Server sending spam!

Discussion in 'Installation/Configuration' started by mattltm, Jan 14, 2016.

  1. mattltm

    mattltm Member

    5 days ago my ISPConfig server started to send spam.
    Here's an extract from the log:

    Jan 14 22:21:09 viking postfix/smtpd[8352]: connect from[]
    Jan 14 22:21:12 viking postfix/smtpd[8352]: warning:[]: SASL Login authentication failed: UGFzc3dvcmQ6
    Jan 14 22:21:12 viking postfix/smtpd[8352]: lost connection after AUTH from[]
    Jan 14 22:21:12 viking postfix/smtpd[8352]: disconnect from[]
    Jan 14 22:21:14 viking postfix/qmgr[5750]: 32946EA5A: from=<[email protected]>, size=2178, nrcpt=1 (queue active)
    Jan 14 22:21:14 viking postfix/qmgr[5750]: 79B69EA0E: from=<[email protected]>, size=2232, nrcpt=1 (queue active)
    Jan 14 22:21:14 viking postfix/qmgr[5750]: 802B3E8FE: from=<[email protected]>, size=2214, nrcpt=1 (queue active)
    Jan 14 22:21:14 viking postfix/smtp[11764]: 79B69EA0E: host[] refused to talk to me: 554 Your email was Rejected. IP Address: has a NEGATIVE SenderBase Reputation. We do not accept email from any MTA with a negative reputation. Contact your ISP and have them visit to learn how to resolve this issue.

    I've taken a look at the mail queue and ran:

    postcat /var/spool/postfix/deferred/X/XXXXXXXXXXXX

    on one of the messages. This is the returned message:

    *** ENVELOPE RECORDS /var/spool/postfix/deferred/5/56083E9FE ***
    message_size: 2191 680 1 0 2191
    message_arrival_time: Tue Jan 12 06:58:21 2016
    create_time: Tue Jan 12 06:58:21 2016
    named_attribute: log_ident=56083E9FE
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: encoding=7bit
    named_attribute: log_client_name=localhost.localdomain
    named_attribute: log_client_address=
    named_attribute: log_client_port=45790
    named_attribute: log_message_origin=localhost.localdomain[]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost.localdomain
    named_attribute: reverse_client_name=localhost.localdomain
    named_attribute: client_address=
    named_attribute: client_port=45790
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS /var/spool/postfix/deferred/5/56083E9FE ***
    Received: from localhost (localhost.localdomain [])
    by (Postfix) with ESMTP id 56083E9FE
    for <[email protected]>; Tue, 12 Jan 2016 06:58:21 +0000 (UTC)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;
    s=default; t=1452581901; x=1454396302; bh=XQLLnRAO+1CKmSQOaUFyk
    OfyFkTN8iR6ltukE12kU38=; b=7qRpvSF94YCuD27L76P1vE5XsNe4jqeX7WRxf
    X-Virus-Scanned: Debian amavisd-new at
    Received: from ([])
    by localhost ( []) (amavisd-new, port 10026)
    with ESMTP id bsclRkCG0W69 for <[email protected]>;
    Tue, 12 Jan 2016 06:58:21 +0000 (UTC)
    Received: from (unknown [])
    (Authenticated sender: [email protected])
    by (Postfix) with ESMTPA id 83742E9FC
    for <[email protected]>; Tue, 12 Jan 2016 06:58:19 +0000 (UTC)
    From: "Tammie Calingasan" <[email protected]>
    Content-Type: text/plain;
    Content-Transfer-Encoding: quoted-printable
    Mime-Version: 1.0 (1.0)
    Subject: hi Anthony
    Message-Id: <[email protected]>
    Date: Tue, 12 Jan 2016 07:58:18 +0100
    To: "Anthony" <[email protected]>
    X-Mailer: iPhone Mail (10A525)

    Salutations Anthony

    Tammie Calingasan
    *** HEADER EXTRACTED /var/spool/postfix/deferred/5/56083E9FE ***
    named_attribute: encoding=7bit
    *** MESSAGE FILE END /var/spool/postfix/deferred/5/56083E9FE ***

    So it looks like someone/something is authenticating with the [email protected] account and sending email from spoofed, non-existent user accounts.

    I've disabled SMTP for and changed the mail account passwords, but the emails just keep on coming!

    Where should I look next to hunt this down?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The emails are indeed sent by [email protected] according to the mail headers. Try to restart postfix, dovecot, courier-authdaemon, saslauthd (only the ones that exist on your server) after you changed the password of this account. It might be that the old password is cached when the server is under high load. And delete the spam mails in the mail queue.
  3. mattltm

    mattltm Member

    Thanks Till.

    I restarted the server and it's been fine for 24 hours.

    Am I correct in thinking that a user's iPhone has been compromised? Or could the X-Mailer be forged? Would be good if I can narrow it down to the device.
  4. P.Habdak

    P.Habdak New Member

    A user "iPhone" seems to be a very unsafe username...
  5. mattltm

    mattltm Member

    There is no username called "iPhone". It's the X-Mailer header that is claiming the email is being sent via iPhone Mail.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    It is unlikely that the device of a user is used to send the spam. Normally they just steal the mail account password from the device (mobile phone, Windows PC or whatever) and then hand it over to a botnet that uses the login details to send spam. So in my opinion it's just a faked header and nothing that can be used to track down the device.
  7. nicram0

    nicram0 New Member

    I had a similar issue. Some users were sending thousands of mails and my server was banned by many RBL servers :/