Spam being relayed through postfix

Discussion in 'Server Operation' started by BenDavis, Feb 11, 2016.

  1. BenDavis

    BenDavis New Member

    This issue is getting more annoying.
    I run a postfix server on centos.I opened my maillog 4-5 days ago and noticed my server was being flooded with relayed emails. I check for viruses and a hundred other things. I think I have relays disabled. but from what it looks like, These emails are coming in FROM a fake email address from my domain ie. my domain is gigreview.... and these fake emails are from [email protected].....

    This has lagged my server a little bit, and also noticed that my servers IP address has been banned from a few email server.
    I have tried a few other things such as using smtpd_sender_restrictions and smtpd_client_restrictions in my but anything that is spose to work, has "reject" in the line, when ever i have reject in the line, all proper incoming emails are rejected instead..
    Can some one help with this issue??
  2. Active Member

    Did you check if any of your hosted sites's beeing hacked? Did you enable mail()-logging in your php.ini for example to trace suspect behaviour?
    Test your config with
  3. bigmac_8

    bigmac_8 New Member

    I am having something similar happening. someone is relaying through my server using webmaster @ my.domain. I've run through the system and can't find any email account on my.domain that has an account, forward or alias with webmaster. I've tested with the open relay above and that's not it. I've even disabled all of the email accounts for this domain and that didn't help. This is ISPConfig and the only thing that stops the relaying is to disable the clients entire account.

    How can I block this account from relaying on my server?
  4. Active Member

    Disableing mail accounts won't help if there's something going on at his website - check his web/-folder, I highly recommend enableing mail()-logging or try grepping his web-folder for something like "eval(" or something like that.
    If you disable his account, his websites are disabled - so if that's the only way to stop spam ... it's kinda good, meaning the customer himself is not infected with malware and his password might also be unknown to someone.

    Check his web folder ( or look at the access-log, some infected scripts might be called using POST, unless u want to enable POST-data logging you might just check files using some guessing )
  5. Nap

    Nap Member

    Hi Ben,

    You may wish to look at this thread to compare your Postfix settings; and
    I had a similar problem once, so you might have a look at other threads (here, here, and here) I posted on setup my Postfix.
    I have mine setup such that you must autheticate for sending, in addition to receiving. This might help you solve your problem.

  6. bigmac_8

    bigmac_8 New Member


    I'm still getting a lot of spam relayed through my mailserver as webmaster I don't have a webmaster email account. Everything has been updated. I check also in Word Press and verified that it is up to date and that Word Press doesn't have a webmaster account. I don't currently have this problem with any of the other accounts on the ISPC server.

  7. Active Member

    did you implement SPF for that domain? does postfix check SPF rules?
  8. bigmac_8

    bigmac_8 New Member

    I can not implement SPF. Actually I don't know how SPF can work in a world like today where people are checking their emails from cell phones and other devices all over the world.

    As I have said, I'm using ISPConfig 3 and it is either a problem with ISPC or with Word Press. Email continues to be relayed even when I have the email disabled for

  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Mails send by WordPress (the PHP mail function) have the sender address webmaster@, so it is most likely a WordPress issue or hack). Please post the lines of such a relayed mail from mail.log.
  10. Active Member

    Check my post #4 especially mail()-logging - you can enable that in your php.ini.

    SPF has nothing todo with from where a end user reads his/her mail. As an owner of a domain you set a list of which servers are allowed to send mails in the name of that domain, so do others and you can easily check ( as a server ) wether IP xyz is allowed to use domain.tld in its FROM-part.

    For example: has its own mail server and add a TXT entry to their nameserver describing only is allowed to send send mail in name then other servers won't allow a hacked dialup-client/other server to send mail in their name, like potential locky viruses.

    It's not 100% fail save but it does block some sort of spam already.

Share This Page