Spam problem from non-existent addresses

Discussion in 'General' started by etruel, Jun 27, 2016.

  1. etruel

    etruel Member HowtoForge Supporter

    Hi,
    I'm seeing these addresses and emails sent from the server. There are many mailbox accounts that don't exist. I've blocked a few other spam issues before, but I don't know how or where to search about this.
    I also have a phpmail log, and it has nothing about these addresses.
    I'm very novice with email or spam issues; can anyone point me in the right direction?

    I'm pasting below some info from the server.
    I have Debian wheezy, up to date.

    mail log from ISPConfig
    Code:
    Jun 27 09:20:32 ns1 amavis[23147]: (23147-19) Passed CLEAN {RelayedOpenRelay}, [74.125.82.68]:34811 [74.125.82.68] <> -> <[email protected]>, Queue-ID: 5B6A11A828BC, Message-ID: <[email protected]>, mail_id: PwPIY4lCgsyU, Hits: -1.578, size: 4116, queued_as: B75441A82A01, 17065 ms
    Jun 27 09:20:32 ns1 postfix/smtp[17831]: 5B6A11A828BC: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=38, delays=21/0.02/0/17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B75441A82A01)
    
    in /var/log grep -r -i -I --exclude="*.zip" 'Henderson.3215'
    Code:
    ./mail.info:Jun 26 12:07:21 ns1 amavis[15804]: (15804-10) Passed CLEAN {RelayedOpenRelay}, [209.85.223.194]:36523 [209.85.223.194] <> -> <[email protected]>, Queue-ID: B8F7B1A82CDF, Message-ID: <[email protected]>, mail_id: jqLdpPU7EhH9, Hits: -1.578, size: 5959, queued_as: B6A1A1A82CF8, 16871 ms
    ./mail.info:Jun 26 12:07:21 ns1 postfix/smtp[32625]: B8F7B1A82CDF: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=37, delays=21/0.01/0/17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6A1A1A82CF8)
    ./mail.info:Jun 26 12:07:22 ns1 postfix/pipe[32631]: B6A1A1A82CF8: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.39, delays=0.12/0.01/0/0.26, dsn=2.0.0, status=sent (delivered via dovecot service)
    ./mail.info.1:Jun 23 08:37:44 ns1 amavis[14877]: (14877-15) Passed CLEAN {RelayedOpenRelay}, [209.85.223.196]:35439 [209.85.223.196] <> -> <[email protected]>, Queue-ID: B87701A80A93, Message-ID: <[email protected]>, mail_id: HEbfPkR3UotP, Hits: -1.578, size: 5957, queued_as: BD7FD1A82C9F, 16945 ms
    ./mail.info.1:Jun 23 08:37:44 ns1 postfix/smtp[6766]: B87701A80A93: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=38, delays=21/0.02/0/17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BD7FD1A82C9F)
    ./mail.info.1:Jun 23 08:37:45 ns1 postfix/pipe[6787]: BD7FD1A82C9F: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.32, delays=0.11/0.01/0/0.21, dsn=2.0.0, status=sent (delivered via dovecot service)
    ./mail.info.1:Jun 24 07:35:34 ns1 amavis[10352]: (10352-18) Passed CLEAN {RelayedOpenRelay}, [209.85.223.195]:35257 [209.85.223.195] <> -> <[email protected]>, Queue-ID: 6B74F1A81F17, Message-ID: <[email protected]>, mail_id: BpyJBc3_ibb8, Hits: -1.578, size: 5957, queued_as: A941A1A818EE, 17137 ms
    ./mail.info.1:Jun 24 07:35:34 ns1 postfix/smtp[6492]: 6B74F1A81F17: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=38, delays=21/0.01/0/17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A941A1A818EE)
    ./mail.info.1:Jun 24 07:35:35 ns1 postfix/pipe[6499]: A941A1A818EE: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.35, delays=0.1/0.01/0/0.24, dsn=2.0.0, status=sent (delivered via dovecot service)
    ./mail.info.1:Jun 25 11:57:02 ns1 amavis[14104]: (14104-15) Passed CLEAN {RelayedOpenRelay}, [209.85.223.194]:34849 [209.85.223.194] <> -> <[email protected]>, Queue-ID: AA7EE1A80C2E, Message-ID: <[email protected]>, mail_id: gewKPaIB0sJL, Hits: -1.578, size: 5959, queued_as: 453841A82D05, 18497 ms
    ./mail.info.1:Jun 25 11:57:02 ns1 postfix/smtp[21853]: AA7EE1A80C2E: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=39, delays=20/0.02/0/18, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 453841A82D05)
    ./mail.info.1:Jun 25 11:57:02 ns1 postfix/pipe[21880]: 453841A82D05: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.35, delays=0.11/0.01/0/0.23, dsn=2.0.0, status=sent (delivered via dovecot service)
    ./mail.log:Jun 26 12:07:21 ns1 amavis[15804]: (15804-10) Passed CLEAN {RelayedOpenRelay}, [209.85.223.194]:36523 [209.85.223.194] <> -> <[email protected]>, Queue-ID: B8F7B1A82CDF, Message-ID: <[email protected]>, mail_id: jqLdpPU7EhH9, Hits: -1.578, size: 5959, queued_as: B6A1A1A82CF8, 16871 ms
    ./mail.log:Jun 26 12:07:21 ns1 postfix/smtp[32625]: B8F7B1A82CDF: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=37, delays=21/0.01/0/17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6A1A1A82CF8)
    ./mail.log:Jun 26 12:07:22 ns1 postfix/pipe[32631]: B6A1A1A82CF8: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.39, delays=0.12/0.01/0/0.26, dsn=2.0.0, status=sent (delivered via dovecot service)
    ./syslog:Jun 26 12:07:21 ns1 amavis[15804]: (15804-10) Passed CLEAN {RelayedOpenRelay}, [209.85.223.194]:36523 [209.85.223.194] <> -> <[email protected]>, Queue-ID: B8F7B1A82CDF, Message-ID: <[email protected]>, mail_id: jqLdpPU7EhH9, Hits: -1.578, size: 5959, queued_as: B6A1A1A82CF8, 16871 ms
    ./syslog:Jun 26 12:07:21 ns1 postfix/smtp[32625]: B8F7B1A82CDF: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=37, delays=21/0.01/0/17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6A1A1A82CF8)
    ./syslog:Jun 26 12:07:22 ns1 postfix/pipe[32631]: B6A1A1A82CF8: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.39, delays=0.12/0.01/0/0.26, dsn=2.0.0, status=sent (delivered via dovecot service)
    ./syslog.1:Jun 25 11:57:02 ns1 amavis[14104]: (14104-15) Passed CLEAN {RelayedOpenRelay}, [209.85.223.194]:34849 [209.85.223.194] <> -> <[email protected]>, Queue-ID: AA7EE1A80C2E, Message-ID: <[email protected]>, mail_id: gewKPaIB0sJL, Hits: -1.578, size: 5959, queued_as: 453841A82D05, 18497 ms
    ./syslog.1:Jun 25 11:57:02 ns1 postfix/smtp[21853]: AA7EE1A80C2E: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=39, delays=20/0.02/0/18, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 453841A82D05)
    ./syslog.1:Jun 25 11:57:02 ns1 postfix/pipe[21880]: 453841A82D05: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.35, delays=0.11/0.01/0/0.23, dsn=2.0.0, status=sent (delivered via dovecot service)
    ./mail.log.1:Jun 23 08:37:44 ns1 amavis[14877]: (14877-15) Passed CLEAN {RelayedOpenRelay}, [209.85.223.196]:35439 [209.85.223.196] <> -> <[email protected]>, Queue-ID: B87701A80A93, Message-ID: <[email protected]>, mail_id: HEbfPkR3UotP, Hits: -1.578, size: 5957, queued_as: BD7FD1A82C9F, 16945 ms
    ./mail.log.1:Jun 23 08:37:44 ns1 postfix/smtp[6766]: B87701A80A93: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=38, delays=21/0.02/0/17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BD7FD1A82C9F)
    ./mail.log.1:Jun 23 08:37:45 ns1 postfix/pipe[6787]: BD7FD1A82C9F: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.32, delays=0.11/0.01/0/0.21, dsn=2.0.0, status=sent (delivered via dovecot service)
    ./mail.log.1:Jun 24 07:35:34 ns1 amavis[10352]: (10352-18) Passed CLEAN {RelayedOpenRelay}, [209.85.223.195]:35257 [209.85.223.195] <> -> <[email protected]>, Queue-ID: 6B74F1A81F17, Message-ID: <[email protected]>, mail_id: BpyJBc3_ibb8, Hits: -1.578, size: 5957, queued_as: A941A1A818EE, 17137 ms
    ./mail.log.1:Jun 24 07:35:34 ns1 postfix/smtp[6492]: 6B74F1A81F17: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=38, delays=21/0.01/0/17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A941A1A818EE)
    ./mail.log.1:Jun 24 07:35:35 ns1 postfix/pipe[6499]: A941A1A818EE: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.35, delays=0.1/0.01/0/0.24, dsn=2.0.0, status=sent (delivered via dovecot service)
    ./mail.log.1:Jun 25 11:57:02 ns1 amavis[14104]: (14104-15) Passed CLEAN {RelayedOpenRelay}, [209.85.223.194]:34849 [209.85.223.194] <> -> <[email protected]>, Queue-ID: AA7EE1A80C2E, Message-ID: <[email protected]>, mail_id: gewKPaIB0sJL, Hits: -1.578, size: 5959, queued_as: 453841A82D05, 18497 ms
    ./mail.log.1:Jun 25 11:57:02 ns1 postfix/smtp[21853]: AA7EE1A80C2E: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=39, delays=20/0.02/0/18, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 453841A82D05)
    ./mail.log.1:Jun 25 11:57:02 ns1 postfix/pipe[21880]: 453841A82D05: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.35, delays=0.11/0.01/0/0.23, dsn=2.0.0, status=sent (delivered via dovecot service)
    
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Do you have a catch-all address set for etruel.com?
     
  3. etruel

    etruel Member HowtoForge Supporter

    Hi, Jesse, thanks for the answer.

    Yes, the catch-all account is set to and I'm using it to simulate all other accounts, like support, info, etc.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the headers of one of the spam emails in the mailqueue with the postcat command.
     
  5. etruel

    etruel Member HowtoForge Supporter

    Hi Till
    I saw other messages from you with instructions to use postcat, but the mail queue is empty.
    I have configured it to receive and send from Gmail, so I get the messages rejected in Gmail with the headers.
    This is one of them:
    (the .zip attachment enclosed a virus)


    Code:
    Delivery has failed to these recipients or groups:
    
    [email protected]
    The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.
    
    Diagnostic information for administrators:
    
    Generating server: allegronet.internal
    
    [email protected]
    #550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##rfc822;[email protected]
    
    Original message headers:
    
    Received: from spam.allegronet.co.il (31.154.10.182) by mail.allegronet.co.il
    (213.57.26.6) with Microsoft SMTP Server (TLS) id 14.1.438.0; Tue, 28 Jun
    2016 13:25:37 +0300
    Received: from [123.23.168.246] (unknown [123.23.168.246]) by
    spam.allegronet.co.il (Postfix) with ESMTP id E45FB283ED for
    <[email protected]>; Tue, 28 Jun 2016 13:25:30 +0300 (IDT)
    Received: by localhost (Postfix, from userid 202) id EE12ED483C3; Tue, 28 Jun
    2016 03:25:27 -0700
    Date: Tue, 28 Jun 2016 03:25:27 -0700
    From: Chester Sweet <[email protected]>
    To: <[email protected]>
    Subject: report
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="/Wkhp/lXFOMaJTsF"
    Content-Disposition: inline
    User-Agent: Mutt/1.5.4i
    X-AllegroNET-MailScanner-ESVA-Information: Please contact for more information
    X-AllegroNET-MailScanner-ESVA-ID: E45FB283ED.2E45E
    X-AllegroNET-MailScanner-ESVA: Found to be clean
    X-AllegroNET-MailScanner-ESVA-From: [email protected]
    X-Spam-Status: No
    Return-Path: [email protected]
    
    
    Original-Recipient: rfc822;[email protected]
    Final-Recipient: rfc822;[email protected]
    Action: failed
    Status: 5.1.1
    Diagnostic-Code: smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found
    
    
    
    ---------- Mensaje reenviado ----------
    From: Chester Sweet <[email protected]>
    To: <[email protected]>
    Cc:
    Date: Tue, 28 Jun 2016 03:25:27 -0700
    Subject: report
    Hi andizenn,
    
    I’ve attached the report you asked me to send.
    
    
    Regards
    
    Chester Sweet
    Sales Director
    
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I'm a little unclear; the problem you have is that you're receiving mail containing viruses in .zip, which forwards to gmail and gets rejected? And those emails also happen to claim they are from non-existent addresses at etruel.com?

    If that is correct, you can improve your clamav scanner by utilizing additional signature databases (see https://www.howtoforge.com/communit...-being-sent-from-my-server.72631/#post-341905), and you can block the forged messages by adding SPF records to etruel.com (either with a hard fail, or additionally utilize DKIM and DMARC).

    If that is not correct (and I'm not sure it is), please explain a little more, as I'm missing it. (In fact I'm wondering if you simply have an open relay, with anything claiming to be from @etruel.com being allowed?)
     
  7. etruel

    etruel Member HowtoForge Supporter

    Someone sends emails from [email protected] to others, sending viruses or invoices with payment claims. (The rejected mails are sent to me from remote servers.)

    I just tested open relay with
    Code:
    http://www.mailradar.com/openrelay/
    and got: All tested completed! No relays accepted by remote host!

    I don't know what more data I can publish to be more clear.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Do they just use the email address (a) or do they use your server to send the emails (b)? Please check your mail.log file and the mailqueue to see if these emails are really sent by your server or if someone just used your email address in the from line of his emails but is not sending through your server.

    a) You can't do much in this case; just ensure you have proper SPF and maybe DKIM set up.
    b) When the mails are sent through your server, then you should be able to see in the headers of a mail in the mailqueue how they achieved that.
     
  9. etruel

    etruel Member HowtoForge Supporter

    Hi Till,
    This is exactly what I don't know. I pasted in the first post various results of the logs to see which is the case, because I actually can't understand it.
    But Gmail began to say that ns1.etruel.com is sending too much trash mail, so I think that it is (b).

    Whenever I look at the mail queue, it is empty or has a correct email, but never one of these.
    Also, earlier I pasted the headers of a mail returned to the "sender" (supposedly me).

    Can you see inside the CODE blocks above?
    Thank you very much for your help.
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Ok, that clarifies what's going on. In the example you posted it appears the spam message (to '[email protected]') actually came from 123.23.168.246, which is not yours, correct? (It's in Vietnam, your domain is Argentina). And you got the bounce for that, which is what you're wanting to stop from happening?

    If that's correct, start by getting rid of your catch-all email address, and just set up an Email Alias for each address you actually care to receive (support, info, etc.). That will help a lot by stopping all the bounces to non-existing addresses, and is quick and simple.

    To help even more, you can add SPF records for etruel.com specifying where mail from real etruel.com accounts is allowed to be sent from. Depending on how much you want to keep pursuing the issue, you can additionally look at setting up DKIM signing of your legitimate mail sent through your server(s), and specify a DMARC policy that requires your mail to either pass SPF or DKIM or it should be rejected. It's not perfect (not everyone uses/checks SPF/DKIM/DMARC), but it helps.
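    Added example (not from the thread or ISPConfig): a small Python triage script for Till's (a)/(b) question and Jesse's SPF suggestion. It walks the Received chain of a bounce like the one posted above to find the originating IP, checks whether that IP is one of your own servers (case b) or a stranger merely using your domain (case a), and evaluates the origin against a hard-fail SPF record. The server IP 192.0.2.10, the SPF record, and the placeholder addresses are constructed assumptions, not values from the thread.

```python
import ipaddress
import re

# Constructed sample: the Received chain from the bounce posted earlier in
# this thread, addresses replaced with placeholders, most recent hop first.
SAMPLE_HEADERS = """\
Received: from spam.allegronet.co.il (31.154.10.182) by mail.allegronet.co.il
 (213.57.26.6) with Microsoft SMTP Server (TLS) id 14.1.438.0; Tue, 28 Jun
 2016 13:25:37 +0300
Received: from [123.23.168.246] (unknown [123.23.168.246]) by
 spam.allegronet.co.il (Postfix) with ESMTP id E45FB283ED for
 <recipient@example.com>; Tue, 28 Jun 2016 13:25:30 +0300 (IDT)
Received: by localhost (Postfix, from userid 202) id EE12ED483C3; Tue, 28 Jun
 2016 03:25:27 -0700
From: Chester Sweet <forged-sender@etruel.com>
Return-Path: forged-sender@etruel.com
"""

# Assumption: ns1.etruel.com's real address is not in the thread, so a
# documentation-range placeholder stands in for it in both places.
MY_SERVER_IPS = {"192.0.2.10"}
SPF_RECORD = "v=spf1 ip4:192.0.2.10 -all"   # hard-fail policy, as suggested

IP_RE = re.compile(r"^Received: from .*?[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", re.M)

def unfold(headers: str) -> str:
    """Join RFC 5322 folded continuation lines so each header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def received_ips(headers: str) -> list:
    """The 'from' IP of every Received header, most recent hop first."""
    return IP_RE.findall(unfold(headers))

def origin_ip(headers: str) -> str:
    """Oldest 'from' IP in the chain. Hops below the first server you trust
    can be forged, so read this as 'where a trusted relay saw it come from'."""
    ips = received_ips(headers)
    return ips[-1] if ips else ""

def spf_verdict(ip: str, record: str) -> str:
    """Minimal SPF evaluation: ip4:<cidr> mechanisms plus the final 'all'."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
        if mech == "all" or (mech.startswith("ip4:")
                             and addr in ipaddress.ip_network(mech[4:], strict=False)):
            return verdict
    return "neutral"   # no mechanism matched and no 'all' present

def classify(headers: str, server_ips=MY_SERVER_IPS, spf=SPF_RECORD) -> dict:
    """Case (b) if the spam left one of our servers, case (a) if only our domain was used."""
    ip = origin_ip(headers)
    return {"origin": ip, "case": "b" if ip in server_ips else "a",
            "spf": spf_verdict(ip, spf) if ip else "none"}
```

    Run `classify(SAMPLE_HEADERS)` on the posted bounce and it reports origin 123.23.168.246, case (a), SPF fail: a receiver checking SPF with that record would have rejected the forgery instead of bouncing it back.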
     
