Jan 24, 2025: iRedMail-1.7.2 has been released.

**jackavin** · 2016-06-12 04:48:22

jackavin
Member
Offline

Registered: 2016-05-25
Posts: 109

Topic: URGENT : Mail Server have been attack

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.84
- Linux/BSD distribution name and version: debian 8 jessie
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- Related log if you're reporting an issue:
====

Jun 12 03:46:18 mx2 postfix/smtp[6930]: 8D0808532C: to=<kite0204520@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=25702, delays=24980/721/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8F67F126BC2)
Jun 12 03:46:18 mx2 postfix/smtp[6877]: 8D0808532C: to=<kiss_77325@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=25702, delays=24980/721/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 90298126BC7)
Jun 12 03:46:20 mx2 postfix/smtpd[3785]: 19252126BC4: client=mx2.2fishmail.com[127.0.0.1]
Jun 12 03:46:20 mx2 postfix/cleanup[6626]: 19252126BC4: message-id=<AJWHCJLPYSBZIXZZMRUTY@pcome.com.tw>
Jun 12 03:46:20 mx2 postfix/smtpd[3783]: 1A42E126BC9: client=mx2.2fishmail.com[127.0.0.1]
Jun 12 03:46:20 mx2 postfix/cleanup[6605]: 1A42E126BC9: message-id=<AJWHCJLPYSBZIXZZMRUTY@pcome.com.tw>
Jun 12 03:46:20 mx2 amavis[6857]: (06857-17) Passed SPAM {RelayedTaggedInternal}, MYNETS LOCAL [10.0.51.211]:21574 <qyuvwi@hotmail.com> -> <kuei64623@yahoo.com.tw>, Queue-ID: 8D0808532C, Message-ID: <AJWHCJLPYSBZIXZZMRUTY@pcome.com.tw>, mail_id: 7HWVkhLB6RbV, Hits: 10.211, size: 6103, queued_as: 19252126BC4, 1490 ms
Jun 12 03:46:20 mx2 amavis[6916]: (06916-08) Passed SPAM {RelayedTaggedInternal}, MYNETS LOCAL [10.0.51.211]:21574 <qyuvwi@hotmail.com> -> <kkcreamsoda@yahoo.com.tw>, Queue-ID: 8D0808532C, Message-ID: <AJWHCJLPYSBZIXZZMRUTY@pcome.com.tw>, mail_id: 4se1iYv-ejJt, Hits: 10.211, size: 6103, queued_as: 1A42E126BC9, 1499 ms
Jun 12 03:46:20 mx2 postfix/smtp[6877]: 8D0808532C: to=<kuei64623@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=25704, delays=24980/722/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 19252126BC4)
Jun 12 03:46:20 mx2 postfix/smtp[6930]: 8D0808532C: to=<kkcreamsoda@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=25704, delays=24980/722/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1A42E126BC9)

they relay myhost I have config but can not stop it.
I try ban ip but still.

Thank you

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**jackavin** · 2016-06-12 08:25:33

jackavin
Member
Offline

Registered: 2016-05-25
Posts: 109

Re: URGENT : Mail Server have been attack

I have found out that port 25 have been attack.
I have disable relay host but spam stll flood my port.

How to fix this

**ZhangHuangbin** · 2016-06-12 08:38:19

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,170

Re: URGENT : Mail Server have been attack

Try this script:
https://bitbucket.org/zhb/iredmail/raw/ … ernames.sh

Run:

bash find_top_sasl_usernames.sh /var/log/mail.log

It will show you which users performed how many sasl authentications, any account sent the most emails? Try to reset its password and track log file.

**jackavin** · 2016-06-12 09:15:59

jackavin
Member
Offline

Registered: 2016-05-25
Posts: 109

Re: URGENT : Mail Server have been attack

After I change not open relay log is looklike this

Jun 12 07:52:02 mx2 postfix/smtpd[24143]: NOQUEUE: reject: RCPT from ip-10-0-51-211.ap-southeast-1.compute.internal[10.0.51.211]: 554 5.7.1 <ip-10-0-51-211.ap-southeast-1.compute.internal[10.0.51.211]>: Client host rejected: Access denied; from=<hjpvdfygjheep@ethome.com.tw> to=<7710aa@yahoo.com.tw> proto=SMTP helo=<54.169.196.192>

If I right it not sasl it another server try to relay my host.
have block with iptable not working.

Now I shutdown port 25 with firewall and try to use 2525.
Can I still use 25 with right security?

**jackavin** · 2016-06-13 04:51:58

jackavin
Member
Offline

Registered: 2016-05-25
Posts: 109

Re: URGENT : Mail Server have been attack

Thx ZhangHuangbin.

Very good service.

Jan 24, 2025: iRedMail-1.7.2 has been released.

[ Closed ] URGENT : Mail Server have been attack

Posts: 5

1 Topic by jackavin 2016-06-12 04:48:22

Topic: URGENT : Mail Server have been attack

2 Reply by jackavin 2016-06-12 08:25:33

Re: URGENT : Mail Server have been attack

3 Reply by ZhangHuangbin 2016-06-12 08:38:19

Re: URGENT : Mail Server have been attack

4 Reply by jackavin 2016-06-12 09:15:59

Re: URGENT : Mail Server have been attack

5 Reply by jackavin 2016-06-13 04:51:58

Re: URGENT : Mail Server have been attack

Posts: 5