Possible email hack and spam

Discussion in 'ISPConfig 3 Priority Support' started by Gaston Girardi, Jul 31, 2020.

  1. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    Hi all, I'm desperate, hope anybody can help me, i log into the panel went to monitor to check email log and i see this:

    Code:
    Jul 31 00:24:59 server1 postfix/smtp[20327]: 411EA6711B: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25, delay=165491, delays=165317/173/1.6/0.11, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.74] said: 421 4.7.0 [TSS04] Messages from 70.35.204.220 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
    Jul 31 00:24:59 server1 postfix/smtp[19755]: connect to ebd.be[2a05:d014:9da:8c10:306e:3e07:a16f:a552]:25: No route to host
    Jul 31 00:24:59 server1 postfix/smtp[20327]: 411EA6711B: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25, delay=165491, delays=165317/173/1.6/0.11, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.74] said: 421 4.7.0 [TSS04] Messages from 70.35.204.220 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
    Jul 31 00:24:59 server1 postfix/smtp[20101]: 4255D65D4B: to=<[email protected]>, relay=mta5.am0.yahoodns.net[98.136.96.77]:25, delay=162874, delays=162700/174/0.42/0.03, dsn=4.7.0, status=deferred (host mta5.am0.yahoodns.net[98.136.96.77] said: 421 4.7.0 [TSS04] Messages from 70.35.204.220 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
    Jul 31 00:24:59 server1 postfix/smtp[19469]: 4739D662E1: host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 70.35.204.220 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
    Jul 31 00:24:59 server1 postfix/smtp[19469]: 4739D662E1: lost connection with mx-eu.mail.am0.yahoodns.net[188.125.72.73] while sending RCPT TO
    Jul 31 00:24:59 server1 postfix/smtp[20101]: 4255D65D4B: to=<[email protected].com>, relay=mta5.am0.yahoodns.net[98.136.96.77]:25, delay=162874, delays=162700/174/0.42/0.03, dsn=4.7.0, status=deferred (host mta5.am0.yahoodns.net[98.136.96.77] said: 421 4.7.0 [TSS04] Messages from 70.35.204.220 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
    
    This is a small extract of the log, but it is all like this.

    If i understand right those are all outgoing mail, right?, and checking for the email address and the time between each registry those are SPAM.

    what can i do to stop it?, i'm desperate, i was trying to limit things with postfwd now i can't send email from outlook or any other software, email only go out from webmail, and all email reach the SPAM folder, my clients are upset, i've been beheind this for the last 10 hours i can't even think clearly.
     
    Last edited: Jul 31, 2020
  2. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    This is also a extract from mail Queue:

    Code:
    4AE1966985* 1746 Wed Jul 29 08:12:54 [email protected]
    (delivery temporarily suspended: host smtp-in.orange.fr[000.000.000.000] refused to talk to me: 550 mwinf5c29 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=000.000.000.000 [102])
    [email protected]
    (delivery temporarily suspended: lost connection with mx.glb.proximus.be[000.000.000.000] while receiving the initial server greeting)
    [email protected]
    (delivery temporarily suspended: host smtp-in.orange.fr[000.000.000.000] refused to talk to me: 550 mwinf5c29 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=000.000.000.000 [102])
    [email protected]
    (delivery temporarily suspended: host mx1.comcast.net[000.000.000.000] refused to talk to me: 554 resimta-po-05v.sys.comcast.net resimta-po-05v.sys.comcast.net 000.000.000.000 found on one or more DNSBLs, see http://postmaster.comcast.net/smtp-error-codes.php#BL000010)
    [email protected]
    (delivery temporarily suspended: lost connection with mx.glb.proximus.be[000.000.000.000] while receiving the initial server greeting)
    [email protected]
    (delivery temporarily suspended: host smtp-in.orange.fr[000.000.000.000] refused to talk to me: 550 mwinf5c29 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=000.000.000.000 [102])
    [email protected]
    [email protected]
    (delivery temporarily suspended: host etb-4.mail.tiscali.it[000.000.000.000] refused to talk to me: 554 cmgw-3.mail.tiscali.it 9hre2300V4lpqXa01 IP: 000.000.000.000, You are not allowed to send mail. Listed in Abusix Mail Intelligence, see http://abusix.ai/search?q=000.000.000.000)
    [email protected]
    (reason unavailable)
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    
    1BE706255C* 1746 Tue Jul 28 21:07:38 [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    
     
    Last edited: Jul 31, 2020
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Use the postcat command to see what's in the email headers to find out how they were sent to stop that.

