sender domain not hosted, but still able to send emails

Discussion in 'Installation/Configuration' started by NMR, Aug 16, 2019.

  1. NMR

    NMR New Member

    hi all,


    I have been experiencing a strange issue:


    One of my clients' domains, a-g.com, is hosted on my ISPConfig server and has email + webhosting enabled.

    What I see is that someone from China is using their webmail service at a-g.com/webmail and sending spam emails across the world. Below is a snapshot of the headers from
    Code:
    postcat -vq MSG-ID
    
    
    # postcat -vq D344447286
    postcat: name_mask: all
    postcat: inet_addr_local: configured 3 IPv4 addresses
    postcat: inet_addr_local: configured 2 IPv6 addresses
    *** ENVELOPE RECORDS deferred/D/D344447286 ***
    message_size:            3315            3129              30               0            3315
    message_arrival_time: Fri Aug 16 15:04:50 2019
    create_time: Fri Aug 16 15:04:50 2019
    named_attribute: log_ident=D344447286
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: encoding=7bit
    named_attribute: log_client_name=localhost
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=50621
    named_attribute: log_message_origin=localhost[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost
    named_attribute: reverse_client_name=localhost
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=50621
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    *** MESSAGE CONTENTS deferred/D/D344447286 ***
    regular_text: Received: from localhost (localhost [127.0.0.1])
    regular_text:   by server1.ho.com (Postfix) with ESMTP id D344447286;
    regular_text:   Fri, 16 Aug 2019 15:04:50 +0000 (UTC)
    regular_text: X-Virus-Scanned: Debian amavisd-new at server1.hol.com
    regular_text: Received: from server1.hol.com ([127.0.0.1])
    regular_text:   by localhost (server1.hol.com [127.0.0.1]) (amavisd-new, port 10026)
    regular_text:   with ESMTP id NWXFlDHcH2VL; Fri, 16 Aug 2019 15:04:50 +0000 (UTC)
    regular_text: Received: from a-g.com (localhost [127.0.0.1])
    regular_text:   by server1.hol.com (Postfix) with ESMTP id 3CB1946E97;
    regular_text:   Thu, 15 Aug 2019 20:41:46 +0000 (UTC)
    regular_text: MIME-Version: 1.0
    regular_text: Content-Type: multipart/alternative;
    regular_text:  boundary="=_9dc5c8c989e433ca87cccb823b6d0fc6"
    regular_text: Date: Thu, 15 Aug 2019 21:41:46 +0100
    regular_text: From: WU CHANG <[email protected]>
    regular_text: To: undisclosed-recipients:;
    regular_text: Subject: Business Inquiry
    regular_text: Organization: QUANZHOU YING WANG TRADING
    regular_text: Reply-To: [email protected]
    regular_text: Mail-Reply-To: [email protected]
    regular_text: Message-ID: <[email protected]>
    regular_text: X-Sender: [email protected]
    regular_text: User-Agent: Roundcube Webmail/1.1.3
    regular_text:
    regular_text: --=_9dc5c8c989e433ca87cccb823b6d0fc6
    regular_text: Content-Transfer-Encoding: 7bit
    regular_text: Content-Type: text/plain; charset=US-ASCII
    
    
    If you take a look at the headers in the last few lines, it's being sent using Roundcube Webmail/1.1.3 (installed on the server).


    This sender doesn't exist or belong to our server at any level.
    Code:
    sender: [email protected]
    
    Message-ID is from our client -- which means a-g.com/webmail was used to send email.
    Code:
    regular_text: Message-ID: <[email protected]>
    and Roundcube is used on the server for the domain a-g.com
    Code:
    regular_text: User-Agent: Roundcube Webmail/1.1.3 
    Can someone please suggest how someone can send emails from the webmail, even when the domain is not hosted and is not a local domain at all.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely he has a valid username and password of an email account on your server. Find out which account it is and change the password. Whether the sender is really Roundcube is not certain; any application or script can claim to be Roundcube, so it can even be a hacked website if you host sites on this server.
     
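    As an added example (not from the thread or from ISPConfig), a small Python triage over a constructed `postcat -vq` record in the shape of the one posted above: it checks the points till raises, an envelope sender domain that is not hosted here, submission via localhost, a Message-ID from a hosted domain, and an unverifiable Roundcube User-Agent. The `HOSTED_DOMAINS` set and all sample addresses are assumptions.

```python
import re

# Constructed sample in the shape of the thread's "postcat -vq" output (placeholder addresses).
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS deferred/D/D344447286 ***
sender: spammer@not-hosted.example
named_attribute: client_address=127.0.0.1
*** MESSAGE CONTENTS deferred/D/D344447286 ***
regular_text: Received: from a-g.example (localhost [127.0.0.1])
regular_text:   by server1.hol.example (Postfix) with ESMTP id 3CB1946E97;
regular_text: From: WU CHANG <spammer@not-hosted.example>
regular_text: Message-ID: <abc123@a-g.example>
regular_text: User-Agent: Roundcube Webmail/1.1.3
"""
HOSTED_DOMAINS = {"a-g.example", "hol.example"}  # assumed: domains ISPConfig hosts here


def parse_postcat(text: str) -> dict:
    """Extract the envelope sender, the submitting client address and the message headers."""
    info = {"sender": "", "client_address": "", "headers": {}}
    for line in text.splitlines():
        if line.startswith("sender: "):
            info["sender"] = line[len("sender: "):].strip()
        elif line.startswith("named_attribute: client_address="):
            info["client_address"] = line.split("=", 1)[1].strip()
        elif line.startswith("regular_text: "):
            # Header continuation lines start with whitespace and do not match.
            m = re.match(r"([\w-]+): (.*)", line[len("regular_text: "):])
            if m:
                info["headers"][m.group(1)] = m.group(2)
    return info


def triage(info: dict, hosted: set) -> list:
    """Apply the thread's reasoning: an unhosted sender submitted locally points at a compromised login."""
    findings = []
    sender_domain = info["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain and sender_domain not in hosted:
        findings.append(f"envelope sender domain {sender_domain!r} is not hosted on this server")
    if info["client_address"] in ("127.0.0.1", "::1"):
        findings.append("submitted via localhost: a webmail or script on this box, not a remote MTA")
    m = re.search(r"@([\w.-]+)>?\s*$", info["headers"].get("Message-ID", ""))
    if m and m.group(1).lower() in hosted:
        findings.append(f"Message-ID domain {m.group(1)!r} is hosted here: check that domain's webmail logins")
    if "Roundcube" in info["headers"].get("User-Agent", ""):
        findings.append("User-Agent claims Roundcube; unverified, any script can set this header")
    return findings
```

    Run `triage(parse_postcat(SAMPLE_POSTCAT), HOSTED_DOMAINS)` to get the list of findings; the Dovecot or Roundcube login logs for the flagged domain are where the actual account name is found.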
