Server sending spam

Discussion in 'Installation/Configuration' started by mattltm, Aug 7, 2015.

  1. mattltm

    mattltm Member

    My VPS provider has flagged one of my ISPConfig servers as sending spam. I have seen the spam report and it does appear that it has come from my server.

    I have checked the usual auth logs and there has been no unauthorised access to the server.

    I checked the mail.log and found the offending message:

    Aug 7 02:01:22 myhostname postfix/qmgr[6770]: EF8BEE890: from=<jcline26@mydomain.co.uk>, size=744, nrcpt=1 (queue active)
    Aug 7 02:01:22 myhostname postfix/qmgr[6770]: 5AF24E898: from=<jcline26@mydomain.co.uk>, size=1207, nrcpt=1 (queue active)
    Aug 7 02:01:22 myhostname amavis[27049]: (27049-09) Passed CLEAN {RelayedOpenRelay}, [xxx.xxx.xxx.xxx]:21729 [xxx.xxx.xxx.xxx] <jcline26@mydomain.co.uk> -> <another@theirdomain.net>, Queue-ID: EF8BEE890, Message-ID: <17EF986C-B0BD-49D3-DB64-A4759E340745@mydomain.co.uk>, mail_id: GfpdInFVAkoI, Hits: -1, size: 744, queued_as: 5AF24E898, 275 ms
    Aug 7 02:07:48 myhostname postfix/qmgr[6770]: 5AF24E898: from=<jcline26@mydomain.co.uk>, size=1207, nrcpt=1 (queue active)
    Aug 7 02:17:48 myhostname postfix/qmgr[6770]: 5AF24E898: from=<jcline26@mydomain.co.uk>, size=1207, nrcpt=1 (queue active)

    The email address of the sender does not exist on my system, but mydomain.co.uk is an active domain with email accounts associated with it.

    The server passes the open relay tests and is not an open relay so I have no idea how this message managed to pass through.

    Any ideas on what I should do next?

    Thanks.
     
  2. florian030

    florian030 ISPConfig Developer

    Check one of those messages. Run mailq to get the ID and then use postcat -q ID to view the mail. It seems that a website is infected.
     
  3. mattltm

    mattltm Member

    Ahh.
    I just flushed the mail queue about 10 minutes before your reply!
    I'll wait a while and see if it fills up again. It had over 400 messages in it, which seems to have started on 04/08/15, so I don't think it will be long before it tops up again!
     
