I have a problem with outgoing spam on my ISPConfig 3.2 server. These are the headers of one of the spam messages that appear to come from my server:

---------------------------------------------------------------------------
Return-Path: <info@d*****P.it>
Delivered-To: info@d*****P.it
Received: from discovery.d*****P.it by discovery.d*****P.it with LMTP id sNekN5V9JGBSEgAAC5px1g for <info@d*****P.it>; Thu, 11 Feb 2021 01:43:01 +0100
Received: from localhost (localhost [127.0.0.1]) by discovery.d*****P.it (Postfix) with ESMTP id E21693E99A for <info@d*****P.it>; Thu, 11 Feb 2021 01:43:01 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at discovery.d*****P.it
Received: from discovery.d*****P.it ([127.0.0.1]) by localhost (discovery.d*****P.it [127.0.0.1]) (amavisd-new, port 10024) with LMTP id uSPzjcq-utP5 for <info@d*****P.it>; Thu, 11 Feb 2021 01:43:00 +0100 (CET)
Received: from d*****P.it (hml09.calorstai.info [103.153.183.233]) by discovery.d*****P.it (Postfix) with ESMTP id F09B83EA55 for <info@d*****P.it>; Thu, 11 Feb 2021 01:42:58 +0100 (CET)
From: info@d*****P.it
To: info@d*****P.it
Subject: FW: Account Upgrade
Date: 10 Feb 2021 16:42:57 -0800
Message-ID: <20210210164257.81642647EA95149B@d*****P.it>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
------------------------------------------------------------------------------------

How can I prevent these spam emails from being sent? What other information can I provide to help you understand and solve the problem? Thanks for the help
Could it be that this email account is hacked? Start with changing the password of the account, and letting the owner know what's going on. See posts like https://www.howtoforge.com/community/threads/spam-flood.83990/ as well.
I immediately thought about this and I have changed the password. I will try to follow the thread you linked to me. I noticed that the sender's IP (103.153.183.233) appears to be located in California. All my clients are Italian. Is it possible to set up geoblocking to prevent the sending of emails from non-European IPs?
It is possible, but I would not do that. For example, if one of your clients uses a VPN or goes on holiday, they need to access the server as well. You can set up a Fail2Ban jail to block failed attempts for X minutes, and of course, enforce a strong password policy.
That doesn't list an authenticated user in the Received header, and appears to be to your own user, not sending externally? Looks like simple spam/phishing claiming to be from your domain. Updating to 3.2.2 with 'reject sender login mismatch' enabled will stop that.
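As an added example (not code from this thread or from ISPConfig), this is the check the last reply describes, run over constructed headers modelled on the ones posted above: it finds the hop where the message entered the server and flags a From: in the local domain that arrived from an outside host without SMTP authentication, which is the condition Postfix's reject_sender_login_mismatch refuses at SMTP time. The domain, host names, IP and queue IDs are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (not from the thread): the hosted domain and the server's own hop names.
LOCAL_DOMAIN = "example.it"
LOCAL_HOSTS = {"mail.example.it", "localhost"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed headers modelled on the thread's sample (placeholder names and IDs).
SPOOFED = """Received: from localhost (localhost [127.0.0.1])
\tby mail.example.it (Postfix) with ESMTP id AAAA0001; Thu, 11 Feb 2021 01:43:01 +0100 (CET)
Received: from mail.example.it ([127.0.0.1]) by localhost (mail.example.it [127.0.0.1])
\t(amavisd-new, port 10024) with LMTP id BBBB0002; Thu, 11 Feb 2021 01:43:00 +0100 (CET)
Received: from example.it (relay.placeholder.invalid [192.0.2.10])
\tby mail.example.it (Postfix) with ESMTP id CCCC0003
\tfor <info@example.it>; Thu, 11 Feb 2021 01:42:58 +0100 (CET)
From: info@example.it
To: info@example.it

"""
# The same message as a real client of ours would submit it: SMTP-authenticated.
LEGIT = SPOOFED.replace("with ESMTP id CCCC0003", "with ESMTPSA id CCCC0003")

RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+)(?: \((?:(?P<rdns>[^\s\[\]]+) )?\[(?P<ip>[^\]]+)\]\))?"
    r" by (?P<by>\S+).*? with (?P<proto>\S+)")

def parse_received(value):
    """Unfold one Received: header and extract helo, rdns, ip, by-host and protocol."""
    m = RECEIVED_RE.search(re.sub(r"\s+", " ", value))
    return m.groupdict() if m else None

def entry_hop(msg):
    """Most recent Received: hop whose sending host is outside our own machine."""
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and hop["ip"] not in LOOPBACK and hop["helo"] not in LOCAL_HOSTS:
            return hop
    return None

def looks_spoofed(raw):
    """True when From: claims our domain but the message entered from an outside
    host without SMTP auth (Postfix marks authenticated hops ESMTPA/ESMTPSA)."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = entry_hop(msg)
    if domain != LOCAL_DOMAIN or hop is None:
        return False  # not our domain, or never left this machine (local submission)
    return not hop["proto"].upper().startswith(("ESMTPA", "ESMTPSA"))
```

Run over a real mailbox this only confirms the diagnosis after the fact; the server-side restriction is what stops the messages from being accepted at all.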