Spam being sent via postfix

Discussion in 'ISPConfig 3 Priority Support' started by rickbyronit, Dec 29, 2016.

  1. rickbyronit

    rickbyronit New Member HowtoForge Supporter

    The header from a deferred email follows; I can't see in my mail logs or my apache2 logs where these are being generated from.
    The sender domain myclient.com exists on my server, but info522@ (in this email) is not a valid email address on my server; all sent emails have been in the format info[0-9][0-9][0-9]@myclient.com.
    I'm looking for clues; this started a couple of days ago, and I'm running out of hair to pull.
    The server has been faultless for well over a year.
    I question whether my postfix conf could be an issue.


    *** ENVELOPE RECORDS deferred/0/004291940792 ***
    message_size: 1707 704 1 0 1707
    message_arrival_time: Thu Dec 29 19:07:21 2016
    create_time: Thu Dec 29 19:07:21 2016
    named_attribute: log_ident=004291940792
    named_attribute: rewrite_context=local
    sender: info522@myclient.com
    named_attribute: encoding=7bit
    named_attribute: log_client_name=localhost.localdomain
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=56312
    named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost.localdomain
    named_attribute: reverse_client_name=localhost.localdomain
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=56312
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;zabihullahkarim@yahoo.com.au
    original_recipient: zabihullahkarim@yahoo.com.au
    recipient: zabihullahkarim@yahoo.com.au
    *** MESSAGE CONTENTS deferred/0/004291940792 ***
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by server1.myclient.com (Postfix) with ESMTP id 004291940792
    for <zabihullahkarim@yahoo.com.au>; Thu, 29 Dec 2016 19:07:21 +1100 (AEDT)
    X-Virus-Scanned: Debian amavisd-new at server1.myclient.com
    Received: from server1.myclient.com ([127.0.0.1])
    by localhost (server1.myclient.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id zRUyANlrGrdN for <zabihullahkarim@yahoo.com.au>;
    Thu, 29 Dec 2016 19:07:21 +1100 (AEDT)
    Received: from myclient.com (localhost.localdomain [127.0.0.1])
    by server1.myclient.com (Postfix) with ESMTP id 9C21919404FE
    for <zabihullahkarim@yahoo.com.au>; Thu, 29 Dec 2016 19:07:20 +1100 (AEDT)
    Date: Thu, 29 Dec 2016 08:07:19 +0000 (UTC)
    From: info522@myclient.com
    To: zabihullahkarim@yahoo.com.au
    Message-ID: <260291959.19858809.1482998839470@bangalow.com>
    Subject: Hey
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_Part_19858808_291664055.1482998839470"

    ------=_Part_19858808_291664055.1482998839470
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: quoted-printable
     


  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The mails seem to be sent from localhost. Is this server a mail and webserver? If yes, then most likely the website of this client has been hacked. Check the access.log of that website for unusual POST requests and scan the website for malware.
     
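    One way to act on the advice above (an added example, not code from this thread, ISPConfig or Postfix): take the timestamp from the last Received header of the queued message and list the POST requests in the site's Apache access.log that arrived within a few seconds of it. The header, log lines, IPs and paths below are constructed samples.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample input (not from the thread): the Received line Postfix added
# when it accepted the message from 127.0.0.1, plus Apache combined-format lines.
RECEIVED_HEADER = (
    "Received: from myclient.com (localhost.localdomain [127.0.0.1]) "
    "by server1.myclient.com (Postfix) with ESMTP id 9C21919404FE "
    "for <someone@example.invalid>; Thu, 29 Dec 2016 19:07:20 +1100 (AEDT)"
)
ACCESS_LOG = """\
198.51.100.7 - - [29/Dec/2016:18:40:02 +1100] "POST /wp-login.php HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2016:19:06:50 +1100] "GET /index.php HTTP/1.1" 200 9311 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2016:19:07:19 +1100] "POST /uploads/tmp/x.php HTTP/1.1" 200 77 "-" "python-requests/2.9"
203.0.113.5 - - [29/Dec/2016:19:07:21 +1100] "POST /uploads/tmp/x.php HTTP/1.1" 200 77 "-" "python-requests/2.9"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def received_time(header):
    """Postfix writes the acceptance timestamp after the last ';' of a Received header."""
    stamp = header.rsplit(";", 1)[1].strip()
    stamp = re.sub(r"\s*\(.*\)$", "", stamp)  # drop the trailing "(AEDT)" comment
    return parsedate_to_datetime(stamp)       # timezone-aware datetime

def parse_access_line(line):
    """Parse one Apache combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def suspicious_posts(header, log_lines, window_seconds=5):
    """POST requests that hit the web server within window_seconds of the mail's acceptance."""
    t0 = received_time(header)
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        rec = parse_access_line(line)
        if rec and rec["method"] == "POST" and abs(rec["time"] - t0) <= window:
            hits.append({"ip": rec["ip"], "path": rec["path"], "when": rec["time"].isoformat()})
    return hits

if __name__ == "__main__":
    for hit in suspicious_posts(RECEIVED_HEADER, ACCESS_LOG.splitlines()):
        print(hit)
```

    Repeated POSTs to a script under an upload or cache directory that line up with each queued message point at the file to inspect; widen the window if the clocks of Postfix and Apache are not identical.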
  3. rickbyronit

    rickbyronit New Member HowtoForge Supporter

    Thanks Till,
    The server does host sites and does email. I have scanned with maldet and amavis but found nothing. The spam is coming in small amounts, sometimes hours apart. I think it may be through some old phpmailer.php files that a few clients are using; looking further into it.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Maldet does not find that much malware; try to use the free scan from ispprotect to scan the server: https://ispprotect.com/
     
  5. rickbyronit

    rickbyronit New Member HowtoForge Supporter

    Hi Till,
    Thank you for the link; however, after I downloaded the file I started to run it for about 30 seconds, and then I decided to stop it and read the docs first. Now it won't let me scan:
    Could not run scan with key TRIAL because of error: No more trials for this server left.
    I was so looking forward to it, as for the moment I am 'discarding' the spam via 'blacklisting' and 'content filtering'.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I've sent you a PM with a new trial key.
     
  7. rickbyronit

    rickbyronit New Member HowtoForge Supporter

    Many thanks Till,
    I will update this thread with the results.
    Kind regards
     
  8. rickbyronit

    rickbyronit New Member HowtoForge Supporter

    Thank you Till,

    I had success with ISPProtect, thank you.
    I have purchased a 10-scan license, but will look at extending to a 12 month licence in the future.

    Again, many thanks for your great products and support.
     