1

Topic: Postfix sending SPAM - PLEASE HELP

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.7 PGSQL edition.
- Deployed with iRedMail Easy or the downloadable installer? I don't remember
- Linux/BSD distribution name and version:  Ubuntu 16.04.5 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? NO
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Jun 25 13:19:13 mail postfix/master[27449]: daemon started -- version 3.1.0, configuration /etc/postfix
Jun 25 13:19:13 mail postfix/qmgr[27451]: 3726244A4C: from=<natalia.amarilla@eme.com.py>, size=395582, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 3D18543760: from=<natalia.amarilla@eme.com.py>, size=395562, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 0EC9244A36: from=<natalia.amarilla@eme.com.py>, size=395582, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: E550744A31: from=<natalia.amarilla@eme.com.py>, size=395574, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 39AA744885: from=<>, size=396913, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 3750E44096: from=<natalia.amarilla@eme.com.py>, size=395578, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: C8CA1449C8: from=<postmaster@ezmail6.bizmeka.com>, size=397157, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 2743544A10: from=<natalia.amarilla@eme.com.py>, size=395586, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 5182140358: from=<>, size=404239, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 9901844A43: from=<natalia.amarilla@eme.com.py>, size=395578, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: EA66E44860: from=<>, size=407021, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 0A1DF43E99: from=<>, size=11173, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 34CD54457E: from=<natalia.amarilla@eme.com.py>, size=395570, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 121FA449D6: from=<marangatu@set.gov.py>, size=16875, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 142A94C7EA: from=<natalia.amarilla@eme.com.py>, size=394533, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 3B1324D6F8: from=<natalia.amarilla@eme.com.py>, size=394535, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 3496C43FE7: from=<natalia.amarilla@eme.com.py>, size=395558, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 810214CA79: from=<natalia.amarilla@eme.com.py>, size=394539, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 32EEE44101: from=<natalia.amarilla@eme.com.py>, size=395566, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: E60F24CD70: from=<natalia.amarilla@eme.com.py>, size=394531, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: CBEA04DC52: from=<natalia.amarilla@eme.com.py>, size=394531, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: AA44B498E9: from=<natalia.amarilla@eme.com.py>, size=394539, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 692594A818: from=<natalia.amarilla@eme.com.py>, size=394541, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 3E46B401DC: from=<natalia.amarilla@eme.com.py>, size=395574, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: B3AC34C39E: from=<natalia.amarilla@eme.com.py>, size=394531, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 654A64DDF9: from=<natalia.amarilla@eme.com.py>, size=394537, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 6943C4DA21: from=<natalia.amarilla@eme.com.py>, size=394539, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 67FB74CC61: from=<natalia.amarilla@eme.com.py>, size=394543, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 34F114464F: from=<natalia.amarilla@eme.com.py>, size=395566, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: EE4154B58E: from=<natalia.amarilla@eme.com.py>, size=394539, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: A917E4B2F3: from=<natalia.amarilla@eme.com.py>, size=394531, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: EC6744A096: from=<natalia.amarilla@eme.com.py>, size=394549, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 0D6234BFBC: from=<natalia.amarilla@eme.com.py>, size=394533, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: B33674A8D4: from=<natalia.amarilla@eme.com.py>, size=394541, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: B18C34C116: from=<natalia.amarilla@eme.com.py>, size=394539, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 92B8E4D0B1: from=<natalia.amarilla@eme.com.py>, size=394531, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 14B114B76B: from=<natalia.amarilla@eme.com.py>, size=394535, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 527A44AC9D: from=<natalia.amarilla@eme.com.py>, size=394545, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 68139499B1: from=<natalia.amarilla@eme.com.py>, size=394533, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: E2E964D081: from=<natalia.amarilla@eme.com.py>, size=394539, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: 771094CE8D: from=<natalia.amarilla@eme.com.py>, size=394541, nrcpt=1 (queue active)
Jun 25 13:19:13 mail postfix/qmgr[27451]: A68A54C178: from=<natalia.amarilla@eme.com.py>, size=394529, nrcpt=1 (queue active)

(...)

Jun 25 13:15:09 mail postfix/qmgr[23359]: 59DD344981: from=<natalia.amarilla@eme.com.py>, size=395566, nrcpt=1 (queue active)
Jun 25 13:15:09 mail postfix/error[25798]: 59DD344981: to=<bin0346@hanmail.net>, relay=none, delay=0.07, delays=0.06/0.01/0/0, dsn=4.4.5, status=deferred (delivery temporarily suspended: host mx2.hanmail.net[211.231.108.175] refused to talk to me: 421 4.4.5 CCRC 198.211.96.33: Connection refused. Server is busy(RC))
Jun 25 13:15:09 mail amavis[26041]: (26041-07) Passed UNCHECKED {RelayedInternal}, ORIGINATING LOCAL [188.209.49.125]:52773 [188.209.49.125] <natalia.amarilla@eme.com.py> -> <bin0346@hanmail.net>, Queue-ID: 87D744978A, Message-ID: <20190624221353.AA447E3F446A0377@eme.com.py>, mail_id: Vt5pHaeqDidR, Hits: 1.603, size: 394533, queued_as: 59DD344981, dkim_new=dkim:eme.com.py, 578 ms, Tests: [ALL_TRUSTED=-1,FROM_MISSP_EH_MATCH=0.001,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,TO_NO_BRKTS_FROM_MSSP=2.5,URIBL_BLOCKED=0.001]
Jun 25 13:15:09 mail postfix/amavis/smtp[25986]: 87D744978A: to=<bin0346@hanmail.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=43275, delays=42934/340/0.01/0.58, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 59DD344981)
Jun 25 13:15:09 mail postfix/qmgr[23359]: 87D744978A: removed
Jun 25 13:15:09 mail postfix/qmgr[23359]: 62E114474B: from=<natalia.amarilla@eme.com.py>, size=395566, nrcpt=1 (queue active)
Jun 25 13:15:09 mail amavis[26022]: (26022-11) Passed UNCHECKED {RelayedInternal}, ORIGINATING LOCAL [188.209.49.125]:55159 [188.209.49.125] <natalia.amarilla@eme.com.py> -> <jbpark@hansil.co.kr>, Queue-ID: 9DC1E4D1A7, Message-ID: <20190625011321.19451DC06C92EDB8@eme.com.py>, mail_id: Cs_CzmHwyilw, Hits: 1.603, size: 394533, queued_as: 62E114474B, dkim_new=dkim:eme.com.py, 608 ms, Tests: [ALL_TRUSTED=-1,FROM_MISSP_EH_MATCH=0.001,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,TO_NO_BRKTS_FROM_MSSP=2.5,URIBL_BLOCKED=0.001]
Jun 25 13:15:09 mail postfix/amavis/smtp[26069]: 9DC1E4D1A7: to=<jbpark@hansil.co.kr>, relay=127.0.0.1[127.0.0.1]:10026, delay=32508, delays=32167/340/0.01/0.61, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 62E114474B)
Jun 25 13:15:09 mail postfix/qmgr[23359]: 9DC1E4D1A7: removed
Jun 25 13:15:09 mail postfix/smtp[23877]: E515844972: to=<jason@kompass.co.kr>, relay=ASPMX.daum.net[211.231.108.174]:25, delay=2.8, delays=0.06/0.01/2.3/0.42, dsn=5.1.1, status=bounced (host ASPMX.daum.net[211.231.108.174] said: 550 5.1.1 RUSR 198.211.96.33: No such user: <jason@kompass.co.kr> (in reply to RCPT TO command))
Jun 25 13:15:09 mail postfix/10025/smtpd[23555]: EBAB84498D: client=mail.eme.com.py[127.0.0.1]
Jun 25 13:15:09 mail postfix/cleanup[25704]: EBAB84498D: message-id=<20190624223835.173C39675193DFF3@eme.com.py>
Jun 25 13:15:09 mail postfix/10025/smtpd[23498]: EFF214498F: client=mail.eme.com.py[127.0.0.1]
Jun 25 13:15:09 mail postfix/cleanup[25904]: EFF214498F: message-id=<20190625002407.12680708E3CB3F01@eme.com.py>
Jun 25 13:15:10 mail postfix/qmgr[23359]: EBAB84498D: from=<natalia.amarilla@eme.com.py>, size=395574, nrcpt=1 (queue active)
Jun 25 13:15:10 mail amavis[26041]: (26041-08) Passed UNCHECKED {RelayedInternal}, ORIGINATING LOCAL [188.209.49.125]:53110 [188.209.49.125] <natalia.amarilla@eme.com.py> -> <chang9582@hanmail.net>, Queue-ID: E0A8549F14, Message-ID: <20190624223835.173C39675193DFF3@eme.com.py>, mail_id: eGtOjCBbqJzM, Hits: 1.603, size: 394537, queued_as: EBAB84498D, dkim_new=dkim:eme.com.py, 584 ms, Tests: [ALL_TRUSTED=-1,FROM_MISSP_EH_MATCH=0.001,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,TO_NO_BRKTS_FROM_MSSP=2.5,URIBL_BLOCKED=0.001]
Jun 25 13:15:10 mail postfix/error[25799]: EBAB84498D: to=<chang9582@hanmail.net>, relay=none, delay=0.07, delays=0.06/0.01/0/0, dsn=4.4.5, status=deferred (delivery temporarily suspended: host mx2.hanmail.net[211.231.108.175] refused to talk to me: 421 4.4.5 CCRC 198.211.96.33: Connection refused. Server is busy(RC))
Jun 25 13:15:10 mail postfix/qmgr[23359]: EFF214498F: from=<natalia.amarilla@eme.com.py>, size=395562, nrcpt=1 (queue active)
Jun 25 13:15:10 mail postfix/amavis/smtp[25986]: E0A8549F14: to=<chang9582@hanmail.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=41793, delays=41452/340/0.01/0.59, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as EBAB84498D)
Jun 25 13:15:10 mail postfix/qmgr[23359]: E0A8549F14: removed
Jun 25 13:15:10 mail postfix/error[25798]: EFF214498F: to=<herojm@hanmail.net>, relay=none, delay=0.07, delays=0.06/0.01/0/0, dsn=4.4.5, status=deferred (delivery temporarily suspended: host mx2.hanmail.net[211.231.108.175] refused to talk to me: 421 4.4.5 CCRC 198.211.96.33: Connection refused. Server is busy(RC))
Jun 25 13:15:10 mail amavis[26022]: (26022-12) Passed UNCHECKED {RelayedInternal}, ORIGINATING LOCAL [188.209.49.125]:54454 [188.209.49.125] <natalia.amarilla@eme.com.py> -> <herojm@hanmail.net>, Queue-ID: 88FD34C187, Message-ID: <20190625002407.12680708E3CB3F01@eme.com.py>, mail_id: hxhS4VV_M-9I, Hits: 1.603, size: 394531, queued_as: EFF214498F, dkim_new=dkim:eme.com.py, 579 ms, Tests: [ALL_TRUSTED=-1,FROM_MISSP_EH_MATCH=0.001,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,TO_NO_BRKTS_FROM_MSSP=2.5,URIBL_BLOCKED=0.001]
Jun 25 13:15:10 mail postfix/amavis/smtp[26069]: 88FD34C187: to=<herojm@hanmail.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=35461, delays=35120/341/0.01/0.58, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as EFF214498F)
Jun 25 13:15:10 mail postfix/qmgr[23359]: 88FD34C187: removed
Jun 25 13:15:10 mail postfix/cleanup[25704]: 2E5AC4498E: message-id=<20190625171510.2E5AC4498E@mail.eme.com.py>
Jun 25 13:15:10 mail postfix/bounce[25623]: E515844972: sender non-delivery notification: 2E5AC4498E


2

Re: Postfix sending SPAM - PLEASE HELP

Server stopped receiving and sending email in the last 12 hours, so I logged in and found that in mail.log.

Some mails began to arrive with a delay of 3 hours.

Open relay turned ok.

Post's attachments: iredmail.png (28.61 kb)

3

Re: Postfix sending SPAM - PLEASE HELP

Looks like all started at midnight

Jun 25 00:26:59 mail postfix/submission/smtpd[4299]: warning: hostname hosted-by.blazingfast.io does not resolve to address 188.209.49.125
Jun 25 00:26:59 mail postfix/submission/smtpd[4299]: connect from unknown[188.209.49.125]
Jun 25 00:26:59 mail postfix/submission/smtpd[4299]: Anonymous TLS connection established from unknown[188.209.49.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 25 00:27:00 mail postfix/submission/smtpd[4299]: disconnect from unknown[188.209.49.125] ehlo=2 starttls=1 auth=1 quit=1 commands=5
Jun 25 00:28:55 mail postfix/submission/smtpd[4345]: warning: hostname hosted-by.blazingfast.io does not resolve to address 188.209.49.125
Jun 25 00:28:55 mail postfix/submission/smtpd[4345]: connect from unknown[188.209.49.125]
Jun 25 00:28:56 mail postfix/submission/smtpd[4345]: Anonymous TLS connection established from unknown[188.209.49.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 25 00:28:56 mail postfix/submission/smtpd[4345]: disconnect from unknown[188.209.49.125] ehlo=2 starttls=1 auth=1 quit=1 commands=5
Jun 25 00:28:57 mail postfix/submission/smtpd[4345]: warning: hostname hosted-by.blazingfast.io does not resolve to address 188.209.49.125
Jun 25 00:28:57 mail postfix/submission/smtpd[4345]: connect from unknown[188.209.49.125]
Jun 25 00:28:57 mail postfix/submission/smtpd[4348]: warning: hostname hosted-by.blazingfast.io does not resolve to address 188.209.49.125
Jun 25 00:28:57 mail postfix/submission/smtpd[4348]: connect from unknown[188.209.49.125]
Jun 25 00:28:57 mail postfix/submission/smtpd[4349]: warning: hostname hosted-by.blazingfast.io does not resolve to address 188.209.49.125
Jun 25 00:28:57 mail postfix/submission/smtpd[4349]: connect from unknown[188.209.49.125]
Jun 25 00:28:57 mail postfix/submission/smtpd[4347]: warning: hostname hosted-by.blazingfast.io does not resolve to address 188.209.49.125
Jun 25 00:28:57 mail postfix/submission/smtpd[4347]: connect from unknown[188.209.49.125]
Jun 25 00:28:57 mail postfix/submission/smtpd[4345]: Anonymous TLS connection established from unknown[188.209.49.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 25 00:28:57 mail postfix/submission/smtpd[4348]: Anonymous TLS connection established from unknown[188.209.49.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 25 00:28:58 mail postfix/submission/smtpd[4349]: Anonymous TLS connection established from unknown[188.209.49.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 25 00:28:58 mail postfix/submission/smtpd[4347]: Anonymous TLS connection established from unknown[188.209.49.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 25 00:28:58 mail postfix/submission/smtpd[4345]: NOQUEUE: reject: RCPT from unknown[188.209.49.125]: 554 5.7.1 <007syj@hanmail.net>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<zulfiqor@radiant-utama.com> to=<007syj@hanmail.net> proto=ESMTP helo=<radiant-utama.com>
Jun 25 00:28:58 mail postfix/submission/smtpd[4348]: NOQUEUE: reject: RCPT from unknown[188.209.49.125]: 554 5.7.1 <007minho@hanmail.net>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<zulfiqor@radiant-utama.com> to=<007minho@hanmail.net> proto=ESMTP helo=<radiant-utama.com>
Jun 25 00:28:58 mail postfix/submission/smtpd[4349]: NOQUEUE: reject: RCPT from unknown[188.209.49.125]: 554 5.7.1 <007kkkjw@hanmail.net>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<zulfiqor@radiant-utama.com> to=<007kkkjw@hanmail.net> proto=ESMTP helo=<radiant-utama.com>
Jun 25 00:28:58 mail postfix/submission/smtpd[4347]: NOQUEUE: reject: RCPT from unknown[188.209.49.125]: 554 5.7.1 <007sso@hanmail.net>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<zulfiqor@radiant-utama.com> to=<007sso@hanmail.net> proto=ESMTP helo=<radiant-utama.com>
Jun 25 00:28:58 mail postfix/submission/smtpd[4348]: disconnect from unknown[188.209.49.125] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7
Jun 25 00:28:58 mail postfix/submission/smtpd[4345]: disconnect from unknown[188.209.49.125] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7
Jun 25 00:28:58 mail postfix/submission/smtpd[4349]: disconnect from unknown[188.209.49.125] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7
Jun 25 00:28:58 mail postfix/submission/smtpd[4347]: disconnect from unknown[188.209.49.125] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7
Jun 25 00:28:58 mail postfix/submission/smtpd[4348]: warning: hostname hosted-by.blazingfast.io does not resolve to address 188.209.49.125
Jun 25 00:28:58 mail postfix/submission/smtpd[4348]: connect from unknown[188.209.49.125]
Jun 25 00:28:58 mail postfix/submission/smtpd[4345]: warning: hostname hosted-by.blazingfast.io does not resolve to address 188.209.49.125
Jun 25 00:28:58 mail postfix/submission/smtpd[4345]: connect from unknown[188.209.49.125]
Jun 25 00:28:58 mail postfix/submission/smtpd[4347]: warning: hostname hosted-by.blazingfast.io does not resolve to address 188.209.49.125
Jun 25 00:28:58 mail postfix/submission/smtpd[4347]: connect from unknown[188.209.49.125]
Jun 25 00:28:58 mail postfix/submission/smtpd[4349]: warning: hostname hosted-by.blazingfast.io does not resolve to address 188.209.49.125
Jun 25 00:28:58 mail postfix/submission/smtpd[4349]: connect from unknown[188.209.49.125]
Jun 25 00:28:59 mail postfix/submission/smtpd[4348]: Anonymous TLS connection established from unknown[188.209.49.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 25 00:28:59 mail postfix/submission/smtpd[4345]: Anonymous TLS connection established from unknown[188.209.49.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 25 00:28:59 mail postfix/submission/smtpd[4347]: Anonymous TLS connection established from unknown[188.209.49.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 25 00:28:59 mail postfix/submission/smtpd[4349]: Anonymous TLS connection established from unknown[188.209.49.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

4

Re: Postfix sending SPAM - PLEASE HELP

After a couple of minutes it picked the address from which the spam is being sent right now

Jun 25 00:29:48 mail postfix/submission/smtpd[4348]: D839345678: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:48 mail postfix/submission/smtpd[4349]: DBB75468AE: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:48 mail postfix/submission/smtpd[4345]: EB74D468B1: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:49 mail postfix/submission/smtpd[4347]: 05809468B3: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:49 mail postfix/cleanup[4380]: D839345678: message-id=<20190624212947.A0F86BAEF0A6540E@eme.com.py>
Jun 25 00:29:49 mail postfix/cleanup[4381]: DBB75468AE: message-id=<20190624212947.A4E72A6F882D24D7@eme.com.py>
Jun 25 00:29:49 mail postfix/cleanup[4391]: EB74D468B1: message-id=<20190624212947.A339A11507D5E2F3@eme.com.py>
Jun 25 00:29:49 mail postfix/cleanup[4399]: 05809468B3: message-id=<20190624212947.7ADB649C9894114B@eme.com.py>
Jun 25 00:29:49 mail postfix/qmgr[20030]: DBB75468AE: from=<natalia.amarilla@eme.com.py>, size=394531, nrcpt=1 (queue active)
Jun 25 00:29:49 mail amavis[24321]: (24321-08) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: Connection refused
Jun 25 00:29:49 mail postfix/qmgr[20030]: 05809468B3: from=<natalia.amarilla@eme.com.py>, size=394535, nrcpt=1 (queue active)
Jun 25 00:29:49 mail postfix/submission/smtpd[4349]: E3C93468B6: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:50 mail amavis[29284]: (29284-02) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: Connection refused
Jun 25 00:29:50 mail postfix/cleanup[4381]: E3C93468B6: message-id=<20190624212947.3584CF793F4B7346@eme.com.py>
Jun 25 00:29:50 mail postfix/qmgr[20030]: E3C93468B6: from=<natalia.amarilla@eme.com.py>, size=394531, nrcpt=1 (queue active)
Jun 25 00:29:50 mail postfix/submission/smtpd[4347]: 8EAA6468B7: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:50 mail postfix/cleanup[4399]: 8EAA6468B7: message-id=<20190624212949.C58C7E37113F8B52@eme.com.py>
Jun 25 00:29:50 mail amavis[24321]: (24321-08) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: Connection refused
Jun 25 00:29:50 mail amavis[24321]: (24321-08) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (2)
Jun 25 00:29:50 mail postfix/qmgr[20030]: EB74D468B1: from=<natalia.amarilla@eme.com.py>, size=394535, nrcpt=1 (queue active)
Jun 25 00:29:50 mail postfix/submission/smtpd[4349]: CE5F8468C3: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:51 mail postfix/cleanup[4381]: CE5F8468C3: message-id=<20190624212949.499772429EFF277D@eme.com.py>
Jun 25 00:29:51 mail postfix/qmgr[20030]: D839345678: from=<natalia.amarilla@eme.com.py>, size=394531, nrcpt=1 (queue active)
Jun 25 00:29:51 mail amavis[29284]: (29284-02) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: Connection refused
Jun 25 00:29:51 mail amavis[29284]: (29284-02) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (2)
Jun 25 00:29:51 mail postfix/submission/smtpd[4345]: 3564E468C4: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:51 mail postfix/submission/smtpd[4348]: 540F846E80: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:51 mail postfix/cleanup[4391]: 3564E468C4: message-id=<20190624212950.6C4C0C01D394357E@eme.com.py>
Jun 25 00:29:51 mail postfix/cleanup[4380]: 540F846E80: message-id=<20190624212950.57BCB9479232312C@eme.com.py>
Jun 25 00:29:52 mail postfix/qmgr[20030]: CE5F8468C3: from=<natalia.amarilla@eme.com.py>, size=394537, nrcpt=1 (queue active)
Jun 25 00:29:52 mail postfix/submission/smtpd[4349]: 7833A46E81: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:52 mail postfix/cleanup[4381]: 7833A46E81: message-id=<20190624212951.4E2B42EA21362CD7@eme.com.py>
Jun 25 00:29:53 mail postfix/qmgr[20030]: 8EAA6468B7: from=<natalia.amarilla@eme.com.py>, size=394535, nrcpt=1 (queue active)
Jun 25 00:29:53 mail postfix/submission/smtpd[4347]: 81FCF46E83: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:53 mail postfix/cleanup[4399]: 81FCF46E83: message-id=<20190624212952.62D5E371715FA2BB@eme.com.py>
Jun 25 00:29:54 mail postfix/qmgr[20030]: 540F846E80: from=<natalia.amarilla@eme.com.py>, size=394533, nrcpt=1 (queue active)
Jun 25 00:29:54 mail postfix/qmgr[20030]: 3564E468C4: from=<natalia.amarilla@eme.com.py>, size=394531, nrcpt=1 (queue active)
Jun 25 00:29:54 mail postfix/submission/smtpd[4348]: BDA7046E88: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py
Jun 25 00:29:54 mail postfix/submission/smtpd[4345]: CE61846E8E: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py

5 (edited by Neutro 2019-06-26 02:40:52)

Re: Postfix sending SPAM - PLEASE HELP

Jun 25 00:29:48 mail postfix/submission/smtpd[4348]: D839345678: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py

The problem is coming from the natalia.amarilla@eme.com.py account on your server mail.eme.com.py

There are 2 possible explanations:

- one of the devices of your user natalia amarilla has been compromised/hacked because of a virus or an exploit and the compromised device uses her mail account on your server to send spam (most likely),

- the password set by natalia amarilla was too weak and someone was able to brute force it (less likely).


You need to reset the password of natalia.amarilla@eme.com.py and contact her to let her know. Ask for her IP address as well.

If her IP is 188.209.49.125 it means she has a virus from one of her devices. If it's not then someone brute forced her password, ban the IP 188.209.49.125 with fail2ban on your server.

Also update iredmail from 0.9.7 to latest version 0.9.9

Last but not least you should change https://mail.eme.com.py/iredadmin to another alias to increase security.
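The diagnosis above rests on two fields of the submission log: sasl_username and the client= host/IP. As an added example (not from the thread, nor iRedMail's or Postfix's own code), a small Python detector that parses those lines and flags an account whose login rate inside a sliding window looks like the burst in post 4, listing every client IP it used; the sample log, hostnames, addresses and queue IDs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Postfix submission-port log lines, in the same shape as the
# thread's mail.log excerpt (hostnames, addresses, IPs and queue IDs are made up).
SAMPLE_LOG = """\
Jun 25 00:29:48 mail postfix/submission/smtpd[4348]: warning: hostname vps.example-hosting.test does not resolve to address 203.0.113.45
Jun 25 00:29:48 mail postfix/submission/smtpd[4348]: connect from unknown[203.0.113.45]
Jun 25 00:29:48 mail postfix/submission/smtpd[4348]: AAAA000001: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.net
Jun 25 00:29:48 mail postfix/submission/smtpd[4349]: AAAA000002: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.net
Jun 25 00:29:49 mail postfix/submission/smtpd[4345]: AAAA000003: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.net
Jun 25 00:29:49 mail postfix/submission/smtpd[4347]: AAAA000004: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.net
Jun 25 00:29:50 mail postfix/submission/smtpd[4349]: AAAA000005: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.net
Jun 25 00:29:51 mail postfix/submission/smtpd[4347]: AAAA000006: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.net
Jun 25 00:31:02 mail postfix/submission/smtpd[4350]: AAAA000007: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.net
Jun 25 00:31:02 mail postfix/submission/smtpd[4351]: AAAA000008: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.net
Jun 25 00:12:10 mail postfix/submission/smtpd[4201]: BBBB000001: client=home.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.net
Jun 25 00:40:33 mail postfix/submission/smtpd[4402]: BBBB000002: client=home.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.net
"""

# The line Postfix logs after a successful SASL AUTH on the submission service;
# "client=host[ip]" and "sasl_username=" are the fields the detector needs.
SASL_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/submission/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\], "
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)$"
)


def parse_sasl_logins(lines, year=2019):
    """Return one event per authenticated submission; other log lines are skipped.

    syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in lines:
        m = SASL_LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "qid": m["qid"], "ip": m["ip"], "user": m["user"]})
    return events


def find_bursting_accounts(events, window_seconds=60, max_per_window=5):
    """Flag accounts with more than max_per_window logins inside any sliding window.

    A person using webmail or a mail client rarely authenticates more than a few
    times a minute; a spam script opens one connection per message. The report also
    lists every client IP seen for the account, since in the thread the sending
    moved to a second IP as soon as the first one was banned.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end, ev in enumerate(evs):
            # Shrink the window from the left until it spans at most window_seconds.
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[user] = {
                "peak": peak,
                "total": len(evs),
                "ips": sorted({e["ip"] for e in evs}),
            }
    return flagged


def run_example():
    """Run the detector over the constructed sample log with the default thresholds."""
    return find_bursting_accounts(parse_sasl_logins(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for user, info in run_example().items():
        print(f"{user}: peak {info['peak']} logins/min, {info['total']} total, "
              f"from {', '.join(info['ips'])}")
```

Feed it the real file with parse_sasl_logins(open("/var/log/mail.log")) and tune window_seconds and max_per_window to what your own users normally do.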

6

Re: Postfix sending SPAM - PLEASE HELP

Neutro wrote:

Jun 25 00:29:48 mail postfix/submission/smtpd[4348]: D839345678: client=unknown[188.209.49.125], sasl_method=LOGIN, sasl_username=natalia.amarilla@eme.com.py

The problem is coming from the natalia.amarilla@eme.com.py account on your server mail.eme.com.py

There are 2 possible explanations:

- one of the devices of your user natalia amarilla has been compromised/hacked because of a virus or an exploit and the compromised device uses her mail account on your server to send spam (most likely),

- the password set by natalia amarilla was too weak and someone was able to brute force it (less likely).


You need to reset the password of natalia.amarilla@eme.com.py and contact her to let her know. Ask for her IP address as well.

If her IP is 188.209.49.125 it means she has a virus from one of her devices. If it's not then someone brute forced her password, ban the IP 188.209.49.125 with fail2ban on your server.

Also update iredmail from 0.9.7 to latest version 0.9.9

Last but not least you should change https://mail.eme.com.py/iredadmin to another alias to increase security.

The first thing I did was to disable the account in iRedAdmin, with no effect.

Changed password (of disabled account), no effect.

Added IP to fail2ban, spam stopped, resumed with a different IP after a couple of minutes.

7 (edited by Neutro 2019-06-26 03:20:27)

Re: Postfix sending SPAM - PLEASE HELP

https://forum.iredmail.org/topic5890-ir … -user.html

ZhangHuangbin wrote:

Disable it with SQL row: mailbox.active, alias.active

Check if the vmail database contains the correct value for disabling that user as explained in that topic.

In mysql command that translates to:

use vmail;

select active from mailbox where username='natalia.amarilla@eme.com.py';

If value is 1 change it to 0:

update mailbox set active=0 where username='natalia.amarilla@eme.com.py';

Restart your server after you check the changes if needed to make sure they have been taken into account by all mail systems on your server (this shouldn't be needed but if possible it doesn't hurt to do it).

Keep banning the connecting IP with fail2ban, eventually the attacker might run out of them.

Post the associated log of the attacker connecting to the natalia amarilla account when it's disabled if it keeps going.

8

Re: Postfix sending SPAM - PLEASE HELP

Mail working OK for users now, still getting bursts of postfix/qmgr from=<natalia.amarilla@eme.com.py> coming from somewhere.

9

Re: Postfix sending SPAM - PLEASE HELP

I think the issue was solved disabling the troubled user but spam got stuck in queue

10

Re: Postfix sending SPAM - PLEASE HELP

jpbogado wrote:

I think the issue was solved disabling the troubled user but spam got stuck in queue

-- 3040557 Kbytes in 7882 Requests.

Yep

11 (edited by Neutro 2019-06-26 04:26:03)

Re: Postfix sending SPAM - PLEASE HELP

Good :)

You can use command "postqueue -p" to see if some spam mails are still waiting in queue.

The fact that the attack kept going with another IP could mean that your user natalia had a compromised mobile phone with wifi on so the first attack came from wifi then when you banned the IP it kept going on mobile network... Or something similar.

It seems not likely that her password was guessed right by someone brute forcing it, because after a few failed tries fail2ban should ban the corresponding IP automatically.

Don't forget to warn her, she's gonna wonder why she can't use email :D And check her devices' IPs to see if they match the IP you banned.
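To find the queued spam that posts 9 and 10 describe, here is an added Python example (not from the thread, nor Postfix's own tooling) that parses the output of "postqueue -p", selects the queue IDs of mail from one sender plus the bounces heading back to that sender, and prepares the one-ID-per-line list that "postsuper -d -" reads from stdin. The queue listing and addresses are constructed; the script only prints and deletes nothing itself.

```python
import re

# Constructed "postqueue -p" output in the layout Postfix prints: a header row, one
# record per message (queue ID, optional state flag, size, arrival time, sender),
# an optional "(reason)" line for deferred mail, one indented recipient per line,
# a blank separator, and a summary line. Addresses and queue IDs are made up.
SAMPLE_POSTQUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
59DD344981   395566 Tue Jun 25 13:15:09  compromised.user@example.net
(delivery temporarily suspended: host mx.example.org[192.0.2.25] refused to talk to me: 421 4.4.5 Server is busy)
                                         victim1@example.org

3726244A4C*  395582 Tue Jun 25 13:19:13  compromised.user@example.net
                                         victim2@example.org

2E5AC4498E     3155 Tue Jun 25 13:15:10  MAILER-DAEMON
                                         compromised.user@example.net

A1B2C3D4E5!    2048 Tue Jun 25 12:58:41  alice@example.net
                                         colleague@example.com

-- 3040557 Kbytes in 7882 Requests.
"""

# First line of each record: queue ID, '*' (active) or '!' (hold), size, arrival, sender.
RECORD_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)


def parse_postqueue(text):
    """Parse `postqueue -p` output into a list of message dicts."""
    messages = []
    current = None
    for line in text.splitlines():
        # Blank separators, the header row and the "-- N Kbytes" summary end a record.
        if not line.strip() or line.startswith("-Queue ID-") or line.startswith("-- "):
            current = None
            continue
        m = RECORD_RE.match(line)
        if m:
            current = {
                "qid": m["qid"],
                # No flag means the message sits in the deferred (or incoming) queue.
                "state": {"*": "active", "!": "hold"}.get(m["flag"], "deferred"),
                "size": int(m["size"]),
                "sender": m["sender"],
                "reason": None,
                "recipients": [],
            }
            messages.append(current)
        elif current is not None and line.startswith("("):
            current["reason"] = line.strip("()")
        elif current is not None:
            current["recipients"].append(line.strip())
    return messages


def select_for_deletion(messages, sender, include_bounces=True):
    """Queue IDs of mail from `sender`, plus bounces (MAILER-DAEMON) addressed to it.

    Bounces for undeliverable spam would otherwise be delivered into the
    compromised user's mailbox by the thousand.
    """
    wanted = sender.lower()
    qids = []
    for msg in messages:
        if msg["sender"].lower() == wanted:
            qids.append(msg["qid"])
        elif (include_bounces and msg["sender"] == "MAILER-DAEMON"
              and wanted in (r.lower() for r in msg["recipients"])):
            qids.append(msg["qid"])
    return qids


def postsuper_stdin(qids):
    """Text for `postsuper -d -`, which reads one queue ID per line from stdin."""
    return "".join(q + "\n" for q in qids)


if __name__ == "__main__":
    msgs = parse_postqueue(SAMPLE_POSTQUEUE)
    doomed = select_for_deletion(msgs, "compromised.user@example.net")
    print(f"{len(doomed)} of {len(msgs)} queued messages selected; pipe this into 'postsuper -d -':")
    print(postsuper_stdin(doomed), end="")
```

Review the selected IDs before piping them into postsuper: a legitimate message the user sent earlier in the day is indistinguishable from the spam by sender alone, so check recipients and arrival times against the time the burst started.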

12 (edited by jpbogado 2019-06-26 04:31:19)

Re: Postfix sending SPAM - PLEASE HELP

Neutro wrote:

Good :)

You can use command "postqueue -p" to see if some spam mails are still waiting in queue.

The fact that the attack kept going with another IP could mean that your user natalia had a compromised mobile phone with wifi on so the first attack came from wifi then when you banned the IP it kept going on mobile network... Or something similar.

It seems not likely that her password was guessed right by someone brute forcing it because after a few tries failed fail2ban should ban the corresponding IP automatically.

Don't forget to warn her, she's gonna wonder why she can't use email ^^

I think the attack stopped with the first measure, just got confused by the queue.

We use only Roundcube as client, with the iRedAdmin-suggested password saved in the browser of the user's computer.

I thought that was safe enough, I was wrong. Disconnected the computer from the network and doing a fresh install of the OS.

Thanks for your help!

13

Re: Postfix sending SPAM - PLEASE HELP

Neutro wrote:

In mysql command that translates to:

use vmail;

select active from mailbox where username='natalia.amarilla@eme.com.py';

If value is 1 change it to 0:

update mailbox set active=0 where username='natalia.amarilla@eme.com.py';

Do you know what corresponding command I have to submit if users are stored in openLDAP, instead?
just curiosity..

14 (edited by Neutro 2019-06-27 02:42:28)

Re: Postfix sending SPAM - PLEASE HELP

I have no idea, never used OpenLDAP :)

Maybe the master of this forum can answer you :)