1 (edited by dcihon 2017-04-07 20:43:30)

Topic: I think my mail server is sending spam

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

I think my mail server is sending out spam. My server uses Gmail to send mail out and I am getting this message.
I can no longer send mail out from my Gmail account:

Mar 29 20:42:55 mail postfix/cleanup[14823]: 5B48522189D: message-id=<SSqWkDuJqVTvtu@mail.dccathome.com>
Mar 29 20:42:55 mail postfix/smtpd[14830]: disconnect from localhost[127.0.0.1]
Mar 29 20:42:55 mail postfix/qmgr[2011]: 5B48522189D: from=<>, size=3589, nrcpt=1 (queue active)
Mar 29 20:42:55 mail amavis[11262]: (11262-17) Blocked SPAM {BouncedOpenRelay,Quarantined}, [23.239.180.53]:8233 [23.239.180.53] <arapaima@anaschisatom.us> -> <danc@dccathome.com>, quarantine: q/spam-qWkDuJqVTvtu.gz, Queue-ID: 8E0E3220D9C, Message-ID: <178b83efab6432e36af5d02_d062dc583X5EH9C9H@mccluskey.anaschisatom.us>, mail_id: qWkDuJqVTvtu, Hits: 4.224, size: 11056, 510 ms
Mar 29 20:42:55 mail postfix/smtp[14828]: 8E0E3220D9C: to=<danc@dccathome.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=1.1/0.01/0/0.51, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=11262-17, BOUNCE)
Mar 29 20:42:55 mail postfix/qmgr[2011]: 8E0E3220D9C: removed
Mar 29 20:42:55 mail postfix/smtpd[14806]: disconnect from mccluskey.anaschisatom.us[23.239.180.53]
Mar 29 20:42:56 mail postfix/smtp[14831]: 5B48522189D: to=<arapaima@anaschisatom.us>, relay=smtp.gmail.com[74.125.193.109]:587, delay=0.94, delays=0.04/0.03/0.76/0.12, dsn=5.4.5, status=bounced (host smtp.gmail.com[74.125.193.109] said: 550 5.4.5 Daily user sending quota exceeded. d142sm624294itd.18 - gsmtp (in reply to DATA command))
Mar 29 20:42:56 mail postfix/qmgr[2011]: 5B48522189D: removed
Mar 29 20:44:49 mail postfix/master[2006]: terminating on signal 15


2

Re: I think my mail server is sending spam

dcihon wrote:

Mar 29 20:42:56 mail postfix/smtp[14831]: 5B48522189D: to=<arapaima@anaschisatom.us>, relay=smtp.gmail.com[74.125.193.109]:587, delay=0.94, delays=0.04/0.03/0.76/0.12, dsn=5.4.5, status=bounced (host smtp.gmail.com[74.125.193.109] said: 550 5.4.5 Daily user sending quota exceeded. d142sm624294itd.18 - gsmtp (in reply to DATA command))

Gmail says "Daily user sending quota exceeded".

Try the script "find_top_sasl_usernames.sh" below to search the Postfix log file; it will print the top email addresses used to perform SMTP auth.
https://bitbucket.org/zhb/iredmail/src/ … ail/tools/

Note: it doesn't directly find why your server is sending spam, but it will help you find out which email address was sending the most spam. You'd better change its password immediately to avoid further sending.

3 (edited by dcihon 2017-03-30 20:09:31)

Re: I think my mail server is sending spam

ZhangHuangbin wrote:
dcihon wrote:

Mar 29 20:42:56 mail postfix/smtp[14831]: 5B48522189D: to=<arapaima@anaschisatom.us>, relay=smtp.gmail.com[74.125.193.109]:587, delay=0.94, delays=0.04/0.03/0.76/0.12, dsn=5.4.5, status=bounced (host smtp.gmail.com[74.125.193.109] said: 550 5.4.5 Daily user sending quota exceeded. d142sm624294itd.18 - gsmtp (in reply to DATA command))

Gmail says "Daily user sending quota exceeded".

Try the script "find_top_sasl_usernames.sh" below to search the Postfix log file; it will print the top email addresses used to perform SMTP auth.
https://bitbucket.org/zhb/iredmail/src/ … ail/tools/

Note: it doesn't directly find why your server is sending spam, but it will help you find out which email address was sending the most spam. You'd better change its password immediately to avoid further sending.

I get this when I try to run the script:
mail log # ./find_top_sasl_usernames.sh
./find_top_sasl_usernames.sh: line 1: syntax error near unexpected token `newline'
./find_top_sasl_usernames.sh: line 1: `<!DOCTYPE html>'

4

Re: I think my mail server is sending spam

You downloaded an HTML file, not a shell script. Download this one:
https://bitbucket.org/zhb/iredmail/raw/ … ernames.sh

5

Re: I think my mail server is sending spam

ZhangHuangbin wrote:

You downloaded an HTML file, not a shell script. Download this one:
https://bitbucket.org/zhb/iredmail/raw/ … ernames.sh

OK, I am getting this:

mail log # ./find_top_sasl_usernames.sh
      2 sasl_username=danc@dccathome.com

This is what is in my /etc/postfix/sasl_passwd file:

[smtp.gmail.com]:587    dcihon@gmail.com:<Password not shown>

Note: I did not include the actual password above

6

Re: I think my mail server is sending spam

dcihon wrote:

OK, I am getting this:

mail log # ./find_top_sasl_usernames.sh
      2 sasl_username=danc@dccathome.com

Probably mail.log was rotated, so try
find_top_sasl_usernames.sh /var/log/mail.log.1

7 (edited by dcihon 2017-03-31 20:09:45)

Re: I think my mail server is sending spam

ThASattler wrote:
dcihon wrote:

OK, I am getting this:

mail log # ./find_top_sasl_usernames.sh
      2 sasl_username=danc@dccathome.com

Probably mail.log was rotated, so try
find_top_sasl_usernames.sh /var/log/mail.log.1

I ran it this way, if this was what you wanted:

mail log # ./find_top_sasl_usernames.sh /var/log/mail.log.1
      2 sasl_username=danc@dccathome.com

I got to thinking and decided to look at my Gmail account settings.
I wonder if this is causing the problem; in my settings I have this:

Send mail as:
Dan Cihon <dcihon@gmail.com>
Dan Cihon <danc@dccathome.com>

When replying to a message:
Reply from the same address the message was sent to

8

Re: I think my mail server is sending spam

Could my Dovecot settings be set to reply to bounced mail?
It almost looks like, for every spam mail I receive, the server is trying to send mail back to them.

Apr  4 08:19:13 mail postfix/smtp[5130]: 71D2E225118: to=<The-Huffington-Post@debonair.irestorememoryquick.top>, relay=smtp.gmail.com[74.125.126.108]:587, delay=334, delays=333/0.03/0.95/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[74.125.126.108] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials b126sm9098305ioa.55 - gsmtp)
Apr  4 08:19:13 mail postfix/smtp[5133]: 54AA5225ED4: to=<stephanie@taratarnboutique.com>, relay=smtp.gmail.com[74.125.126.109]:587, delay=2269, delays=2268/0.05/0.92/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[74.125.126.109] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials g64sm9098797iof.25 - gsmtp)
Apr  4 08:19:13 mail postfix/smtp[5132]: 57D62224D3D: to=<maggie@multihitech.in>, relay=smtp.gmail.com[74.125.126.109]:587, delay=515, delays=514/0.04/0.96/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[74.125.126.109] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials m77sm7222617ita.16 - gsmtp)
Apr  4 08:19:13 mail postfix/smtp[5134]: 1AAF7220FF0: to=<FreeNavySealFlashlight@average.dzrpick.top>, relay=smtp.gmail.com[74.125.126.108]:587, delay=902, delays=901/0.06/1/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[74.125.126.108] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials f130sm9087815iof.2 - gsmtp)
Apr  4 08:19:13 mail postfix/error[5139]: B3469224E43: to=<sheila@bathrakali.org>, relay=none, delay=448, delays=447/1.1/0/0.03, dsn=4.7.8, status=deferred (delivery temporarily suspended: SASL authentication failed; server smtp.gmail.com[74.125.126.109] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials g64sm9098797iof.25 - gsmtp)

Right now it is failing because I have changed the password to my gmail to try to stop it from sending.

9

Re: I think my mail server is sending spam

You have to check Postfix log file to figure out which account is trying to send emails.

10 (edited by dcihon 2017-04-06 19:38:54)

Re: I think my mail server is sending spam

ZhangHuangbin wrote:

You have to check Postfix log file to figure out which account is trying to send emails.

OK, I get that.

What I don't understand is why my Postfix is sending mail without me telling it to send mail.

How do I find out what is triggering it to send mail?
I've looked at the logs and they show me what it is doing, but they don't tell me why it is doing it.

For example I see this:
Apr  6 06:33:20 mail postfix/smtp[31794]: A3A37223335: to=<SamsClubCashBack@points.medalmz.top>, relay=none, delay=3317, delays=3287/0.04/30/0, dsn=4.4.1, status=deferred (connect to mail.medalmz.top[208.98.3.69]:25: Connection timed out)

I did not tell it to try to send this mail. It is just doing it by itself.

11

Re: I think my mail server is sending spam

dcihon wrote:

It is just doing it by itself.

Probably someone's password was cracked and the account is being used to send spam.

Check the Postfix log files to see which client IP address is connecting, block it in the iptables firewall first, then check the old logs to get more details and figure out how the client was sending spam.

Try the "find_top_sasl_usernames.sh" script to find which email account performed SASL auth the most times; it must be the one used by the spammer to send emails.
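The thread asks two questions that the same log can answer: which account is authenticating (post 11's advice, and what find_top_sasl_usernames.sh ranks), and whether the server is "sending mail by itself" in reply to spam (post 8). The first post's own log shows the second pattern: amavis logs "Blocked SPAM {BouncedOpenRelay,Quarantined}", Postfix hands the generated bounce back with "status=sent (... BOUNCE)", and a moment later a message to the spam's forged sender goes out through smtp.gmail.com. The script below is an added example, not iRedMail's tool or anything posted in this thread; it counts both signals side by side so a reader can tell backscatter from a cracked account. The log lines, addresses, IPs and queue IDs in it are constructed to match the format quoted above, and the "verdict" rule is a heuristic of this example, not an iRedMail feature.

```python
"""Triage outbound traffic in a Postfix/amavis mail.log.

Two things can make a relay-through-Gmail setup burn its sending quota: an
authenticated local account submitting spam, or the content filter bouncing
inbound spam back to forged senders (backscatter). Both leave distinct lines.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the log format quoted in this thread.
# Hosts, addresses, IPs (documentation ranges) and queue IDs are made up.
SAMPLE_LOG = """\
Mar 29 20:42:50 mail postfix/smtpd[14800]: AAAA00000001: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Mar 29 20:42:51 mail postfix/smtpd[14800]: AAAA00000002: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Mar 29 20:42:52 mail postfix/smtpd[14801]: AAAA00000003: client=home[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 29 20:42:55 mail amavis[11262]: (11262-17) Blocked SPAM {BouncedOpenRelay,Quarantined}, [192.0.2.9]:8233 [192.0.2.9] <joe@forged.invalid> -> <bob@example.com>, quarantine: q/spam-AAAA.gz, Queue-ID: BBBB00000001, Message-ID: <1@forged.invalid>, mail_id: AAAA, Hits: 4.224, size: 11056, 510 ms
Mar 29 20:42:55 mail postfix/smtp[14828]: BBBB00000001: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=1.1/0.01/0/0.51, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=11262-17, BOUNCE)
Mar 29 20:42:56 mail postfix/smtp[14831]: CCCC00000001: to=<joe@forged.invalid>, relay=smtp.gmail.com[74.125.193.109]:587, delay=0.94, delays=0.04/0.03/0.76/0.12, dsn=5.4.5, status=bounced (host smtp.gmail.com[74.125.193.109] said: 550 5.4.5 Daily user sending quota exceeded.)
Mar 29 20:43:10 mail amavis[11262]: (11262-18) Blocked SPAM {BouncedOpenRelay,Quarantined}, [192.0.2.10]:9100 [192.0.2.10] <ann@forged.invalid> -> <bob@example.com>, quarantine: q/spam-BBBB.gz, Queue-ID: BBBB00000002, Message-ID: <2@forged.invalid>, mail_id: BBBB, Hits: 6.1, size: 9000, 420 ms
Mar 29 20:43:10 mail postfix/smtp[14828]: BBBB00000002: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.9/0.01/0/0.3, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=11262-18, BOUNCE)
Mar 29 20:43:11 mail postfix/smtp[14831]: CCCC00000002: to=<ann@forged.invalid>, relay=smtp.gmail.com[74.125.193.109]:587, delay=0.8, delays=0.04/0.03/0.6/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar 29 20:43:20 mail amavis[11262]: (11262-19) Blocked SPAM {BouncedOpenRelay,Quarantined}, [192.0.2.11]:7000 [192.0.2.11] <sam@forged.invalid> -> <alice@example.com>, quarantine: q/spam-CCCC.gz, Queue-ID: BBBB00000003, Message-ID: <3@forged.invalid>, mail_id: CCCC, Hits: 5.5, size: 8000, 400 ms
Mar 29 20:43:20 mail postfix/smtp[14828]: BBBB00000003: to=<alice@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.0, delays=0.8/0.01/0/0.2, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=11262-19, BOUNCE)
Mar 29 20:43:21 mail postfix/smtp[14831]: CCCC00000003: to=<sam@forged.invalid>, relay=smtp.gmail.com[74.125.193.109]:587, delay=300, delays=299/0.03/0.9/0, dsn=4.7.8, status=deferred (SASL authentication failed)
"""

# Constructed contrast case: one account authenticating repeatedly from one client IP.
SAMPLE_LOG_CRACKED = "\n".join(
    f"Apr  1 01:00:{i:02d} mail postfix/smtpd[2000]: DDDD0000000{i}: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=eve@example.com\n"
    f"Apr  1 01:00:{i:02d} mail postfix/smtp[2001]: DDDD0000000{i}: to=<target{i}@example.net>, relay=smtp.gmail.com[74.125.193.109]:587, delay=1, delays=0.1/0.1/0.5/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)"
    for i in range(5)
)

# Authenticated submission, i.e. what find_top_sasl_usernames.sh counts.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+: client=\S*?\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)"
)
# amavis deciding to bounce a message it classified as spam (the backscatter source).
AMAVIS_BOUNCE_RE = re.compile(r"amavis\[\d+\]: .*Blocked SPAM \{[^}]*Bounced")
# A delivery attempt by the smtp client (or the error agent): queue id, recipient, relay, status.
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|error)\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>\S+?),.*status=(?P<status>\w+)"
)
CONTENT_FILTER_HOST = "127.0.0.1"  # the amavis content_filter listener; not an outbound hop


def analyze(log_text):
    """Summarise one log text into the counters a triage needs."""
    report = {
        "sasl_by_user": Counter(),   # who authenticated, how often
        "sasl_by_ip": Counter(),     # from which client IPs
        "amavis_bounces": 0,         # bounces amavis decided to generate
        "bounce_handoffs": 0,        # those bounces handed back to Postfix
        "outbound": Counter(),       # (relay host, status) for external deliveries
    }
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            report["sasl_by_user"][m["user"]] += 1
            report["sasl_by_ip"][m["ip"]] += 1
            continue
        if AMAVIS_BOUNCE_RE.search(line):
            report["amavis_bounces"] += 1
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        relay_host = m["relay"].split("[")[0]   # "smtp.gmail.com[74.125...]:587" -> "smtp.gmail.com"
        if relay_host == CONTENT_FILTER_HOST:
            if "BOUNCE)" in line:
                report["bounce_handoffs"] += 1
        else:
            report["outbound"][(relay_host, m["status"])] += 1
    return report


def top_sasl_usernames(report, n=5):
    """Same ranking as find_top_sasl_usernames.sh: [(count, user), ...], busiest first."""
    return [(c, u) for u, c in report["sasl_by_user"].most_common(n)]


def verdict(report):
    """Heuristic of this example: does backscatter or authenticated submission explain the load?"""
    ranking = report["sasl_by_user"].most_common(1)
    top_auth = ranking[0][1] if ranking else 0
    bounces = max(report["amavis_bounces"], report["bounce_handoffs"])
    if not report["outbound"]:
        return "no-outbound"
    if bounces and bounces >= top_auth:
        return "backscatter"          # the filter is generating the outbound mail
    return "check-top-sasl-account"   # an authenticated account dominates; inspect it


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for count, user in top_sasl_usernames(r):
        print(f"{count:7d} sasl_username={user}")
    print("amavis bounces:", r["amavis_bounces"], "outbound:", dict(r["outbound"]))
    print("verdict:", verdict(r))
```

Run against a real file with `analyze(open("/var/log/mail.log").read())` (and the rotated `.1` file, as post 6 suggests). When the SASL ranking is as flat as the "2 sasl_username=..." result quoted above while the amavis bounce and external relay counts keep climbing, the outbound mail is bounce traffic rather than a compromised login, and the amavis bounce policy for spam is the setting to look at rather than the relay credentials in sasl_passwd.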

12

Re: I think my mail server is sending spam

I believe I have solved this issue. There was mail in the queue that couldn't be sent.
I cleared out the queue and rebuilt the sasl_passwd file and restarted postfix. All seems to be back to normal.
For some reason the mail in the queue was exceeding the limit that gmail allowed for sending mail.
I'll mark this as solved.
Thanks for the help.

13

Re: I think my mail server is sending spam

It isn't solved.
Started doing it again.
I think I am going to start over.

14

Re: I think my mail server is sending spam

dcihon wrote:

rebuilt the sasl_passwd file

I think you're working in the wrong direction. You need to check whether some local mail user was cracked, not the one in the sasl_passwd file used for relay.

15 (edited by dcihon 2017-04-09 23:00:16)

Re: I think my mail server is sending spam

ZhangHuangbin wrote:
dcihon wrote:

rebuilt the sasl_passwd file

I think you're working in the wrong direction. You need to check whether some local mail user was cracked, not the one in the sasl_passwd file used for relay.

I am only using this system for my own personal mail.
I have three users in the system.
Myself
postmaster
webmaster

How can I tell which one has been cracked?

Right now postfix service is stopped to halt the process.

16

Re: I think my mail server is sending spam

I'd like to repeat myself: you have to check Postfix log file to figure out which one is cracked.
A simple but blind solution is changing all 3 accounts' passwords immediately, but again, it's a blind solution because we still didn't figure out what caused the spamming issue.

17

Re: I think my mail server is sending spam

I removed amavis and it looks like the spamming has stopped.
I am not sure what that exactly means.
Somehow amavis was allowing my server to be used as a spam system.
I think I now just want to use SpamAssassin to filter my mail.
Thanks for your help.
I am going to still monitor this for awhile.

18

Re: I think my mail server is sending spam

Spam sending has stopped.
Should I try to fix amavis or just leave it?
Not sure what to look for in the config files to troubleshoot the problem.
Can I just reinstall the whole system to the latest release?
Thanks