. You should also make sure DMARC is set up correctly in your DNS, especially if you are using an external DNS provider.
Check the headers of one of these mails in the queue with postcat to see how they are sent. If they were sent by a hacked account or website, then you have to fix that to stop the problem.
Here are the headers of the received spam email:
- [email protected] is the receiver on the server (this is an actual email on the server)
- [email protected] is the spam email address that we are receiving from
- 1.52.102.223 is NOT our server IP

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
    by server1.YYYYYY.com.lb (Postfix) with ESMTP id 045B71806D
    for <[email protected]>; Wed, 14 Dec 2016 11:27:46 -0600 (CST)
X-Virus-Scanned: Debian amavisd-new at server1.YYYYYY.com.lb
X-Spam-Flag: YES
X-Spam-Score: 10.81
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.81 tagged_above=3 required=10
    tests=[BAYES_50=0.8, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
    RCVD_IN_PBL=3.335, RCVD_IN_PSBL=2.7, RCVD_IN_XBL=0.375, RDNS_NONE=0.793,
    TVD_SPACE_RATIO=0.001, T_MIME_NO_TEXT=0.01] autolearn=no
Received: from server1.YYYYYY.com.lb ([127.0.0.1])
    by localhost (server1.YYYYYY.com.lb [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 0dbY4rCLsCKN for <[email protected]>;
    Wed, 14 Dec 2016 11:27:46 -0600 (CST)
Received: by server1.YYYYYY.com.lb (Postfix, from userid 5000)
    id 6EF5E180AF; Wed, 14 Dec 2016 11:27:46 -0600 (CST)
X-Sieve: Pigeonhole Sieve 0.3.1
X-Sieve-Redirected-From: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
    by server1.YYYYYY.com.lb (Postfix) with ESMTP id AED1218077
    for <[email protected]>; Wed, 14 Dec 2016 11:27:45 -0600 (CST)
X-Virus-Scanned: Debian amavisd-new at server1.YYYYYY.com.lb
Received: from server1.YYYYYY.com.lb ([127.0.0.1])
    by localhost (server1.YYYYYY.com.lb [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id iokwacCDwDUZ for <[email protected]>;
    Wed, 14 Dec 2016 11:27:44 -0600 (CST)
Received: from [1.52.102.223] (unknown [1.52.102.223])
    by server1.YYYYYY.com.lb (Postfix) with ESMTP id F34901806D
    for <[email protected]>; Wed, 14 Dec 2016 11:27:42 -0600 (CST)
From: [email protected]
To: "admin" <[email protected]>
Subject: ***SPAM*** ***SPAM***Attached document
Date: Thu, 15 Dec 2016 00:27:35 +0700
Message-Id: <[email protected]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="3F69BB737D7201848BE57476D2F2"
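Reading a Received chain (from postcat, as suggested above, or from the full headers shown here) works from the top down: every hop written by your own server is trustworthy, and the first hop whose peer is outside your own addresses is where the message entered from the Internet. In the headers above that hop is "Received: from [1.52.102.223] (unknown [1.52.102.223])", while From and Return-Path claim the local domain, so this is inbound mail carrying a forged local sender address. The script below is an added example, not the poster's or ISPConfig's code: it runs the same walk over a constructed copy of the Received chain above, with made-up mailbox names (the originals are redacted) and the placeholder 203.0.113.10 standing in for the server's public IP, which the thread does not give.

```python
import ipaddress
import re

# Constructed sample: the Received chain from the headers quoted above, same hosts
# and addresses. YYYYYY.com.lb is the poster's redacted domain; the mailbox names
# (admin, spoofed-sender) are made up because the originals were redacted.
SAMPLE_HEADERS = """\
Return-Path: <spoofed-sender@YYYYYY.com.lb>
Delivered-To: admin@YYYYYY.com.lb
Received: from localhost (localhost [127.0.0.1])
    by server1.YYYYYY.com.lb (Postfix) with ESMTP id 045B71806D
    for <admin@YYYYYY.com.lb>; Wed, 14 Dec 2016 11:27:46 -0600 (CST)
Received: from server1.YYYYYY.com.lb ([127.0.0.1])
    by localhost (server1.YYYYYY.com.lb [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 0dbY4rCLsCKN for <admin@YYYYYY.com.lb>;
    Wed, 14 Dec 2016 11:27:46 -0600 (CST)
Received: by server1.YYYYYY.com.lb (Postfix, from userid 5000)
    id 6EF5E180AF; Wed, 14 Dec 2016 11:27:46 -0600 (CST)
Received: from [1.52.102.223] (unknown [1.52.102.223])
    by server1.YYYYYY.com.lb (Postfix) with ESMTP id F34901806D
    for <admin@YYYYYY.com.lb>; Wed, 14 Dec 2016 11:27:42 -0600 (CST)
From: spoofed-sender@YYYYYY.com.lb
To: "admin" <admin@YYYYYY.com.lb>
Subject: ***SPAM*** ***SPAM***Attached document

"""

# Networks whose Received hops are our own infrastructure. 203.0.113.10 is a
# placeholder for the server's public IP, which the thread does not state.
TRUSTED_NETWORKS = ["127.0.0.0/8", "203.0.113.10/32"]
LOCAL_DOMAINS = ["YYYYYY.com.lb"]

RECEIVED_FROM_RE = re.compile(r"^from\s+(?P<host>\S+)", re.IGNORECASE)
BRACKET_IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
ADDR_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def parse_headers(raw):
    """[(name, value)] in wire order, folded continuation lines joined;
    stops at the blank line that ends the header block."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def received_chain(headers):
    """One dict per Received header, newest first. from_ip is None for hops with
    no remote peer, e.g. the Sieve redirect's 'by ... (Postfix, from userid 5000)'."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = RECEIVED_FROM_RE.match(value)
        ip = None
        if m:
            clause = value.split(" by ", 1)[0]       # only the "from ..." part
            ipm = BRACKET_IP_RE.search(clause)
            ip = ipm.group(1) if ipm else None
        hops.append({"from_host": m.group("host") if m else None, "from_ip": ip})
    return hops


def origin_hop(hops, trusted_networks):
    """First hop (newest to oldest) whose peer is outside our trusted networks:
    the point where the message entered. Anything older was written by the
    remote side and cannot be trusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hop in hops:
        if hop["from_ip"] is None:
            continue
        addr = ipaddress.ip_address(hop["from_ip"])
        if not any(addr in n for n in nets):
            return hop
    return None


def sender_domain(headers, field):
    for name, value in headers:
        if name.lower() == field.lower():
            m = ADDR_DOMAIN_RE.search(value)
            return m.group(1).lower() if m else None
    return None


def is_forged_local_sender(headers, local_domains, trusted_networks):
    """True when the sender claims one of our domains but the message was injected
    by a host outside our trusted networks, as the quoted headers show."""
    hop = origin_hop(received_chain(headers), trusted_networks)
    if hop is None:
        return False
    domain = sender_domain(headers, "From") or sender_domain(headers, "Return-Path")
    return domain in {d.lower() for d in local_domains}


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_HEADERS)
    hop = origin_hop(received_chain(hdrs), TRUSTED_NETWORKS)
    print("entered from", hop["from_ip"], "forged local sender:",
          is_forged_local_sender(hdrs, LOCAL_DOMAINS, TRUSTED_NETWORKS))
```

The same walk applies to queued messages: `postcat -qh <queue id>` prints the headers, and once the entry hop is known to be external, the fix is at the SMTP edge (rejecting outside clients that claim your own domains) rather than in a user's account.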
So, you receive spam that seems to come from your own server, or at least uses a domain name that's on your server?
Then you could use SPF to reject such mail. You might want to have a look here: https://www.howtoforge.com/hardening-postfix-for-ispconfig-3
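SPF, as suggested above, works because the domain publishes a DNS TXT record listing the addresses allowed to use it as envelope sender; the receiving MTA evaluates that record against the connecting client's IP, and a record ending in "-all" makes every unlisted source fail, including a host like the 1.52.102.223 seen in the headers. The evaluator below is an added example, not the poster's configuration or a library: it handles only ip4/ip6/all terms and does no DNS lookups, and its record is constructed with the placeholder 203.0.113.10 for the server's real address, which the thread does not give. In Postfix this check is normally delegated to an SPF policy service called from the smtpd restrictions rather than hand-written; the code is here to show how the decision is reached.

```python
import ipaddress

# Result per RFC 7208 for each qualifier prefix on a matching mechanism.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF TXT record against the connecting client's IP.
    Only ip4/ip6/all mechanisms are handled (no DNS): a, mx, include and
    redirect= return 'permerror' here as a deliberate limitation of this example."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:                    # modifier, e.g. redirect= or exp=
            if term.lower().startswith("redirect="):
                return "permerror"         # would need a DNS lookup
            continue                       # unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == addr.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        return "permerror"                 # a/mx/include need DNS; out of scope
    return "neutral"                       # nothing matched and no "all": RFC 7208 default


def smtp_action(spf_result):
    """Policy for mail whose envelope sender is in our own domain (a choice made
    for this example): hard fail is rejected, weaker results are accepted and
    tagged for the spam filter, pass is accepted."""
    if spf_result == "fail":
        return "reject"
    if spf_result in ("softfail", "neutral", "none"):
        return "accept-and-tag"
    return "accept"


# Constructed record for the poster's domain: 203.0.113.10 is a placeholder for
# the server's public IP; "-all" hard-fails every other source.
EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.10 -all"

if __name__ == "__main__":
    for ip in ("203.0.113.10", "1.52.102.223"):
        result = evaluate_spf(EXAMPLE_RECORD, ip)
        print(f"{ip}: spf={result} -> {smtp_action(result)}")
```

Two caveats when turning this into policy. The record only protects the envelope sender (MAIL FROM), not the visible From: header; tying the two together is what DMARC, mentioned earlier in the thread, adds. And a "~all" record yields softfail, which most receivers merely tag, so if the goal is to have forged mail rejected, publish "-all" once every legitimate sending host (web server, newsletter tool, off-site relay) is listed.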