Server sending spam on new ispconfig install

Discussion in 'General' started by betafer, Jul 12, 2017.

  1. betafer

    betafer Member

    We have just moved in to a new server, so a clean install of ispconfig 3.1.5 was made
    but postqueue is full of spam
    How can we stop them ?

    Thanks a lot !
     
  2. betafer

    betafer Member

    ul 12 14:48:05 srv postfix/error[1818]: warning: 8832915A4A6A: flush service failure
    Jul 12 14:48:05 srv postfix/smtp[30450]: connect to sun1.ukl.uni-freiburg.de[193.196.199.1]:25: Connection refused
    Jul 12 14:48:05 srv postfix/smtp[30450]: 6FCA815A2A6D: to=<andre@sun1.ukl.uni-freiburg.de>, relay=none, delay=9308, delays=8701/608/0.04/0, dsn=4.4.1, status=deferred (connect to sun1.ukl.uni-freiburg.de[193.196.199.1]:25: Connection refused)
    Jul 12 14:48:05 srv postfix/smtp[26643]: 236F715A29C9: to=<kaufhalle-rumpel@spender.mausraub.de>, relay=smtp.rzone.de[81.169.145.98]:25, delay=3410, delays=0.03/3409/0.17/0.07, dsn=5.7.1, status=bounced (host smtp.rzone.de[81.169.145.98] said: 550 5.7.1 Recipients have complained about included content (B-TEXT) (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[26643]: connect to spam.over.port25.me[217.11.54.111]:25: Connection refused
    Jul 12 14:48:05 srv postfix/smtp[28363]: 8832915A4A6A: to=<kaufhalle-totschlag@gruen.heldengedenktag.info>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.06/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[31082]: 236F715A29C9: to=<kaufhalle.wohlstand@trick.mausraub.de>, relay=smtp.rzone.de[2a01:238:20a:202:50f0::2097]:25, delay=3410, delays=0.03/3409/0.09/0.07, dsn=5.7.1, status=bounced (host smtp.rzone.de[2a01:238:20a:202:50f0::2097] said: 550 5.7.1 Recipients have complained about included content (B-TEXT) (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<kaufhalle-uhr@heldengedenktag.info>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<kaufhalle-wolfgang@heldengedenktag.info>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<kaufhaus-fahrschule@heldengedenktag.info>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<kaufhausgeneral@heldengedenktag.info>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[1703]: 6FCA815A2A6D: lost connection with correo.iservicesmail.com[217.130.24.40] while receiving the initial server greeting
    Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<kaufhauskompass@heldengedenktag.info>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<kaufhauszulieferer@heldengedenktag.info>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<kaufmann.bahnhof@heldengedenktag.info>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.05/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[31082]: connect to spam.over.port25.me[217.11.54.111]:25: Connection refused
    Jul 12 14:48:05 srv postfix/smtp[26643]: 8832915A4A6A: to=<kaufhaus.heidelberg@last.heldengedenktag.info>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.07/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[31082]: 8832915A4A6A: to=<kaufhaus.hydraulik@schmutz.heldengedenktag.info>, relay=spam.over.port25.me[2a00:1828:2000:23::111]:25, delay=3409, delays=0.03/3409/0.06/0.03, dsn=5.7.1, status=bounced (host spam.over.port25.me[2a00:1828:2000:23::111] said: 554 5.7.1 The recipient definitively does not want your mail. It will not be delivered but analyzed again. We may feed it to a spam blacklist. (in reply to end of DATA command))
    Jul 12 14:48:05 srv postfix/smtp[1703]: 6FCA815A2A6D: to=<andre@intercom.es>, relay=mail.iservicesmail.com[217.130.24.40]:25, delay=9308, delays=8701/608/0.23/0, dsn=4.4.2, status=deferred (lost connection with mail.iservicesmail.com[217.130.24.40] while receiving the initial server greeting)
    Jul 12 14:48:05 srv postfix/smtp[1703]: warning: mysql:/etc/postfix/mysql-virtual_relaydomains.cf: table lookup problem
    Jul 12 14:48:05 srv postfix/smtp[1703]: warning: 6FCA815A2A6D: flush service failure
    Jul 12 14:48:05 srv postfix/smtp[30149]: 5F8EF15A288C: to=<kathie.shadrick@goallinesolutions.com>, relay=goallinesolutions-com.mail.protection.outlook.com[23.103.157.10]:25, delay=3412, delays=0.03/3405/1.1/5.2, dsn=5.7.606, status=bounced (host goallinesolutions-com.mail.protection.outlook.com[23.103.157.10] said: 550 5.7.606 Access denied, banned sending IP [94.130.16.118]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526655 (AS16012609) [QB1CAN01FT008.eop-CAN01.prod.protection.outlook.com] (in reply to RCPT TO command))
    Jul 12 14:48:05 srv postfix/smtp[30133]: 8832915A4A6A: to=<kaufhaus-radius@bank.geldbube.de>, relay=smtp.rzone.de[2a01:238:20a:202:50f0::2097]:25, delay=3409, delays=0.03/3409/0.1/0.05, dsn=5.7.1, status=bounced (host smtp.rzone.de[2a01:238:20a:202:50f0::2097] said: 550 5.7.1 Recipients have complained about included content (B-TEXT) (in reply to end of DATA command))
    Jul 12 14:48:06 srv postfix/smtp[1610]: 5F8EF15A288C: to=<kathi.warren@lockerbiehole.com>, relay=lockerbiehole-com.mail.protection.outlook.com[23.103.157.42]:25, delay=3412, delays=0.03/3406/0.87/5.1, dsn=5.7.606, status=bounced (host lockerbiehole-com.mail.protection.outlook.com[23.103.157.42] said: 550 5.7.606 Access denied, banned sending IP [94.130.16.118]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526655 (AS16012609) [TO1CAN01FT003.eop-CAN01.prod.protection.outlook.com] (in reply to RCPT TO command))
    Jul 12 14:48:06 srv postfix/smtp[26643]: 8832915A4A6A: to=<kaufhausedgar.katherine@beinpixel.de>, relay=smtp.rzone.de[2a01:238:20a:202:50f0::2097]:25, delay=3409, delays=0.03/3409/0.09/0.08, dsn=5.7.1, status=bounced (host smtp.rzone.de[2a01:238:20a:202:50f0::2097] said: 550 5.7.1 Recipients have complained about included content (B-TEXT) (in reply to end of DATA command))
    Jul 12 14:48:06 srv pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 12 14:48:06 srv pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 12 14:48:06 srv postfix/smtpd[20881]: connect from localhost.localdomain[127.0.0.1]
    Jul 12 14:48:06 srv postfix/smtpd[20881]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
    Jul 12 14:48:06 srv postfix/smtpd[20881]: disconnect from localhost.localdomain[127.0.0.1]
    Jul 12 14:48:06 srv postfix/smtp[26643]: 8832915A4A6A: to=<kaufmann.gesang@beinpixel.de>, relay=smtp.rzone.de[2a01:238:20a:202:50f0::2097]:25, delay=3409, delays=0.03/3409/0.09/0.08, dsn=5.7.1, status=bounced (host smtp.rzone.de[2a01:238:20a:202:50f0::2097] said: 550 5.7.1 Recipients have complained about included content (B-TEXT) (in reply to end of DATA command))
    Jul 12 14:48:06 srv dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): use
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Look into the emails in the outgoing mailqueue with the postcat command to find out what spam it is and how it is sent.
     
