Spam Problem on ISPConfig 3

Discussion in 'Installation/Configuration' started by icemaker, Dec 13, 2016.

  1. icemaker

    icemaker New Member

    We are facing spam problem.
    we are receiving emails from our domain.
    email addresses that we never created example: [email protected].
    these addresses are being sent to our users.

    i check the mail queue it shows the following:

    Mail Queue:
    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    0BC3D403FE 1663 Mon Dec 12 16:55:20 [email protected]
    (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]

    030F440374 1663 Mon Dec 12 16:57:04 [email protected]
    (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    [email protected]
    [email protected]
    [email protected]
    [email protected]alltel.com
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]



    Mail Log
    Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<[email protected]>, relay=none, delay=2370, delays=2370/0.18/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<[email protected]>, relay=none, delay=2390, delays=2389/0.15/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<[email protected]>, relay=none, delay=2370, delays=2370/0.18/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<[email protected]>, relay=none, delay=2390, delays=2389/0.15/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<[email protected]>, relay=none, delay=2370, delays=2370/0.18/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<[email protected]>, relay=none, delay=2390, delays=2389/0.15/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<[email protected]>, relay=none, delay=2370, delays=2370/0.18/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27760]: CE408403EE: to=<[email protected]>, relay=none, delay=2390, delays=2389/0.15/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)
    Dec 12 17:34:58 server1 postfix/error[27759]: 87F4D40400: to=<[email protected]>, relay=none, delay=2370, delays=2370/0.18/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to message.alltel.com[72.52.10.14]:25: Connection refused)



    Mail Warn Log
    Dec 12 13:20:50 server1 postfix/smtpd[24495]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 13:20:53 server1 postfix/smtpd[24495]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 13:28:06 server1 postfix/smtpd[25145]: warning: rrcs-147-0-242-154.central.biz.rr.com[147.0.242.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 13:29:20 server1 postfix/smtpd[25145]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 13:29:22 server1 postfix/smtpd[25145]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 13:37:48 server1 postfix/smtpd[25911]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 13:37:51 server1 postfix/smtpd[25911]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 13:46:12 server1 postfix/smtpd[26630]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 13:46:15 server1 postfix/smtpd[26630]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 13:54:34 server1 postfix/smtpd[27252]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 13:54:37 server1 postfix/smtpd[27252]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 14:03:02 server1 postfix/smtpd[30463]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 14:03:03 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 1 seconds before retry
    Dec 12 14:03:03 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 1 seconds before retry
    Dec 12 14:03:04 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 5 seconds before retry
    Dec 12 14:03:04 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 5 seconds before retry
    Dec 12 14:03:09 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 25 seconds before retry
    Dec 12 14:03:09 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 25 seconds before retry
    Dec 12 14:03:13 server1 postfix/smtpd[30463]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: Connection lost to authentication server
    Dec 12 14:03:34 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 125 seconds before retry
    Dec 12 14:03:34 server1 dovecot: auth-worker(30484): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 125 seconds before retry
    Dec 12 14:04:03 server1 dovecot: auth: Error: auth worker: Aborted request: Lookup timed out
    Dec 12 14:04:03 server1 dovecot: auth-worker(30484): Error: sql(test2,91.200.12.140): Password query failed: Not connected to database
    Dec 12 14:04:03 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 1 seconds before retry
    Dec 12 14:04:04 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 5 seconds before retry
    Dec 12 14:04:09 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 25 seconds before retry
    Dec 12 14:04:34 server1 dovecot: auth-worker(32476): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) - waiting for 125 seconds before retry
    Dec 12 14:11:26 server1 postfix/smtpd[9351]: warning: hostname vps863.hidehost.net does not resolve to address 91.200.12.140: Name or service not known
    Dec 12 14:11:29 server1 postfix/smtpd[9351]: warning: unknown[91.200.12.140]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 12 14:12:47 server1 postfix/smtpd[9351]: warning: rrcs-147-0-242-154.central.biz.rr.com[147.0.242.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
     
  2. Mjwienold

    Mjwienold New Member

  3. icemaker

    icemaker New Member

    ok thx,

    i am using the ISPconfig DNS Manager
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the headers of one of these mails in the queue with postcat to see how they are sent. If they were sent by a hacked account or website, then you have to fix that to stop the problem.
     
  5. icemaker

    icemaker New Member

    Here are the headers of the received spam email:

    [email protected] is the receiver on the server (this is an actual email on the server)
    [email protected] is the spam email address that we are receiving from
    1.52.102.223 is NOT our Server IP

    Code:
    Current Folder: INBOX     Sign Out
    Compose   Addresses   Folders   Options   Search   Help 
    
    
    Viewing Full Header - View message
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
            by server1.YYYYYY.com.lb (Postfix) with ESMTP id 045B71806D
            for <[email protected]>; Wed, 14 Dec 2016 11:27:46 -0600 (CST)
    X-Virus-Scanned: Debian amavisd-new at server1.YYYYYY.com.lb
    X-Spam-Flag: YES
    X-Spam-Score: 10.81
    X-Spam-Level: **********
    X-Spam-Status: Yes, score=10.81 tagged_above=3 required=10
            tests=[BAYES_50=0.8, RCVD_IN_BL_SPAMCOP_NET=1.347,
            RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335, RCVD_IN_PSBL=2.7,
            RCVD_IN_XBL=0.375, RDNS_NONE=0.793, TVD_SPACE_RATIO=0.001,
            T_MIME_NO_TEXT=0.01] autolearn=no
    Received: from server1.YYYYYY.com.lb ([127.0.0.1])
            by localhost (server1.YYYYYY.com.lb [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id 0dbY4rCLsCKN for <[email protected]>;
            Wed, 14 Dec 2016 11:27:46 -0600 (CST)
    Received: by server1.YYYYYY.com.lb (Postfix, from userid 5000)
            id 6EF5E180AF; Wed, 14 Dec 2016 11:27:46 -0600 (CST)
    X-Sieve: Pigeonhole Sieve 0.3.1
    X-Sieve-Redirected-From: [email protected]
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
            by server1.YYYYYY.com.lb (Postfix) with ESMTP id AED1218077
            for <[email protected]>; Wed, 14 Dec 2016 11:27:45 -0600 (CST)
    X-Virus-Scanned: Debian amavisd-new at server1.YYYYYY.com.lb
    Received: from server1.YYYYYY.com.lb ([127.0.0.1])
            by localhost (server1.YYYYYY.com.lb [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id iokwacCDwDUZ for <[email protected]>;
            Wed, 14 Dec 2016 11:27:44 -0600 (CST)
    Received: from [1.52.102.223] (unknown [1.52.102.223])
            by server1.YYYYYY.com.lb (Postfix) with ESMTP id F34901806D
            for <[email protected]>; Wed, 14 Dec 2016 11:27:42 -0600 (CST)
    From: [email protected]
    To: "admin"
         <[email protected]>
    Subject: ***SPAM*** ***SPAM***Attached document
    Date: Thu, 15 Dec 2016 00:27:35 +0700
    Message-Id: <[email protected]>
    Mime-Version: 1.0
    Content-Type: multipart/mixed;
         boundary="3F69BB737D7201848BE57476D2F2"
            
     
  6. sjau

    sjau Local Meanie Moderator

    So, you receive spam that seems to come from your own server or at least use a domain name that's on your server?
     
  7. icemaker

    icemaker New Member

    yes 100%, but it seems we are receiving it from a different IP from our server
     
  8. sjau

    sjau Local Meanie Moderator

Share This Page