Spam outgoing from my vps with fake email ispconfig3 debian

Discussion in 'Server Operation' started by maynodev, Mar 15, 2015.

  1. maynodev

    maynodev New Member

    Hello,
    I have a problem with spam outgoing from my server with a fake email address. My domain is esthetique-tunisie.net, and the spam is sent with [email protected] <- I never created this email address.
    Here is my mail.log:
    Mar 15 01:18:50 vps135384 amavis[11985]: (11985-01-11) Passed CLEAN {RelayedOpenRelay}, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: BGLXKH-W56aA, Hits: 2.438, size: 2785, queued_as: 6AAB31E49430, 24623 ms
    Mar 15 01:18:50 vps135384 postfix/smtp[10329]: 8D9531E497F7: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=11, delay=10775, delays=0.02/10750/0/25, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6AAB31E49430)
    Mar 15 01:18:50 vps135384 postfix/qmgr[3745]: 8D9531E497F7: removed
    Mar 15 01:18:50 vps135384 amavis[11985]: (11985-01-12) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
    Mar 15 01:18:51 vps135384 amavis[11985]: (11985-01-12) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
    Mar 15 01:18:51 vps135384 amavis[11985]: (11985-01-12) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (2)
    Mar 15 01:18:52 vps135384 postfix/smtp[11723]: 6AAB31E49430: to=<[email protected]>, relay=mta7.am0.yahoodns.net[66.196.118.35]:25, delay=1.9, delays=0.02/0/0.78/1.1, dsn=2.0.0, status=sent (250 ok dirdel)
    Mar 15 01:18:52 vps135384 postfix/qmgr[3745]: 6AAB31E49430: removed
    Mar 15 01:18:54 vps135384 amavis[12123]: (12123-01-9) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
    Mar 15 01:18:54 vps135384 amavis[12123]: (12123-01-9) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 113) line 603.\n
    Mar 15 01:18:54 vps135384 amavis[12123]: (12123-01-9) (!)WARN: all primary virus scanners failed, considering backups
    Mar 15 01:18:57 vps135384 amavis[11985]: (11985-01-12) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
    Mar 15 01:18:57 vps135384 amavis[11985]: (11985-01-12) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 113) line 603.\n
    Mar 15 01:18:57 vps135384 amavis[11985]: (11985-01-12) (!)WARN: all primary virus scanners failed, considering backups
    Mar 15 01:19:13 vps135384 postfix/smtpd[5705]: D42361E49430: client=localhost[127.0.0.1]
    Mar 15 01:19:13 vps135384 postfix/cleanup[12087]: D42361E49430: message-id=<[email protected]>
    Mar 15 01:19:13 vps135384 postfix/qmgr[3745]: D42361E49430: from=<[email protected]>, size=3238, nrcpt=1 (queue active)
    Mar 15 01:19:13 vps135384 amavis[12123]: (12123-01-9) Passed CLEAN {RelayedOpenRelay}, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: ZIp39-F_IEUj, Hits: 2.438, size: 2782, queued_as: D42361E49430, 26876 ms
    Mar 15 01:19:13 vps135384 postfix/smtp[10353]: 9DD711E497F8: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=9, delay=10798, delays=0.03/10771/0/27, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D42361E49430)
    Mar 15 01:19:13 vps135384 postfix/qmgr[3745]: 9DD711E497F8: removed
    And here is my mail queue:
    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    2F6FD1E495CD* 2789 Sat Mar 14 21:02:34 [email protected]
    [email protected]

    4A47A1E49661* 2177 Sun Mar 15 00:21:26 [email protected]
    [email protected]

    182DF1E49718* 2337 Sat Mar 14 23:53:54 [email protected]
    [email protected]

    476A21E49B2E* 2184 Sun Mar 15 01:23:21 [email protected]
    [email protected]

    299161E4964A* 2174 Sun Mar 15 00:21:26 [email protected]
    [email protected]

    926CB1E498CE* 2790 Sat Mar 14 23:16:10 [email protected]
    [email protected]

    A62FD1E49930* 1712 Sat Mar 14 23:22:07 [email protected]
    [email protected]

    728841E49912* 2791 Sat Mar 14 23:19:09 [email protected]
    [email protected]

    4C46B1E49896* 2808 Sat Mar 14 22:58:04 [email protected]
    [email protected]

    4A5E31E49873* 2190 Sat Mar 14 22:46:37 [email protected]
    [email protected]

    EC70B1E4986D* 2185 Sat Mar 14 22:46:36 [email protected]
    [email protected]

    924E61E49AF0* 1637 Sun Mar 15 01:12:06 [email protected]
    [email protected]

    E2D0E1E49A0D* 2336 Sat Mar 14 23:53:53 [email protected]
    [email protected]

    4CCFB1E496C3* 1623 Sat Mar 14 23:36:36 [email protected]
    [email protected]

    605561E49492* 1645 Sun Mar 15 01:17:14 [email protected]
    [email protected]

    DFC321E4993E* 1728 Sat Mar 14 23:22:19 [email protected]
    [email protected]

    0E8DC1E496FD* 3055 Sun Mar 15 00:06:05 [email protected]
    [email protected]

    585B81E497D5* 2833 Sun Mar 15 01:08:13 [email protected]
    [email protected]

    B62CC1E4951D* 1639 Sun Mar 15 01:12:05 [email protected]
    [email protected]

    E44B61E497A3* 1870 Sun Mar 15 00:47:35 [email protected]
    [email protected]

    5B98C1E496C4* 1617 Sat Mar 14 23:36:36 [email protected]
    [email protected]

    5F1041E49B4E* 2162 Sun Mar 15 01:29:01 [email protected]
    [email protected]

    374291E4935A* 1633 Sun Mar 15 01:15:06 [email protected]
    [email protected]

    81A921E49914* 2799 Sat Mar 14 23:19:09 [email protected]
    [email protected]

    148A01E494C6* 2182 Sat Mar 14 22:42:51 [email protected]
    [email protected]

    277151E49412* 3053 Sat Mar 14 22:28:23 [email protected]
    [email protected]

    943AF1E496E9* 1870 Sat Mar 14 23:39:10 [email protected]
    [email protected]

    886AB1E4995D* 1731 Sat Mar 14 23:24:48 [email protected]
    [email protected]

    CC06B1E498F3* 1887 Sat Mar 14 23:06:52 [email protected]
    [email protected]

    86E351E4992C* 1748 Sat Mar 14 23:22:07 [email protected]
    [email protected]

    4196B1E4997E* 1718 Sat Mar 14 23:27:53 [email protected]
    [email protected]

    I'm using Debian wheezy + ispconfig3 + postfix
     
  2. florian030

    florian030 ISPConfig Developer

    Check one of those mails with postcat -q ID.
    Maybe a mail account was hacked or you have an injection in one of your websites.
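
The header check suggested in the reply above, as an added example that is not part of the original thread: it reads the output of `postcat -q ID` and reports whether the message came from a website script, a local user, or an authenticated mailbox. The function name `classify_origin` and the sample message are constructed for illustration; the `X-PHP-Originating-Script` header is only present when PHP's `mail.add_x_header` is on, and the `Authenticated sender` note only when Postfix has `smtpd_sasl_authenticated_header = yes`.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `postcat -q QUEUE_ID` output on
# stdin and reports how the message entered Postfix. Only the header section
# is inspected and the first match wins, because headers stamped by this
# server sit above anything the sender supplied.
classify_origin() {
    awk '
        /^\*\*\* MESSAGE CONTENTS/ { inhdr = 1; next }
        inhdr && /^$/              { inhdr = 0 }   # blank line ends the headers
        !inhdr                     { next }
        # Written by PHP mail() when mail.add_x_header is on, as "uid:script"
        /^X-PHP-Originating-Script:/ { if (php == "") php = $2 }
        # Local sendmail/pickup submission, e.g. by the web server user
        match($0, /\(Postfix, from userid [0-9]+\)/) {
            if (uid == "") uid = substr($0, RSTART + 22, RLENGTH - 23)
        }
        # SMTP login; logged only if smtpd_sasl_authenticated_header = yes
        match($0, /\(Authenticated sender: [^)]+\)/) {
            if (sasl == "") sasl = substr($0, RSTART + 23, RLENGTH - 24)
        }
        END {
            if (php != "")       print "web-script " php
            else if (uid != "")  print "local-uid " uid
            else if (sasl != "") print "sasl-account " sasl
            else                 print "unknown"
        }'
}

# Constructed sample of postcat output (not taken from the thread).
sample_postcat() {
    cat <<'EOF'
*** ENVELOPE RECORDS deferred/A/ABCDEF012345 ***
sender: info@example.net
*** MESSAGE CONTENTS deferred/A/ABCDEF012345 ***
Received: by vps.example (Postfix, from userid 33)
        id ABCDEF012345; Sun, 15 Mar 2015 01:00:00 +0100 (CET)
X-PHP-Originating-Script: 33:contact.php
From: info@example.net

This body mentions (Authenticated sender: nobody) and must be ignored.
*** HEADER EXTRACTED deferred/A/ABCDEF012345 ***
*** MESSAGE FILE END deferred/A/ABCDEF012345 ***
EOF
}

sample_postcat | classify_origin
```

On the server the input would come from `postcat -q ID | classify_origin`. A `web-script` or `local-uid` result points to an injection in a website, while `sasl-account` points to a hacked mail account.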
     
