You have been compromised - Send From [email protected]

Good Day to all,
I really need your help, guys!
Some bud guys, retrieve all the email address from our email server.
And send email message to every email users with the subject: “You have been compromised”

full headers from an e-mail message.

Code:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 21337C8242F
    for <[email protected]>; Fri, 26 Jun 2020 17:06:41 +0800 (PST)
X-Virus-Scanned: Debian amavisd-new at mail.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 2.274
X-Spam-Level: **
X-Spam-Status: No, score=2.274 tagged_above=1 required=4.5
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
    RCVD_IN_MSPIKE_H2=-0.001, SORTED_RECIPS=2.474, SPF_PASS=-0.001]
    autolearn=no autolearn_force=no
Authentication-Results: mail.mydomain.com (amavisd-new);
    dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.mydomain.com ([127.0.0.1])
    by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id c8IMfS8SfwNZ for <[email protected]>;
    Fri, 26 Jun 2020 17:06:40 +0800 (PST)
Received: from sonic308-35.consmr.mail.ne1.yahoo.com (sonic308-35.consmr.mail.ne1.yahoo.com [66.163.187.58])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mail.mydomain.com (Postfix) with ESMTPS id BF92DC825DF
    for <[email protected]>; Fri, 26 Jun 2020 17:06:28 +0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1593162385; bh=sZ6sp2VMy/ORQ5+uF7AJ57o+lenDg/SUsL7P1h9o/lg=; h=Date:From:To:Subject:References:From:Subject; b=nYxeqEC5vnMPPeKjqpFN+TwO5rUnDGkkJqURIhfaQdSGBnXR6DKzWZfbZDnrMWgHOtcR/4S2+W8ye2YkJIdquelvAkg0ciI76ulsGof4L3AYudgAbT/2+Ij5D/ewJ3ydLLTWydYDOnsEdmam0JF/U7TblvYHOXmDuNa17Y7ffyfKrStZrXNvafRwdfYl5DbPmwT7QlIKSLxzALIOSdrJakrtGWgLax7Z7E1W0FY1BJF1fGFx4pofcsk3nMHC0fl+V0F90CQuCXZJBcpD2lIsz2/H8JYNjNomGBnRUkx1UkbyQvyPSerJEZkwFHEKxyEQWtIMlEvxIQNdjeMquCrekA==
X-YMail-OSG: PdnP55gVM1lo78DsQLMd9eJOegMjr_NOuIrU.3MejQVdPboPv4iOiK9HR0KXoaM
    e3NzZs_NMYup6RMgg54xRfOxN8.renkyWtRsXJL8NIKnQTikDntN7U8aWcKg_DfYayiRUDt6MrUS
    nWt7jsbWjWEvG0yycjI6mznmiPWaffeTAA8nzM9PQE8Qht0E18VzACkvDWlWyLYWW5G3anUu73pl
    QLOhVvGduzztay6FknGG.7Zf7Qhg3sljd9879JZlTD54mCTJ27HjPq3X8wE4.sdApPxtKJ.JlLrJ
    2t_Rx8ilGGtQNJL8g6Hqlkj_Xef0pc6WuuworBuf__zmLnliseIY08V_pfzLWBcufY4XlK86sq0s
    Iovlkfr1IGWlHrDiZ5oN2bGbp05xhEioZPcsr8BuykodtmCDPejigb7KGrc16YxlG7KrdZJf4WGG
    kH95LkI8Rq5HSV8gjfz96.vUuml2PsfWws7hQC.DW._0aenBFaKjdcnkHzJsAwJoUqbiRtjVzGl2
    K9Eihi0fgnSSPhZW3wGz5onSq4vSabXR1eusuWUd2OqQeLps_PkRQh11vW7Zf_GBmeLElnpw1jxb
    JBdfBRKMv4oVVAM.S4.zhHyHEjzUARznN5JQyrvQqo9SXer52FLZLs4mAIqCfG6Clr4VnhYFeZEm
    kUeisff01njWhP8kD.2jc0tjpCrtd.unV_GB64L854quJk7vPndn_vH0glPg9R9.ynIXlSm0QAO2
    0h8wIGACVTC5ESyaaToZcUH2w3ySUxo7pw6ezwRFG7d3zUVICUxyZIq3lWYqpjFX9IiXVJESrCEY
    MmR5C4IXoTq6ktGNfaRcA.NBylYyd8uqgbaBm9kBmeGSY6lC_uEKQnLzEChoEJ9jhwpUmA4Wh7qk
    IGqGas26C9izydncFSisker040rmvWF3U6JrR8hK.uZge.d.ENKhsFYz7dkVw7_SECRwNtxhfLk0
    r5cKKZkdAOCpfHDz5uNoRPOletBYyonMpeVuNcMcdareU8e6Op9RO2iYPL1auXEWb6.79XFi6y4I
    3QpkA9oPTySiG4UQx.dEq0UffxACj3nijZWi29cCXzSkc8RS_I.atTFxGDiAgVbZZuEDI0InVHqx
    cmiRDWD9ZJ0uJke3NcebWDsfhP8KJEbDvV6MAV9lLG.Rw3Qtap4m9RWozO0S_KlfV0Pt202EXQB5
    a8g0PYMmASLOzugIun5ZJ_7xKSJnfVI3XUSHjc_f7rj6_mk4naTA9ooIbF5mxcvsfk0wfGn2HkZk
    Q9sVzNEaFS0Wf0gSUYN3tm.bQ2z.JZhrkGB20OEa_PuLrAOrd
Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Fri, 26 Jun 2020 09:06:25 +0000
Date: Fri, 26 Jun 2020 08:54:22 +0000 (UTC)
From: Hatters Grey <[email protected]>
To: "[email protected]" <[email protected]>,
    ... ,
    "[email protected]" <[email protected]>
Message-ID: <[email protected]>
Subject: You have been compromised
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_Part_4027757_1188417035.1593161662968"
References: <[email protected]>
X-Mailer: WebService/1.1.16138 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

Please help me, how to fix this problem.

 

That does not look like e-mail log. It is full headers from an e-mail message.
The headers show your e-mail server received the message from Yahoo server. If the culprits had compromised your server or e-mail accounts, they could have proved that by sending their nefarious messages using your e-mail server.

What problem are you fixing?
You can complain to Yahoo that their email user sends SPAM or ransom messages.

 

Hi @Taleman, thank you for the reply.
I have some questions
1.) It is safe to remove the spam email messages from vmail directory?
2.) And how to check if our server has been compromised?

 

1. If you just remove the file, the e-mail index is wrong. You should re-index then. Or use admin commands of the e-mail system to remove the messages, that should preserve index or re-index afterwards
2. I don't know a simple way to make sure server has not been compromised. Do you have a reason to believe it is compromised?

That grayhatter sending to all your e-mail addresses does not indicate compromise. They may have purchased a list of e-mail addresses.
If you are worried, there are ways to try to find compromises. ISPConfig has https://ispprotect.com/ for example.

 

Hi @till
I have already purchase ISPProtect - 5 scans license, and scan /var/www directory, and the ISPProtect found nothing.

It is possible that back-up email was intercept through the network.
Because the back-up email was forwarded to goggle-drive using google-drive-ocamlfuse.