We have just moved to a new server, so a clean install of ISPConfig 3.1.5 was made, but the postqueue is full of spam. How can we stop them? Thanks a lot!
Jul 12 14:48:05 srv postfix/error[1818]: warning: 8832915A4A6A: flush service failure
Jul 12 14:48:05 srv postfix/smtp[30450]: connect to sun1.ukl.uni-freiburg.de[193.196.199.1]:25: Connection refused
Jul 12 14:48:05 srv postfix/smtp[30450]: 6FCA815A2A6D: to=<[email protected]-freiburg.de>, relay=none, delay=9308, delays=8701/608/0.04/0, dsn=4.4.1, status=deferred (connect to sun1.ukl.uni-freiburg.de[193.196.199.1]:25: Connection refused)
Jul 12 14:48:05 srv postfix/smtp[26643]: 236F715A29C9: to=<[email protected]>, relay=smtp.rzone.de[81.169.145.98]:25, delay=3410, delays=0.03/3409/0.17/0.07, dsn=5.7.1, status=bounced (host smtp.rzone.de[81.169.145.98] said: 550 5.7.1 Recipients have complained about included content (B-TEXT) (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[26643]: connect to spam.over.port25.me[217.11.54.111]:25: Connection refused
Jul 12 14:48:05 srv postfix/smtp[28363]: 8832915A4A6A: to=<[email protected]>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.06/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[31082]: 236F715A29C9: to=<[email protected]>, relay=smtp.rzone.de[2a01:238:20a:202:50f0::2097]:25, delay=3410, delays=0.03/3409/0.09/0.07, dsn=5.7.1, status=bounced (host smtp.rzone.de[2a01:238:20a:202:50f0::2097] said: 550 5.7.1 Recipients have complained about included content (B-TEXT) (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<[email protected]>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<[email protected]>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<[email protected]>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<[email protected]>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[1703]: 6FCA815A2A6D: lost connection with correo.iservicesmail.com[217.130.24.40] while receiving the initial server greeting
Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<[email protected]>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<[email protected]>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<[email protected]>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[31082]: connect to spam.over.port25.me[217.11.54.111]:25: Connection refused
Jul 12 14:48:05 srv postfix/smtp[26643]: 8832915A4A6A: to=<[email protected]>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.07/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[31082]: 8832915A4A6A: to=<[email protected]>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.06/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
Jul 12 14:48:05 srv postfix/smtp[1703]: 6FCA815A2A6D: to=<[email protected]>, relay=mail.iservicesmail.com[217.130.24.40]:25, delay=9308, delays=8701/608/0.23/0, dsn=4.4.2, status=deferred (lost connection with mail.iservicesmail.com[217.130.24.40] while receiving the initial server greeting)
Jul 12 14:48:05 srv postfix/smtp[1703]: warning: mysql:/etc/postfix/mysql-virtual_relaydomains.cf: table lookup problem
Jul 12 14:48:05 srv postfix/smtp[1703]: warning: 6FCA815A2A6D: flush service failure
Jul 12 14:48:05 srv postfix/smtp[30149]: 5F8EF15A288C: to=<[email protected]>, relay=goallinesolutions-com.mail.protection.outlook.com[23.103.157.10]:25, delay=3412, delays=0.03/3405/1.1/5.2, dsn=5.7.606, status=bounced (host goallinesolutions-com.mail.protection.outlook.com[23.103.157.10] said: 550 5.7.606 Access denied, banned sending IP [94.130.16.118]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526655 (AS16012609) [QB1CAN01FT008.eop-CAN01.prod.protection.outlook.com] (in reply to RCPT TO command))
Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<[email protected]>, relay=smtp.rzone.de[2a01:238:20a:202:50f0::2097]:25, delay=3409, delays=0.03/3409/0.1/0.05, dsn=5.7.1, status=bounced (host smtp.rzone.de[2a01:238:20a:202:50f0::2097] said: 550 5.7.1 Recipients have complained about included content (B-TEXT) (in reply to end of DATA command))
Jul 12 14:48:06 srv postfix/smtp[1610]: 5F8EF15A288C: to=<[email protected]>, relay=lockerbiehole-com.mail.protection.outlook.com[23.103.157.42]:25, delay=3412, delays=0.03/3406/0.87/5.1, dsn=5.7.606, status=bounced (host lockerbiehole-com.mail.protection.outlook.com[23.103.157.42] said: 550 5.7.606 Access denied, banned sending IP [94.130.16.118]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526655 (AS16012609) [TO1CAN01FT003.eop-CAN01.prod.protection.outlook.com] (in reply to RCPT TO command))
Jul 12 14:48:06 srv postfix/smtp[26643]: 8832915A4A6A: to=<[email protected]>, relay=smtp.rzone.de[2a01:238:20a:202:50f0::2097]:25, delay=3409, delays=0.03/3409/0.09/0.08, dsn=5.7.1, status=bounced (host smtp.rzone.de[2a01:238:20a:202:50f0::2097] said: 550 5.7.1 Recipients have complained about included content (B-TEXT) (in reply to end of DATA command))
Jul 12 14:48:06 srv pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
Jul 12 14:48:06 srv pure-ftpd: ([email protected]) [INFO] Logout.
