1

Topic: SPAM emails sent out from domain configured in iredmail

==== BASIC INFO OF IREDMAIL SERVER ====
- iRedMail version : 0.9.9 MARIADB edition.
- Deployed with installer
- Ubuntu 18.04.2 LTS / bionic
- MARIADB
- Nginx
- Open source iredadmin
- Roundcube webmail
===========================================
A lot of SPAM emails were sent out from one of our email accounts (info@isted.com) configured in the iRedMail server (community server). We are using Amazon SES as the relay service for this iRedMail server.

When I first logged in and checked the Roundcube webmail settings, one identity had been added without our knowledge, and an auto-reply to a Yandex email id plus extra content in the signature had also been added in the webmail settings, so I removed those settings and reset the email id password.

But after 2 days, again a lot of SPAM emails were sent out from this same email id (info@isted.com). This time I didn't see any settings changed in Roundcube webmail, but when I looked at some bounced SPAM emails, they looked like they had Trojan attachments.

----------------------------------------------------------------------
Below is the sample email sent out from that domain
-----------------------------------------------------------------------
Subject    Payment Review
From    Cathy Zhai Yan <info@isted.com>
To    undisclosed-recipients:
Date    Mon 09:21

Good day,


Should I pay to this account in this invoice?

The below invoice was forwarded to the account department this morning by our sales department.

Check the attached Invoice and confirm for a final confirmation of the details for the payment within 48 hours.


Awaiting your quick response.


Thanks & Best Regards!
Cathy Zhai Yan

----------------------------------------------------------------------------------------
Below email sample with Header details
----------------------------------------------------------------------------------------

Authentication-Results: mail.tech.in (amavisd-new);
dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
header.d=trd.in
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=trd.in; h=
user-agent:message-id:references:in-reply-to:subject:subject:to
:from:from:date:date:content-type:content-type:mime-version; s=
dkim; t=1572234816; x=1574826817; bh=/ZTsZ/yhOCbiD3zjZEUOT10Sal9
9wpzPMVJv/bPtaas=; b=LP6BZUT5hLYz8k104kQmMWNXj7J4KwIkXn1e05+fmEk
DjW2s6vA7TeajMvrqipIjdbSxxu9zTRcrJZe+y40HwQoVcYOdaeUwWQ2Y4pPeMcc
fZC37KfcSj7O8e6f0JZ3LhDHlI+Y+B24B27ZfgBSUjyzBeJOHRiPKF4tVG1YSdag
=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1572234820;
h=MIME-Version:Content-Type:Date:From:To:Subject:In-Reply-To:References:Message-ID:Feedback-ID;
bh=/ZTsZ/yhOCbiD3zjZEUOT10Sal99wpzPMVJv/bPtaas=;
b=YFP8Ldgk5vozjsvHMsWeqG4qtMW3xhJHaAFPAsFHY9keLNCZwo/hk5Lv1DnHyPzK
fy9ijtsOK/5RcCkorppdwK56Qjm5eSwIrFNcEUeg5lSzrlqXqw6t/GwYuMQm9ckqCP/
KqjDqsSeiP1xKr5g1/2Nnlqkw04cayQM4VQ6YN4Q=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=e43lmvfk2zolf7txvxtu5deejpfz6rjs; d=isted.com; t=1572234820;
h=MIME-Version:Content-Type:Date:From:To:Subject:In-Reply-To:References:Message-ID;
bh=/ZTsZ/yhOCbiD3zjZEUOT10Sal99wpzPMVJv/bPtaas=;
b=m/jq2GTRAIGmjEN1yzbg2dT3IwY1WIulVDgHxI7xv1u6LUMjx20GZAeV0LVr/Whw
umKh26/ITwM5oXsURt8kODdHJJHqZKNnIQHlAJ8ZtL61gC8wKBK9IJRqtCCYm/Q6GZQ
P8/rxDTDK1ay7qfUbwYT0jM+zg7anWXC8iCYUkS8=
X-Virus-Scanned: Debian amavisd-new at mail.tech.in
X-Amavis-Alert: BANNED, message contains
.exe,.exe-ms,0713714001572228566/INVOICE.exe
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_663dd9d71340dc9d492dce9a82bd22e3"
Date: Mon, 28 Oct 2019 03:53:40 +0000
From: Cathy Zhai Yan <info@isted.com>
To: undisclosed-recipients:;
Subject: Payment Review
In-Reply-To: <698272af1e231780e7243879655d8c61@isted.com>
References: <fb398202caa5a4e906a39b8c2c4ada1f@isted.com>
<d0fe2c591e328927bcc2f6d23f40235d@isted.com>
<0bb78bbdf1f7579803752ac79715495f@isted.com>
<8f20017d694df726abc4cc10397f04ab@isted.com>
<c6a9076f16649160998c6804097900e1@isted.com>
<698272af1e231780e7243879655d8c61@isted.com>
Message-ID: <0100016e107f7a9e-013e4928-40cb-4fa8-bac0-8aba6c378d38-000000@email.amazonses.com>
X-Sender: info@isted.com
User-Agent: Roundcube Webmail
X-SES-Outgoing: 2019.10.28-54.240.8.78
Feedback-ID: 1.us-east-1.Lg5O8ueviEy+ooBOTQSbFM3cXw+b6rduabFbI+09BrA=:AmazonSES

-------------------------------------------------------------------------------------------------------------------------
The bounce message we received below shows that the above SPAM email contains some kind of Trojan
-------------------------------------------------------------------------------------------------------------------------
Subject: Payment Review
Sender: info@isted.com

Time received: 10/28/2019 3:53:11 AM
Message ID:<0100016e107ef9f7-ed7b7d6e-3e12-4e88-9a80-221bf4f65845-000000@email.amazonses.com>
Detections found:
invoice.gz     W32/Trojan.SW.gen!Eldorado
---------------------------------------------------------------------------------------------------------------------

Where is the issue? Is one of our computers infected, or is the webmail infected with malware, a virus or a Trojan? Kindly help me to find the issue.

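The headers quoted in the first post already contain the facts an admin needs for triage: the amavisd BANNED verdict naming the attachment, the User-Agent showing the message was composed in Roundcube, X-Sender naming the authenticated mailbox, and the DKIM signing domains. The following Python script is an added example (not code from this thread or from iRedMail) that pulls those indicators out of a raw header block with the standard-library email parser. The header block it reads is constructed, modelled on the one above but with made-up domains, selectors and signature values; the path in the X-Amavis-Alert line is also constructed.

```python
"""Triage a bounced or suspicious outbound message from its headers.

Added example, not from the forum thread or the iRedMail project. Only the
standard library is used. SAMPLE_HEADERS below is constructed: it mirrors the
header layout quoted in the thread but uses example domains and dummy values.
"""
import re
from email import policy
from email.parser import Parser

# Constructed header block (folded lines start with a tab, as in real mail).
SAMPLE_HEADERS = """\
Authentication-Results: mail.example.net (amavisd-new);
\tdkim=pass (1024-bit key) header.d=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=dkim; t=1572234816; bh=abc=; b=def=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=sel1; d=amazonses.com; t=1572234820; bh=abc=; b=ghi=
X-Virus-Scanned: Debian amavisd-new at mail.example.net
X-Amavis-Alert: BANNED, message contains
\t.exe,.exe-ms,1234567890/INVOICE.exe
MIME-Version: 1.0
Date: Mon, 28 Oct 2019 03:53:40 +0000
From: Cathy Zhai Yan <info@example.com>
To: undisclosed-recipients:;
Subject: Payment Review
X-Sender: info@example.com
User-Agent: Roundcube Webmail

"""

# amavisd lists banned parts as "<type>,<type>,...,<path/filename>"; the
# filename is the entry that does not start with a dot.
_CONTAINS_RE = re.compile(r"message contains\s+(.*)$", re.S)
_DKIM_DOMAIN_RE = re.compile(r"(?:^|;)\s*d=([^;\s]+)")


def triage(raw_headers):
    """Return a dict of indicators extracted from a raw header block."""
    msg = Parser(policy=policy.default).parsestr(raw_headers, headersonly=True)
    report = {}

    # Which mailbox actually authenticated, and does the visible From agree?
    from_hdr = msg["From"]
    report["from"] = from_hdr.addresses[0].addr_spec if from_hdr and from_hdr.addresses else None
    report["x_sender"] = msg.get("X-Sender")
    report["from_matches_sender"] = report["from"] == report["x_sender"]

    # Webmail origin: Roundcube stamps its own User-Agent on outgoing mail.
    report["sent_via_webmail"] = "Roundcube" in msg.get("User-Agent", "")

    # "undisclosed-recipients:;" is an empty address group: no visible recipients.
    to_hdr = msg["To"]
    report["recipients_hidden"] = bool(to_hdr) and len(to_hdr.addresses) == 0

    # Every d= domain that signed the message (policy.default unfolds headers).
    report["dkim_domains"] = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = _DKIM_DOMAIN_RE.search(str(sig))
        if m:
            report["dkim_domains"].append(m.group(1))

    # Banned attachments reported by amavisd-new.
    report["banned_files"] = []
    alert = str(msg.get("X-Amavis-Alert", ""))
    if alert.startswith("BANNED"):
        m = _CONTAINS_RE.search(alert)
        if m:
            parts = [p.strip() for p in m.group(1).split(",")]
            report["banned_files"] = [p for p in parts if p and not p.startswith(".")]
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key:22} {value}")
```

Run it against a bounced sample saved as a text file and the combination `sent_via_webmail` + `from_matches_sender` + `banned_files` tells you, as the thread's reply does, that the message was composed through Roundcube under the named mailbox rather than injected by some other path.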

2

Re: SPAM emails sent out from domain configured in iredmail

- Check the Postfix log to figure out how this account sent out email. Did he/she perform SMTP authentication?
- Did you reset it to a strong password?

3 (edited by ramesh2019 2019-10-31 21:50:26)

Re: SPAM emails sent out from domain configured in iredmail

The Postfix logs show the following.

It seems they are sending emails from Roundcube only, so does this mean Roundcube webmail is infected with some malware? But only this particular email id is sending a lot of SPAM emails from the server.
-----------------------------------------------------Postfix-Log----------------------------------------------------------------------
Oct 25 00:49:34 ip-10-0-1-97 roundcube: <hmppifj0> User info@isted.com [5.62.59.47]; Message for undisclosed-recipients:, sefdgry101@outlfgook.com, shtrfgdyop@vipfdgper.lt, satrhdfgdfgles@vvpdfger.lt, mantfghyrager@vvfgdgfdkpper.lt, hrfgdsh@globalsfdgdources....
-----------------------------------------------------------------------------------------------------------------------------------------

ramesh2019 wrote:

Did you reset it to a strong password?

Yes, I reset the password as strong as possible.

4

Re: SPAM emails sent out from domain configured in iredmail

ramesh2019 wrote:

It seems they are sending emails from roundcube only, so this mean roundcube webmail is infected with any malware ?

It just means the spammer was sending email with Roundcube, not that Roundcube itself is infected.
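The exchange above comes down to reading the logs: the Postfix log shows whether the account authenticated over SMTP, and the Roundcube syslog line in post 3 shows the same account sending through webmail to a long recipient list from a particular client IP. The following Python script is an added example (not code from this thread or from iRedMail) that parses both kinds of record and flags accounts whose activity looks like a stolen login. Assumptions: the Roundcube line format is taken from the sample in post 3; the Postfix line is the standard smtpd `client=... sasl_username=...` record under the `postfix/submission/smtpd` syslog name; the thresholds and all sample lines (documentation IPs, made-up recipients) are constructed for the example.

```python
"""Flag mailbox accounts whose outbound activity looks like a compromised login.

Added example, not from the forum thread or the iRedMail project. The Roundcube
record format is modelled on the syslog line quoted in the thread; the Postfix
record is the standard smtpd 'client=... sasl_username=...' line (the
'postfix/submission/smtpd' syslog name is an assumption). SAMPLE_LOG is
constructed with documentation IPs and made-up recipients.
"""
import re
from collections import defaultdict

# Roundcube sendmail record via syslog:
#   "<session> User <login> [<client ip>]; Message for <rcpt>, <rcpt>, ..."
ROUNDCUBE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ roundcube: <\w+> "
    r"User (?P<user>\S+) \[(?P<ip>[^\]]+)\]; Message for (?P<rcpts>.*)$"
)

# Postfix smtpd record for an authenticated submission (SMTP AUTH), which is
# what the reply in post 2 asks to check for.
POSTFIX_SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/submission/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

# Constructed sample: one account used from three addresses, via webmail and
# SMTP AUTH, including a bulk send to undisclosed-recipients; one normal user.
SAMPLE_LOG = """\
Oct 25 00:49:34 mail roundcube: <sess1> User info@example.com [198.51.100.7]; Message for undisclosed-recipients:, a1@example.net, a2@example.net, a3@example.net, a4@example.net, a5@example.net, a6@example.net, a7@example.net, a8@example.net, a9@example.net, a10@example.net, a11@example.net
Oct 25 00:51:02 mail roundcube: <sess1> User info@example.com [198.51.100.7]; Message for b1@example.org, b2@example.org
Oct 25 01:10:15 mail roundcube: <sess2> User info@example.com [203.0.113.9]; Message for c1@example.org
Oct 25 02:03:44 mail postfix/submission/smtpd[1234]: 3A1B2C3D4E: client=unknown[192.0.2.55], sasl_method=PLAIN, sasl_username=info@example.com
Oct 25 08:00:00 mail roundcube: <sess3> User alice@example.com [192.0.2.10]; Message for bob@example.org
""".splitlines()


def parse_line(line):
    """Return a normalised event dict for a recognised line, else None."""
    m = ROUNDCUBE_RE.match(line)
    if m:
        rcpts = [r.strip() for r in m.group("rcpts").split(",") if r.strip()]
        return {"channel": "roundcube", "user": m.group("user"),
                "ip": m.group("ip"), "rcpts": rcpts}
    m = POSTFIX_SASL_RE.match(line)
    if m:
        return {"channel": "smtp-auth", "user": m.group("user"),
                "ip": m.group("ip"), "rcpts": []}
    return None


def analyse(lines, max_rcpts_per_msg=10, max_source_ips=2):
    """Summarise per-account activity and return the accounts worth a closer look.

    Thresholds are assumptions for the example: a single webmail message with
    more than max_rcpts_per_msg recipients, use of the account from more than
    max_source_ips client addresses, or any send to undisclosed-recipients.
    """
    per_user = defaultdict(lambda: {"channels": set(), "ips": set(),
                                    "max_rcpts": 0, "undisclosed": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        u = per_user[ev["user"]]
        u["channels"].add(ev["channel"])
        u["ips"].add(ev["ip"])
        if ev["channel"] == "roundcube":
            u["max_rcpts"] = max(u["max_rcpts"], len(ev["rcpts"]))
            if any(r.startswith("undisclosed-recipients") for r in ev["rcpts"]):
                u["undisclosed"] += 1

    flagged = {}
    for user, u in per_user.items():
        reasons = []
        if u["max_rcpts"] > max_rcpts_per_msg:
            reasons.append(f"webmail message with {u['max_rcpts']} recipients")
        if len(u["ips"]) > max_source_ips:
            reasons.append(f"used from {len(u['ips'])} client addresses")
        if u["undisclosed"]:
            reasons.append(f"{u['undisclosed']} message(s) to undisclosed-recipients")
        if reasons:
            flagged[user] = {"channels": sorted(u["channels"]),
                             "ips": sorted(u["ips"]), "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for user, info in analyse(SAMPLE_LOG).items():
        print(user, info["channels"], info["ips"])
        for reason in info["reasons"]:
            print("   -", reason)
```

On a live server, feed it the `roundcube:` and `sasl_username=` lines grepped from the mail log (on Ubuntu typically /var/log/mail.log; path assumed). The `channels` and `ips` fields answer the question asked in post 2: whether the sends came through webmail, SMTP AUTH, or both, and from which client addresses, which is what distinguishes a stolen password from a compromised server.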