Topic: SPAM emails sent out from domain configured in iredmail
==== BASIC INFO OF IREDMAIL SERVER ====
- iRedMail version : 0.9.9 MARIADB edition.
- Deployed with installer
- Ubuntu 18.04.2 LTS / bionic
- MARIADB
- Nginx
- Open source iredadmin
- Roundcube webmail
===========================================
A lot of SPAM emails were sent out from one of our email accounts (info@isted.com) configured in the iRedMail server (community server); we are using Amazon SES as a relay service for this iRedMail server.
When I first logged in and checked the Roundcube webmail settings, one identity had been added without our knowledge, and an auto-reply Yandex email ID and extra content in the signature had also been added in the webmail settings, so I removed those settings and reset the email ID password.
But after 2 days, again a lot of SPAM emails were sent out from this same email ID (info@isted.com). This time I didn't see any settings changed in Roundcube webmail, but when I looked at some bounced SPAM emails, it looks like they have Trojan attachments.
----------------------------------------------------------------------
Below is the sample email sent out from that domain
-----------------------------------------------------------------------
Subject Payment Review
From Cathy Zhai Yan <info@isted.com>
To undisclosed-recipients:
Date Mon 09:21
Good day,
Should I pay to this account in this invoice?
The below invoice was forwarded to the account department this morning by our sales department.
Check the attached Invoice and confirm for a final confirmation of the details for the payment within 48 hours.
Awaiting your quick response.
Thanks & Best Regards!
Cathy Zhai Yan
----------------------------------------------------------------------------------------
Below is an email sample with header details
----------------------------------------------------------------------------------------
Authentication-Results: mail.tech.in (amavisd-new);
dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
header.d=trd.in
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=trd.in; h=
user-agent:message-id:references:in-reply-to:subject:subject:to
:from:from:date:date:content-type:content-type:mime-version; s=
dkim; t=1572234816; x=1574826817; bh=/ZTsZ/yhOCbiD3zjZEUOT10Sal9
9wpzPMVJv/bPtaas=; b=LP6BZUT5hLYz8k104kQmMWNXj7J4KwIkXn1e05+fmEk
DjW2s6vA7TeajMvrqipIjdbSxxu9zTRcrJZe+y40HwQoVcYOdaeUwWQ2Y4pPeMcc
fZC37KfcSj7O8e6f0JZ3LhDHlI+Y+B24B27ZfgBSUjyzBeJOHRiPKF4tVG1YSdag
=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1572234820;
h=MIME-Version:Content-Type:Date:From:To:Subject:In-Reply-To:References:Message-ID:Feedback-ID;
bh=/ZTsZ/yhOCbiD3zjZEUOT10Sal99wpzPMVJv/bPtaas=;
b=YFP8Ldgk5vozjsvHMsWeqG4qtMW3xhJHaAFPAsFHY9keLNCZwo/hk5Lv1DnHyPzK
fy9ijtsOK/5RcCkorppdwK56Qjm5eSwIrFNcEUeg5lSzrlqXqw6t/GwYuMQm9ckqCP/
KqjDqsSeiP1xKr5g1/2Nnlqkw04cayQM4VQ6YN4Q=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=e43lmvfk2zolf7txvxtu5deejpfz6rjs; d=isted.com; t=1572234820;
h=MIME-Version:Content-Type:Date:From:To:Subject:In-Reply-To:References:Message-ID;
bh=/ZTsZ/yhOCbiD3zjZEUOT10Sal99wpzPMVJv/bPtaas=;
b=m/jq2GTRAIGmjEN1yzbg2dT3IwY1WIulVDgHxI7xv1u6LUMjx20GZAeV0LVr/Whw
umKh26/ITwM5oXsURt8kODdHJJHqZKNnIQHlAJ8ZtL61gC8wKBK9IJRqtCCYm/Q6GZQ
P8/rxDTDK1ay7qfUbwYT0jM+zg7anWXC8iCYUkS8=
X-Virus-Scanned: Debian amavisd-new at mail.tech.in
X-Amavis-Alert: BANNED, message contains
.exe,.exe-ms,0713714001572228566/INVOICE.exe
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_663dd9d71340dc9d492dce9a82bd22e3"
Date: Mon, 28 Oct 2019 03:53:40 +0000
From: Cathy Zhai Yan <info@isted.com>
To: undisclosed-recipients:;
Subject: Payment Review
In-Reply-To: <698272af1e231780e7243879655d8c61@isted.com>
References: <fb398202caa5a4e906a39b8c2c4ada1f@isted.com>
<d0fe2c591e328927bcc2f6d23f40235d@isted.com>
<0bb78bbdf1f7579803752ac79715495f@isted.com>
<8f20017d694df726abc4cc10397f04ab@isted.com>
<c6a9076f16649160998c6804097900e1@isted.com>
<698272af1e231780e7243879655d8c61@isted.com>
Message-ID: <0100016e107f7a9e-013e4928-40cb-4fa8-bac0-8aba6c378d38-000000@email.amazonses.com>
X-Sender: info@isted.com
User-Agent: Roundcube Webmail
X-SES-Outgoing: 2019.10.28-54.240.8.78
Feedback-ID: 1.us-east-1.Lg5O8ueviEy+ooBOTQSbFM3cXw+b6rduabFbI+09BrA=:AmazonSES
-------------------------------------------------------------------------------------------------------------------------
The bounce message below, which we received, shows that the above SPAM email contains some kind of Trojan
-------------------------------------------------------------------------------------------------------------------------
Subject: Payment Review
Sender: info@isted.com
Time received: 10/28/2019 3:53:11 AM
Message ID:<0100016e107ef9f7-ed7b7d6e-3e12-4e88-9a80-221bf4f65845-000000@email.amazonses.com>
Detections found:
invoice.gz W32/Trojan.SW.gen!Eldorado
---------------------------------------------------------------------------------------------------------------------
Where is the issue? Is one of our computers infected, or is the webmail infected with malware, a virus or a Trojan? Kindly help me to find the issue.
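An added triage script (not part of the original post or of iRedMail) that reads headers like those quoted above and extracts the three indicators a responder would check first: the amavisd-new BANNED alert naming the INVOICE.exe part, the Roundcube User-Agent plus X-Sender (the message was submitted through webmail with the account's own credentials, pointing at a stolen password rather than an infected server), and the chain of DKIM signing domains. The sample headers are constructed from the post, with signature values cut short.

```python
"""Triage of an outbound message's headers for the indicators in the quoted
sample: amavisd-new BANNED alert, Roundcube X-Sender, DKIM signing domains."""
import re
from email import message_from_string

# Constructed sample, abridged from the headers quoted above (b= values cut).
SAMPLE_HEADERS = """\
Authentication-Results: mail.tech.in (amavisd-new); dkim=pass header.d=trd.in
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=trd.in; h=
    user-agent:message-id:subject:to:from:date; s=dkim; t=1572234816;
    bh=/ZTsZ/yhOCbiD3zjZEUOT10Sal99wpzPMVJv/bPtaas=; b=LP6BZUT5hLYz
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1572234820;
    bh=/ZTsZ/yhOCbiD3zjZEUOT10Sal99wpzPMVJv/bPtaas=; b=YFP8Ldgk5voz
X-Amavis-Alert: BANNED, message contains
    .exe,.exe-ms,0713714001572228566/INVOICE.exe
From: Cathy Zhai Yan <info@isted.com>
X-Sender: info@isted.com
User-Agent: Roundcube Webmail

"""

def _unfold(value):
    # Collapse RFC 5322 folding (newline + leading whitespace) to single spaces.
    return " ".join(value.split())

def dkim_domains(msg):
    """Signing domain (d= tag) of each DKIM-Signature, in header order."""
    hits = [re.search(r"(?:^|;)\s*d=([^;\s]+)", _unfold(s)) for s in msg.get_all("DKIM-Signature", [])]
    return [m.group(1) for m in hits if m]

def banned_parts(msg):
    """Entries listed after 'message contains' in an amavisd-new BANNED alert;
    the last entry is the offending part (here the INVOICE.exe attachment)."""
    alert = _unfold(msg.get("X-Amavis-Alert", ""))
    if not alert.startswith("BANNED"):
        return []
    return [p.strip() for p in alert.partition("message contains")[2].split(",") if p.strip()]

def triage(raw):
    """Human-readable findings for one message's raw headers."""
    msg = message_from_string(raw)
    findings, parts, signers = [], banned_parts(msg), dkim_domains(msg)
    if parts:
        findings.append("banned attachment: " + parts[-1])
    if "Roundcube" in msg.get("User-Agent", ""):
        findings.append("submitted via webmail as " + msg.get("X-Sender", "unknown"))
    if signers:
        findings.append("dkim signers: " + ",".join(signers))
    return findings
```

Run `triage(SAMPLE_HEADERS)` to see the three findings; pointing it at the headers of each bounced message, or at a Roundcube/Postfix log export, shows whether every spam run carries the same X-Sender and webmail User-Agent, which is the sign to look at the account's credentials and the webmail login log rather than at a server-side infection.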