postfix blacklist not working???

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Sep 27, 2018.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I have had my mailq filled with lots of bogus spam emails (one listed below).
    Now they seem to be coming from a valid user ([email protected]), but the sender/receiver is shown as [email protected] on ALL of them. It's sending hundreds of receipts!
    I have a script run every 5 minutes that deletes any messages with non-reply.com in them, and it's at least killing them!
    But I added [email protected] into the Postfix blacklist in ISPConfig - 3 times, as sender, recipient and client - but it did not stop them!
    I added just 'non-reply.com' into the blacklist, and this did not stop them either! I have resorted to changing the name on linda's account; hopefully without a valid user they will not be accepted.
    What am I missing?

    --contents of one of them ---
    CO 3504 2323 20 0 3504T^Q1538074718 343847A^Vcreate_time=1538074718A^Xlog_ident=547AE10CEEB768A
    ......
    [email protected]^@N0Received: from localhost (localhost [127.0.0.1])N> by ns9.cdbsystems.com (Postfix) with ESMTP id 547AE10CEEB768;N& Thu, 27 Sep 2018 14:58:38 -0400 (EDT)N2X-Virus-Scanned: amavisd-new at ns9.cdbsystems.comN/Received: from ns9.cdbsystems.com ([127.0.0.1])NH by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10026)NB with ESMTP id c7uf6gT7wGas; Thu, 27 Sep 2018 14:58:34 -0400 (EDT)N8Received: from [192.168.8.102] (unknown [154.160.16.85])N2 (Authenticated sender: [email protected])N? by ns9.cdbsystems.com (Postfix) with ESMTPA id 2CF1D10CEEB6BD;N& Thu, 27 Sep 2018 14:58:26 -0400 (EDT)NKContent-Type: multipart/alternative; boundary="===============0160733830=="N^QMIME-Version: 1.0N^SSubject:
    .......
     
    Last edited by a moderator: Sep 28, 2018
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Hi,
    At first sight, you should block the SMTP account [email protected], which seems to be the account that is used to send out the spam. That might be the reason the blocking in Postfix does not work.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    I've axed the account - but still the blacklist SHOULD have worked and clearly did not.

    Also - another question - the spam seems to be RCPT TO replies - is there a way to block ALL RCPT replies? Or at least all that are marked spam? I have VERY spammy messages that have dozens of RCPT TO addresses - can't I say, if it's spam, send NO receipts anywhere???
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I know, a blacklist cannot help when an account is hacked and used to send out spam with proper SMTP authentication. So removing the account or altering its password was the right step to fix it.

    Incoming or outgoing email? Do you receive those messages, or do you send them, e.g. through a hacked account like the one in the first post of this thread?
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    The spam is incoming. It is marked as spam (VERY spam!) - but all the RCPT TOs go out onto the internet nonetheless!
    Can I suppress ALL receipts?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    An incoming message which has other recipients that are non-local to your server will not receive an email from your server when the email is received by you and not sent by you. So either this message was sent by your server and not received by it, so the spam is not incoming (which has already been fixed in the correct way by closing the account or changing the password), or, if it was incoming spam, then your server did not send out any messages to other recipients.
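
Added example, not part of the original thread or of ISPConfig: the replies above point to mail submitted through an authenticated SMTP account, which the queue dump shows as "Authenticated sender". This sketch tallies `sasl_username` entries from Postfix smtpd log lines per account and flags accounts with unusual volume or many client IPs; the log lines, mailbox names, function names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix smtpd log format (not taken from the thread).
# Mailboxes and IPs are placeholders; the third line is unauthenticated inbound mail.
SAMPLE_LOG = """\
Sep 27 14:58:01 mail postfix/smtpd[2101]: 1A2B3C4D5E01: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=mailbox1@example.com
Sep 27 14:58:09 mail postfix/smtpd[2101]: 1A2B3C4D5E02: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=mailbox1@example.com
Sep 27 14:58:15 mail postfix/smtpd[2107]: 1A2B3C4D5E03: client=mx.example.net[198.51.100.9]
Sep 27 14:58:26 mail postfix/smtpd[2110]: 1A2B3C4D5E04: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=mailbox1@example.com
Sep 27 14:58:31 mail postfix/submission/smtpd[2112]: 1A2B3C4D5E05: client=pc.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=mailbox2@example.com
Sep 27 14:58:38 mail postfix/smtpd[2110]: 1A2B3C4D5E06: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=mailbox1@example.com
Sep 27 14:58:44 mail postfix/smtpd[2101]: 1A2B3C4D5E07: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=mailbox1@example.com
"""

# Matches only smtpd lines that record an authenticated (SASL) submission.
SASL_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: (?P<qid>\w+): "
    r"client=(?P<host>[^\[\s]*)\[(?P<ip>[^\]]+)\],.*?sasl_username=(?P<user>\S+)"
)

def summarize_sasl_senders(log_text):
    """Return {sasl_username: {"messages": count, "ips": set of client IPs}}."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set()})
    for line in log_text.splitlines():
        match = SASL_RE.search(line)
        if match:  # unauthenticated inbound connections carry no sasl_username
            entry = stats[match.group("user")]
            entry["messages"] += 1
            entry["ips"].add(match.group("ip"))
    return dict(stats)

def suspicious_accounts(stats, max_messages=3, max_ips=2):
    """Flag accounts over either threshold (thresholds are illustrative)."""
    return sorted(
        user for user, s in stats.items()
        if s["messages"] > max_messages or len(s["ips"]) > max_ips
    )

if __name__ == "__main__":
    summary = summarize_sasl_senders(SAMPLE_LOG)
    for user in suspicious_accounts(summary):
        print(user, summary[user]["messages"], sorted(summary[user]["ips"]))
```

An account flagged this way is handled as described in the thread: lock it or change its password, since sender blacklist entries did not stop authenticated submissions here.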
     
