Postfix sending Spam

Discussion in 'Server Operation' started by an_schall, Jan 20, 2021.

  1. an_schall

    an_schall New Member

    Hi,
    I am not an expert on postfix, so I am asking here: the server of a client of mine is sending spam. Here are some details from one of the spam emails:

    Code:
    *** ENVELOPE RECORDS active/27E70B3B1 ***
    message_size:            3001            2450              20               0            3001               0
    message_arrival_time: Fri Jan 15 10:06:00 2021
    create_time: Fri Jan 15 10:06:01 2021
    named_attribute: log_ident=27E70B3B1
    named_attribute: rewrite_context=remote
    named_attribute: sasl_method=LOGIN
    named_attribute: sasl_username=bounce
    sender: [email protected]
    named_attribute: log_client_name=unknown
    named_attribute: log_client_address=91.224.92.168
    named_attribute: log_client_port=52564
    named_attribute: log_message_origin=unknown[91.224.92.168]
    named_attribute: log_helo_name=[91.224.92.168]
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=unknown
    named_attribute: reverse_client_name=srv-91-224-92-168.serveroffer.net
    named_attribute: client_address=91.224.92.168
    named_attribute: client_port=52564
    named_attribute: server_address=foo.bar.baz.xxx
    named_attribute: server_port=25
    named_attribute: helo_name=[91.224.92.168]
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;grl[email protected]

    Does it mean that the spammer has valid credentials for user "bounce", or is the spam coming from another server and my client's server is relaying the mails?

    Thanks!
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer, Staff Member

    Yes, that looks to be authenticated as the "bounce" user, and came from client_address=91.224.92.168. Change the "bounce" password, or delete the account entirely if appropriate (fwiw, postfix does not use a "bounce" user for anything internally, so safe to delete from postfix's perspective).
     
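The reading Jesse gives above (sasl_username present in the envelope means the client logged in with that account's password, and client_address is where it logged in from) can be automated so the same check runs over every queued message and over mail.log. The script below is an added example written for this thread; it is not code from the thread, from ISPConfig or from Postfix. It parses the envelope records that `postcat -q <queue_id>` prints (the format pasted in the question) and the `client=` lines that smtpd writes to mail.log, and tallies accepted messages per SASL user and client IP so the abused account stands out. The sample envelope is constructed after the one in the question with the redacted addresses replaced by example.com placeholders, and the mail.log lines are constructed too.

```python
"""Tell an authenticated-abuse message from an unauthenticated relay in Postfix records.

Added example for this thread (not code from the thread or from Postfix itself).
Inputs: the envelope section of `postcat -q <queue_id>` and smtpd lines from
mail.log. SAMPLE_ENVELOPE and SAMPLE_LOG below are constructed test data.
"""
import re
from collections import Counter

# One "named_attribute: key=value" per line in postcat's envelope section.
ATTR_RE = re.compile(r"^\s*named_attribute:\s*(\w+)=(.*)$")

# smtpd's acceptance line. The ", sasl_method=..., sasl_username=..." suffix is
# only logged when the client authenticated; its absence means no login was used.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+))?"
)


def parse_envelope(postcat_output: str) -> dict:
    """Collect named_attribute records (and the sender line) into a dict."""
    attrs = {}
    for line in postcat_output.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
        elif line.strip().startswith("sender:"):
            attrs["sender"] = line.split(":", 1)[1].strip()
    return attrs


def classify_envelope(attrs: dict) -> dict:
    """sasl_username present: the sender logged in with that account's password.
    Absent: the message was accepted without authentication (mynetworks or relay)."""
    client = attrs.get("client_address", "?")
    user = attrs.get("sasl_username")
    if user:
        return {"verdict": "authenticated", "sasl_username": user,
                "sasl_method": attrs.get("sasl_method"), "client_address": client}
    return {"verdict": "unauthenticated", "sasl_username": None,
            "sasl_method": None, "client_address": client}


def tally_sasl_logins(log_text: str) -> Counter:
    """Count accepted messages per (sasl_username, client IP) across mail.log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m and m.group("user"):
            counts[(m.group("user"), m.group("ip"))] += 1
    return counts


def top_abused_accounts(log_text: str, limit: int = 5) -> list:
    """(user, ip, count) triples, busiest first: the accounts to lock or re-password."""
    return [(u, ip, n) for (u, ip), n in tally_sasl_logins(log_text).most_common(limit)]


# Constructed sample: the envelope from the question, addresses replaced.
SAMPLE_ENVELOPE = """\
*** ENVELOPE RECORDS active/27E70B3B1 ***
message_arrival_time: Fri Jan 15 10:06:00 2021
named_attribute: log_ident=27E70B3B1
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=bounce
sender: bounce@example.com
named_attribute: client_name=unknown
named_attribute: client_address=91.224.92.168
named_attribute: helo_name=[91.224.92.168]
named_attribute: protocol_name=ESMTP
"""

# Constructed mail.log lines: two authenticated submissions by "bounce" from one
# IP, plus one ordinary inbound message that carries no SASL fields.
SAMPLE_LOG = """\
Jan 15 10:06:00 mx postfix/smtpd[2210]: 27E70B3B1: client=unknown[91.224.92.168], sasl_method=LOGIN, sasl_username=bounce
Jan 15 10:06:03 mx postfix/smtpd[2210]: 3A1F0B3B2: client=unknown[91.224.92.168], sasl_method=LOGIN, sasl_username=bounce
Jan 15 10:07:10 mx postfix/smtpd[2214]: 4C2E1B3B3: client=mail.example.org[203.0.113.5]
"""

if __name__ == "__main__":
    print(classify_envelope(parse_envelope(SAMPLE_ENVELOPE)))
    print(top_abused_accounts(SAMPLE_LOG))
```

On a live server, feed `postcat -q <queue_id>` output to parse_envelope and the contents of mail.log to top_abused_accounts; a single account appearing thousands of times from one or a few unfamiliar IPs is the compromised login, while a flood of accepted messages with no sasl_username at all points at an unauthenticated relay path instead.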
