Hello, I have a problem with spam going out from my server with a fake email address. My domain is esthetique-tunisie.net, and the spam is sent with [email protected] < I never created this email address. Here is my mail.log:

Mar 15 01:18:50 vps135384 amavis[11985]: (11985-01-11) Passed CLEAN {RelayedOpenRelay}, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: BGLXKH-W56aA, Hits: 2.438, size: 2785, queued_as: 6AAB31E49430, 24623 ms
Mar 15 01:18:50 vps135384 postfix/smtp[10329]: 8D9531E497F7: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=11, delay=10775, delays=0.02/10750/0/25, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6AAB31E49430)
Mar 15 01:18:50 vps135384 postfix/qmgr[3745]: 8D9531E497F7: removed
Mar 15 01:18:50 vps135384 amavis[11985]: (11985-01-12) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
Mar 15 01:18:51 vps135384 amavis[11985]: (11985-01-12) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
Mar 15 01:18:51 vps135384 amavis[11985]: (11985-01-12) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (2)
Mar 15 01:18:52 vps135384 postfix/smtp[11723]: 6AAB31E49430: to=<[email protected]>, relay=mta7.am0.yahoodns.net[66.196.118.35]:25, delay=1.9, delays=0.02/0/0.78/1.1, dsn=2.0.0, status=sent (250 ok dirdel)
Mar 15 01:18:52 vps135384 postfix/qmgr[3745]: 6AAB31E49430: removed
Mar 15 01:18:54 vps135384 amavis[12123]: (12123-01-9) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
Mar 15 01:18:54 vps135384 amavis[12123]: (12123-01-9) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 113) line 603.\n
Mar 15 01:18:54 vps135384 amavis[12123]: (12123-01-9) (!)WARN: all primary virus scanners failed, considering backups
Mar 15 01:18:57 vps135384 amavis[11985]: (11985-01-12) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
Mar 15 01:18:57 vps135384 amavis[11985]: (11985-01-12) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 113) line 603.\n
Mar 15 01:18:57 vps135384 amavis[11985]: (11985-01-12) (!)WARN: all primary virus scanners failed, considering backups
Mar 15 01:19:13 vps135384 postfix/smtpd[5705]: D42361E49430: client=localhost[127.0.0.1]
Mar 15 01:19:13 vps135384 postfix/cleanup[12087]: D42361E49430: message-id=<[email protected]>
Mar 15 01:19:13 vps135384 postfix/qmgr[3745]: D42361E49430: from=<[email protected]>, size=3238, nrcpt=1 (queue active)
Mar 15 01:19:13 vps135384 amavis[12123]: (12123-01-9) Passed CLEAN {RelayedOpenRelay}, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: ZIp39-F_IEUj, Hits: 2.438, size: 2782, queued_as: D42361E49430, 26876 ms
Mar 15 01:19:13 vps135384 postfix/smtp[10353]: 9DD711E497F8: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=9, delay=10798, delays=0.03/10771/0/27, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D42361E49430)
Mar 15 01:19:13 vps135384 postfix/qmgr[3745]: 9DD711E497F8: removed

And here is my mail queue:

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
2F6FD1E495CD* 2789 Sat Mar 14 21:02:34 [email protected] [email protected]
4A47A1E49661* 2177 Sun Mar 15 00:21:26 [email protected] [email protected]
182DF1E49718* 2337 Sat Mar 14 23:53:54 [email protected] [email protected]
476A21E49B2E* 2184 Sun Mar 15 01:23:21 [email protected] [email protected]
299161E4964A* 2174 Sun Mar 15 00:21:26 [email protected] [email protected]
926CB1E498CE* 2790 Sat Mar 14 23:16:10 [email protected] [email protected]
A62FD1E49930* 1712 Sat Mar 14 23:22:07 [email protected] [email protected]
728841E49912* 2791 Sat Mar 14 23:19:09 [email protected] [email protected]
4C46B1E49896* 2808 Sat Mar 14 22:58:04 [email protected] [email protected]
4A5E31E49873* 2190 Sat Mar 14 22:46:37 [email protected] [email protected]
EC70B1E4986D* 2185 Sat Mar 14 22:46:36 [email protected] [email protected]
924E61E49AF0* 1637 Sun Mar 15 01:12:06 [email protected] [email protected]
E2D0E1E49A0D* 2336 Sat Mar 14 23:53:53 [email protected] [email protected]
4CCFB1E496C3* 1623 Sat Mar 14 23:36:36 [email protected] [email protected]
605561E49492* 1645 Sun Mar 15 01:17:14 [email protected] [email protected]
DFC321E4993E* 1728 Sat Mar 14 23:22:19 [email protected] [email protected]
0E8DC1E496FD* 3055 Sun Mar 15 00:06:05 [email protected] [email protected]
585B81E497D5* 2833 Sun Mar 15 01:08:13 [email protected] [email protected]
B62CC1E4951D* 1639 Sun Mar 15 01:12:05 [email protected] [email protected]
E44B61E497A3* 1870 Sun Mar 15 00:47:35 [email protected] [email protected]
5B98C1E496C4* 1617 Sat Mar 14 23:36:36 [email protected] [email protected]
5F1041E49B4E* 2162 Sun Mar 15 01:29:01 [email protected] [email protected]
374291E4935A* 1633 Sun Mar 15 01:15:06 [email protected] [email protected]
81A921E49914* 2799 Sat Mar 14 23:19:09 [email protected] [email protected]
148A01E494C6* 2182 Sat Mar 14 22:42:51 [email protected] [email protected]
277151E49412* 3053 Sat Mar 14 22:28:23 [email protected] [email protected]
943AF1E496E9* 1870 Sat Mar 14 23:39:10 [email protected] [email protected]
886AB1E4995D* 1731 Sat Mar 14 23:24:48 [email protected] [email protected]
CC06B1E498F3* 1887 Sat Mar 14 23:06:52 [email protected] [email protected]
86E351E4992C* 1748 Sat Mar 14 23:22:07 [email protected] [email protected]
4196B1E4997E* 1718 Sat Mar 14 23:27:53 [email protected] [email protected]

I'm using Debian wheezy + ispconfig3 + postfix.

Check one of those mails with postcat -q ID

Maybe a mail account was hacked or you have an injection in one of your websites.
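
One way to tell those two cases apart from mail.log, added here as an example and not part of the thread: in the posted excerpt, client=localhost belongs to the copy amavis re-injects, so the sketch below drops re-injected queue IDs and reports how each original message entered Postfix. The function names and sample log lines are constructed, and it assumes the content filter is reached via relay=127.0.0.1 as in the posted log.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format (hosts, IDs, addresses invented).
SAMPLE_LOG = """\
Mar 15 01:00:01 mx postfix/pickup[2101]: A1B2C3D4E5: uid=33 from=<www-data>
Mar 15 01:00:05 mx postfix/smtpd[2200]: F6E5D4C3B2: client=localhost[127.0.0.1]
Mar 15 01:00:05 mx postfix/smtp[2300]: A1B2C3D4E5: to=<a@example.org>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok: queued as F6E5D4C3B2)
Mar 15 01:02:00 mx postfix/smtpd[2400]: 0A0B0C0D0E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@example.test
Mar 15 01:02:09 mx postfix/smtpd[2410]: 1F2F3F4F5F: client=localhost[127.0.0.1]
Mar 15 01:02:09 mx postfix/smtp[2300]: 0A0B0C0D0E: to=<b@example.org>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok: queued as 1F2F3F4F5F)
"""

# daemon name, queue ID, remainder of the log line
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")

def classify_origins(log_text):
    """Map each original queue ID to the way the message entered Postfix."""
    origin, reinjected = {}, set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "pickup" and (u := re.match(r"uid=(\d+)", rest)):
            # Local sendmail submission; on Debian uid 33 is normally www-data.
            origin[qid] = "local uid=" + u.group(1)
        elif daemon == "smtpd" and rest.startswith("client="):
            sasl = re.search(r"sasl_username=(\S+)", rest)
            client = rest.split(",")[0][len("client="):]
            origin[qid] = "sasl " + sasl.group(1) if sasl else "smtp " + client
        elif daemon == "smtp" and "relay=127.0.0.1" in rest:
            # Hand-off to the local content filter: remember the new queue ID.
            q = re.search(r"queued as ([0-9A-F]+)", rest)
            if q:
                reinjected.add(q.group(1))
    # Keep only first-hop IDs, not the copies the filter re-injected.
    return {q: o for q, o in origin.items() if q not in reinjected}

def summarize(log_text):
    """Count messages per origin, e.g. to spot one uid or one mailbox."""
    return Counter(classify_origins(log_text).values())

if __name__ == "__main__":
    for source, count in summarize(SAMPLE_LOG).most_common():
        print(count, source)
```

A "local uid=..." origin points at a script running on the server, while a "sasl ..." origin names the authenticated mailbox that submitted the mail.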