Relayed Internal but from outside IP

Discussion in 'Server Operation' started by rbartz, Feb 23, 2023.

  1. rbartz

    rbartz Member HowtoForge Supporter

    I am trying to understand how these messages are getting through our system. CENTOS 7, postfix, dovecot, amavis (Perfect server setup with ispconfig3). It appears that spammers somehow are able to use the email account to send spam through our system. The mail does NOT originate from a logged in user as far as I can tell. The IP address following the MYNETS LOCAL [127.0.0.1] is used and the emailing stops for a day or two if that address is blocked using iptables.

    Here is a sample from the maillog.
    Feb 23 13:21:06 server postfix/smtpd[310]: connect from unknown[45.13.189.105]
    Feb 23 13:21:07 server postfix/smtpd[310]: NOQUEUE: filter: RCPT from unknown[45.13.189.105]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.growing-ntx.click>
    Feb 23 13:21:07 server postfix/smtpd[310]: NOQUEUE: filter: RCPT from unknown[45.13.189.105]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.growing-ntx.click>
    Feb 23 13:21:07 server postfix/smtpd[310]: 4097E4093431: client=unknown[45.13.189.105]
    Feb 23 13:21:08 server postfix/smtpd[310]: disconnect from unknown[45.13.189.105]
    Feb 23 13:21:09 server amavis[30893]: (30893-13) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [127.0.0.1] [45.13.189.105] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: 6AzbtcAtyqPg, Hits: 2.4, size: 8131, queued_as: F02D44014B88, dkim_sd=dkim:growing-ntx.click, 774 ms
    Feb 23 13:21:11 server postfix/smtp[1948]: connect to mail.growing-ntx.click[45.13.189.105]:25: Connection refused
    Feb 23 13:21:11 server postfix/smtp[1948]: F268C40C4580: to=<[email protected]>, relay=none, delay=0.25, delays=0.02/0/0.23/0, dsn=4.4.1, status=deferred (connect to mail.growing-ntx.click[45.13.189.105]:25: Connection refused)

    AND THEN in postqueue:
    F268C40C4580 12350 Thu Feb 23 13:21:10 MAILER-DAEMON
    (connect to mail.growing-ntx.click[45.13.189.105]:25: Connection refused)
    [email protected]

    Does anyone have any ideas how this is done or how to stop it?

    Thank you in advance,

    Richard
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    In that case my first guess is some website has malware and sends e-mail. Try to detect the infected files, for example with https://ispprotect.com/
    If you are running ISPConfig, start with https://forum.howtoforge.com/threads/please-read-before-posting.58408/
    I did not understand the maillog sample, which of the e-mails there is the spam message? My signature has a link to an e-mail tutorial, it has a bit of info on troubleshooting e-mail.
    Is that not the localhost IP, which all hosts must have?
     
  3. rbartz

    rbartz Member HowtoForge Supporter

    ALL of the lines in the example are from a SINGLE email message sent into the system from an outside connection ("connect from unknown[45.13.189.105]") through the final disposition of the email in outgoing queue.

    No, it is an IP address from Ukraine. That is the problem, somehow email originating outside is finding its way in and out of my server. The email seems to connect to a real account on the server, eg: [email protected] references david=coloradoriverrealty.com, a real email address.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Are they really sending through your server, or are they just sending emails to your server? You say that they use one of your existing accounts, but the question is, is the target email address on your server or is it e.g. an address of an external provider like gmail.com, so that your server is delivering this email to that external provider gmail.com. Because your server must accept emails that are directed to accounts on your system, the from address does not matter for that in the first place, and this is not sending emails through your server. E.g. if someone sends an email from [email protected] to [email protected] even if he is not customer1, then this is not sending emails through your server, it's just the delivery of emails to your system using a faked from address.
     
  5. remkoh

    remkoh Active Member

    Looking at the log you posted I see nothing wrong with it.
    Your server hosts domain coloradoriverrealty.com, so mail to whatever mail address under that domain will initially always be accepted by your server without any authentication or access rules or things like that.

    You say david @ coloradoriverrealty.com is an existing address.
    The sender address looks like some sort of SRS address. Nothing special about that and of no importance at all.
    So far everything is working as it should.

    The only thing that can't be explained by the information in the log is why your server sends an NDR back to the sender.
    This normally only happens when the mail can't be delivered to the user mailbox.
    There seems to be something missing in the log which should hold the explanation.

    Last but not least, the originating server is not accepting your connection to deliver the NDR.

    So to summarize:
    Your server accepts mail as it's supposed to do.
    There might be an issue with the user mailbox and that generates an NDR.
    The originating server doesn't play nice when you try to send that NDR.
     
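    The distinction till and remkoh draw (mail accepted for a domain the server hosts versus mail relayed to an outside domain) can be checked mechanically against the maillog. The script below is an added example written for this thread, not code from ISPConfig or from anyone in the discussion. It parses the three line types that appear in the excerpt above (the smtpd RCPT decision, the amavis verdict, and the smtp delivery attempt), classifies each recipient as inbound or relay against a list of hosted domains, and lists deferred deliveries such as the NDR. The sample log is constructed to mirror the excerpt, with placeholder addresses and IPs; `HOSTED_DOMAINS` is an assumption standing in for the domains the server actually hosts, and the extra `reject` line is constructed to show what a refused relay attempt looks like.

```python
"""Classify Postfix smtpd recipient decisions as inbound (hosted domain) or
relay, and pull amavis verdicts and deferred deliveries out of a maillog.

Added example for this thread; not ISPConfig or Postfix project code.
"""
import re

# Assumption: the domains this server accepts mail for (stand-in for the
# real hosted domains; replace with your own list).
HOSTED_DOMAINS = {"example.org"}

# Constructed sample modelled on the thread's excerpt. Addresses and IPs are
# placeholders; the final "reject" line is added to show a refused relay.
SAMPLE_LOG = """\
Feb 23 13:21:06 server postfix/smtpd[310]: connect from unknown[192.0.2.10]
Feb 23 13:21:07 server postfix/smtpd[310]: NOQUEUE: filter: RCPT from unknown[192.0.2.10]: <david@example.org>: Sender address triggers FILTER lmtp:[127.0.0.1]:10024; from=<srs0=abcd=xy=sender.example.net=news@sender.example.net> to=<david@example.org> proto=ESMTP helo=<mail.sender.example.net>
Feb 23 13:21:07 server postfix/smtpd[310]: 4097E4093431: client=unknown[192.0.2.10]
Feb 23 13:21:08 server postfix/smtpd[310]: disconnect from unknown[192.0.2.10]
Feb 23 13:21:09 server amavis[30893]: (30893-13) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [127.0.0.1] [192.0.2.10] <srs0=abcd=xy=sender.example.net=news@sender.example.net> -> <david@example.org>, Message-ID: <20230223@mail.sender.example.net>, mail_id: 6AzbtcAtyqPg, Hits: 2.4, size: 8131, queued_as: F02D44014B88, dkim_sd=dkim:sender.example.net, 774 ms
Feb 23 13:21:11 server postfix/smtp[1948]: F268C40C4580: to=<srs0=abcd=xy=sender.example.net=news@sender.example.net>, relay=none, delay=0.25, delays=0.02/0/0.23/0, dsn=4.4.1, status=deferred (connect to mail.sender.example.net[192.0.2.10]:25: Connection refused)
Feb 23 13:25:40 server postfix/smtpd[312]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 454 4.7.1 <someone@gmail.example>: Relay access denied; from=<spoof@example.org> to=<someone@gmail.example> proto=ESMTP helo=<mail.sender.example.net>
"""

# smtpd per-recipient decision. In the ISPConfig setup the accepted RCPTs show
# up as "filter:" because a sender check routes the mail to amavis; a plain
# accept logs no NOQUEUE line at all, so absence here does not mean rejection.
RCPT_RE = re.compile(
    r"NOQUEUE: (?P<action>filter|reject): RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
# amavis verdict; "origin" holds the MYNETS LOCAL [127.0.0.1] [<client ip>] part,
# i.e. the reinjection from localhost followed by the original client address.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>\w+) (?P<category>\w+) \{(?P<tags>[^}]*)\}, "
    r"(?P<origin>.*?) <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>.*queued_as: (?P<qid>\w+)"
)
# Delivery attempt by a Postfix delivery agent, with DSN and status.
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|lmtp|local|virtual)\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)"
)


def parse_maillog(text):
    """Return the recognised events grouped by type, in log order."""
    events = {"rcpt": [], "amavis": [], "delivery": []}
    for line in text.splitlines():
        for key, pattern in (("rcpt", RCPT_RE), ("amavis", AMAVIS_RE), ("delivery", DELIVERY_RE)):
            m = pattern.search(line)
            if m:
                events[key].append(m.groupdict())
                break
    return events


def classify_rcpt(rcpt, hosted_domains):
    """'inbound' if the recipient is at a domain we host (MX duty, must be
    accepted regardless of the From address); otherwise 'relay'."""
    domain = rcpt["rcpt"].rpartition("@")[2].lower()
    return "inbound" if domain in hosted_domains else "relay"


def summarize(text, hosted_domains):
    """Count inbound/relay decisions, flag accepted relays from unauthenticated
    clients, and collect amavis verdicts and deferred deliveries."""
    events = parse_maillog(text)
    summary = {
        "inbound_accepted": 0, "inbound_rejected": 0,
        "relay_accepted": 0, "relay_rejected": 0,
        "open_relay_suspects": [],   # client IPs whose relay RCPT was accepted
        "amavis_tags": [],           # (queue id after reinjection, tags)
        "deferred": [],              # (queue id, recipient, reason)
    }
    for r in events["rcpt"]:
        kind = classify_rcpt(r, hosted_domains)
        outcome = "accepted" if r["action"] == "filter" else "rejected"
        summary[f"{kind}_{outcome}"] += 1
        if kind == "relay" and outcome == "accepted":
            summary["open_relay_suspects"].append(r["ip"])
    for a in events["amavis"]:
        summary["amavis_tags"].append((a["qid"], a["tags"]))
    for d in events["delivery"]:
        if d["status"] == "deferred":
            summary["deferred"].append((d["qid"], d["rcpt"], d["detail"]))
    return summary


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG, HOSTED_DOMAINS).items():
        print(f"{k}: {v}")
```

    On the sample, the only accepted RCPT is for a hosted address, so it counts as inbound delivery rather than relaying; the relay attempt to an outside domain is refused. A non-empty `open_relay_suspects` list is the signal that would actually indicate mail being sent through the server by an unauthenticated client, and the `deferred` entry is the queued NDR from the excerpt.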
  6. rbartz

    rbartz Member HowtoForge Supporter

    Thank you Remkoh. As I investigate these, the accounts are set up to forward all incoming email to a gmail account. Apparently the email is not filtered by amavis BEFORE forwarding. I will sort that out. Spam filtering on the accounts is set for both user and domain. The forwarding is set up as a COPY to the external email and that is the source of the problems. Of course the REAL problem is SPAM but that is not for this thread.
    Richard
     