You have been compromised - Send From [email protected]

Discussion in 'ISPConfig 3 Priority Support' started by Siridion M. Cabudlan, Jun 27, 2020.

  1. Good Day to all,
    I really need your help, guys!
    Some bad guys retrieved all the email addresses from our email server
    and sent an email message to every email user with the subject: “You have been compromised”

    Full headers from an e-mail message:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from localhost (localhost [])
        by (Postfix) with ESMTP id 21337C8242F
        for <[email protected]>; Fri, 26 Jun 2020 17:06:41 +0800 (PST)
    X-Virus-Scanned: Debian amavisd-new at
    X-Spam-Flag: NO
    X-Spam-Score: 2.274
    X-Spam-Level: **
    X-Spam-Status: No, score=2.274 tagged_above=1 required=4.5
        tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
        DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
        RCVD_IN_MSPIKE_H2=-0.001, SORTED_RECIPS=2.474, SPF_PASS=-0.001]
        autolearn=no autolearn_force=no
    Authentication-Results: (amavisd-new);
        dkim=pass (2048-bit key)
    Received: from ([])
        by localhost ( []) (amavisd-new, port 10024)
        with ESMTP id c8IMfS8SfwNZ for <[email protected]>;
        Fri, 26 Jun 2020 17:06:40 +0800 (PST)
    Received: from ( [])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by (Postfix) with ESMTPS id BF92DC825DF
        for <[email protected]>; Fri, 26 Jun 2020 17:06:28 +0800 (PST)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s2048; t=1593162385; bh=sZ6sp2VMy/ORQ5+uF7AJ57o+lenDg/SUsL7P1h9o/lg=; h=Date:From:To:Subject:References:From:Subject; b=nYxeqEC5vnMPPeKjqpFN+TwO5rUnDGkkJqURIhfaQdSGBnXR6DKzWZfbZDnrMWgHOtcR/4S2+W8ye2YkJIdquelvAkg0ciI76ulsGof4L3AYudgAbT/2+Ij5D/ewJ3ydLLTWydYDOnsEdmam0JF/U7TblvYHOXmDuNa17Y7ffyfKrStZrXNvafRwdfYl5DbPmwT7QlIKSLxzALIOSdrJakrtGWgLax7Z7E1W0FY1BJF1fGFx4pofcsk3nMHC0fl+V0F90CQuCXZJBcpD2lIsz2/H8JYNjNomGBnRUkx1UkbyQvyPSerJEZkwFHEKxyEQWtIMlEvxIQNdjeMquCrekA==
    X-YMail-OSG: PdnP55gVM1lo78DsQLMd9eJOegMjr_NOuIrU.3MejQVdPboPv4iOiK9HR0KXoaM
    Received: from by with HTTP; Fri, 26 Jun 2020 09:06:25 +0000
    Date: Fri, 26 Jun 2020 08:54:22 +0000 (UTC)
    From: Hatters Grey <[email protected]>
    To: "[email protected]" <[email protected]>,
        ... ,
        "[email protected]" <[email protected]>
    Message-ID: <[email protected]>
    Subject: You have been compromised
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    References: <[email protected]>
    X-Mailer: WebService/1.1.16138 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

    Please help me, how do I fix this problem?
    Last edited: Jun 27, 2020
  2. Taleman (Well-Known Member, HowtoForge Supporter)

    That does not look like e-mail log. It is full headers from an e-mail message.
    The headers show your e-mail server received the message from Yahoo server. If the culprits had compromised your server or e-mail accounts, they could have proved that by sending their nefarious messages using your e-mail server.
    What problem are you fixing?
    You can complain to Yahoo that their email user sends SPAM or ransom messages.
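As an added illustration of the point above (this is not code from the thread or from ISPConfig), a small Python script that walks the Received chain in delivery order, reports the first hop that did not come from one of your own hosts, and pulls the amavis DKIM/SPF verdict. The hostnames, IPs and the local-injection contrast sample are constructed placeholders, because the original post had those values stripped.

```python
import re
from email import message_from_string

# Constructed sample based on the headers in the first post; the original had the
# hostnames and IPs stripped, so the hosts below are placeholders (.example / RFC 5737).
YAHOO_SAMPLE = """\
Return-Path: <sender@yahoo.example>
Received: from localhost (localhost [127.0.0.1])
    by mail.example.org (Postfix) with ESMTP id 21337C8242F
    for <user@mail.example.org>; Fri, 26 Jun 2020 17:06:41 +0800 (PST)
Authentication-Results: mail.example.org (amavisd-new);
    dkim=pass (2048-bit key) header.d=yahoo.example
Received: from mail.example.org ([127.0.0.1])
    by localhost (mail.example.org [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id c8IMfS8SfwNZ for <user@mail.example.org>;
    Fri, 26 Jun 2020 17:06:40 +0800 (PST)
Received: from sonic.mail.yahoo.example (sonic.mail.yahoo.example [203.0.113.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    by mail.example.org (Postfix) with ESMTPS id BF92DC825DF
    for <user@mail.example.org>; Fri, 26 Jun 2020 17:06:28 +0800 (PST)
From: Hatters Grey <sender@yahoo.example>
Subject: You have been compromised

"""
# Constructed contrast: mail injected on the server itself (e.g. a local script
# calling sendmail) has no external "from" host in its earliest Received line.
LOCAL_SAMPLE = """\
Received: by mail.example.org (Postfix, from userid 33)
    id PLACEHOLDERID; Fri, 26 Jun 2020 10:00:00 +0800 (PST)
From: www-data@mail.example.org
Subject: test

"""
LOCAL_HOSTS = {"localhost", "mail.example.org"}  # assumed: our own mail hosts
# "from" is optional: locally submitted mail produces "Received: by host (Postfix, ...)".
HOP_RE = re.compile(r"(?:from\s+(?P<frm>\S+))?.*?\bby\s+(?P<by>\S+)", re.S)

def assess(raw, local_hosts=LOCAL_HOSTS):
    """Trace Received hops in delivery order (each hop prepends its header, so the
    last header is the first hop) and find where the mail entered our hosts."""
    msg = message_from_string(raw)
    hops = [(m.group("frm"), m.group("by")) for m in
            (HOP_RE.search(h) for h in reversed(msg.get_all("Received", []))) if m]
    entry = next((h for h in hops if h[0] and h[0] not in local_hosts), None)
    auth = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)",
                           " ".join(msg.get_all("Authentication-Results", []))))
    return {"hops": hops, "entry_from": entry[0] if entry else None,
            "originated_locally": entry is None, "auth": auth}
```

For the thread's message the entry hop is the external Yahoo host with dkim=pass, which is what points away from a compromised local server; a message that only ever shows `by` your own host is the case worth investigating.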
  3. Hi @Taleman, thank you for the reply.
    I have some questions
    1.) Is it safe to remove the spam email messages from the vmail directory?
    2.) And how can I check whether our server has been compromised?
  4. Taleman (Well-Known Member, HowtoForge Supporter)

    1. If you just remove the file, the e-mail index will be wrong, so you should re-index afterwards. Or use the admin commands of the e-mail system to remove the messages; that should preserve the index, or re-index afterwards.
    2. I don't know a simple way to make sure a server has not been compromised. Do you have a reason to believe it is compromised?
    That grayhatter sending to all your e-mail addresses does not indicate compromise. They may have purchased a list of e-mail addresses.
    If you are worried, there are ways to try to find compromises. ISPConfig has for example.
  5. till (Super Moderator, Staff Member, ISPConfig Developer)

  6. Hi @till
    I have already purchased an ISPProtect 5-scans license and scanned the /var/www directory, and ISPProtect found nothing.

    It is possible that the back-up email was intercepted through the network,
    because the back-up email was forwarded to Google Drive using google-drive-ocamlfuse.
  7. till (Super Moderator, Staff Member, ISPConfig Developer)

    The most likely reason for your issue is that there is no issue at all. Receiving this kind of email is normal; that's the usual spam, and the emails are no indication that a system is compromised. If you don't want to contact Yahoo to have them close that account, then add a global mail filter in ISPConfig instead to delete these emails automatically when they arrive. So unless the text of these emails reveals anything that only someone who compromised your system could know, like the cleartext root password or something similar, you should assume that your system has not been compromised.
