OK, the short version is that I'm generating lots of spam which is apparently being sent from web1 (Perfect Server setup: Apache etc., Ubuntu 18.04). I have done a search and cannot locate any file in the up-to-date Joomla installation that may be causing the issue. I just cleared over 10,000 messages from the mail queue, and I have "Disable SMTP (sending)" checked. Attached is the returned email, but I can't see anything in the header which points to what is triggering the sending of the spam. So I am really grasping at straws here; any assistance appreciated. IP address removed for security.

Code:
Return-Path: <MAILER-DAEMON>
Delivered-To: [email protected]
Received: by server1.polyoz.net.au (Postfix) id E91803863C0; Fri, 27 Dec 2019 06:04:25 +1100 (AEDT)
Date: Fri, 27 Dec 2019 06:04:25 +1100 (AEDT)
From: [email protected] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [email protected]
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="4CF6038645B.1577387065/server1.polyoz.net.au"
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>

This is a MIME-encapsulated message.

--4CF6038645B.1577387065/server1.polyoz.net.au
Content-Description: Notification
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

This is the mail system at host server1.polyoz.net.au.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

<[email protected]>: host mx-aol.mail.gm0.yahoodns.net[98.136.96.92] said: 421 4.7.0 [TSS04] Messages from 110.141.196.223 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)

--4CF6038645B.1577387065/server1.polyoz.net.au
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; server1.polyoz.net.au
X-Postfix-Queue-ID: 4CF6038645B
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Sun, 22 Dec 2019 05:49:25 +1100 (AEDT)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 4.7.0
Remote-MTA: dns; mx-aol.mail.gm0.yahoodns.net
Diagnostic-Code: smtp; 421 4.7.0 [TSS04] Messages from temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html

--4CF6038645B.1577387065/server1.polyoz.net.au
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <[email protected]>
Received: from localhost (localhost [127.0.0.1]) by server1.polyoz.net.au (Postfix) with ESMTP id 4CF6038645B for <[email protected]>; Sun, 22 Dec 2019 05:49:25 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=
 polyfidelity.org.au; h=x-mailer:content-transfer-encoding
 :content-type:content-type:mime-version:date:date:subject
 :subject:from:from:message-id; s=default; t=1576954164; x=
 1578768565; bh=X5eMczd08JJbUcLPs3vhIyBU1LHt/4q7CfInX4GMXIM=; b=Z
 wn5UeQyBOsuo3ecq/PNYMSq9FBZGz6YW8/ueXVMamIU/T3CgYB2oxAzhCQo7YCi1
 UNzU/01WEVXDfXMzBQkG2ldMTuq27SLH9xYdwTcaJD9wY1oKXZFsmf/gny9VSyFm
 9XHORA3OEsXk7W1PghzyAyfF+v9GR1oo98cFwjKFUs=
X-Virus-Scanned: Debian amavisd-new at server1.polyoz.net.au
Received: from server1.polyoz.net.au ([127.0.0.1]) by localhost (server1.polyoz.net.au [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id SEJ64BSHiekH for <[email protected]>; Sun, 22 Dec 2019 05:49:24 +1100 (AEDT)
Received: from 178.63.17.173 (unknown [114.143.230.186]) (Authenticated sender: [email protected]) by server1.polyoz.net.au (Postfix) with ESMTPSA id C0DD5386C37 for <[email protected]>; Sun, 22 Dec 2019 05:31:30 +1100 (AEDT)
Message-ID: <[email protected]>
From: Julieann <[email protected]>
To: [email protected]
Subject: Good day How are you my dear
Date: Sat, 21 Dec 2019 21:31:25 +0300
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="windows-1251"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416

Hi customer
What is the secret of never-ending sexual health and 100 per cent sexual performance?
https://tgraph.io/Cwvx8Z-03-12

--4CF6038645B.1577387065/server1.polyoz.net.au--
Is this a mailbox on your system? (Authenticated sender: [email protected]) If yes, change the password of that mailbox, as it sends the spam. Then restart Postfix and Dovecot.
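One way to turn the hint in this answer into a repeatable check, as an added example that is not from the thread or from ISPConfig: on a Postfix server the smtpd log records which account authenticated (`sasl_username=`) and from which client IP, so counting submissions per account points at the abused mailbox, and listing the client IPs seen for that account shows whether the logins come from where its real owner actually sits. The log lines below are constructed samples; the `/var/log/mail.log` path, account names, queue IDs and IPs are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): find which SASL-authenticated account
# is pushing mail through Postfix, from the smtpd log lines.
# The sample log below is constructed; accounts, queue IDs and IPs are placeholders.

SAMPLE_LOG='Dec 22 05:31:30 server1 postfix/smtpd[1001]: A1B2C3D4E5F: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=shop@example.org
Dec 22 05:31:31 server1 postfix/smtpd[1001]: B2C3D4E5F6A: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=shop@example.org
Dec 22 05:31:33 server1 postfix/smtpd[1002]: C3D4E5F6A7B: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=shop@example.org
Dec 22 05:40:02 server1 postfix/smtpd[1003]: D4E5F6A7B8C: client=mail.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Dec 22 05:41:10 server1 postfix/smtpd[1004]: E5F6A7B8C9D: client=mx.example.com[192.0.2.20]'

# Reads Postfix smtpd log text on stdin; prints "<count> <account>" for every
# authenticated submission, busiest account first. Unauthenticated inbound
# connections (no sasl_username=) are ignored.
count_sasl_senders() {
    grep -o 'sasl_username=[^ ,]*' | sed 's/^sasl_username=//' | sort | uniq -c | sort -rn
}

# Reads log text on stdin; prints the distinct client IPs that authenticated
# as the account given in $1 (the IP is the bracketed part of client=host[ip]).
client_ips_for() {
    grep -E "sasl_username=$1(,| |\$)" \
        | sed -n 's/.*client=[^[]*\[\([^]]*\)\].*/\1/p' \
        | sort -u
}

# Reads log text on stdin; prints only the account with the most submissions.
busiest_account() {
    count_sasl_senders | head -n 1 | awk '{print $2}'
}

# Stand-alone demo on the constructed sample. On a live server, feed the
# real log instead, e.g.:  busiest_account < /var/log/mail.log
printf '%s\n' "$SAMPLE_LOG" | count_sasl_senders
busiest=$(printf '%s\n' "$SAMPLE_LOG" | busiest_account)
echo "busiest account: $busiest"
echo "client IPs seen for $busiest:"
printf '%s\n' "$SAMPLE_LOG" | client_ips_for "$busiest"
```

On the sample, `shop@example.org` tops the list with three submissions from two unrelated addresses, which is the pattern a stolen mailbox password produces; the same two functions run against the live log after the password change confirm whether the flood actually stopped, which is the check the later replies in this thread describe needing.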
Thanks till, I did change the password and used one generated by ISPConfig, and it seemed to cure the problem for a while. However, in the interests of making sure, I have changed it again using one generated by ISPConfig and rebooted the server. I will see what happens and report back if it seems they have cracked the password again.
All good now, thanks. I hate to admit my flaws, but I think that when I first changed the password I neglected to restart the mail servers. Just as extra security, I changed the passwords on all the email accounts. Best wishes to all for the coming year...
The reason why the mail service restart is required in such a case is that when there is high sending pressure, meaning either the sending client keeps the authenticated connection open or reconnects very fast, the backend database is not queried for the new password by Postfix, which means the old one will still work for the attacker for some time.