I'm sending Spam

Discussion in 'Server Operation' started by Tastiger, Dec 26, 2019.

  1. Tastiger

    Tastiger Member HowtoForge Supporter

    OK, the short version is I'm generating lots of spam which is apparently being sent from web 1 (Perfect Server - Apache etc., Ubuntu 18.04).
    I have done a search and cannot locate any file in the up-to-date Joomla installation that may be causing the issue.
    I just cleared over 10,000 messages from the mail queue; I have "Disable SMTP (sending)" checked.
    Attached is the returned email, but I can't see anything in the header which points to what is triggering the sending of the spam.
    So I am really grasping at straws here - any assistance appreciated.
    IP address removed for security.
    Code:
    Return-Path: <MAILER-DAEMON>
    Delivered-To: [email protected]
    Received: by server1.polyoz.net.au (Postfix)
        id E91803863C0; Fri, 27 Dec 2019 06:04:25 +1100 (AEDT)
    Date: Fri, 27 Dec 2019 06:04:25 +1100 (AEDT)
    From: [email protected] (Mail Delivery System)
    Subject: Undelivered Mail Returned to Sender
    To: [email protected]
    Auto-Submitted: auto-replied
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
        boundary="4CF6038645B.1577387065/server1.polyoz.net.au"
    Content-Transfer-Encoding: 8bit
    Message-Id: <[email protected]>
    
    This is a MIME-encapsulated message.
    
    --4CF6038645B.1577387065/server1.polyoz.net.au
    Content-Description: Notification
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 8bit
    
    This is the mail system at host server1.polyoz.net.au.
    
    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.
    
    For further assistance, please send mail to postmaster.
    
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
    
                       The mail system
    
    <[email protected]>: host mx-aol.mail.gm0.yahoodns.net[98.136.96.92] said: 421
        4.7.0 [TSS04] Messages from 110.141.196.223 temporarily deferred due to
        user complaints - 4.16.55.1; see
        https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM
        command)
    
    --4CF6038645B.1577387065/server1.polyoz.net.au
    Content-Description: Delivery report
    Content-Type: message/delivery-status
    
    Reporting-MTA: dns; server1.polyoz.net.au
    X-Postfix-Queue-ID: 4CF6038645B
    X-Postfix-Sender: rfc822; [email protected]
    Arrival-Date: Sun, 22 Dec 2019 05:49:25 +1100 (AEDT)
    
    Final-Recipient: rfc822; [email protected]
    Original-Recipient: rfc822;[email protected]
    Action: failed
    Status: 4.7.0
    Remote-MTA: dns; mx-aol.mail.gm0.yahoodns.net
    Diagnostic-Code: smtp; 421 4.7.0 [TSS04] Messages from
        temporarily deferred due to user complaints - 4.16.55.1; see
        https://help.yahoo.com/kb/postmaster/SLN3434.html
    
    --4CF6038645B.1577387065/server1.polyoz.net.au
    Content-Description: Undelivered Message
    Content-Type: message/rfc822
    Content-Transfer-Encoding: 8bit
    
    Return-Path: <[email protected]>
    Received: from localhost (localhost [127.0.0.1])
        by server1.polyoz.net.au (Postfix) with ESMTP id 4CF6038645B
        for <[email protected]>; Sun, 22 Dec 2019 05:49:25 +1100 (AEDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=
        polyfidelity.org.au; h=x-mailer:content-transfer-encoding
        :content-type:content-type:mime-version:date:date:subject
        :subject:from:from:message-id; s=default; t=1576954164; x=
        1578768565; bh=X5eMczd08JJbUcLPs3vhIyBU1LHt/4q7CfInX4GMXIM=; b=Z
        wn5UeQyBOsuo3ecq/PNYMSq9FBZGz6YW8/ueXVMamIU/T3CgYB2oxAzhCQo7YCi1
        UNzU/01WEVXDfXMzBQkG2ldMTuq27SLH9xYdwTcaJD9wY1oKXZFsmf/gny9VSyFm
        9XHORA3OEsXk7W1PghzyAyfF+v9GR1oo98cFwjKFUs=
    X-Virus-Scanned: Debian amavisd-new at server1.polyoz.net.au
    Received: from server1.polyoz.net.au ([127.0.0.1])
        by localhost (server1.polyoz.net.au [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id SEJ64BSHiekH for <[email protected]>;
        Sun, 22 Dec 2019 05:49:24 +1100 (AEDT)
    Received: from 178.63.17.173 (unknown [114.143.230.186])
        (Authenticated sender: [email protected])
        by server1.polyoz.net.au (Postfix) with ESMTPSA id C0DD5386C37
        for <[email protected]>; Sun, 22 Dec 2019 05:31:30 +1100 (AEDT)
    Message-ID: <[email protected]>
    From: Julieann <[email protected]>
    To: [email protected]
    Subject: Good day How are you my dear
    Date: Sat, 21 Dec 2019 21:31:25 +0300
    MIME-Version: 1.0
    Content-Type: text/plain;
        format=flowed;
        charset="windows-1251";
        reply-type=original
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
    X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416
    
    Hi customer
    What is the secret of never-ending sexual health and 100 per cent sexual performance?
    
    https://tgraph.io/Cwvx8Z-03-12
    
    --4CF6038645B.1577387065/server1.polyoz.net.au--
    
     
  2. Tastiger

    Tastiger Member HowtoForge Supporter

    Last 200 entries from /var/log/mail.log
     

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Is this a mailbox on your system?

    (Authenticated sender: [email protected])

    If yes, change the password of that mailbox as it sends the spam. Then restart postfix and dovecot.
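    Till's check above can be scripted. The following is an added example, not code from the thread or from ISPConfig: it unfolds the headers of a bounced message, pulls the account and client IP out of every Received hop that carries an "(Authenticated sender: ...)" clause, and tallies sasl_username logins per account and client IP from Postfix's mail.log (the file posted in reply 2). The header sample, log lines, mailbox names and IP addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the bounced message's Received hops (placeholder names/IPs).
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
    by server1.example.net (Postfix) with ESMTP id 4CF6038645B
Received: from 178.63.17.173 (unknown [198.51.100.23])
    (Authenticated sender: info@example.org)
    by server1.example.net (Postfix) with ESMTPSA id C0DD5386C37
"""
# Constructed mail.log lines in the form Postfix smtpd logs for SASL-authenticated clients.
SAMPLE_LOG = """\
Dec 22 05:31:30 server1 postfix/smtpd[2345]: C0DD5386C37: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=info@example.org
Dec 22 05:31:31 server1 postfix/smtpd[2345]: D1E2F386C38: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=info@example.org
Dec 22 09:02:11 server1 postfix/smtpd[2401]: A1B2C386D00: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.org
"""

AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^\s)]+)\)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LOG_RE = re.compile(r"client=\S*?\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)")

def unfold_headers(raw):
    """Join RFC 5322 continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def authenticated_senders(raw_headers):
    """(account, client_ip) for each Received hop that was accepted via SMTP AUTH."""
    hits = []
    for header in unfold_headers(raw_headers):
        m = AUTH_RE.search(header)
        if header.startswith("Received:") and m:
            ip = IP_RE.search(header)  # first bracketed IP on the hop is the connecting client
            hits.append((m.group(1), ip.group(1) if ip else None))
    return hits

def sasl_logins(log_text):
    """Count authenticated submissions per (account, client_ip) in Postfix mail.log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("ip"))] += 1
    return counts
```

The account that tops `sasl_logins(...).most_common()` from an unfamiliar client IP is the one whose password to change; `authenticated_senders` gives the same answer from a single bounce when no log is at hand.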
     
  4. Tastiger

    Tastiger Member HowtoForge Supporter

    Thanks till
    I did change the password and used one generated by ISPConfig, and it seemed to cure the problem for a while.
    However, in the interest of making sure, I have changed it again using one generated by ISPConfig and rebooted the server.
    I will see what happens and report back if it seems they have cracked the password again.
     
  5. Tastiger

    Tastiger Member HowtoForge Supporter

    All good now, thanks
    I hate to admit my flaws, but I think that when I first changed the password I neglected to restart the mail servers.
    Just as extra security, I changed the passwords on all the email accounts.

    Best wishes to all for the coming year.....
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The reason why the mail service restart is required in such a case is that when there is high sending pressure, meaning the sending client either keeps the authenticated connection open or re-connects very fast, the backend database is not queried by Postfix for the new password, which means the old one will still work for the attacker for some time.
     
  7. Tastiger

    Tastiger Member HowtoForge Supporter

    Great information,
    Thanks once again..
     