Mails bouncing in the account which were never sent.

Discussion in 'Installation/Configuration' started by pawan, Nov 18, 2012.

  1. pawan

    pawan Member HowtoForge Supporter

    Today I have received many bounced mails in my account, which I never sent.

    It appears that my system is compromised and mails are being sent from my account.

    Please suggest an appropriate solution to overcome this.

    Here is a copy of the bounced mail.

    This is the mail system at host
    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.
    For further assistance, please send mail to postmaster.
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
                       The mail system
    <[email protected]>: host[] said: 554
        delivery error: dd This user doesn't have a account
        ([email protected]) [0] - (in reply to end of
        DATA command)
    Reporting-MTA: dns;
    X-Postfix-Queue-ID: 9E0EB2101C6C
    X-Postfix-Sender: rfc822; [email protected]
    Arrival-Date: Sun, 18 Nov 2012 16:35:54 +0530 (IST)
    Final-Recipient: rfc822; [email protected]
    Original-Recipient: rfc822;[email protected]
    Action: failed
    Status: 5.0.0
    Remote-MTA: dns;
    Diagnostic-Code: smtp; 554 delivery error: dd This user doesn't have a account ([email protected]) [0] -
    Return-Path: <[email protected]>
    Received: from localhost (localhost.localdomain [])
    	by (Postfix) with ESMTP id 9E0EB2101C6C
    	for <[email protected]>; Sun, 18 Nov 2012 16:35:54 +0530 (IST)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; h=
    	:mime-version:received:received; s=mail; t=1353236753; x=
    	1355051153; bh=tql5hx8+TtPY6Up7FZKa82B2NIa3/LRZI5lS673xuFU=; b=S
    X-Virus-Scanned: Debian amavisd-new at
    Received: from ([])
    	by localhost ( []) (amavisd-new, port 10024)
    	with ESMTP id Nqrq6J9OM3NU for <[email protected]>;
    	Sun, 18 Nov 2012 16:35:53 +0530 (IST)
    Received: from hannes (unknown [])
    	(Authenticated sender: [email protected])
    	by (Postfix) with ESMTPA id 886922101C2F
    	for <[email protected]>; Sun, 18 Nov 2012 16:35:52 +0530 (IST)
    MIME-Version: 1.0
    Date: Sun, 18 Nov 2012 14:05:50 +0300
    X-Priority: 3 (Normal)
    X-Mailer: Mailman v3.3.3
    Subject: Change your way of life
    From: [email protected]
    Reply-To: [email protected]
    To: "jdabulan" <[email protected]>
    Content-Type: text/plain
    Content-Transfer-Encoding: quoted-printable
    Message-ID: <[email protected]>
    Greetings,=0A=0AMy dear fellow gay citizens! I salute you, and would lik=
    e to welcome you to my web site. Using this simple tool we can arrange a=
     meeting to execute all kinds of sex dreams you can imagine starting fro=
    m anal to BDSM and simple oral and urinal joys! We're promoting gay way =
    of life to the masses and want to invite you to our web site=0A=0Ahttps:=
    **********************************=0AThis message was sent according to =
    Google's Terms of Service. If you find this message abusing or would lik=
    e to file a complaint or submit a legal request please contact us at htt=
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This does not necessarily mean that the server is compromised; most likely someone just got the password of an email account on your server, e.g. when the user authenticated without encryption over an open WLAN and someone sniffed the password. Is this an email account on your server?

    [email protected]

    If yes, then you should change the password of this account to stop the mail sending.
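The question above hinges on one detail of the bounced message: the hop that says "with ESMTPA" and "(Authenticated sender: ...)" shows the spam was submitted with a valid login for that mailbox, not merely with a forged From address. The following script is an added example, not code from the thread or from ISPConfig, that pulls that information out of a returned message so you can see which account was used and from where. The sample message, addresses, hostnames and IP addresses in it are constructed placeholders modelled on the headers pasted above, not values from the thread.

```python
import re
from email import message_from_string

# Constructed sample modelled on the bounce quoted in the thread.
# Addresses, hostnames and the client IP are placeholders (RFC 5737 / example.com).
SAMPLE_RETURNED_MESSAGE = """\
Return-Path: <victim@example.com>
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby mail.example.com (Postfix) with ESMTP id 9E0EB2101C6C
\tfor <someone@example.net>; Sun, 18 Nov 2012 16:35:54 +0530 (IST)
Received: from mail.example.com ([127.0.0.1])
\tby localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id Nqrq6J9OM3NU for <someone@example.net>;
\tSun, 18 Nov 2012 16:35:53 +0530 (IST)
Received: from hannes (unknown [203.0.113.45])
\t(Authenticated sender: victim@example.com)
\tby mail.example.com (Postfix) with ESMTPA id 886922101C2F
\tfor <someone@example.net>; Sun, 18 Nov 2012 16:35:52 +0530 (IST)
From: victim@example.com
To: someone@example.net
Subject: Change your way of life

(body omitted)
"""

# Postfix writes "(Authenticated sender: user)" into the Received header of a
# SASL-authenticated submission and marks the protocol as ESMTPA / ESMTPSA.
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)")
FROM_RE = re.compile(r"^from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)")
WITH_RE = re.compile(r"\bwith\s+(E?SMTPS?A?)\b")


def _returned_original(msg):
    """A real DSN wraps the returned mail in a message/rfc822 part; text pasted
    from a mail client (as in the thread) is already the bare message."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return msg


def find_authenticated_submission(raw_message):
    """Return details of the hop where the mail was submitted with a login,
    or None if no Received header carries an authenticated sender."""
    msg = _returned_original(message_from_string(raw_message))
    for hop in msg.get_all("Received", []):
        # Collapse folded continuation lines into one line before matching.
        text = re.sub(r"\s+", " ", str(hop)).strip()
        auth = AUTH_RE.search(text)
        if not auth:
            continue
        client = FROM_RE.match(text)
        proto = WITH_RE.search(text)
        return {
            "account": auth.group(1),                      # mailbox whose password was used
            "client_helo": client.group(1) if client else None,
            "client_rdns": client.group(2) if client else None,
            "client_ip": client.group(3) if client else None,
            "protocol": proto.group(1) if proto else None,  # ESMTPA = authenticated, unencrypted
            "from_header": msg.get("From"),
        }
    return None


if __name__ == "__main__":
    hit = find_authenticated_submission(SAMPLE_RETURNED_MESSAGE)
    if hit is None:
        print("no authenticated submission found: likely a forged sender, not a stolen password")
    else:
        print(f"account {hit['account']} submitted the mail from {hit['client_ip']} "
              f"(HELO {hit['client_helo']}, protocol {hit['protocol']})")
```

If the function returns None, the message reached your server without a login and the From address was simply forged, which is a different problem (backscatter) than the one in this thread. A result with "ESMTPA" rather than "ESMTPSA" also tells you the client authenticated without TLS, which is exactly how a password gets sniffed on an open network.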
  3. pawan

    pawan Member HowtoForge Supporter

    Yes, this mail account is on the server.
    I have changed the password and that appears to have solved the problem, but how can I prevent the same in the future?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You cannot prevent it. If you give someone a password for a service on your server like mail, ftp, ssh, mysql, etc. then it can happen that he loses the password or someone steals or guesses the password etc. So all you can do is to monitor your system and when you recognize any unusual activity, investigate it and shut down the account or change the password.
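The monitoring suggested above can be automated against the Postfix mail log, where every SASL-authenticated submission is logged by smtpd as a line containing client=, sasl_method= and sasl_username=. The script below is an added example (not code from the thread or from ISPConfig) that counts submissions and distinct client IPs per account over whatever slice of the log you feed it and flags accounts that exceed a threshold. The log lines, accounts, IPs and thresholds are constructed for the example; tune the thresholds to your own users' normal volume.

```python
import re
from collections import defaultdict

# Matches the smtpd line Postfix logs for a SASL-authenticated client, e.g.
# "Nov 18 16:35:52 mail postfix/smtpd[4021]: 886922101C2F: client=unknown[203.0.113.45],
#  sasl_method=LOGIN, sasl_username=victim@example.com"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]*)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)

# Constructed sample log: one normal user, one account whose password leaked,
# plus an unrelated line the parser must skip. Addresses and IPs are placeholders.
SAMPLE_LOG = [
    "Nov 18 09:12:01 mail postfix/smtpd[4021]: 1A2B3C4D5E: client=dsl.isp.example[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com",
    "Nov 18 11:40:17 mail postfix/smtpd[4021]: 1A2B3C4D5F: client=dsl.isp.example[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com",
    "Nov 18 14:03:55 mail postfix/smtpd[4021]: 1A2B3C4D60: client=dsl.isp.example[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com",
    "Nov 18 14:04:02 mail postfix/smtpd[4021]: lost connection after CONNECT from unknown[203.0.113.9]",
] + [
    # 25 submissions in one minute from six different addresses: the pattern of a
    # stolen password being used by a spam bot.
    f"Nov 18 16:35:{i:02d} mail postfix/smtpd[4021]: {0x886922101C2F + i:X}: "
    f"client=unknown[203.0.113.{40 + i % 6}], sasl_method=LOGIN, sasl_username=victim@example.com"
    for i in range(25)
]


def parse_sasl_logins(lines):
    """Extract the authenticated-submission events from raw log lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_accounts(lines, max_messages=20, max_ips=3):
    """Aggregate submissions per SASL user over the supplied lines and return
    the accounts that exceed either threshold, with the reasons."""
    by_user = defaultdict(lambda: {"messages": 0, "ips": set()})
    for ev in parse_sasl_logins(lines):
        by_user[ev["user"]]["messages"] += 1
        by_user[ev["user"]]["ips"].add(ev["ip"])

    flagged = {}
    for user, stats in by_user.items():
        reasons = []
        if stats["messages"] > max_messages:
            reasons.append(f"{stats['messages']} submissions (limit {max_messages})")
        if len(stats["ips"]) > max_ips:
            reasons.append(f"{len(stats['ips'])} distinct client IPs (limit {max_ips})")
        if reasons:
            flagged[user] = {
                "messages": stats["messages"],
                "distinct_ips": len(stats["ips"]),
                "reasons": reasons,
            }
    return flagged


if __name__ == "__main__":
    for user, info in find_suspicious_accounts(SAMPLE_LOG).items():
        print(f"{user}: {'; '.join(info['reasons'])} -> change the password and check the client")
```

Feed it the last hour of /var/log/mail.log from cron (or a tail of the log) so the counts apply to a known window. Postfix's own smtpd_client_message_rate_limit throttles per client IP rather than per login, which is why a bot cycling through several addresses, as in the sample, slips past it but shows up in the per-account view here.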
