1

Topic: Infected iRedMail Server?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.1 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Debian Bullseye
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Recently I was banned by Spamhaus with this message:

The machine using this IP is infected with malware that is emitting spam or is sharing a connection with an infected device.

As a result, this IP address is listed in the eXploits Blocklist (XBL)

Click on Show Details to see if you can request a delisting from this blocklist. This will also display any further information we have relating to this listing.
Why was this IP listed?

A device (computer, server, mobile phone, etc), or an app on a device that is using 2001:xxx:xxx:xxxx::/64 is infected, badly misconfigured, or compromised. It is making SMTP connections with multiple unrelated HELO values on port 25.

The most recent detection was on: May 23 2023, 07:40:00 UTC (+/- 5 minutes). The observed HELO values were dushonaghxjf.com, pnoleonorapu.com, razarleenbc.com, olobrynstu.com, ckjohannaugv.com, wgdmadelinerm.com, brrjazmineqds.com, hfodanicaxq.com, mgksimranvg.com, wnsfernga.com, prajaylinnss.com, macjaniyaijt.com, hrlaurenxx.com.

It's the second time I'm listed in the XBL.

How can I check this in the logs, and stop it?

Thank you.


2

Re: Infected iRedMail Server?

Spamhaus explains:

Limiting port 25 access is a best practice. Please call your ISP or IT department for assistance with configuring your router or firewall correctly.
Remediation

The device(s) or computer(s) that caused this issue should be found and secured. The following information should address most cases, but please seek professional assistance if it is necessary:

    The cause of this problem is frequently found to be coming from a phone or laptop with "free" VPNs, channel unlockers, streaming type apps installed.
    Programs like Windows Defender, Windows Malicious Software Removal Tool (MSRT), Malwarebytes, Norton Power Eraser, CCleaner and/or McAfee Stinger can help. There is also a version of Malwarebytes for Mac/OSX. These tools are free of charge!
    Update your enterprise anti-virus/anti-malware programs, and run full scans on every device that is available
    If you have a CMS or website, ensure it is up to date. All plug-ins, extensions & patches for it should be updated and maintained
    We can only see what's coming from the NAT (public) IP; anything inside your network is visible only to you. Packet capture is the best way to identify which devices are generating unwanted traffic. In general, only mailservers are supposed to generate traffic to port 25, as mail clients rely on the dedicated ports 587 or 465.
    If this IP address is a NAT gateway, firewall or router: in some cases, the compromised device can also be the router/firewall itself. Please consult the documentation of your device regarding how to make sure its software is up to date, and how to ensure that the device is properly secured.

What do I need to do?

My ISP confirmed that my IP is dedicated.

3

Re: Infected iRedMail Server?

A device (computer, server, mobile phone, etc), or an app on a device that is using 2001:xxx:xxx:xxxx::/64

Is that /64 dedicated to you?
If not, then someone else is causing the listing and you cannot do anything about this.

In this case, you need to deactivate IPv6 and only send mail through IPv4.

4 (edited by Ange7 2023-05-25 15:48:41)

Re: Infected iRedMail Server?

Is that /64 dedicated to you?
→ Yes.

you need to deactivate IPv6 and only send mail through IPv4

# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all

→ ipv4 only?

5

Re: Infected iRedMail Server?

Well, in this case your mail server was breached and is sending spam; you should fix it.

6

Re: Infected iRedMail Server?

Cthulhu wrote:

Well, in this case your mail server was breached and is sending spam; you should fix it.

My question was: "How can I fix it?"

7

Re: Infected iRedMail Server?

No idea?

8

Re: Infected iRedMail Server?

Ange7 wrote:

The most recent detection was on: May 23 2023, 07:40:00 UTC (+/- 5 minutes). The observed HELO values were dushonaghxjf.com, pnoleonorapu.com, razarleenbc.com, olobrynstu.com, ckjohannaugv.com, wgdmadelinerm.com, brrjazmineqds.com, hfodanicaxq.com, mgksimranvg.com, wnsfernga.com, prajaylinnss.com, macjaniyaijt.com, hrlaurenxx.com.

Spamhaus already gave the HELO hostnames sent from your server. Please check the Postfix log file to figure out whether they were sent from your server, and from which client.

9

Re: Infected iRedMail Server?

ZhangHuangbin wrote:
Ange7 wrote:

The most recent detection was on: May 23 2023, 07:40:00 UTC (+/- 5 minutes). The observed HELO values were dushonaghxjf.com, pnoleonorapu.com, razarleenbc.com, olobrynstu.com, ckjohannaugv.com, wgdmadelinerm.com, brrjazmineqds.com, hfodanicaxq.com, mgksimranvg.com, wnsfernga.com, prajaylinnss.com, macjaniyaijt.com, hrlaurenxx.com.

Spamhaus already gave the HELO hostnames sent from your server. Please check the Postfix log file to figure out whether they were sent from your server, and from which client.

Thank you for the answer.

Problem: I don't find any of the terms "dushonaghxjf, pnoleonorapu, razarleenbc, olobrynstu, ckjohannaugv, wgdmadelinerm, brrjazmineqds, hfodanicaxq, mgksimranvg, wnsfernga.com, prajaylinnss, macjaniyaijt, hrlaurenxx" in my /var/log/mail*.log ...
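One reason a grep of mail.log can come back empty, as it does in the post above, is that a spambot on the host that speaks SMTP itself never passes through Postfix at all, and Postfix does not log the HELO its own smtp client sends at normal log levels. The check that does see such a bot is "which local processes have connections to a remote port 25, and are they running as the postfix user?". The script below is an added example, not code from the thread or from iRedMail: it reads the Linux /proc/net/tcp and /proc/net/tcp6 tables directly (no ss/netstat needed) and maps socket inodes to PIDs via /proc/<pid>/fd, which only covers other users' processes when run as root. SAMPLE_TCP6 and SAMPLE_TCP4 are constructed rows in the kernel's format; UID 106 standing in for the postfix user is an assumption (check with `id postfix`).

```python
"""Which local processes hold connections to remote TCP port 25? (Linux /proc)"""
import os
import socket
import struct

SMTP_PORT = 25
STATE_ESTABLISHED = "01"        # "st" column of /proc/net/tcp*, hex

# Constructed sample (not a real capture): a LISTEN socket on [2001:db8::1]:25,
# a postfix client (assumed uid 106) to [2001:db8::2]:25, and a uid 1000
# process doing the same. Addresses are little-endian 32-bit words, as in the kernel.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: B80D0120000000000000000001000000:0019 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 30001 1 0000000000000000 100 0 0 10 0
   1: B80D0120000000000000000001000000:C4A2 B80D0120000000000000000002000000:0019 01 00000000:00000000 00:00000000 00000000   106        0 30002 1 0000000000000000 20 4 30 10 -1
   2: B80D0120000000000000000001000000:C4A3 B80D0120000000000000000002000000:0019 01 00000000:00000000 00:00000000 00000000  1000        0 30003 1 0000000000000000 20 4 30 10 -1
"""
# Constructed IPv4 sample: uid 33 (www-data on Debian) talking to 198.51.100.7:25.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0C0200C0:C4A4 076433C6:0019 01 00000000:00000000 00:00000000 00000000    33        0 30004 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(field):
    """Decode 'HEXADDR:HEXPORT' as written by the kernel (host-order words)."""
    host, port = field.split(":")
    if len(host) == 8:                               # IPv4: one 32-bit word
        ip = socket.inet_ntop(socket.AF_INET, struct.pack("<I", int(host, 16)))
    else:                                            # IPv6: four 32-bit words
        words = [int(host[i:i + 8], 16) for i in range(0, 32, 8)]
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack("<4I", *words))
    return ip, int(port, 16)


def parse_tcp_table(text):
    """ESTABLISHED rows of a /proc/net/tcp or tcp6 dump as dicts."""
    rows = []
    for line in text.splitlines()[1:]:               # first line is the header
        f = line.split()
        if len(f) < 10 or f[3] != STATE_ESTABLISHED:
            continue
        rows.append({"local": _decode_addr(f[1]), "remote": _decode_addr(f[2]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def outbound_smtp(rows):
    """Connections whose remote port is 25: this host acting as an SMTP client."""
    return [r for r in rows if r["remote"][1] == SMTP_PORT]


def suspicious(rows, trusted_uids):
    """Port-25 clients not running as a trusted (postfix) UID."""
    return [r for r in outbound_smtp(rows) if r["uid"] not in trusted_uids]


def inode_owner_map():
    """Socket inode -> (pid, comm). Only complete when run as root."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = (int(pid), comm)
    return owners


def main():
    import pwd
    try:
        trusted = {pwd.getpwnam("postfix").pw_uid}
    except KeyError:
        trusted = set()
    rows = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                rows += parse_tcp_table(fh.read())
        except OSError:
            pass
    owners = inode_owner_map()
    for r in suspicious(rows, trusted):
        pid, comm = owners.get(r["inode"], ("?", "?"))
        print(f"uid={r['uid']} pid={pid} comm={comm} "
              f"[{r['local'][0]}]:{r['local'][1]} -> [{r['remote'][0]}]:{r['remote'][1]}")


if __name__ == "__main__":
    main()
```

Run it as root a few times around the detection window, or loop it from cron; a bot usually opens many short-lived port-25 connections, so a single snapshot can miss it. Anything that is not the postfix smtp client (a PHP worker, a cron job, an unknown binary) is the thing to pull apart next, and the source address it binds tells you which address in the /64 Spamhaus was seeing.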

10

Re: Infected iRedMail Server?

Hello,

Today I have the same problem as 6 months ago.

Blocked by Spamhaus, cause:

2001:41d0:304:300::/64 is making SMTP connections which indicate that it is potentially misconfigured. Unfortunately it appears some elements of your existing configuration create message characteristics identical to previously identified spam messages.

Please correct the mail server's HELO 'p2s6j4bpn0sh.io' and if needed, configure it with correct DNS (forward and reverse) and HELO/EHLO values. Here is an example:

Correct HELO/DNS/rDNS alignment for domain example.com:
- Mail server HELO: mail.example.com
- Mail server IP: 192.0.2.12
- Forward DNS: mail.example.com -> 192.0.2.12
- Reverse DNS: 192.0.2.12 -> mail.example.com

Correcting an invalid HELO or a HELO/forward DNS lookup mismatch will stop the IP from being listed again.

Points to consider:

* Alignment: it is strongly recommended that the forward DNS lookup (domain name to IP address) and rDNS (IP to domain) of your IP should match the HELO value set in your server, if possible
* The IP and the HELO value should both have forward and rDNS, and should resolve in public DNS
* Ensure that the domain used in HELO actually exists!

Additional points:

* According to RFC, the HELO must be a fully qualified domain name (FQDN): "hostname.example.com" is an FQDN and "example.com" is not an FQDN.
* The domain used should belong to your organisation.
* HELO is commonly a server setting, not DNS.

Contact your hosting provider for assistance if needed.

Please verify your HELO. If all settings are correct, you have a different problem, probably malware/spambot.

Again, the HELO we are seeing is 'p2s6j4bpn0sh.io'. The last detection was at 2023-12-18 21:10:00 (UTC).

I tried:

cd /var/log && grep -R "p2s6j4bpn0sh" 

But no result.

Can someone help me resolve this?

Thank you.
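The Spamhaus notice above spells out what "alignment" means: the HELO is a host FQDN, it resolves to the sending IP, and the IP's reverse name is that same HELO. The function below is an added example, not part of the thread or of iRedMail, that runs exactly those checks. Lookups go through injectable resolver functions so it can be exercised offline against constructed records; the defaults use the stdlib resolver for a live check. The mail.example.com / 192.0.2.12 records and the "three labels" FQDN rule are taken from the notice and used here as test data, not as real DNS state.

```python
"""Check HELO / forward DNS / reverse DNS alignment as described in the Spamhaus notice."""
import socket


def live_forward(name):
    """All A/AAAA addresses of name; empty list if it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def live_reverse(ip):
    """PTR name of ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_helo_alignment(helo, ip, forward=live_forward, reverse=live_reverse):
    """Return a list of problems; an empty list means HELO, forward and reverse DNS agree.

    `ip` must be in canonical textual form (e.g. '2001:db8::1', not '2001:0db8::1'),
    because it is compared as a string against resolver output.
    """
    problems = []
    helo_n = helo.rstrip(".").lower()
    labels = helo_n.split(".")
    # Notice's rule: "hostname.example.com" is an FQDN, "example.com" is not.
    if len(labels) < 3 or "" in labels:
        problems.append(f"HELO {helo!r} is not a host FQDN (expected hostname.example.com)")
    fwd = forward(helo_n)
    if not fwd:
        problems.append(f"HELO {helo!r} does not resolve")
    elif ip not in fwd:
        problems.append(f"HELO {helo!r} resolves to {fwd}, not to sending IP {ip}")
    ptr = reverse(ip)
    if ptr is None:
        problems.append(f"no reverse DNS for {ip}")
    else:
        ptr_n = ptr.rstrip(".").lower()
        if ptr_n != helo_n:
            problems.append(f"reverse DNS of {ip} is {ptr!r}, HELO is {helo!r}")
        if ip not in forward(ptr_n):
            problems.append(f"reverse name {ptr!r} does not resolve back to {ip} (no FCrDNS)")
    return problems


# Constructed records matching the example in the Spamhaus notice (not live DNS).
GOOD_RECORDS = {
    "forward": {"mail.example.com": ["192.0.2.12"]},
    "reverse": {"192.0.2.12": "mail.example.com"},
}


def fake_resolver(records):
    """Build (forward, reverse) lookup functions over a static record dict."""
    return (lambda name: list(records["forward"].get(name, [])),
            lambda ip: records["reverse"].get(ip))


if __name__ == "__main__":
    import sys
    # Live usage: python3 check_helo.py mail.example.com 192.0.2.12
    helo_arg, ip_arg = sys.argv[1], sys.argv[2]
    for p in check_helo_alignment(helo_arg, ip_arg) or ["aligned"]:
        print(p)
```

On the server itself, `postconf myhostname smtp_helo_name` shows the HELO Postfix actually sends (smtp_helo_name defaults to $myhostname); if it is your proper FQDN and still does not match what Spamhaus saw, the HELO came from something other than Postfix. For the address side, Postfix will source outbound IPv6 from whatever address the kernel picks in the /64 unless `smtp_bind_address6` is set, and `inet_protocols = ipv4` (as discussed in post 4) takes IPv6 out of the picture altogether while you investigate.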

11

Re: Infected iRedMail Server?

If the mail is going out from your mail server, you might see top senders in iRedAdmin-Pro (if bought) and find the "spammer" account.
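The two log-side checks suggested in this thread (post 8: look for the HELO values and the client behind them in the Postfix log; post 11: find the top senders to spot a compromised account) can be done without iRedAdmin-Pro by parsing mail.log directly. The script below is an added example, not code from the thread or from iRedMail. It joins each submission's `client=... sasl_username=...` smtpd line to the qmgr `from=<...>, nrcpt=N` line by queue ID, so it can rank accounts by recipient count and by the number of distinct client IPs they authenticated from, and it flags any inbound `helo=<...>` that matches the names Spamhaus quoted. SAMPLE_LOG is constructed; the hostnames in SUSPECT_HELOS are the ones from the listing notice. Note that Postfix writes `helo=` only for inbound smtpd sessions (mostly in reject lines); the HELO its own smtp client sends out is $smtp_helo_name and does not appear in mail.log at normal log levels, so a clean grep does not exonerate the host.

```python
"""Postfix mail.log triage: top SASL senders and suspect inbound HELO values."""
import re
from collections import defaultdict

# HELO names quoted in the Spamhaus XBL notice in this thread.
SUSPECT_HELOS = frozenset("""
dushonaghxjf.com pnoleonorapu.com razarleenbc.com olobrynstu.com ckjohannaugv.com
wgdmadelinerm.com brrjazmineqds.com hfodanicaxq.com mgksimranvg.com wnsfernga.com
prajaylinnss.com macjaniyaijt.com hrlaurenxx.com
""".split())

# Constructed log lines (not from a real server): alice sends one normal mail,
# bob sends two bulk mails from two different unknown IPs, and an inbound
# connection is rejected with one of the suspect HELOs.
SAMPLE_LOG = """\
May 23 07:30:01 mail postfix/submission/smtpd[2101]: 4QPqL30yf5z3Qx9: client=laptop.example.com[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
May 23 07:30:01 mail postfix/qmgr[900]: 4QPqL30yf5z3Qx9: from=<alice@example.com>, size=2311, nrcpt=1 (queue active)
May 23 07:31:40 mail postfix/submission/smtpd[2102]: 4QPqM64Ls7z3Qxd: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=bob@example.com
May 23 07:31:40 mail postfix/qmgr[900]: 4QPqM64Ls7z3Qxd: from=<bob@example.com>, size=9870, nrcpt=120 (queue active)
May 23 07:32:05 mail postfix/submission/smtpd[2103]: 4QPqN11Kd2z3Qxg: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=bob@example.com
May 23 07:32:05 mail postfix/qmgr[900]: 4QPqN11Kd2z3Qxg: from=<bob@example.com>, size=9870, nrcpt=95 (queue active)
May 23 07:33:12 mail postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[198.51.100.200]: 554 5.7.1 <u@example.com>: Recipient address rejected; from=<x@dushonaghxjf.com> to=<u@example.com> proto=ESMTP helo=<dushonaghxjf.com>
"""

RE_SASL = re.compile(r"smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<client>\S+),.*?sasl_username=(?P<user>\S+)")
RE_QMGR = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<n>\d+)")
RE_HELO = re.compile(r"helo=<(?P<helo>[^>]*)>")


def triage(lines, suspect_helos=SUSPECT_HELOS):
    """Return (stats per sasl_username, list of (helo, log line) hits)."""
    by_qid = {}                                   # queue id -> (user, client)
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "clients": set()})
    helo_hits = []
    for line in lines:
        m = RE_SASL.search(line)
        if m:
            by_qid[m["qid"]] = (m["user"], m["client"])
            continue
        m = RE_QMGR.search(line)
        if m and m["qid"] in by_qid:              # only authenticated submissions
            user, client = by_qid[m["qid"]]
            s = stats[user]
            s["messages"] += 1
            s["recipients"] += int(m["n"])
            s["clients"].add(client)
            continue
        m = RE_HELO.search(line)
        if m and m["helo"].lower() in suspect_helos:
            helo_hits.append((m["helo"], line))
    return dict(stats), helo_hits


def top_senders(stats, limit=10):
    """Accounts ranked by recipients delivered, then by message count."""
    return sorted(stats.items(),
                  key=lambda kv: (kv[1]["recipients"], kv[1]["messages"]),
                  reverse=True)[:limit]


def flagged(stats, max_recipients=100, max_clients=3):
    """Accounts that exceed a recipient budget or authenticate from too many IPs."""
    return sorted(u for u, s in stats.items()
                  if s["recipients"] > max_recipients or len(s["clients"]) > max_clients)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    stats, hits = triage(src)
    for user, s in top_senders(stats):
        print(f"{user:30} msgs={s['messages']:5} rcpts={s['recipients']:6} clients={len(s['clients'])}")
    print("flagged:", flagged(stats))
    for helo, line in hits:
        print("suspect HELO", helo, "::", line.strip())
```

Run it against the rotated logs too (`zcat /var/log/mail.log.*.gz | python3 triage.py /dev/stdin`), since the Spamhaus timestamp may fall in an already-rotated file. An account with a large recipient total from IPs its owner does not recognise is the usual "stolen password" pattern; a HELO hit in a reject line only tells you that third parties using those names connected inbound, which does not by itself implicate the server.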