1

Topic: Help, one of user account sends massive spam

==== Required information ====
- iRedMail version (check /etc/iredmail-release): v0.9.2
- Linux/BSD distribution name and version: Ubuntu 15.10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No, Free Opensource
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Please help, my ISP told me that one of my email users sends a lot of spam to various countries (France, Italy, etc.). I checked the corresponding mailbox: there are tons of bounceback mailer-daemon messages but not a single spammy email in his "Sent Items". I have checked on mxtoolbox that my server is not an open relay. Do you have any advice on what to check to fix this spam? Thanks in advance.

Return-Path: <user@mydomain.com>
Received: from sangstersbooks.com (91.183.96.66.static.eigbox.net [66.96.183.91])
    (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mydomain.com (Postfix) with ESMTPSA id 22A9E8460CBC
    for <pidelahaye@wanadoo.fr>; Sat, 17 Mar 2018 05:33:29 +0700 (WIB)
Date: Fri, 16 Mar 2018 18:33:26 -0400
To: pidelahaye@wanadoo.fr
From: "Cateline M." <user@mydomain.com>
Reply-To: "Cateline M." <user@mydomain.com>
Subject: Mon amie veut faire ta connaissance
Message-ID: <75755ceca70791076399423da07e3a0f@sangstersbooks.com>
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="b1_75755ceca70791076399423da07e3a0f"
Content-Transfer-Encoding: 8bit

This is a multi-part message in MIME format.

--b1_75755ceca70791076399423da07e3a0f
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Appele-moi d'urgence parce que j'ai perdu ton numéro de téléphone
Le rendez-vous est super. Tu m'as plu aussi!
Voici un lien sur { http://studioolbinski.be/learn.php?utm_ … 24it31iv6x } clique sur un compte


--b1_75755ceca70791076399423da07e3a0f
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
<body>
Appele-moi d'urgence parce que j'ai perdu ton numéro de téléphone <br>
Le rendez-vous est super. Tu m'as plu aussi!<br>
Voici un lien sur <a href="http://studioolbinski.be/learn.php?utm_source=67bczw9r77&utm_medium=vglleju2xk&utm_campaign=uww8638qza&utm_term=2qv556a7xl&utm_content=24it31iv6x">clique sur un compte</a>
</body>
</html>



--b1_75755ceca70791076399423da07e3a0f--


2

Re: Help, one of user account sends massive spam

FYI: https://forum.iredmail.org/topic12561-i … -spam.html

Use script "find_top_sasl_usernames.sh" mentioned in the first reply.

3

Re: Help, one of user account sends massive spam

If you add the following line to the script, just after the "awk" line, you get a listing of the IP addresses the client uses to connect. You should then easily pinpoint not only the user ID that is spamming (has it been hacked?), but also the originating IP address of the client computer.

awk '{print $7}' ${tmpfile} |sort |uniq -c |sort -n


ZhangHuangbin wrote:

FYI: https://forum.iredmail.org/topic12561-i … -spam.html

Use script "find_top_sasl_usernames.sh" mentioned in the first reply.
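
As an added example that is not part of this thread (and not the find_top_sasl_usernames.sh script itself), here is a small POSIX shell script doing both things the replies describe: counting submissions per sasl_username, and listing the client IPs behind one account. It runs on constructed Postfix smtpd log lines embedded inline; on a real server you would feed it /var/log/mail.log instead.

```shell
#!/bin/sh
# Added example, not the poster's script nor find_top_sasl_usernames.sh.
# Constructed Postfix smtpd log lines standing in for /var/log/mail.log;
# 66.96.183.91 is the address from the headers above, the others are
# documentation-range addresses.
SAMPLE_LOG='Mar 17 05:33:29 mail postfix/smtpd[2201]: 22A9E8460CBC: client=91.183.96.66.static.eigbox.net[66.96.183.91], sasl_method=PLAIN, sasl_username=user@mydomain.com
Mar 17 05:33:31 mail postfix/smtpd[2201]: 31B0F8460CC0: client=91.183.96.66.static.eigbox.net[66.96.183.91], sasl_method=PLAIN, sasl_username=user@mydomain.com
Mar 17 05:34:02 mail postfix/smtpd[2205]: 4C1A08460CC4: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user@mydomain.com
Mar 17 05:35:10 mail postfix/smtpd[2209]: 5D2B18460CC9: client=laptop.example.net[198.51.100.23], sasl_method=PLAIN, sasl_username=alice@mydomain.com'

# Authenticated submissions per SASL username, busiest account last.
top_sasl_users() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep -o 'sasl_username=[^ ,]*' \
      | cut -d= -f2 \
      | sort | uniq -c | sort -n
}

# Client IPs (the part inside [...] of client=) that authenticated as
# the given username; a hijacked account shows up with unfamiliar IPs.
client_ips_for_user() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk -v u="$1" '
        {
          for (i = 1; i <= NF; i++) {
            f = $i; sub(/,$/, "", f)          # strip trailing comma
            if (f == "sasl_username=" u &&
                match($0, /client=[^[]*\[[^]]*\]/)) {
              ip = substr($0, RSTART, RLENGTH)
              sub(/.*\[/, "", ip); sub(/\]$/, "", ip)
              print ip
            }
          }
        }' \
      | sort | uniq -c | sort -n
}

echo "== submissions per SASL user =="
top_sasl_users
echo "== client IPs for user@mydomain.com =="
client_ips_for_user user@mydomain.com
```

Replace the `printf '%s\n' "$SAMPLE_LOG"` stages with `cat /var/log/mail.log` to run it against a live server.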

4

Re: Help, one of user account sends massive spam

swejun wrote:

If you add the following line to the script, just after the "awk" line, you get a listing of the IP addresses the client uses to connect. You should then easily pinpoint not only the user ID that is spamming (has it been hacked?), but also the originating IP address of the client computer.

awk '{print $7}' ${tmpfile} |sort |uniq -c |sort -n


ZhangHuangbin wrote:

FYI: https://forum.iredmail.org/topic12561-i … -spam.html

Use script "find_top_sasl_usernames.sh" mentioned in the first reply.

Thanks mate, your add-on script is really useful. I can now see the incoming IPs that connect to mail accounts, though I didn't find any suspicious IP connections after I changed the password of the corresponding spammy mail account.