My server is suddenly being used for unauthorised SPAM

Discussion in 'Installation/Configuration' started by pawan, Aug 19, 2010.

  1. pawan

    pawan Member HowtoForge Supporter

    Dear all,
    What steps should I take to stop this? There are a number of mails like this that I received today all of a sudden. I do not have any user like ebihoegac2233 on my server, but the returned mail shows X-Postfix-Sender: rfc822; [email protected].

    How can I stop this? What measures should I take?

    Reporting-MTA: dns;
    X-Postfix-Queue-ID: 91A658C9C70
    X-Postfix-Sender: rfc822; [email protected]
    Arrival-Date: Thu, 19 Aug 2010 10:19:07 -0400 (EDT)
    Final-Recipient: rfc822; [email protected]
    Original-Recipient: rfc822;[email protected]
    Action: failed
    Status: 5.1.1
    Remote-MTA: dns;
    Diagnostic-Code: smtp; 550 5.1.1 <[email protected]>: Recipient address
        rejected: User unknown in relay recipient table
  2. HyperAtom

    HyperAtom New Member

    I think it's just spammers spoofing a mailbox which doesn't exist on your domain. I'm not entirely sure, but have you tried setting up an SPF record in your DNS?
  3. pawan

    pawan Member HowtoForge Supporter

    Yes, I am using SPF.

    LIKE - v=spf1 mx ~all

    Can I make it more stringent?

    Here I am giving the contents of another returned mail, which even mentions my IP address, i.e. 59.90144.48

    Hi. This is the qmail-send program at
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <[email protected]>:
    Sorry, no mailbox here by that name. (#5.1.1)

    --- Below this line is a copy of the message.

    Return-Path: <[email protected]>
    Received: (qmail 27607 invoked by uid 507); 19 Aug 2010 16:23:00 +0300
    Received: from (
    by with SMTP; 19 Aug 2010 16:23:00 +0300
    From: <[email protected]>
    To: [email protected]
    Date: Thu, 19 Aug 2010 18:53:02 +0530
    Subject: Don't be a killjoy when the lights go off
    Reply-To: <[email protected]>
    MIME-Version: 1.0
    Content-Type: text/plain; charset="ISO-8859-1"
    Content-Transfer-Encoding: 8bit

    Check out our latest packages on traditional medical cures
    Last edited: Aug 19, 2010
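To make the difference between `~all` and a stricter `-all` concrete, here is a small SPF evaluator added as an example (it is not code from the thread or from any poster). DNS lookups are replaced by a constructed in-memory table so it runs offline; the domains, hostnames and addresses in it are made up, and it only implements the `mx`, `a`, `ip4` and `all` mechanisms.

```python
"""Minimal SPF evaluator (added example, not from the thread).

Shows why `v=spf1 mx ~all` only *softfails* a spoofed sender while
`v=spf1 mx -all` *fails* it. DNS is replaced by a constructed table so
the script runs offline; every name and address below is made up.
"""
import ipaddress

# Constructed DNS data (assumption: the poster's domain is example.org).
DNS = {
    "TXT": {
        "soft.example.org": "v=spf1 mx ~all",
        "hard.example.org": "v=spf1 mx -all",
        "wide.example.org": "v=spf1 mx ip4:198.51.100.0/24 -all",
    },
    "MX": {
        "soft.example.org": ["mail.example.org"],
        "hard.example.org": ["mail.example.org"],
        "wide.example.org": ["mail.example.org"],
    },
    "A": {"mail.example.org": ["192.0.2.10"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_in(ip, cidr):
    """True if `ip` lies inside `cidr` (a bare address counts as a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, dns=DNS):
    """Evaluate the SPF record of `domain` for a connecting client `ip`.

    Returns pass / fail / softfail / neutral / none / permerror, following
    the left-to-right, first-match rule of SPF.
    """
    record = dns["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain

    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = _ip_in(ip, arg)
        elif mech == "a":
            matched = ip in dns["A"].get(arg or domain, [])
        elif mech == "mx":
            # The client must be one of the domain's MX hosts.
            matched = any(ip in dns["A"].get(mx, [])
                          for mx in dns["MX"].get(arg or domain, []))
        else:
            return "permerror"  # mechanism not supported by this toy evaluator

        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no `all` term was present


if __name__ == "__main__":
    for domain in ("soft.example.org", "hard.example.org"):
        print(domain, "legit MX host ->", check_host("192.0.2.10", domain))
        print(domain, "spoofing host ->", check_host("203.0.113.5", domain))
```

With `~all` a receiver is only told that a message from an unlisted host is probably unauthorised, and most leave it to spam scoring; with `-all` it is told the message is unauthorised outright and may reject it. Either way SPF only helps against forged envelope senders: if the mail is genuinely leaving the poster's own IP, the record will evaluate to `pass` and cannot stop it. For production use, a full implementation such as the `pyspf` package handles `include`, `redirect`, macros and lookup limits that this toy omits.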
  4. HyperAtom

    HyperAtom New Member

    I'm pretty sure it's nothing to worry about; the fact that your IP is listed in the header is just the recipient's mailserver resolving your domain, which has been spoofed anyway.

    I take it you're receiving these failed delivery reports from the admin account of your mailserver?
  5. pawan

    pawan Member HowtoForge Supporter

    I am much worried and need a solution ASAP, as my IP has also appeared after these mails in the PBL & CBL databases as blacklisted, and there it is mentioned that

    This IP is infected (or NATting for a computer that is infected) with the rustock spambot.
    So, dear HyperAtom and all senior members, please help me take some measures to resolve it.
  6. HyperAtom

    HyperAtom New Member

    This may be more serious than I thought; it seems the mail is really coming from your server. The best thing I can think of temporarily is to use OpenDNS servers, which block botnets, until some of the other members come up with something.

    Check your ClamAV logs + rkhunter for any warnings.
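Besides ClamAV and rkhunter, the quickest way to tell whether the spam is really being injected through this Postfix server is to read its own mail log. The script below is an added example (not code from the thread or any poster) that pairs each queue ID's `from=` line with its delivery `status=` lines and flags any sender or authenticated account behind an abnormal share of bounces. The log lines are constructed to follow Postfix's `smtpd`/`qmgr`/`smtp` logging format; the hosts, users, queue IDs and the idea that the server accepts SASL-authenticated submissions are all assumptions for the example.

```python
"""Bounce-ratio triage of a Postfix mail log (added example, not from the thread).

A compromised host or a stolen submission account typically shows up as one
sender (or one client) behind many messages, most of which bounce with
"user unknown". Every log line below is constructed for the example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: names, addresses, PIDs and queue IDs are made up.
SAMPLE_LOG = """\
Aug 19 10:19:05 mx postfix/smtpd[4010]: AAA111: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.org
Aug 19 10:19:05 mx postfix/qmgr[3301]: AAA111: from=<alice@example.org>, size=2190, nrcpt=1 (queue active)
Aug 19 10:19:06 mx postfix/smtp[4021]: AAA111: to=<nobody1@example.net>, relay=mx.example.net[192.0.2.5]:25, delay=1.1, status=bounced (host said: 550 5.1.1 User unknown)
Aug 19 10:19:07 mx postfix/smtpd[4010]: AAA112: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.org
Aug 19 10:19:07 mx postfix/qmgr[3301]: AAA112: from=<alice@example.org>, size=2190, nrcpt=1 (queue active)
Aug 19 10:19:08 mx postfix/smtp[4021]: AAA112: to=<nobody2@example.net>, relay=mx.example.net[192.0.2.5]:25, delay=1.0, status=bounced (host said: 550 5.1.1 User unknown)
Aug 19 10:19:09 mx postfix/smtpd[4010]: AAA113: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.org
Aug 19 10:19:09 mx postfix/qmgr[3301]: AAA113: from=<alice@example.org>, size=2190, nrcpt=1 (queue active)
Aug 19 10:19:10 mx postfix/smtp[4021]: AAA113: to=<bob@example.net>, relay=mx.example.net[192.0.2.5]:25, delay=0.9, status=sent (250 2.0.0 OK)
Aug 19 10:20:00 mx postfix/pickup[3300]: BBB201: uid=0 from=<root@mx.example.org>
Aug 19 10:20:00 mx postfix/qmgr[3301]: BBB201: from=<root@mx.example.org>, size=800, nrcpt=1 (queue active)
Aug 19 10:20:01 mx postfix/smtp[4021]: BBB201: to=<admin@example.net>, relay=mx.example.net[192.0.2.5]:25, delay=0.8, status=sent (250 2.0.0 OK)
"""

# "postfix/<daemon>[pid]: <QUEUEID>: <rest>" -- lines without a queue ID are skipped.
QID_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-Z]+): (.*)$")
FROM_RE = re.compile(r"from=<([^>]*)>")
STATUS_RE = re.compile(r"status=(\w+)")
CLIENT_RE = re.compile(r"client=([^,\s]+)")
SASL_RE = re.compile(r"sasl_username=([^,\s]+)")


def parse_log(text):
    """Group smtpd/qmgr/smtp lines by queue ID into one record per message."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs[qid]
        if daemon == "smtpd":          # who connected and how they authenticated
            if (c := CLIENT_RE.search(rest)):
                rec["client"] = c.group(1)
            if (s := SASL_RE.search(rest)):
                rec["sasl"] = s.group(1)
        elif daemon == "qmgr":         # envelope sender once the message is queued
            if (f := FROM_RE.search(rest)):
                rec["from"] = f.group(1)
        elif daemon == "smtp":         # one status line per recipient delivery
            if (st := STATUS_RE.search(rest)):
                rec.setdefault("statuses", []).append(st.group(1))
    return dict(msgs)


def triage(text, bounce_ratio=0.5, min_messages=2):
    """Return {sender: (messages, bounced)} for senders whose bounce share
    is at least `bounce_ratio` over at least `min_messages` messages.
    The sender key is the SASL account when present, else the envelope from."""
    total, bounced = Counter(), Counter()
    for rec in parse_log(text).values():
        key = rec.get("sasl") or rec.get("from", "<>")
        total[key] += 1
        if "bounced" in rec.get("statuses", []):
            bounced[key] += 1
    return {key: (n, bounced[key]) for key, n in total.items()
            if n >= min_messages and bounced[key] / n >= bounce_ratio}


if __name__ == "__main__":
    for sender, (n, b) in triage(SAMPLE_LOG).items():
        print(f"suspicious sender {sender}: {b} of {n} messages bounced")
```

Run it against a real `/var/log/mail.log` by reading the file into `triage()`; a sender with hundreds of messages and a high bounce share is the account or host to lock down, while a log with no such sender at all suggests the spam is not passing through Postfix and the blacklisting points at another machine behind the same IP, as the CBL note quoted above allows for.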
