Disable a local domain from sending emails

Discussion in 'Installation/Configuration' started by florix.net, Dec 21, 2012.

  1. florix.net

    florix.net Member


    I am using ISPConfig 3, latest version.

    I have a domain mcfcomp.in (name changed)

    Somehow this domain is trying to send spam emails using the local server, using the ID webmaster@mcfcomp.in

    I disabled the domain in the control panel and blacklisted the email ID .. still it is able to access Postfix and add a bunch of emails to the mailq

    2012-12-21T08:58:48.012716+05:18 linode postfix/smtpd[21202]: 030F922800C: client=unknown[]
    2012-12-21T08:58:48.017287+05:18 linode postfix/cleanup[21506]: 030F922800C: message-id=<20121221032746.50CBF2AF3F@linode.frix.net>
    2012-12-21T08:58:48.017662+05:18 linode postfix/smtpd[20754]: 0440E22800E: client=unknown[]
    2012-12-21T08:58:48.018802+05:18 linode postfix/qmgr[13424]: 030F922800C: from=<webmaster@mcfcomp.in>, size=5744, nrcpt=1 (queue active)
    2012-12-21T08:58:48.022308+05:18 linode postfix/cleanup[21440]: 0440E22800E: message-id=<20121221032746.4ADA62AF3E@linode.frix.net>
    2012-12-21T08:58:48.023032+05:18 linode postfix/qmgr[13424]: 0440E22800E: from=<webmaster@mcfcomp.in>, size=5714, nrcpt=1 (queue active)
    2012-12-21T08:58:48.027995+05:18 linode amavis[18855]: (18855-09-27) Passed BAD-HEADER, <webmaster@mcfcomp.in> -> <dmccandless@agoc.com>, Message-ID: <20121221032746.50CBF2AF3F@linode.frix.net>, mail_id: CZVJF7YaJvMP, Hits: 2.017, size: 5268, queued_as: 030F922800C, 1336 ms

    How can I fix this?

  2. till

    till Super Moderator

    These emails are most likely inserted through a website script, e.g. a vulnerable contact form or CMS system, so blocking at the Postfix level will not work if you don't want to block all emails from localhost. Check the email content of one of the mails in the queue with postcat; it should contain additional info like the user which sent the email, so you can find the site which contains the script.
  3. florix.net

    florix.net Member

    Dear Admin,

    Thank you for the reply.

    I have installed the phpsendmail script, which logs all PHP sendmail attempts. This does not fall in this area.

    I have disabled the domain mccomplex.in completely in ISPConfig. What can I do to force Postfix to accept any emails from the mccomplex.in domain?

  4. till

    till Super Moderator

    When you disable a domain, you instruct Postfix that you don't want to receive emails for this domain. This is not disabling sending, as the sending can be done even through a completely different domain when the user is authenticated with the correct username and password. To stop it you just have to disable the account that is used for sending or change the password of that account. Find out which email account is being used to send these emails and then disable this account. You can see this in the mail log file, as there must be an SMTP login right before the sending starts.
  5. florix.net

    florix.net Member


    The account which is used, webmaster@mcfcomplex.in, is not configured at all.
    Here are the details from the mail log. I also do not see any authenticated user logged before this.


    2012-12-16T20:22:53.192803+05:18 linode postfix/pickup[32607]: 2F08B2AE81: uid=48 from=<webmaster@mcfcomplex.in>
    2012-12-16T20:22:53.193682+05:18 linode postfix/cleanup[32670]: 2F08B2AE81: message-id=<20121216145253.2F08B2AE81@linode.florix.net>
    2012-12-16T20:22:53.194670+05:18 linode postfix/qmgr[3150]: 2F08B2AE81: from=<webmaster@mcfcomplex.in>, size=654, nrcpt=1 (queue active)
    2012-12-16T20:22:53.683559+05:18 linode postfix/smtpd[32412]: connect from unknown[]
    2012-12-16T20:22:53.690177+05:18 linode postfix/smtpd[32412]: A874D2AE5B: client=unknown[]
    2012-12-16T20:22:53.692991+05:18 linode postfix/cleanup[32670]: A874D2AE5B: message-id=<20121216145253.2F08B2AE81@linode.florix.net>
    2012-12-16T20:22:53.694136+05:18 linode postfix/smtpd[32412]: disconnect from unknown[]
    2012-12-16T20:22:53.694167+05:18 linode postfix/qmgr[3150]: A874D2AE5B: from=<webmaster@mcfcomplex.in>, size=1201, nrcpt=1 (queue active)
    2012-12-16T20:22:53.702627+05:18 linode amavis[24900]: (24900-13) Passed BAD-HEADER, <webmaster@mcfcomplex.in> -> <Timofeiene351@yahoo.com>, Message-ID: <20121216145253.2F08B2AE81@linode.florix.net>, mail_id: 3NgtUp3w8hJt, Hits: -0.799, size: 654, queued_as: A874D2AE5B, 505 ms
    2012-12-16T20:22:53.705182+05:18 linode postfix/smtp[32673]: 2F08B2AE81: to=<Timofeiene351@yahoo.com>, relay=[]:10024, delay=0.51, delays=0/0/0/0.51, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=24900-13, from MTA([]:10025): 250 2.0.0 Ok: queued as A874D2AE5B)
    2012-12-16T20:22:53.705501+05:18 linode postfix/qmgr[3150]: 2F08B2AE81: removed
    2012-12-16T20:22:54.313849+05:18 linode postfix/smtp[32747]: A874D2AE5B: to=<Timofeiene351@yahoo.com>, relay=mta5.am0.yahoodns.net[]:25, delay=0.63, delays=0.01/0/0.17/0.45, dsn=2.0.0, status=sent (250 ok Sun Dec 16 06:52:54 2012: ql 229824655, qr 0)
    2012-12-16T20:22:54.314276+05:18 linode postfix/qmgr[3150]: A874D2AE5B: removed
  6. till

    till Super Moderator

    This is the sender address and not necessarily the account which is used to send the emails. Don't mix that up: the sender address and sending account can be the same but don't have to be the same!

    You have to find the login when the first spam email of a session is sent, there is no new login for each message.

    There are 3 options:

    1) The emails are sent through a local script.
    2) The emails are sent through an authenticated account.
    3) Your server is an open relay (check: http://mxtoolbox.com/diagnostic.aspx)

    If you want to find out more about the emails, then you can inspect their headers in the queue with the postcat command.
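
Added example, not part of the thread: a log classifier that labels each Postfix queue ID by how the message entered (local `pickup` by uid, authenticated SMTP login, or unauthenticated client) and follows the amavis hand-off ("queued as ...") back to the first queue ID. The sample log is constructed in the thread's format; the loopback address, other IPs, hostnames and the `sasl_username` line are assumptions, since the thread's logs had the IPs stripped.

```python
import re

# Constructed sample in the thread's log format. Addresses, hosts and the
# sasl_username line are made up; the thread's logs had the IPs stripped.
SAMPLE_LOG = """\
2012-12-16T20:22:53.192803+05:18 linode postfix/pickup[32607]: 2F08B2AE81: uid=48 from=<webmaster@example.in>
2012-12-16T20:22:53.690177+05:18 linode postfix/smtpd[32412]: A874D2AE5B: client=unknown[127.0.0.1]
2012-12-16T20:22:53.705182+05:18 linode postfix/smtp[32673]: 2F08B2AE81: to=<rcpt@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.51, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=24900-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A874D2AE5B)
2012-12-16T20:22:54.313849+05:18 linode postfix/smtp[32747]: A874D2AE5B: to=<rcpt@example.com>, relay=mx.example.com[192.0.2.25]:25, dsn=2.0.0, status=sent (250 ok)
2012-12-16T20:30:01.000000+05:18 linode postfix/smtpd[32800]: B1C2D3E4F5: client=host.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=user@example.in
2012-12-16T20:31:00.000000+05:18 linode postfix/smtpd[32801]: C0FFEE1234: client=unknown[203.0.113.9]
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")
FILTER_HANDOFF = re.compile(r"relay=\S*\[(?:127\.0\.0\.1|::1)\]:\d+.*queued as ([0-9A-F]+)\)")
LOCAL = {"127.0.0.1", "::1"}

def classify(log_text):
    """Map each queue ID to the way its message first entered Postfix."""
    origin, parent = {}, {}  # parent: re-injected ID -> ID handed to the filter
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "pickup" and (u := re.match(r"uid=(\d+)", rest)):
            # pickup = dropped into the queue by the local sendmail binary
            origin[qid] = f"local submission by uid {u.group(1)}"
        elif daemon == "smtpd" and (c := re.match(r"client=\S*\[([^\]]*)\]", rest)):
            ip = c.group(1)
            sasl = re.search(r"sasl_username=(\S+)", rest)
            if sasl:
                origin[qid] = f"authenticated as {sasl.group(1)} from {ip}"
            elif ip in LOCAL:
                origin[qid] = "re-injected from localhost"
            else:
                origin[qid] = f"unauthenticated SMTP client {ip}"
        elif daemon == "smtp" and (h := FILTER_HANDOFF.search(rest)):
            parent[h.group(1)] = qid
    resolved = {}
    for qid in origin:
        root = qid
        while root in parent:  # walk filter hand-offs back to the first queue ID
            root = parent[root]
        resolved[qid] = origin.get(root, origin[qid])
    return resolved
```

Run `classify()` over the real mail log; a queue ID that resolves to a `pickup` uid points at a local process, and the uid can be matched to an account in `/etc/passwd`.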
  7. florix.net

    florix.net Member

    Hi Till,

    I think it's happening by an authenticated user machine; after the POP3 login, the bunch of spam arrives.

    The sender is sending small bunch at random intervals, hence difficult to track. I have changed the password of one email id associated with that domain.

    I will keep you posted.
  8. florix.net

    florix.net Member

    One more burst ..

    The postcat shows this

    [root@linode log]# postcat -q EEE6E2AF15
    *** ENVELOPE RECORDS deferred/E/EEE6E2AF15 ***
    message_size: 6037 490 1 0
    message_arrival_time: Fri Dec 21 16:35:47 2012
    create_time: Fri Dec 21 16:35:47 2012
    named_attribute: rewrite_context=local
    sender: webmaster@mcfcomplex.in
    named_attribute: encoding=7bit
    named_attribute: log_client_address=
    named_attribute: log_message_origin=unknown[]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=unknown
    named_attribute: reverse_client_name=unknown
    named_attribute: client_address=
    named_attribute: helo_name=localhost
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;amicpht@yahoo.com
    original_recipient: amicpht@yahoo.com
    recipient: amicpht@yahoo.com
    *** MESSAGE CONTENTS deferred/E/EEE6E2AF15 ***
    Received: from localhost (unknown [])
    by linode.florix.net (Postfix) with ESMTP id EEE6E2AF15
    for <amicpht@yahoo.com>; Fri, 21 Dec 2012 11:05:47 +0000 (UTC)
    X-Virus-Scanned: amavisd-new at linode.florix.net
    X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with
    expected boundary
    Received: from linode.florix.net ([])
    by localhost (linode.florix.net []) (amavisd-new, port 10024)
    with ESMTP id Pael-rtGiT-i for <amicpht@yahoo.com>;
    Fri, 21 Dec 2012 16:35:44 +0530 (IST)
    Received: by linode.florix.net (Postfix, from userid 48)
    id DF22322804A; Fri, 21 Dec 2012 16:30:51 +0530 (IST)
    To: amicpht@yahoo.com
    Subject: Tracking ID (961)73-961-961-9798-9798
    From: "Express Service" <user-zp@hialeah.com>
    X-Mailer: TWIG2.6.2
    Reply-To: "Express Service" <user-zp@hialeah.com>
    Mime-Version: 1.0
    Message-Id: <20121221110051.DF22322804A@linode.florix.net>
    Date: Fri, 21 Dec 2012 16:30:51 +0530 (IST)
  9. florix.net

    florix.net Member

    Hi Till,

    Please let me know .. I am unable to stop this junk.

    How can we simply disable a domain from sending any emails?

