1

Topic: Weird Spam Problem

==== Required information ====
- iRedMail version: 0.8.4 / 1.6.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 6.4
- Related log if you're reporting an issue: maillog
====

I believe one of my customers' PCs has been compromised (one or multiple machines have a trojan), and spammers have their credentials for my server.

My server has been sending a lot of email -- from address / domains that aren't hosted by my server.  For example the dashboard shows top senders as -- "xbsjcjaed@yahoo.com".  Many emails going out don't even have a 'From'.

So there are a couple of issues here.

1.  The Pro Panel doesn't show whose credentials are being used to send emails.  Right now -- I don't know whose password to reset / account to disable to prevent the spamming.  The Pro Panel just shows who the email is FROM -- even though it's not a valid account on my server.

2.  How can I configure the server to reject emails without a 'FROM' address -- and to only allow From addresses from valid domains and users that I host?

Here's an excerpt from my maillog:

Jul  1 20:19:32 pcrmail amavis[28249]: (28249-05) Passed SPAM, MYNETS LOCAL [10.1.1.1] [18.200.248.175] <pjzmnkllg@yahoo.com> -> <daventing@yahoo.com.tw>, Message-ID: <ZSSLIPAQRVNCRPDYPUNXDU@yahoo.com>, mail_id: 0b8S0Uo8m1eI, Hits: 11.033, size: 3000, queued_as: 6E88B52A05, 160 ms

Jul  1 20:19:32 pcrmail postfix/error[28189]: 5C6874B2B8: to=<huang_chengjui@yahoo.com.tw>, relay=none, delay=411489, delays=411488/0.73/0/0.01, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx-tw.mail.gm0.yahoodns.net[203.188.197.111] refused to talk to me: 421 4.7.0 [TS01] Messages from 24.173.86.174 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

Attached is an image of my pro panel -- showing top senders as accounts I don't even host (and obviously fake).


2

Re: Weird Spam Problem

I've been doing some research ..perhaps it isn't a virus infection on my customer's side.  It looks like my server may be acting as a relay.  It's a clean install - pretty much default setup options.

All the postfix settings I've been looking at seem legit ..  I don't know why this is spamming.

3

Re: Weird Spam Problem

According to unlocktheinbox.com .. my server is an open relay.

4

Re: Weird Spam Problem

Ok .. got it figured out.  Just for everyone else's amusement, and perhaps some beginners in the future.

The postfix setting - 'mynetworks_style'  (in main.cf) was misconfigured.  My server is behind a NAT.  By default postfix sets 'mynetworks_style' to subnet - which says - hey trust everything you're handed to send .. if it's on the same subnet as you.

The problem is, everything my server was being handed was coming from my router ... so the entire internet was effectively 'on the same subnet'.  The server trusted everything -- and so was relaying everything.

I changed the setting to host, and purged the mailq .. and now everything is good.

Thank you.
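To see why the default left the server relaying behind NAT, here is an added Python model (not Postfix code, and not from this thread) of how mynetworks_style=subnet versus mynetworks_style=host decides who may relay. The server's own LAN address 10.1.1.5/24 and the hosted domain example.com are assumptions; the router address 10.1.1.1 and the outside sender 18.200.248.175 come from the amavis log line above.

```python
# Added example: a simplified model of Postfix's mynetworks_style and the
# permit_mynetworks / reject_unauth_destination relay check. Real Postfix
# derives mynetworks from the machine's interfaces; here they are constructed.
import ipaddress

# Assumed server interfaces (constructed, not from the thread).
SERVER_INTERFACES = ["127.0.0.1/8", "10.1.1.5/24"]
HOSTED_DOMAINS = {"example.com"}  # assumed hosted domain


def mynetworks(style, interfaces=SERVER_INTERFACES):
    """Return the trusted client networks Postfix derives for a given style."""
    nets = []
    for cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        if style == "host":
            # Trust only the server's own addresses (/32 each).
            nets.append(ipaddress.ip_network(f"{iface.ip}/{iface.max_prefixlen}"))
        elif style == "subnet":
            # Trust the whole subnet each interface sits on (the old default).
            nets.append(iface.network)
        else:
            raise ValueError(f"unsupported mynetworks_style: {style}")
    return nets


def permit_mynetworks(client_ip, style):
    """True if the SMTP client address falls inside mynetworks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in mynetworks(style))


def relay_decision(client_ip, rcpt_domain, style, hosted=HOSTED_DOMAINS):
    """Model of smtpd_recipient_restrictions =
    permit_mynetworks, reject_unauth_destination."""
    if permit_mynetworks(client_ip, style):
        return "RELAY"               # trusted client: relay anywhere
    if rcpt_domain in hosted:
        return "ACCEPT"              # mail for a domain we host
    return "REJECT 554 Relay access denied"


if __name__ == "__main__":
    # Behind NAT every outside client (e.g. 18.200.248.175) reaches the
    # server with the router's LAN address 10.1.1.1 as the SMTP client IP.
    nat_client = "10.1.1.1"
    for style in ("subnet", "host"):
        print(style, "->", relay_decision(nat_client, "yahoo.com.tw", style))
```

With subnet style the router's address sits inside 10.1.1.0/24, so every NAT-forwarded connection is relayed; with host style only 127.0.0.1 and 10.1.1.5 are trusted and the same connection gets a relay rejection.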

5

Re: Weird Spam Problem

Sorry about this trouble, and thanks for sharing.
Upcoming iRedMail release will use "mynetworks_style=host" by default.