All of a sudden I'm receiving 20+ emails within 2 hours from [email protected] with the subject "Undelivered Mail Returned". Each email has 2 attachments (Undelivered Message & Delivery Report); I pasted the content of those below. I replaced my original email with [email protected] for privacy reasons, as well as the domain with mydomain.com. Does anyone have a similar issue or know what the problem is? Any suggestion how to block these?

Undelivered Mail Returned to Sender

This is the mail system at host qproxy3.mail.unifiedlayer.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

<[email protected]>: host mx.yandex.ru[87.250.250.89] said: 552 5.2.2 Mailbox size limit exceeded 1515597138-2PJ1FcNYjT-C1o04CO2 (in reply to end of DATA command)

Reporting-MTA: dns; qproxy3.mail.unifiedlayer.com
X-Postfix-Queue-ID: 4FFD0D59DE
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Wed, 10 Jan 2018 08:11:59 -0700 (MST)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.2.2
Remote-MTA: dns; mx.yandex.ru
Diagnostic-Code: smtp; 552 5.2.2 Mailbox size limit exceeded 1515597138-2PJ1FcNYjT-C1o04CO2

Subject Copy of: На ваш кошелек *7718 поступил перевод со счета *8417
From Taza Chicago
To [email protected]
Date Today 09:11

This is a copy of the following message you sent to Stay in Touch via Taza Chicago

This is an enquiry email via http://tazachicago.com/ from:
a-kamelevsky2012 <[email protected]>

YD3I0TB Vxo0BSe6KGUyfrpZU - https://vhpc3.drive.google.com/open?id=1P_QS8s6Uzql4wXM192rjbrrHNKIPSrxR

Delivery Report

Reporting-MTA: dns; qproxy3.mail.unifiedlayer.com
X-Postfix-Queue-ID: 4FFD0D59DE
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Wed, 10 Jan 2018 08:11:59 -0700 (MST)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.2.2
Remote-MTA: dns; mx.yandex.ru
Diagnostic-Code: smtp; 552 5.2.2 Mailbox size limit exceeded 1515597138-2PJ1FcNYjT-C1o04CO2

Undelivered Message

Return-Path: <[email protected]>
Received: from cmgw3 (unknown [10.0.90.84])
    by qproxy3.mail.unifiedlayer.com (Postfix) with ESMTP id 4FFD0D59DE
    for <[email protected]>; Wed, 10 Jan 2018 08:11:59 -0700 (MST)
Received: from host239.hostmonster.com ([74.220.215.239])
    by cmgw3 with id wfBw1w0035AVALy01fBz32; Wed, 10 Jan 2018 08:11:59 -0700
X-Authority-Analysis: v=2.2 cv=XM9AcUpE c=1 sm=1 tr=0 a=LQjYtly7ac8CmsQ3xCnGWA==:117 a=LQjYtly7ac8CmsQ3xCnGWA==:17 a=0Eae7Co3zJwA:10 a=IkcTkHD0fZMA:10 a=x7bEGLp0ZPQA:10 a=MuaeFusq_UQA:10 a=RgaUWeydRksA:10 a=L_px057dAAAA:8 a=vaJtXVxTAAAA:8 a=gLS3VCt6AAAA:20 a=Nn3xLg3nE_9GEWRCF7YA:9 a=QEXdDO2ut3YA:10 a=FjmRgscJn_SHEiaqWpyg:22
Received: from tazachic by host239.hostmonster.com with local (Exim 4.89)
    (envelope-from <[email protected]>) id 1eZI2l-000p1B-Ua
    for [email protected]; Wed, 10 Jan 2018 08:11:55 -0700
To: [email protected]
Subject: =?utf-8?B?Q29weSBvZjog0J3QsCDQstCw0Ygg0LrQvtGI0LXQu9C10LogKjc3MTgg?=
    =?utf-8?B?0L/QvtGB0YLRg9C/0LjQuyDQv9C10YDQtdCy0L7QtCDRgdC+INGB0YfQtdGC?=
    =?utf-8?B?0LAgKjg0MTc=?=
X-PHP-Originating-Script: 544:class.phpmailer.php
Date: Wed, 10 Jan 2018 08:11:55 -0700
From: Taza Chicago <[email protected]>
Reply-To: a-kamelevsky2012 <[email protected]>
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host239.hostmonster.com
X-AntiAbuse: Original Domain - yandex.ru
X-AntiAbuse: Originator/Caller UID/GID - [544 553] / [47 12]
X-AntiAbuse: Sender Address Domain - mydomain.com
X-BWhitelist: no
X-Source-IP:
X-Exim-ID: 1eZI2l-000p1B-Ua
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender:
X-Source-Auth: tazachic
X-Email-Count: 14
X-Source-Cap: dGF6YWNoaWM7dGF6YWNoaWM7aG9zdDIzOS5ob3N0bW9uc3Rlci5jb20=
X-Local-Domain: no

This is a copy of the following message you sent to Stay in Touch via Taza Chicago

This is an enquiry email via http://tazachicago.com/ from:
a-kamelevsky2012 <[email protected]>

YD3I0TB Vxo0BSe6KGUyfrpZU - https://vhpc3.drive.google.com/open?id=1P_QS8s6Uzql4wXM192rjbrrHNKIPSrxR
Basically, there are two possibilities: either your server sends spam, or someone uses your email address as the 'from' address in his spam emails without sending through your server. Is the hostname of your server in the mail output? If yes, which one is it? Do you have a lot of emails in your mail queue? Use the 'postqueue -p' command to check that.
Thanks Till! I created a website, tazachicago.com (the URL is listed in each spam email), using Joomla CMS for a client (he hosted it with hostmonster, not my server). For the administrator account I used the email in question, [email protected]. I ran postqueue -p and the mail queue is empty. I don't think my server is sending spam. My feeling is someone is using my email address under FROM in his spam emails. Is it possible to block it?
Sounds like the Joomla site is being abused, so you likely just need to fix that. My guess from the wording of the message is that it's just a contact form being abused, though also make sure everything on the site is up to date and not running any known vulnerable versions.
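The headers of the returned message in the question answer both checks raised in the replies: whether the mail passed through your own server, and whether a web script generated it. A triage sketch in Python, added here as an example and not part of the original thread; the sample is constructed from a subset of the quoted headers, and `mail.mydomain.com` is a hypothetical name for the poster's own server:

```python
import re
from email import message_from_string

# Constructed sample: a trimmed subset of the headers quoted in the question.
RETURNED = """\
Received: from cmgw3 (unknown [10.0.90.84])
\tby qproxy3.mail.unifiedlayer.com (Postfix) with ESMTP id 4FFD0D59DE;
\tWed, 10 Jan 2018 08:11:59 -0700 (MST)
Received: from host239.hostmonster.com ([74.220.215.239])
\tby cmgw3 with id wfBw1w0035AVALy01fBz32; Wed, 10 Jan 2018 08:11:59 -0700
Received: from tazachic by host239.hostmonster.com with local (Exim 4.89)
\tid 1eZI2l-000p1B-Ua; Wed, 10 Jan 2018 08:11:55 -0700
X-PHP-Originating-Script: 544:class.phpmailer.php
X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
X-Source-Auth: tazachic

(body omitted)
"""

BY_HOST = re.compile(r"\bby\s+([\w.-]+)")

def triage(raw, my_hosts):
    """Summarise where a bounced message was really created."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    # Every host that accepted the message on its way out.
    handlers = {h.lower() for hop in hops for h in BY_HOST.findall(hop)}
    # Received headers are prepended, so the last one is the first hop.
    first = " ".join(hops[-1].split()) if hops else ""
    origin = BY_HOST.search(first)
    return {
        "origin_host": origin.group(1) if origin else None,
        "via_my_server": bool(handlers & {h.lower() for h in my_hosts}),
        "local_submission": " with local " in first,
        "web_script": msg.get("X-PHP-Originating-Script"),
        "account": msg.get("X-Source-Auth"),
    }

def verdict(t):
    if t["via_my_server"]:
        return "sent through your server: inspect its queue, logs and web apps"
    if t["web_script"] or t["local_submission"]:
        return f"web script on {t['origin_host']}: fix the site form or its mail settings"
    return "forged sender via a third party: nothing to block, rely on SPF/DKIM"

if __name__ == "__main__":
    # mail.mydomain.com is a hypothetical name for the poster's own server.
    print(verdict(triage(RETURNED, ["mail.mydomain.com"])))
```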
If that's the case, then you can't block that. The only thing you can do is to set up SPF and enable DKIM on your server for your domain, to make it easier for other servers to find out if an email was really sent by you or if it has been sent by someone else over a different server.
Till / Jesse, thanks much for the answers, they helped to troubleshoot the issue. I already have SPF & DKIM installed. The issue was in Joomla Administrator: under System > Global Configuration > Server (tab), under Mail Settings, my email address was still there. After I removed it, the spam stopped. Thanks again!