Outgoing spam

Discussion in 'General' started by Typhon, Feb 1, 2014.

  1. Typhon

    Typhon New Member

    One of my users is usig his account to send spam, but the problem is that I do not how to spot him.
    When I pass this command "mailq | grep ^ [A-F0-9] | cut-c 42-80 | sort | uniq-c | sort-n | tail" it gives me:
    ****** MAILER-DAEMON 2
    ***** 35 [email protected]
    But none of my users possess [email protected].
    Thank you for helping !
  2. Typhon

    Typhon New Member

    Please help, my ISP blocked the 25 port :s
    How to spot the spammer please ?
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look into the email in your queue with postcat command, either you see trough which smtp account the emails have been send so that you can change the password or you see which php script in which website has sent the email.
  4. Typhon

    Typhon New Member

    Thanks Till, i tried and and it's give me a huge list :
    "[email protected]" none of my users possess "[email protected]" :(
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You must use postcat, not postqueue. Postcat is a command to inspect the content of a email that is in the queue. example:

    your first email in the queue has the ID 520CB1B4C422, so you can see its content with:

    postcat /var/spool/postfix/deferred/5/520CB1B4C422

    when the email is already in the deferred queue.
  6. Typhon

    Typhon New Member

    I got this :
    Last edited by a moderator: Feb 1, 2014
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The email has been sent by the account:

    (Authenticated sender: [email protected])

    with correct username and password. so all you have to do is to change the password of that account and then restart postfix, dovecot, courer-authdaemon and saslauthd (only the software that are installed on your server).
  8. Typhon

    Typhon New Member

    Thank you !
    Do you have any suggestions to avoid this kind of problems?
    How to change / block the 25 port ?
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    You can not avoid this problem without shutting down your mailserver. The spam has been sent trough a legetimite account e.g. because the user of this account has a virus or trojan on his desktop.

    Another possibility is that the user of that account used his mail account in a internet cafe or open wlan without encryption. If this was the case, then you should tell the user to use smtps and pop3s/imaps instead of the unencrypted protocols to connect to your server.
  10. sjau

    sjau Local Meanie Moderator

    one option would be to relay your outgoing email through a different server.
  11. ysmark

    ysmark New Member

    how we can prevent a spam from authenticated users?
    Thank you

Share This Page