  4. betafer

    betafer Member

    this is the email:
    p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Menlo; color: #000000; background-color: #ffffff} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Menlo; color: #000000; background-color: #ffffff; min-height: 13.0px} span.s1 {font-variant-ligatures: no-common-ligatures} span.Apple-tab-span {white-space:pre}
    *** ENVELOPE RECORDS deferred/C/C180615A48EF ***

    message_size: 16283 5304 50 0 16283

    message_arrival_time: Wed Jul 12 14:05:22 2017

    create_time: Wed Jul 12 14:05:22 2017

    named_attribute: log_ident=C180615A48EF

    named_attribute: rewrite_context=local

    sender: compaq@ztabletpos.com

    named_attribute: log_client_name=localhost.localdomain

    named_attribute: log_client_address=127.0.0.1

    named_attribute: log_client_port=34437

    named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]

    named_attribute: log_helo_name=localhost

    named_attribute: log_protocol_name=ESMTP

    named_attribute: client_name=localhost.localdomain

    named_attribute: reverse_client_name=localhost.localdomain

    named_attribute: client_address=127.0.0.1

    named_attribute: client_port=34437

    named_attribute: helo_name=localhost

    named_attribute: protocol_name=ESMTP

    named_attribute: client_address_type=2

    named_attribute: dsn_orig_rcpt=rfc822;lecap@accesswave.ca

    original_recipient: lecap@accesswave.ca

    recipient: lecap@accesswave.ca

    named_attribute: dsn_orig_rcpt=rfc822;lecam@capmedia.fr

    original_recipient: lecam@capmedia.fr

    done_recipient: lecam@capmedia.fr

    named_attribute: dsn_orig_rcpt=rfc822;lecaer@enitab.fr

    original_recipient: lecaer@enitab.fr

    done_recipient: lecaer@enitab.fr

    named_attribute: dsn_orig_rcpt=rfc822;lecampio@enstb.enst-bretagne.fr

    original_recipient: lecampio@enstb.enst-bretagne.fr

    recipient: lecampio@enstb.enst-bretagne.fr

    named_attribute: dsn_orig_rcpt=rfc822;lecafe@entrasite.fr

    original_recipient: lecafe@entrasite.fr

    done_recipient: lecafe@entrasite.fr

    named_attribute: dsn_orig_rcpt=rfc822;lecadre@gmx.de

    original_recipient: lecadre@gmx.de

    recipient: lecadre@gmx.de

    named_attribute: dsn_orig_rcpt=rfc822;lecalve@isitv.univ-tln.fr

    original_recipient: lecalve@isitv.univ-tln.fr

    recipient: lecalve@isitv.univ-tln.fr

    named_attribute: dsn_orig_rcpt=rfc822;le-calumetdelapaix@lemel.fr

    original_recipient: le-calumetdelapaix@lemel.fr

    done_recipient: le-calumetdelapaix@lemel.fr

    named_attribute: dsn_orig_rcpt=rfc822;lecadre@liberation.fr

    original_recipient: lecadre@liberation.fr

    done_recipient: lecadre@liberation.fr

    named_attribute: dsn_orig_rcpt=rfc822;lecacheu@math.jussieu.fr

    original_recipient: lecacheu@math.jussieu.fr

    done_recipient: lecacheu@math.jussieu.fr

    named_attribute: dsn_orig_rcpt=rfc822;lechell@amertume.ibp.fr

    original_recipient: lechell@amertume.ibp.fr

    recipient: lechell@amertume.ibp.fr

    named_attribute: dsn_orig_rcpt=rfc822;lecapi@club-internet.fr

    original_recipient: lecapi@club-internet.fr

    done_recipient: lecapi@club-internet.fr

    named_attribute: dsn_orig_rcpt=rfc822;lecardo@club-internet.fr

    original_recipient: lecardo@club-internet.fr

    done_recipient: lecardo@club-internet.fr
     
  5. betafer

    betafer Member

    p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Menlo; color: #000000; background-color: #ffffff} span.s1 {font-variant-ligatures: no-common-ligatures} span.Apple-tab-span {white-space:pre}
    *** MESSAGE CONTENTS deferred/C/C180615A48EF ***

    Received: from localhost (localhost.localdomain [127.0.0.1])

    by mail.betafer.it (Postfix) with ESMTP id C180615A48EF;

    Wed, 12 Jul 2017 14:05:22 +0200 (CEST)