    The command is:

    postcat -q ID

    where ID ist the alphanumeric ID that the postqueue command shows when you use it to view the content of the mailqueue.
     
    Gaston Girardi likes this.
  4. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    Ok I did that and i got the following:

    Code:
    postcat: warning: /etc/postfix/main.cf, line 97: overriding earlier entry: smtpd_recipient_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
    *** ENVELOPE RECORDS active/CD072632FD ***
    message_size:            1745            5429              50               0            1745               0
    message_arrival_time: Tue Jul 28 16:29:44 2020
    create_time: Tue Jul 28 16:29:44 2020
    named_attribute: log_ident=CD072632FD
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: encoding=7bit
    named_attribute: log_client_name=localhost.localdomain
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=33016
    named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost.localdomain
    named_attribute: reverse_client_name=localhost.localdomain
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=33016
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    
    *** MESSAGE CONTENTS active/CD072632FD ***
    Received: from localhost (localhost.localdomain [127.0.0.1])
            by server1.xxxxxxxxxx.net (Postfix) with ESMTP id CD072632FD;
            Tue, 28 Jul 2020 16:29:44 -0500 (CDT)
    X-Virus-Scanned: Debian amavisd-new at server1.xxxxxxxx.net
    Received: from server1.xxxxxxx.net ([127.0.0.1])
            by localhost (server1.xxxxxxxx.net [127.0.0.1]) (amavisd-new, port 10026)
            with ESMTP id Eu23xyTYIXSc; Tue, 28 Jul 2020 16:29:44 -0500 (CDT)
    Received: from User (unknown [62.113.202.89])
            (Authenticated sender: [email protected])
            by server1.hostbaires.net (Postfix) with ESMTPA id A3A5B632FB;
            Tue, 28 Jul 2020 16:29:37 -0500 (CDT)
    Reply-To: <[email protected]>
    From: "Mr. X"<[email protected]>
    Subject: Investment Partnership
    Date: Tue, 28 Jul 2020 14:29:44 -0700
    MIME-Version: 1.0
    Content-Type: text/plain;
            charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Message-Id: <[email protected]>
    
    Hi,
    I am a broker linked with high profile investors who are interested and
    willing to fund you in any current project you are undergoing, as they
    are
    privately seeking
    means of expanding their investment portfolio globally.
    
    To this end, we seek to know the possibility of going into partnership
    discussion with your company within your present scope of business.
    Should you be interested to engage us for a more detailed discussion
    on the aforementioned proposal, we would be happy to do so in whatever
    medium you find much more appropriate for this engagement.
    
    I look forward to your favorable response
    
    
    
    Mr. x
    *** HEADER EXTRACTED active/CD072632FD ***
    named_attribute: encoding=7bit
    *** MESSAGE FILE END active/CD072632FD ***
    
    i cut some emails because it is too much characters.

    If I understand it has something to do with this:

    postcat: warning: /etc/postfix/main.cf, line 97: overriding earlier entry: smtpd_recipient_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
     
    Last edited: Aug 3, 2020
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The reason for the issue is that someone got the password of an email account and uses this pwassord to send spam now. Change the password of the account that is mentioned in the line "Authenticated sender:" of the email content you posted and restart postfix. And please remove the email content from above post when this thread is solved as it contains various email addresses.

    Finally you want to clean up your mailqueue, this can be done with the postsuper command.
     
    Gaston Girardi likes this.
  6. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    I know which email address is that, today i had a long conversation because as password they use correlative numbers, after that they change the password.

    The command you mention is this
    postsuper -d ALL
     
    Last edited: Jul 31, 2020
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    With hold you keep all spam emails, if the queue contains still valid emails, then this is probably the only option. Otherwise use it without hold. Or you delete them selectively like this, e.g. by sender. Example:

     
    Gaston Girardi likes this.
  8. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    Thank you so much Till, i realised that is was without the "hold", and edit my previous message. You save me today, i owe you a big one.

    Also i remove all the emails from the other post
     
    Th0m and till like this.

Share This Page