Spam Problem on ISPConfig 3

Discussion in 'Installation/Configuration' started by icemaker, Dec 13, 2016.

  1. icemaker

    icemaker New Member

    We are facing a spam problem.
    We are receiving emails from our domain, from email addresses that we never created, for example sophia38@example.com.
    These addresses are being sent to our users.

    I checked the mail queue and it shows the following:

    Mail Queue:
    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    0BC3D403FE 1663 Mon Dec 12 16:55:20 15073836421@server1.mimosa.com.lb
    (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    12605855056@message.alltel.com
    14192045146@message.alltel.com
    14193444509@message.alltel.com
    14193767030@message.alltel.com
    14194963004@message.alltel.com
    14195526218@message.alltel.com
    14195743457@message.alltel.com
    14197999870@message.alltel.com
    14199664200@message.alltel.com
    15172581371@message.alltel.com
    15673226694@message.alltel.com
    15673773770@message.alltel.com
    17156100011@message.alltel.com
    17342248096@message.alltel.com
    17342433382@message.alltel.com

    030F440374 1663 Mon Dec 12 16:57:04 15073836421@server1.mimosa.com.lb
    (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    14063213371@message.alltel.com
    14063638106@message.alltel.com
    14063990188@message.alltel.com
    14064592903@message.alltel.com
    14065397961@message.alltel.com
    14065794862@message.alltel.com
    14066706551@message.alltel.com
    14066718498@message.alltel.com
    14066722686@message.alltel.com
    14067995256@message.alltel.com
    14069420039@message.alltel.com



    Mail Log
    Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<15186100758@message.alltel.com>, relay=none, delay=2370, delays=2370/0.18/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<15594174753@message.alltel.com>, relay=none, delay=2390, delays=2389/0.15/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<15188133941@message.alltel.com>, relay=none, delay=2370, delays=2370/0.18/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<15594738364@message.alltel.com>, relay=none, delay=2390, delays=2389/0.15/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<15854906214@message.alltel.com>, relay=none, delay=2370, delays=2370/0.18/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<15595560123@message.alltel.com>, relay=none, delay=2390, delays=2389/0.15/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<17328998594@message.alltel.com>, relay=none, delay=2370, delays=2370/0.18/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<15596822568@message.alltel.com>, relay=none, delay=2390, delays=2389/0.15/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<18454921985@message.alltel.com>, relay=none, delay=2370, delays=2370/0.18/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)



    Mail Warn Log
    Dec 12 13:20:50 server1 postfix/smtpd[24495]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 13:20:53 server1 postfix/smtpd[24495]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 13:28:06 server1 postfix/smtpd[25145]: warning: rrcs-147-0-242-154.central.biz.rr.com[147.0.242.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 13:29:20 server1 postfix/smtpd[25145]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 13:29:22 server1 postfix/smtpd[25145]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 13:37:48 server1 postfix/smtpd[25911]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 13:37:51 server1 postfix/smtpd[25911]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 13:46:12 server1 postfix/smtpd[26630]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 13:46:15 server1 postfix/smtpd[26630]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 13:54:34 server1 postfix/smtpd[27252]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 13:54:37 server1 postfix/smtpd[27252]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 14:03:02 server1 postfix/smtpd[30463]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 14:03:03 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 1 seconds before retry
    Dec 12 14:03:03 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 1 seconds before retry
    Dec 12 14:03:04 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 5 seconds before retry
    Dec 12 14:03:04 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 5 seconds before retry
    Dec 12 14:03:09 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 25 seconds before retry
    Dec 12 14:03:09 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 25 seconds before retry
    Dec 12 14:03:13 server1 postfix/smtpd[30463]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: Connection lost to authentication server
    Dec 12 14:03:34 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 125 seconds before retry
    Dec 12 14:03:34 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 125 seconds before retry
    Dec 12 14:04:03 server1 dovecot: auth: Error: auth worker: Aborted request: Lookup timed out
    Dec 12 14:04:03 server1 dovecot: auth-worker(30484): Error: sql(test2,91.200.12.140): Password query failed: Not connected to database
    Dec 12 14:04:03 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 1 seconds before retry
    Dec 12 14:04:04 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 5 seconds before retry
    Dec 12 14:04:09 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 25 seconds before retry
    Dec 12 14:04:34 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 125 seconds before retry
    Dec 12 14:11:26 server1 postfix/smtpd[9351]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 14:11:29 server1 postfix/smtpd[9351]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 14:12:47 server1 postfix/smtpd[9351]: warning: rrcs-147-0-242-154.central.biz.rr.com[147.0.242.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
     
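The "Mail Warn Log" above is worth reading separately from the queue: the repeated `SASL LOGIN authentication failed: UGFzc3dvcmQ6` lines are password-guessing attempts against the submission service (the trailing token is the base64 of the server's `Password:` prompt, which Postfix logs when a client supplies a username and a wrong password), and the one `Connection lost to authentication server` failure at 14:03:13 coincides with the Dovecot auth-worker being unable to reach MySQL. The following is an added example, not code from the thread or from ISPConfig, that counts such failures per client IP over log lines in this format. The sample lines are constructed to match the posted log, and the threshold of 3 is an assumption; a real deployment would feed `/var/log/mail.warn` (or the journal) into `offenders()` instead of the inline string.

```python
"""Count failed SASL logins per client IP in Postfix smtpd warning lines.

Added example for the thread above; not part of the original post.
SAMPLE_LOG is constructed in the same format as the posted mail.warn.
"""
import base64
import binascii
import re
from collections import Counter

# Constructed sample lines, same format as the posted warn log.
SAMPLE_LOG = """\
Dec 12 13:20:53 server1 postfix/smtpd[24495]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:28:06 server1 postfix/smtpd[25145]: warning: rrcs-147-0-242-154.central.biz.rr.com[147.0.242.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:29:22 server1 postfix/smtpd[25145]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:37:51 server1 postfix/smtpd[25911]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 13:46:15 server1 postfix/smtpd[26630]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 14:03:02 server1 postfix/smtpd[30463]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
Dec 12 14:03:13 server1 postfix/smtpd[30463]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: Connection lost to authentication server
Dec 12 14:11:29 server1 postfix/smtpd[9351]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 12 14:12:47 server1 postfix/smtpd[9351]: warning: rrcs-147-0-242-154.central.biz.rr.com[147.0.242.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# One regex for the smtpd SASL failure line; the rDNS warnings do not match it.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>\S+)\[(?P<ip>[\d.]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed: (?P<reason>.*)$"
)


def parse_failures(log_text):
    """Yield one dict (ts, host, ip, mech, reason) per SASL failure line."""
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            yield m.groupdict()


def decode_reason(reason):
    """Postfix logs the last SASL challenge base64-encoded.

    'UGFzc3dvcmQ6' decodes to the literal prompt 'Password:', meaning the
    client got past the username step and sent a wrong password.  Reasons
    that are plain text (such as a lost auth backend) are returned as-is.
    """
    try:
        return base64.b64decode(reason, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return reason


def offenders(log_text, threshold=3):
    """Return {ip: failure_count} for every IP at or above the threshold.

    The threshold is an assumption for this example; fail2ban's postfix-sasl
    jail does the same counting with its own maxretry.
    """
    counts = Counter(f["ip"] for f in parse_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def wrong_password_only(log_text):
    """Failures where a password was actually tried (not backend outages)."""
    return [f for f in parse_failures(log_text)
            if decode_reason(f["reason"]) == "Password:"]


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed SASL logins")
```

Two things the counts do not tell you: whether any attempt eventually succeeded (a successful login is logged by `postfix/smtpd` with `sasl_method=LOGIN, sasl_username=...` on the `client=` line, not in mail.warn), and whether the queued mail from `15073836421@server1.mimosa.com.lb` is related at all; that still needs `postcat` on the queued message as suggested further down.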
  2. Mjwienold

    Mjwienold New Member

  3. icemaker

    icemaker New Member

    OK, thanks.

    I am using the ISPConfig DNS Manager.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the headers of one of these mails in the queue with postcat to see how they are sent. If they were sent by a hacked account or website, then you have to fix that to stop the problem.
     
  5. icemaker

    icemaker New Member

    Here are the headers of the received spam email:

    XXXX@YYYYYY.com.lb is the receiver on the server (this is an actual email on the server)
    canon@YYYYYY.com.lb is the spam email address that we are receiving from
    1.52.102.223 is NOT our Server IP

    Code:
    Return-Path: <canon@YYYYYY.com.lb>
    Delivered-To: XXXX@YYYYYY.com.lb
    Received: from localhost (localhost [127.0.0.1])
            by server1.YYYYYY.com.lb (Postfix) with ESMTP id 045B71806D
            for <XXX@YYYYYY.com.lb>; Wed, 14 Dec 2016 11:27:46 -0600 (CST)
    X-Virus-Scanned: Debian amavisd-new at server1.YYYYYY.com.lb
    X-Spam-Flag: YES
    X-Spam-Score: 10.81
    X-Spam-Level: **********
    X-Spam-Status: Yes, score=10.81 tagged_above=3 required=10
            tests=[BAYES_50=0.8, RCVD_IN_BL_SPAMCOP_NET=1.347,
            RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335, RCVD_IN_PSBL=2.7,
            RCVD_IN_XBL=0.375, RDNS_NONE=0.793, TVD_SPACE_RATIO=0.001,
            T_MIME_NO_TEXT=0.01] autolearn=no
    Received: from server1.YYYYYY.com.lb ([127.0.0.1])
            by localhost (server1.YYYYYY.com.lb [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id 0dbY4rCLsCKN for <XXX@YYYYYY.com.lb>;
            Wed, 14 Dec 2016 11:27:46 -0600 (CST)
    Received: by server1.YYYYYY.com.lb (Postfix, from userid 5000)
            id 6EF5E180AF; Wed, 14 Dec 2016 11:27:46 -0600 (CST)
    X-Sieve: Pigeonhole Sieve 0.3.1
    X-Sieve-Redirected-From: admin@YYYYYY.com.lb
    Delivered-To: admin@YYYYYY.com.lb
    Received: from localhost (localhost [127.0.0.1])
            by server1.YYYYYY.com.lb (Postfix) with ESMTP id AED1218077
            for <admin@YYYYYY.com.lb>; Wed, 14 Dec 2016 11:27:45 -0600 (CST)
    X-Virus-Scanned: Debian amavisd-new at server1.YYYYYY.com.lb
    Received: from server1.YYYYYY.com.lb ([127.0.0.1])
            by localhost (server1.YYYYYY.com.lb [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id iokwacCDwDUZ for <admin@YYYYYY.com.lb>;
            Wed, 14 Dec 2016 11:27:44 -0600 (CST)
    Received: from [1.52.102.223] (unknown [1.52.102.223])
            by server1.YYYYYY.com.lb (Postfix) with ESMTP id F34901806D
            for <admin@YYYYYY.com.lb>; Wed, 14 Dec 2016 11:27:42 -0600 (CST)
    From: canon@YYYYYY.com.lb
    To: "admin"
         <admin@YYYYYY.com.lb>
    Subject: ***SPAM*** ***SPAM***Attached document
    Date: Thu, 15 Dec 2016 00:27:35 +0700
    Message-Id: <20161215002735.0001.CanonTxNo.1262@Canon063B59.YYYYYY.com.lb>
    Mime-Version: 1.0
    Content-Type: multipart/mixed;
         boundary="3F69BB737D7201848BE57476D2F2"
            
     
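The posted headers answer the question from post 4 on their own: reading the `Received:` lines from the bottom up, the earliest one written by `server1.YYYYYY.com.lb` says the message came in over plain SMTP from `1.52.102.223` with no `Authenticated sender` and no local userid, and the `From:` merely claims `canon@YYYYYY.com.lb`. Everything below the first hop your own MTA stamps is attacker-controlled, so that hop is the only trustworthy origin. The following is an added example, not code from the thread or from ISPConfig, that automates this reading for output of `postcat -q <queue-id>` or a saved message: it finds the entry hop and classifies it as unauthenticated SMTP from an outside IP, SMTP with SASL authentication, or a local submission by a Unix userid (which is what a hacked website or a cron script produces). The first sample is the posted header block, with the same `YYYYYY` placeholders; the other two are constructed, and the details in them (uid 33 being `www-data` on Debian, the `Authenticated sender:` comment, which Postfix only adds when `smtpd_sasl_authenticated_header = yes`) are stated as assumptions.

```python
"""Find and classify the hop at which a message entered the local Postfix.

Added example for the thread above; not the poster's or ISPConfig's code.
POSTED reproduces the posted headers (body omitted); WEB_SCRIPT and
AUTHED are constructed to show the other two cases post 4 asks about.
"""
import email
import email.utils
import re
from ipaddress import ip_address

OUR_HOST = "server1.YYYYYY.com.lb"   # placeholder host name from the posted headers
OUR_DOMAIN = "YYYYYY.com.lb"

POSTED = """\
Return-Path: <canon@YYYYYY.com.lb>
Received: from localhost (localhost [127.0.0.1])
        by server1.YYYYYY.com.lb (Postfix) with ESMTP id 045B71806D
        for <XXX@YYYYYY.com.lb>; Wed, 14 Dec 2016 11:27:46 -0600 (CST)
Received: from server1.YYYYYY.com.lb ([127.0.0.1])
        by localhost (server1.YYYYYY.com.lb [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 0dbY4rCLsCKN for <XXX@YYYYYY.com.lb>;
        Wed, 14 Dec 2016 11:27:46 -0600 (CST)
Received: by server1.YYYYYY.com.lb (Postfix, from userid 5000)
        id 6EF5E180AF; Wed, 14 Dec 2016 11:27:46 -0600 (CST)
X-Sieve-Redirected-From: admin@YYYYYY.com.lb
Received: from localhost (localhost [127.0.0.1])
        by server1.YYYYYY.com.lb (Postfix) with ESMTP id AED1218077
        for <admin@YYYYYY.com.lb>; Wed, 14 Dec 2016 11:27:45 -0600 (CST)
Received: from server1.YYYYYY.com.lb ([127.0.0.1])
        by localhost (server1.YYYYYY.com.lb [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id iokwacCDwDUZ for <admin@YYYYYY.com.lb>;
        Wed, 14 Dec 2016 11:27:44 -0600 (CST)
Received: from [1.52.102.223] (unknown [1.52.102.223])
        by server1.YYYYYY.com.lb (Postfix) with ESMTP id F34901806D
        for <admin@YYYYYY.com.lb>; Wed, 14 Dec 2016 11:27:42 -0600 (CST)
From: canon@YYYYYY.com.lb
To: "admin" <admin@YYYYYY.com.lb>
Subject: ***SPAM*** ***SPAM***Attached document

"""

# Constructed: mail injected locally by uid 33 (www-data on Debian, assumed).
WEB_SCRIPT = """\
Received: by server1.YYYYYY.com.lb (Postfix, from userid 33)
        id 1AB2C3D4E5; Wed, 14 Dec 2016 12:00:00 -0600 (CST)
From: canon@YYYYYY.com.lb
To: someone@example.com
Subject: constructed example

"""

# Constructed: SASL-authenticated submission; the "Authenticated sender"
# comment appears only with smtpd_sasl_authenticated_header = yes.
AUTHED = """\
Received: from [203.0.113.7] (unknown [203.0.113.7])
        (Authenticated sender: canon@YYYYYY.com.lb)
        by server1.YYYYYY.com.lb (Postfix) with ESMTPSA id 1AB2C3D4E6
        for <someone@example.com>; Wed, 14 Dec 2016 12:00:00 -0600 (CST)
From: canon@YYYYYY.com.lb
To: someone@example.com
Subject: constructed example

"""


def entry_hop(msg_text):
    """Return the earliest Received header written by OUR_HOST, unfolded.

    Received headers are prepended, so the last one in the list is the
    oldest.  Anything older than the first hop our own MTA wrote was
    supplied by the sender and cannot be trusted.
    """
    msg = email.message_from_string(msg_text)
    hops = [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]
    by_us = re.compile(r"\bby " + re.escape(OUR_HOST) + r"\b")
    for hop in reversed(hops):
        if by_us.search(hop):
            return hop
    return None


def classify(msg_text):
    """Classify the entry hop and flag a From: that claims our domain from outside."""
    hop = entry_hop(msg_text)
    sender = email.utils.parseaddr(email.message_from_string(msg_text).get("From", ""))[1]
    res = {"hop": hop, "kind": "unknown", "ip": None, "userid": None, "auth_user": None,
           "claims_our_domain": sender.rpartition("@")[2].lower() == OUR_DOMAIN.lower(),
           "forged_our_domain": False}
    if hop is None:
        return res
    if m := re.search(r"\(Authenticated sender: ([^)]+)\)", hop):
        res["kind"], res["auth_user"] = "authenticated_smtp", m.group(1)
    if m := re.search(r"\(Postfix, from userid (\d+)\)", hop):
        res["kind"], res["userid"] = "local_submission", int(m.group(1))
    if m := re.match(r"from \S+ \((?:\S+ )?\[([^\]]+)\]\)", hop):
        ip = m.group(1)[5:] if m.group(1).startswith("IPv6:") else m.group(1)
        res["ip"] = ip
        if res["kind"] == "unknown":
            res["kind"] = "local_relay" if ip_address(ip).is_loopback else "external_smtp"
    res["forged_our_domain"] = res["claims_our_domain"] and res["kind"] == "external_smtp"
    return res


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("web script", WEB_SCRIPT), ("authed", AUTHED)):
        r = classify(text)
        print(f"{name}: {r['kind']} ip={r['ip']} uid={r['userid']} "
              f"auth={r['auth_user']} forged_our_domain={r['forged_our_domain']}")
```

For the messages still in the queue from the first post, run the same classifier over `postcat -q <queue-id>` output; a sender of the form `<number>@server1.mimosa.com.lb` is consistent with a bare local username submitted through `sendmail(1)` (Postfix appends `$myorigin`, which defaults to the host name), and the `from userid N` in that hop tells you which account or web vhost to look at. The posted message, by contrast, is an outside host forging your domain in `From:`; that is stopped at the receiving side by SPF/DMARC checks or by rejecting unauthenticated clients that use your own domain as sender, not by changing anything on the sending accounts.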
  6. sjau

    sjau Local Meanie Moderator

    So, you receive spam that seems to come from your own server or at least use a domain name that's on your server?
     
  7. icemaker

    icemaker New Member

    Yes, 100%, but it seems we are receiving it from a different IP than our server.
     
  8. sjau

    sjau Local Meanie Moderator