    X-Virus-Scanned: Debian amavisd-new at srv.betafer.it

    Received: from mail.betafer.it ([127.0.0.1])

    by localhost (srv.betafer.it [127.0.0.1]) (amavisd-new, port 10026)

    with ESMTP id 5EnNWcAEK-vG; Wed, 12 Jul 2017 14:05:22 +0200 (CEST)

    Received: from User (unknown [37.59.13.121])

    by mail.betafer.it (Postfix) with SMTP id 92FEC15A398E;

    Wed, 12 Jul 2017 12:55:42 +0200 (CEST)

    Reply-To: <efccdepartment106@outlook.com>

    From: "James Harry (Mr)"<compaq@ztabletpos.com>

    Subject: The Economic and Financial Crimes Commission (EFCC)

    Date: Wed, 12 Jul 2017 12:53:40 -0700

    MIME-Version: 1.0

    Content-Type: text/html;

    charset="Windows-1251"

    Content-Transfer-Encoding: 7bit

    X-Priority: 3

    X-MSMail-Priority: Normal

    X-Mailer: Microsoft Outlook Express 6.00.2600.0000

    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

    Message-Id: <20170712120522.C180615A48EF@mail.betafer.it>
     
  6. betafer

    betafer Member

    Ps: the server was installed few days ago by schaal-24.de
    but unfortunately now i can't contact him
     
  7. betafer

    betafer Member

    We put in blacklist of ispconfig the address compaq@ztabletpos.com and the problem Solved in part.
    Now we have to find where the real problem is.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The question is if your server is really sending these or if it is just receiving them or receiving and then forwarding them. Is any of the recipient addresses listed in the email hosted on your server?
     
  9. betafer

    betafer Member

    Where i check this ?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    You see the recipient addresses in the mail that you posted above and you should know, if these are local addresses of your own server.
     
  11. betafer

    betafer Member

    I have only 4 local emails, And they are not the emails I've posted
     
  12. betafer

    betafer Member

    If i shut down pop3 email and i use only imap is better for spam ?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    No, this does not makes a difference.

    Check the mynetworks setting in postfix main.cf file to ensure that you do not have any foreign IP addresses or networks added there.
     
  14. betafer

    betafer Member

    This ?
    mynetworks = 127.0.0.0/8 [::1]/128
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, this value is ok. You should try to reach Florian and ask him to take a look at the issue directly.

    There are basically 3 scenarios for spam sending:

    1) someone got a password of an account and uses it to send trough the server, but I don't see an authentication header in the mail you posted.
    2) a program of your server is sending the spam, like a hacked script. But I don't see PHP headers there. The IP 37.59.13.121 is not your server IP, right?
    3) The third option is that the system is an open relay, that's why I asked for the mynetworks settings. But you might want to run a open relay test to be sure: https://mxtoolbox.com/diagnostic.aspx
     
  16. betafer

    betafer Member

    It's all afternoot that i hope Florian respond :)

    37.59.13.121 is old server ip, i've notice this so i reboot old server in rescue mode To be sure that the problem was not given by that

    and ip of old server was also sets in postfix, i've replaced with new server ip and restart postfix hoping to have done well
     
  17. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Your server sends spam using malware on one of your websites. I was not in the office yesterday evening. I checked your server yesterday ~5pm and there was no spam in your mail-queue. The additional ip in mynetworks was set to allow the old server to send mails using the new server to pass mail-checks on remote servers.
     
    till likes this.

Share This Page