5 days ago my ISPConfig server started to send spam. Here's an extract from the mail.info log:

Jan 14 22:21:09 viking postfix/smtpd[8352]: connect from LIDESTRI-FO.ear2.SanJose1.Level3.net[4.16.44.54]
Jan 14 22:21:12 viking postfix/smtpd[8352]: warning: LIDESTRI-FO.ear2.SanJose1.Level3.net[4.16.44.54]: SASL Login authentication failed: UGFzc3dvcmQ6
Jan 14 22:21:12 viking postfix/smtpd[8352]: lost connection after AUTH from LIDESTRI-FO.ear2.SanJose1.Level3.net[4.16.44.54]
Jan 14 22:21:12 viking postfix/smtpd[8352]: disconnect from LIDESTRI-FO.ear2.SanJose1.Level3.net[4.16.44.54]
Jan 14 22:21:14 viking postfix/qmgr[5750]: 32946EA5A: from=<[email protected]>, size=2178, nrcpt=1 (queue active)
Jan 14 22:21:14 viking postfix/qmgr[5750]: 79B69EA0E: from=<[email protected]>, size=2232, nrcpt=1 (queue active)
<!-- LOTS MORE LIKE THIS -->
Jan 14 22:21:14 viking postfix/qmgr[5750]: 802B3E8FE: from=<[email protected]>, size=2214, nrcpt=1 (queue active)
Jan 14 22:21:14 viking postfix/smtp[11764]: 79B69EA0E: host ip2in.temple.edu[155.247.166.38] refused to talk to me: 554-ip2in.temple.edu 554 Your email was Rejected. IP Address: xxx.xxx.xxx.xxx has a NEGATIVE SenderBase Reputation. We do not accept email from any MTA with a negative reputation. Contact your ISP and have them visit http://www.senderbase.org to learn how to resolve this issue.

I've taken a look at the mail queue and ran:

postcat /var/spool/postfix/deferred/X/XXXXXXXXXXXX

on one of the messages. This is the returned message:

*** ENVELOPE RECORDS /var/spool/postfix/deferred/5/56083E9FE ***
message_size: 2191 680 1 0 2191
message_arrival_time: Tue Jan 12 06:58:21 2016
create_time: Tue Jan 12 06:58:21 2016
named_attribute: log_ident=56083E9FE
named_attribute: rewrite_context=local
sender: [email protected]
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=45790
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=45790
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
*** MESSAGE CONTENTS /var/spool/postfix/deferred/5/56083E9FE ***
Received: from localhost (localhost.localdomain [127.0.0.1])
        by viking.serverdomin.com (Postfix) with ESMTP id 56083E9FE
        for <[email protected]>; Tue, 12 Jan 2016 06:58:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.co.uk;
        h=x-mailer:date:date:message-id:subject:subject:mime-version
        :content-transfer-encoding:content-type:content-type:from:from;
        s=default; t=1452581901; x=1454396302; bh=XQLLnRAO+1CKmSQOaUFyk
        OfyFkTN8iR6ltukE12kU38=; b=7qRpvSF94YCuD27L76P1vE5XsNe4jqeX7WRxf
        k16jYZD6b/k85gmuMEIxoU8eGkMOAYmianiL+nznMgK6ZoL1qp+wj+IZA32WMG2F
        oEZb12AoTawVwJtXv8aSksLXBzIk1aJfp4qXCYzsCN5qVnN23kzw0+JYvHHylP+X
        /pAbWHRS6/5ksA0myJsKaON1wjybdIC2s95uAKi0Gv1+0DuqYqPjQNC40Gma3pAf
        tdQPK8KHRs88iOzTAJ8Z8ber64U0MwlwwDJfXKmVGDmcNQcsaT1iOK81wovaERhN
        Ut6zLttaL7dHAEjQxUEOYv0eAt0ZaQdDF+9+3cENbTcIOpKo4tpSh2SN4k5FLAIs
        WBHYAzkbh3SOd/jf6Fn060ZAkRXViqi+TssZ/n0nHURn67Nnx+1iNbip4lLchazf
        8tU5SeJEF+jU8QlsokkVYs8Dq2wErHcMwCs32F0krcWyGrxDtvRiQYFKi4DO2svB
        g771H9WioZcyXKablW+IGAbuUzYKpBG/iFsr3xNh21ILdnj1FqnR9bK+GU72WRui
        ZV2Q5wPVWVCSPt5elMHsvTwJ16J5nCC4zqQNGzh7ktxiKSGIMc12iBcceEs4yHck
        +dQ8Zk/lxSZTlP8F4/MziHJvZHyZl12qHCjjXvm8I/8ky5MJvrZUuaehh+iA0+lY
        pueo5I=
X-Virus-Scanned: Debian amavisd-new at viking.serverdomain.com
Received: from viking.serverdomain.com ([127.0.0.1])
        by localhost (viking.serverdomain.com [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id bsclRkCG0W69 for <[email protected]>;
        Tue, 12 Jan 2016 06:58:21 +0000 (UTC)
Received: from mydomain.co.uk (unknown [117.193.118.161])
        (Authenticated sender: [email protected])
        by viking.serverdomain.com (Postfix) with ESMTPA id 83742E9FC
        for <[email protected]>; Tue, 12 Jan 2016 06:58:19 +0000 (UTC)
From: "Tammie Calingasan" <[email protected]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Subject: hi Anthony
Message-Id: <[email protected]>
Date: Tue, 12 Jan 2016 07:58:18 +0100
To: "Anthony" <[email protected]>
X-Mailer: iPhone Mail (10A525)

Salutations Anthony
http://hinhgai.net/husband.php?hope=3D1qv0d4yu5pc9s
Tammie Calingasan
*** HEADER EXTRACTED /var/spool/postfix/deferred/5/56083E9FE ***
named_attribute: encoding=7bit
*** MESSAGE FILE END /var/spool/postfix/deferred/5/56083E9FE ***

So it looks like someone/thing is authenticating with the [email protected] account and sending email from spoofed, non-existent user accounts. I've disabled SMTP for mydomain.co.uk and changed the mail account passwords, but the emails just keep on coming! Where should I look next to hunt this down?
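The "(Authenticated sender: ...)" annotation in the Received header above is the piece of evidence that ties each queued spam to a credential rather than to a spoofed From address, and Postfix writes the same information to the log on every successful SASL login ("client=host[ip], sasl_method=..., sasl_username=..."). The following Python script is an added example, not code from the thread or from ISPConfig: it walks postfix/smtpd log lines, tallies submissions per sasl_username and the distinct client IPs each credential was used from, counts failed SASL logins per source IP, and pulls the Authenticated sender out of a postcat dump. The log lines, addresses (mydomain.example, documentation-range IPs) and the two-IP threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of postfix/smtpd log lines (not taken from the thread).
# IPs are from RFC 5737 documentation ranges; domains are placeholders.
SAMPLE_LOG = """\
Jan 12 06:58:19 viking postfix/smtpd[4011]: 83742E9FC: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=sales@mydomain.example
Jan 12 06:58:21 viking postfix/smtpd[4011]: 8A2C1E9FD: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=sales@mydomain.example
Jan 12 07:02:44 viking postfix/smtpd[4020]: 91B00EA01: client=unknown[203.0.113.55], sasl_method=LOGIN, sasl_username=sales@mydomain.example
Jan 12 07:05:10 viking postfix/smtpd[4022]: 9C7F2EA0A: client=unknown[192.0.2.200], sasl_method=PLAIN, sasl_username=sales@mydomain.example
Jan 12 07:09:31 viking postfix/smtpd[4025]: A1D33EA10: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@mydomain.example
Jan 12 07:10:02 viking postfix/smtpd[4026]: warning: unknown[203.0.113.99]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 07:10:05 viking postfix/smtpd[4026]: warning: unknown[203.0.113.99]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Successful SASL login: Postfix logs queue id, client host[ip], method and username on one line.
AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)
# Failed SASL login, as in the mail.info extract in the post above.
FAIL_RE = re.compile(
    r"warning: (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed"
)
# Annotation Postfix adds to Received: when smtpd_sasl_authenticated_header is enabled.
AUTH_SENDER_RE = re.compile(r"\(Authenticated sender: ([^)]+)\)")


def parse_auth_events(log_text):
    """Return (queue_id, client_ip, sasl_method, sasl_username) for each authenticated submission."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append((m["qid"], m["ip"], m["method"], m["user"]))
    return events


def summarize_by_user(events):
    """Per SASL username: how many messages were submitted and from which client IPs."""
    summary = defaultdict(lambda: {"messages": 0, "ips": set()})
    for _qid, ip, _method, user in events:
        summary[user]["messages"] += 1
        summary[user]["ips"].add(ip)
    return dict(summary)


def suspicious_users(summary, max_ips=2):
    """Credentials used from more than max_ips distinct addresses: a normal user rarely
    submits from several unrelated networks within a short window, a botnet does."""
    return sorted(user for user, s in summary.items() if len(s["ips"]) > max_ips)


def failed_logins_by_ip(log_text):
    """Count failed SASL logins per source IP (password guessing shows up here,
    a stolen password does not: it logs in successfully)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m["ip"]] += 1
    return dict(counts)


def authenticated_sender(message_text):
    """Extract the 'Authenticated sender' from a queued message (e.g. postcat output)."""
    m = AUTH_SENDER_RE.search(message_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Typical use on a real box: parse_auth_events(open("/var/log/mail.info").read())
    summary = summarize_by_user(parse_auth_events(SAMPLE_LOG))
    for user, s in summary.items():
        print(f"{user}: {s['messages']} messages from {sorted(s['ips'])}")
    print("suspicious:", suspicious_users(summary))
    print("failed logins:", failed_logins_by_ip(SAMPLE_LOG))
```

Point it at the real mail.info (or `zcat` the rotated files into it) and the first account with a handful of unrelated client IPs and hundreds of submissions is the compromised credential; the queue ID in each match is the same one qmgr logs, so the hits can be cross-checked against `postqueue -p`.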
The emails are indeed sent by [email protected] according to the mail headers. Try to restart postfix, dovecot, courier-authdaemon, saslauthd (only the ones that exist on your server) after you changed the password of this account. It might be that the old password is cached when the server is under a high load. And delete the spam mails in the mail queue.
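Deleting the spam from the queue means finding every queue ID that carries the abused sender and feeding those IDs to `postsuper -d -` (which reads one queue ID per line on standard input). The script below is an added example, not code from the thread or from ISPConfig: it parses the output of `postqueue -p` (the same listing `mailq` prints), returns the queue IDs whose envelope sender matches the compromised account, and builds the stdin that `postsuper -d -` expects. The queue listing and the addresses in it are constructed for the example.

```python
import re

# Constructed sample of `postqueue -p` output (not taken from the thread).
# A "*" after the queue ID marks an active message, "!" a held one, none a deferred one.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
56083E9FE     2191 Tue Jan 12 06:58:21  sales@mydomain.example
(host mx.example.net[192.0.2.25] refused to talk to me: 554 negative reputation)
                                         anthony@example.org

79B69EA0E*    2232 Tue Jan 12 06:58:22  sales@mydomain.example
                                         someone@example.net

A1D33EA10     1802 Tue Jan 12 07:09:31  bob@mydomain.example
                                         friend@example.org

-- 6 Kbytes in 3 Requests.
"""

# First line of each entry: queue id, optional state flag, size, arrival time, sender.
ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)\s*$"
)
STATES = {"*": "active", "!": "hold", "": "deferred"}


def parse_mailq(text):
    """Turn postqueue -p output into a list of entries with sender, recipients and deferral reason."""
    entries = []
    current = None
    for line in text.splitlines():
        if line.startswith("-"):          # column header or "-- N Kbytes in M Requests." trailer
            continue
        if not line.strip():              # blank line ends an entry
            current = None
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {
                "qid": m["qid"],
                "state": STATES[m["flag"]],
                "size": int(m["size"]),
                "arrival": m["arrival"],
                "sender": m["sender"],
                "recipients": [],
                "reason": None,
            }
            entries.append(current)
        elif current is not None:
            body = line.strip()
            if body.startswith("("):      # "(host ... said: ...)" deferral reason
                current["reason"] = body[1:-1] if body.endswith(")") else body[1:]
            else:                         # indented recipient address
                current["recipients"].append(body)
    return entries


def queue_ids_for_sender(entries, sender):
    """Queue IDs of every message whose envelope sender is the given (compromised) account."""
    return [e["qid"] for e in entries if e["sender"].lower() == sender.lower()]


def postsuper_stdin(qids):
    """Text to pipe into `postsuper -d -`: one queue ID per line, trailing newline."""
    return "".join(qid + "\n" for qid in qids)


if __name__ == "__main__":
    # On a real server: entries = parse_mailq(subprocess.run(["postqueue", "-p"], capture_output=True, text=True).stdout)
    entries = parse_mailq(SAMPLE_MAILQ)
    ids = queue_ids_for_sender(entries, "sales@mydomain.example")
    print("would delete:", ids)
    print(postsuper_stdin(ids), end="")    # pipe this into: postsuper -d -
```

Review the list before deleting: a matching sender only proves the envelope address was used, so a queued legitimate message from the same account would be removed along with the spam, and `postcat -q <queue id>` shows the contents of any entry you are unsure about.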
Thanks Till. I restarted the server and it's been fine for 24 hours. Am I correct in thinking that a user's iPhone has been compromised? Or could the X-Mailer be forged? It would be good if I could narrow it down to the device.
There is no username called "iPhone". It's the X-Mailer header that is claiming the email is being sent via iPhone Mail.
It is unlikely that the device of a user is used to send the spam. Normally they just steal the mail account password from the device (mobile phone, Windows PC or whatever) and then hand it over to a botnet that uses the login details to send spam. So in my opinion it's just a faked header and nothing that can be used to track down the device.
Hi, I had a similar issue. Some users were sending thousands of mails and my server was banned by many RBL servers :/