1

Topic: Spam email is being sent from localhost

==== Required information ====
- iRedMail version: 0.8.7
- Linux/BSD distribution name and version: Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-24-generic x86_64)
- Store mail accounts in which backend: MySQL
- Web server: Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
====

I have been having a problem with spam email recently: it is being sent from my email address to that same address, and the headers are (probably forged) to make it look like it came from localhost.

myhost.com is our primary mail server (which is the one with iRedMail installed); mx.myhost.com is a relay server.

Return-Path: <webmaster@myhost.com>
Delivered-To: webmaster@myhost.com
Received: from localhost (myhost.com [127.0.0.1])
    by mail.gesell.com.ar (Postfix) with ESMTP id 9C6F13BE1D8
    for <webmaster@myhost.com>; Thu, 22 Dec 2016 00:43:16 -0300 (ART)
Authentication-Results: myhost.com (amavisd-new);
    dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
    header.d=myhost.com
Received: from myhost.com ([127.0.0.1])
    by localhost (myhost.com [127.0.0.1]) (amavisd-new, port 10028)
    with ESMTP id 0Hn6hFw3784c for <webmaster@cotel.com.ar>;
    Thu, 22 Dec 2016 00:43:16 -0300 (ART)
Received: from mx.myhost.com (proxy.cotel.com.ar [181.192.0.131])
    by mail.gesell.com.ar (Postfix) with ESMTP id 6AF0E3BE1D5
    for <webmaster@myhost.com>; Thu, 22 Dec 2016 00:43:15 -0300 (ART)
Received: from localhost (unknown [127.0.0.1])
    by mx.myhost.com (Postfix) with ESMTP id 8D34F6067C
    for <webmaster@myhost.com>; Thu, 22 Dec 2016 00:43:20 -0300 (ART)
X-Virus-Scanned: amavisd-new at myhost.com
Received: from mx.myhost.com ([127.0.0.1])
    by localhost (mx.myhost.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id hZpNIxoEzJQX for <webmaster@myhost.com>;
    Thu, 22 Dec 2016 00:43:20 -0300 (ART)
Received: from [31.25.135.223] (unknown [31.25.135.223])
    by mx.myhost.com (Postfix) with ESMTP id 0092C60783
    for <webmaster@myhost.com>; Thu, 22 Dec 2016 00:43:18 -0300 (ART)
From: <webmaster@myhost.com>
To: <webmaster@myhost.com>
Date: 22 Dec 2016 08:38:23 +0200
MIME-Version: 1.0
Subject: Crecimiento de carrera
Message-ID: <585B7D13.1459.6092DD@webmaster.cotel.com.ar>
Priority: normal
X-mailer: Pegasus Mail for Windows (4.52)
Content-type: multipart/alternative; boundary="Alt-Boundary-73041.9101670"

I can see that the real origin is [31.25.135.223], but is there a way to stop those emails from entering?
For now I can only see emails aimed at webmaster, and no user has been affected yet. But I'm worried about it.

They are not using my email account; after all, I changed the passwords and even use a random one generated by iRedAdmin.


2

Re: Spam email is being sent from localhost

*) Check the Postfix log file to verify whether the spam sender or From: address performed SMTP auth to send the email. If so, it should be easy for you to figure out which SASL username was used for SMTP auth; its password was cracked / stolen, so reset it immediately.

*) Do you have "reject_sender_login_mismatch" in /etc/postfix/main.cf? Or do you have the plugin "reject_sender_login_mismatch" enabled in the iRedAPD config file (/opt/iredapd/settings.py)?

*) According to the mail header "Received: from [31.25.135.223] (unknown [31.25.135.223]) by mx.myhost.com (Postfix) with ESMTP id 0092C60783 for <webmaster@myhost.com>; ", it seems the spam was sent from your relay server, not from an end user directly. You may need to check the spam settings on the relay server instead. If your iRedMail server has this relay server listed in Postfix "mynetworks =", no restrictions are applied to the relay server.
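The two checks suggested above, as an added Python example that is not code from this thread or from iRedMail: walk the Received: chain from the newest hop down, trusting only addresses you know to be your own (loopback for the Postfix/amavisd round trips and the relay), so the first hop outside that set is the real origin; then look up that hop's Postfix queue ID in the log to see whether the client presented a sasl_username. The sample message is the header chain quoted in the first post; the relay address 181.192.0.131 is taken from those headers and is assumed to be the only external host you trust. The Postfix log lines are constructed for the example, and the queue ID ABCDEF1234 with client 203.0.113.5 is invented to show what an authenticated submission looks like in the same log format.

```python
"""Find the true origin of a message from its Received: chain, then check
the Postfix log for SMTP auth on that hop. Added example; sample data is
constructed (message headers copied from the forum post, log lines made up)."""
import ipaddress
import re

# Hops we treat as our own. Loopback covers the amavisd round trips;
# 181.192.0.131 is the relay as it appears in the post (assumption).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("181.192.0.131/32"),
]

RECEIVED_RE = re.compile(r"^Received:\s*(?P<body>.*)$", re.I)
FROM_RE = re.compile(r"\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?", re.I)
IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f:.]+)\]")   # bracketed connecting address
ID_RE = re.compile(r"\bid\s+(?P<id>[0-9A-Za-z]+)")   # Postfix/amavisd queue id

# Constructed sample: the chain from the post (hostnames as posted), newest hop first.
SAMPLE_MESSAGE = """Return-Path: <webmaster@myhost.com>
Received: from localhost (myhost.com [127.0.0.1])
    by mail.gesell.com.ar (Postfix) with ESMTP id 9C6F13BE1D8
    for <webmaster@myhost.com>; Thu, 22 Dec 2016 00:43:16 -0300 (ART)
Received: from myhost.com ([127.0.0.1])
    by localhost (myhost.com [127.0.0.1]) (amavisd-new, port 10028)
    with ESMTP id 0Hn6hFw3784c for <webmaster@cotel.com.ar>;
    Thu, 22 Dec 2016 00:43:16 -0300 (ART)
Received: from mx.myhost.com (proxy.cotel.com.ar [181.192.0.131])
    by mail.gesell.com.ar (Postfix) with ESMTP id 6AF0E3BE1D5
    for <webmaster@myhost.com>; Thu, 22 Dec 2016 00:43:15 -0300 (ART)
Received: from localhost (unknown [127.0.0.1])
    by mx.myhost.com (Postfix) with ESMTP id 8D34F6067C
    for <webmaster@myhost.com>; Thu, 22 Dec 2016 00:43:20 -0300 (ART)
Received: from [31.25.135.223] (unknown [31.25.135.223])
    by mx.myhost.com (Postfix) with ESMTP id 0092C60783
    for <webmaster@myhost.com>; Thu, 22 Dec 2016 00:43:18 -0300 (ART)
From: <webmaster@myhost.com>
To: <webmaster@myhost.com>

body
"""

# Constructed Postfix log lines in the real smtpd "client=" format. The first
# is the unauthenticated hop above; the second is an invented authenticated one.
SAMPLE_LOG = [
    "Dec 22 00:43:18 mx postfix/smtpd[1234]: 0092C60783: client=unknown[31.25.135.223]",
    "Dec 22 00:43:18 mx postfix/qmgr[1100]: 0092C60783: from=<webmaster@myhost.com>, size=2048, nrcpt=1 (queue active)",
    "Dec 22 01:02:03 mx postfix/smtpd[1300]: ABCDEF1234: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=webmaster@myhost.com",
]


def unfold_headers(raw):
    """Return header lines with RFC 5322 folding undone; stops at the blank line."""
    lines = []
    for line in raw.split("\n"):
        if line == "":
            break
        if line[:1] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return (connecting_ip, helo_name, queue_id) per Received: hop, newest first."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        fm = FROM_RE.search(body)
        if not fm:
            continue
        helo, comment = fm.group("helo"), fm.group("comment") or ""
        # The MTA writes the verified peer address in the comment; fall back to
        # the HELO name only when it is itself an address literal.
        ipm = IP_RE.search(comment) or IP_RE.search(helo)
        idm = ID_RE.search(body)
        hops.append((ipm.group("ip") if ipm else None, helo,
                     idm.group("id") if idm else None))
    return hops


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def first_external_hop(raw):
    """Newest hop down: the first address outside TRUSTED_NETWORKS is the real
    origin. Every Received: line below it was written by that peer or earlier
    and may be forged, like the "from localhost" lines in the post."""
    for ip, helo, qid in parse_received(raw):
        if ip is None or not is_trusted(ip):
            return ip, helo, qid
    return None


def smtp_auth_for_queue_id(log_lines, queue_id):
    """SASL username on the smtpd client= line for queue_id, or None if the
    client never authenticated (or no smtpd line for that id was found)."""
    for line in log_lines:
        if "postfix/smtpd" in line and f": {queue_id}: client=" in line:
            m = re.search(r"sasl_username=(\S+)", line)
            return m.group(1).rstrip(",") if m else None
    return None


if __name__ == "__main__":
    ip, helo, qid = first_external_hop(SAMPLE_MESSAGE)
    print(f"real origin: {ip} (HELO {helo}), queue id {qid}")
    print("sasl user:", smtp_auth_for_queue_id(SAMPLE_LOG, qid))
```

For the posted chain this reports 31.25.135.223 with queue ID 0092C60783 and no sasl_username on its smtpd line, which is what you want to see before concluding that no account password was stolen; a non-empty sasl_username would name the account to reset. The relay is in the trusted set here only because the post says it is a relay: if it is also listed in the primary server's Postfix mynetworks, permit_mynetworks lets its mail past the smtpd restrictions, so the filtering has to happen on the relay where the 31.25.135.223 connection actually arrived.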