Jul 12 14:48:06 srv postfix/smtpd[20881]: connect from localhost.localdomain[127.0.0.1]
Jul 12 14:48:06 srv postfix/smtpd[20881]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Jul 12 14:48:06 srv postfix/smtpd[20881]: disconnect from localhost.localdomain[127.0.0.1]
Jul 12 14:48:06 srv postfix/smtp[26643]: 8832915A4A6A: to=<[email protected]>, relay=smtp.rzone.de[2a01:238:20a:202:50f0::2097]:25, delay=3409, delays=0.03/3409/0.09/0.08, dsn=5.7.1, status=bounced (host smtp.rzone.de[2a01:238:20a:202:50f0::2097] said: 550 5.7.1 Recipients have complained about included content (B-TEXT) (in reply to end of DATA command))
Jul 12 14:48:06 srv dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): use
Look into the emails in the outgoing mailqueue with the postcat command to find out what spam it is and how it is sent.
this is the email:
*** ENVELOPE RECORDS deferred/C/C180615A48EF ***
message_size: 16283 5304 50 0 16283
message_arrival_time: Wed Jul 12 14:05:22 2017
create_time: Wed Jul 12 14:05:22 2017
named_attribute: log_ident=C180615A48EF
named_attribute: rewrite_context=local
sender: [email protected]
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=34437
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=34437
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]-bretagne.fr
original_recipient: [email protected]-bretagne.fr
recipient: [email protected]-bretagne.fr
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]-tln.fr
original_recipient: [email protected]-tln.fr
recipient: [email protected]-tln.fr
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
done_recipient: [email protected]
*** MESSAGE CONTENTS deferred/C/C180615A48EF ***
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.betafer.it (Postfix) with ESMTP id C180615A48EF; Wed, 12 Jul 2017 14:05:22 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at srv.betafer.it
Received: from mail.betafer.it ([127.0.0.1]) by localhost (srv.betafer.it [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 5EnNWcAEK-vG; Wed, 12 Jul 2017 14:05:22 +0200 (CEST)
Received: from User (unknown [37.59.13.121]) by mail.betafer.it (Postfix) with SMTP id 92FEC15A398E; Wed, 12 Jul 2017 12:55:42 +0200 (CEST)
Reply-To: <[email protected]>
From: "James Harry (Mr)"<[email protected]>
Subject: The Economic and Financial Crimes Commission (EFCC)
Date: Wed, 12 Jul 2017 12:53:40 -0700
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <[email protected]>
We put the address [email protected] in the ISPConfig blacklist and the problem was solved in part. Now we have to find where the real problem is.
The question is if your server is really sending these or if it is just receiving them, or receiving and then forwarding them. Are any of the recipient addresses listed in the email hosted on your server?
You see the recipient addresses in the mail that you posted above, and you should know if these are local addresses of your own server.
No, this does not make a difference. Check the mynetworks setting in the postfix main.cf file to ensure that you do not have any foreign IP addresses or networks added there.
Yes, this value is ok. You should try to reach Florian and ask him to take a look at the issue directly. There are basically 3 scenarios for spam sending:
1) someone got the password of an account and uses it to send through the server, but I don't see an authentication header in the mail you posted.
2) a program on your server is sending the spam, like a hacked script. But I don't see PHP headers there. The IP 37.59.13.121 is not your server IP, right?
3) The third option is that the system is an open relay, that's why I asked for the mynetworks settings. But you might want to run an open relay test to be sure: https://mxtoolbox.com/diagnostic.aspx
It's all afternoon that I hope Florian responds. 37.59.13.121 is the old server IP, I've noticed this so I rebooted the old server in rescue mode to be sure that the problem was not caused by that. The IP of the old server was also set in postfix; I've replaced it with the new server IP and restarted postfix, hoping to have done well.
Your server sends spam using malware on one of your websites. I was not in the office yesterday evening. I checked your server yesterday ~5pm and there was no spam in your mail-queue. The additional IP in mynetworks was set to allow the old server to send mails using the new server to pass mail-checks on remote servers.